Rethinking Security of Web-Based System Applications

Authors: Martin Georgiev, Suman Jana, Vitaly Shmatikov

DOI: 10.1145/2736277.2741663

Abstract: Many modern desktop and mobile platforms, including Ubuntu, Google Chrome, Windows, and Firefox OS, support so-called Web-based system applications that run outside the Web browser and enjoy direct access to native objects such as files, camera, and geolocation. We show that the access-control models of these platforms are (a) incompatible and (b) prone to unintended delegation of native-access rights: when applications request native access for their own code, they unintentionally enable it for untrusted third-party code, too. This enables malicious ads and other third-party content to steal users' OAuth authentication credentials, access the camera on their devices, etc. We then design, implement, and evaluate PowerGate, a new access-control mechanism for Web-based system applications. It solves two key problems plaguing all existing platforms: security and consistency. First, unlike the existing platforms, PowerGate correctly protects native objects from unauthorized access. Second, PowerGate provides uniform access-control semantics across all platforms and is 100% backward compatible. PowerGate enables application developers to write well-defined native-object access policies with explicit principals such as "application's local code" and "third-party code," is easy to configure, and incurs negligible performance overhead.
