Abstract

We present the architecture of a secure browser, designed to handle attacks by incoming malicious objects. Our design is based on an operating system that offers process-specific protection mechanisms.

Keywords: Secure systems, web browser, process-specific protection.

* This work was supported by DARPA under Contract F39502-99-1-0512-MOD P0001.

1 Introduction

In the current highly interconnected computing environments, Web browsers are probably the most popular tool for receiving data over the Internet. More often than not, the data come from unauthenticated sources that can potentially be malicious. Since the incoming data often carry active content that will be interpreted on the client machine, in many cases without the user's knowledge, a number of attacks become possible.

To interpret active content web browsers often rely on helper applications, that become security critical

The paper is organized as follows. In Section 2 we discuss the motivation behind this work. In Section 3 we give a brief background description of a SubOS-capable operating system. In Section 4 we present the architecture of our system. In Section 5 we discuss related work, and finally we conclude in Section 6.

¹ There are a number of hostile JavaScript and VBScript sites on the Web, easily found using search engines.

2 Motivation

With the growth of the Internet, exchange of information over wide-area networks has become essential for users. Web browsers, like Netscape Navigator and Microsoft Internet Explorer, often automatically invoke a helper application to handle the downloaded object. In some cases, like in Perl scripts, they will query the user about executing it. In others, like in Postscript files or Java applets [10, 15, 9], they will execute the content, possibly compromising the security of the system. The former approach puts a lot of burden on the user, who more often than not is not particularly security conscious. In the latter case the user is bypassed altogether and system security becomes dependent on the correctness of the Postscript or Applet viewer.

It is also the case that seemingly inactive objects like Web pages are very much active and potentially dangerous. One example is JavaScript [6] programs, which are executed within the security context of the page with which they were down-loaded, and they have restricted access to other resources within the browser. Security flaws exist in certain Web browsers that permit JavaScript programs to monitor a user's browser activities beyond the security context of the page with which the program was down-loaded (CERT Advisory CA:97.20). It is obvious that such behavior automatically compromises the user's privacy and security.

sions and managing resources. All this is what is traditionally done by operating systems. Web browsers consequently, because of their complexity as well as the lack of flexibility in the underlying security mechanisms, possess a number of security holes. Examples of such problems are numerous, e.g. JavaScript, malicious Postscript documents, etc.

We wish to demonstrate how to build a secure Web browser, designed to handle attacks by incoming malicious objects, on top of an operating system that offers process-specific protection mechanisms.

3 SubOS-enabled Operating Systems
[Figure 1: layered diagram. Applications (viewing a file, command shell, browser, ...) run in unprotected space on top of the operating system, which guards the protected resources (CPU, Memory, Disk, Network, etc.).]

Figure 1: User applications executing on an operating system maintain the user privileges, allowing them almost full access to the underlying operating system.
The advantages of our approach become apparent if we consider the alternative methods of ensuring that a malicious object does not harm the system. Again using our postscript example, we can execute foo.ps inside a safe interpreter that will limit its access to the underlying file system. There are, however, a number of examples of how relying on safe languages fails [11]. We could execute the postscript interpreter inside a sandbox using chroot(2), but this will prohibit it from accessing font files that it might need. Finally, we could read the postscript code and make sure that it does not include any malicious commands, but this is impractical.

Our method provides transparency to the user and increased security, since every data object has its access rights bound to its identity, preventing it from harming the system.

Figure 3: In the left part of the Figure we see an object, in this case a postscript file foo.ps, with its associated sub-user id. The moment the ghostscript application opens file foo.ps, it turns into a SubOS process and it inherits the sub-user id that was associated with the untrusted object. From now on, this process has the permissions and privileges associated with this sub-user id.

3.1 Security Mechanism Enforcement

As we mentioned earlier in Section 3, every time the system accepts an incoming object it associates a sub-user id with it, depending on the credentials the object carries. The sub-user id is permanently saved in the inode of the file that holds that object, which is now its immutable identity in the system and specifies what permissions it will have. It has essentially the same functionality as a UNIX user
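The mechanism of Section 3.1 and Figure 3 can be modelled in a few dozen lines: an incoming object is admitted with a sub-user id that is stored with the file and never changed, and the first process to open that object becomes a SubOS process whose later accesses are decided by the sub-user id's policy instead of the user's normal rights. The following Python model is an added example, not the authors' modified OpenBSD kernel or their Perl prototype; the policy table, the paths, the sub-user id 1001 and the helper names are assumptions constructed for the illustration.

```python
"""Toy model of the SubOS mechanism of Section 3.1: a sub-user id is fixed to
an incoming object when it is admitted, and any process that opens that
object becomes a SubOS process confined to the sub-user id's permissions.
Constructed example; the real mechanism lives in the authors' modified
OpenBSD kernel, which is not shown on the page. Policy contents are
assumptions of this model."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

READ, WRITE = "read", "write"


@dataclass
class File:
    path: str
    owner_uid: int
    sub_uid: Optional[int] = None     # immutable identity of an untrusted object
    contents: str = ""


@dataclass
class Process:
    name: str
    uid: int
    sub_uid: Optional[int] = None     # None: ordinary process with full user rights
    opened: List[str] = field(default_factory=list)


class SubOSKernel:
    def __init__(self) -> None:
        self.files: Dict[str, File] = {}
        # sub-uid -> (operations allowed, path prefixes those operations may touch)
        self.policy: Dict[int, Tuple[Set[str], Tuple[str, ...]]] = {}

    def admit(self, path: str, owner_uid: int, sub_uid: Optional[int] = None,
              contents: str = "") -> None:
        """Object log-in: the sub-uid is stored with the file (the inode field
        in the paper) and cannot be changed afterwards."""
        existing = self.files.get(path)
        if existing is not None and existing.sub_uid is not None:
            raise PermissionError(f"{path}: sub-uid is immutable once assigned")
        self.files[path] = File(path, owner_uid, sub_uid, contents)

    def open(self, proc: Process, path: str, op: str = READ) -> str:
        """Opening an object that carries a sub-uid turns the opener into a
        SubOS process; a process that already is one is checked like any access."""
        f = self.files[path]
        if proc.sub_uid is not None:
            self._check(proc, path, op)
        proc.opened.append(path)
        if f.sub_uid is not None and proc.sub_uid is None:
            proc.sub_uid = f.sub_uid      # inherit the object's sub-user id
        return f.contents

    def access(self, proc: Process, path: str, op: str) -> bool:
        """Every later access by a SubOS process is decided by its sub-uid;
        ordinary processes keep the normal UNIX rights of their user."""
        if proc.sub_uid is not None:
            self._check(proc, path, op)
        return True

    def _check(self, proc: Process, path: str, op: str) -> None:
        ops, prefixes = self.policy[proc.sub_uid]
        if op not in ops or not path.startswith(prefixes):
            raise PermissionError(
                f"{proc.name} (sub-uid {proc.sub_uid}) may not {op} {path}")


def ghostscript_demo() -> Tuple[Optional[int], Dict[str, bool]]:
    """Replays Figure 3: ghostscript opens the untrusted foo.ps and is confined;
    a shell of the same user that never touched foo.ps is not."""
    k = SubOSKernel()
    # Sub-uid 1001 for untrusted Postscript: read-only access to the incoming
    # directory and to fonts, so the font problem of a chroot jail does not arise.
    k.policy[1001] = ({READ}, ("/tmp/incoming/", "/usr/share/fonts/"))
    k.admit("/tmp/incoming/foo.ps", owner_uid=500, sub_uid=1001, contents="%!PS-Adobe-3.0\n")
    k.admit("/usr/share/fonts/Times.pfb", owner_uid=0)
    k.admit("/home/bar/.ssh/id_rsa", owner_uid=500, contents="PRIVATE KEY")

    gs = Process("ghostscript", uid=500)
    k.open(gs, "/tmp/incoming/foo.ps")          # gs is now a SubOS process
    shell = Process("sh", uid=500)               # same user, never touched foo.ps

    def allowed(proc: Process, path: str, op: str) -> bool:
        try:
            return k.access(proc, path, op)
        except PermissionError:
            return False

    try:                                         # a second log-in may not relabel
        k.admit("/tmp/incoming/foo.ps", owner_uid=500, sub_uid=1000)
        immutable = False
    except PermissionError:
        immutable = True

    return gs.sub_uid, {
        "fonts": allowed(gs, "/usr/share/fonts/Times.pfb", READ),
        "key": allowed(gs, "/home/bar/.ssh/id_rsa", READ),
        "write_home": allowed(gs, "/home/bar/.profile", WRITE),
        "shell_key": allowed(shell, "/home/bar/.ssh/id_rsa", READ),
        "immutable": immutable,
    }


if __name__ == "__main__":
    print(ghostscript_demo())
```

The point the model makes is the one the paper relies on: confinement is attached to the data, not chosen by the application, so the same ghostscript binary is unrestricted until it touches foo.ps and restricted afterwards, while an unrelated shell of the same user is unaffected.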
[Figure 2: layered diagram. Applications (running an applet, word processor, executing a game, viewing a file, command shell, browser, ...) run in unprotected space; each application that handles an untrusted object runs inside its own SubOS layer above the operating system, which guards the protected resources (CPU, Memory, Disk, Network, etc.).]

Figure 2: Under SubOS enabled operating systems user applications that "touch" possibly malicious objects no longer maintain the user access rights, and only get restricted access to the underlying system.
Figure 4: In the top part of the Figure we see the regular process of a user Bar logging in to a UNIX system Foo and getting a user id. In the same way objects that enter the system through ftp, mail, etc., "log in" using a cryptographic token, and are assigned sub-user id's.

4.1 The Threat

The use of Java, JavaScript and VBScript in HTML pages is becoming ever more popular; furthermore, HTML provides support for other scripting languages with the use of the <SCRIPT> tag [3]. Even though this functionality is primarily intended to enhance the capabilities of web pages and the "surfing experience" of the user, it is often used to attack unsuspecting hosts.

Even worse, the site or host is vulnerable even if the browser is behind the firewall and the document is a "secure" HTTPS-based document. JavaScript programs are executed within the security context of the page in which they were down-loaded, and have restricted access to other resources within the browser. Some browsers running JavaScript may, in turn, have security flaws that allow the JavaScript program to monitor a user's browser more than what is considered safe or secure. In addition, it may be difficult or impossible for the browser user to determine if the program is transmitting information back to the web server. For instance, among other functions, JavaScript is able to monitor a user's browser activity by:

- Observing the URLs of visited documents as well as bookmarks.
- Observing the data filled into HTML forms (including passwords).
- Observing the values of cookies (that might hold critical information).

In Java the user may or may not be informed that an applet is being down-loaded into their browser. The real shock comes when a user inadvertently down-loads a hostile applet. There are many different things hostile applets can do to wreak havoc on your system. Among a few of the most noteworthy are the following:

2. Web pages that carry active content that is interpreted by the browser.

To address these problems we will use the mechanisms provided by the SubOS-capable operating system, as well as a modular Web browser architecture. We divide the Web browser into three parts, according to its functionality. The first part is responsible for down-loading objects over the network, the second is responsible for displaying the content, and the last is a set of helper applications/interpreters used to process the content of the down-loaded objects. The design is presented in Figure 5.

[Figure 5: component diagram of the browser; recoverable labels: Browser Log-in Daemon, Browser Display.]
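The authentication stage that Figure 4 describes for incoming objects, and that the three-part design places in the browser's log-in daemon, comes down to a small decision: verify whatever credential the object carries, assign it a sub-user id (the most restrictive one when nothing verifies), and hand it to the display daemon or to a helper. The Python below is an added example and not the authors' Perl prototype; the paper leaves the credential format open (certificates are listed as future work), so the HMAC token, the issuer names and keys, the sub-user ids 1500/1600/2000 and the helper names are all assumptions constructed for this illustration.

```python
"""Toy model of the browser log-in daemon (Figures 4 and 5): authenticate an
incoming object, assign its sub-user id, and pick the component that will
process it. Constructed example, not the authors' Perl prototype; token
format, issuers, keys, sub-user ids and helper names are assumptions."""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Sub-user ids the daemon hands out. Unauthenticated objects get the most
# restrictive one; no object ever keeps the downloading user's own rights.
SUBUID_ANONYMOUS = 2000
SUBUID_BY_ISSUER: Dict[str, int] = {"intranet-ca": 1500, "partner-ca": 1600}

# Per-issuer HMAC keys stand in for the "cryptographic token" of Figure 4
# (constructed for the example; the paper does not fix the credential type).
ISSUER_KEYS: Dict[str, bytes] = {
    "intranet-ca": b"constructed-intranet-key",
    "partner-ca": b"constructed-partner-key",
}

# Which back end processes a downloaded object: the display daemon for plain
# pages, a helper/interpreter for the other types the browser accepts.
HELPERS: Dict[str, str] = {
    "text/html": "browser-display",
    "application/postscript": "ghostscript",
    "application/x-perl": "perl",
    "application/x-javascript": "javascript-interpreter",
}


def make_token(issuer: str, body: bytes) -> str:
    """Issuer side: bind a MAC over the object body to the issuer's name."""
    mac = hmac.new(ISSUER_KEYS[issuer], body, hashlib.sha256).hexdigest()
    return f"{issuer}:{mac}"


def login_daemon(body: bytes, content_type: str,
                 token: Optional[str] = None) -> Tuple[int, Optional[str]]:
    """Object 'log-in'. Returns (sub_uid, handler); handler is None when the
    browser has no component for that content type and must refuse it."""
    sub_uid = SUBUID_ANONYMOUS
    if token is not None:
        issuer, _, mac = token.partition(":")
        key = ISSUER_KEYS.get(issuer)
        if key is not None:
            expected = hmac.new(key, body, hashlib.sha256).hexdigest()
            # Constant-time compare. A tampered body, a forged MAC or an
            # unknown issuer all fall through to the anonymous sub-uid; the
            # user is never asked to decide.
            if hmac.compare_digest(expected, mac):
                sub_uid = SUBUID_BY_ISSUER[issuer]
    return sub_uid, HELPERS.get(content_type)


def demo() -> Dict[str, Tuple[int, Optional[str]]]:
    """Constructed downloads exercising each decision path of the daemon."""
    ps = b"%!PS-Adobe-3.0\nshowpage\n"
    good = make_token("intranet-ca", ps)
    return {
        "signed_ps": login_daemon(ps, "application/postscript", good),
        "tampered_ps": login_daemon(ps + b"(/etc/passwd) run\n",
                                    "application/postscript", good),
        "unknown_issuer": login_daemon(ps, "application/postscript",
                                       "rogue-ca:" + "0" * 64),
        "unsigned_html": login_daemon(b"<html></html>", "text/html"),
        "unknown_type": login_daemon(b"MZ...", "application/x-msdownload"),
    }


if __name__ == "__main__":
    for name, (sub_uid, handler) in demo().items():
        print(f"{name:15} -> sub-uid {sub_uid}, handler {handler}")
```

The sub-user id returned here is what the SubOS kernel would record with the file before the helper opens it, so a verified intranet document and an anonymous one reach the same ghostscript binary but with different confinement; the daemon never escalates on failure, only on a verified credential.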
6 Conclusions

We have presented the architecture of a secure web browser that protects against malicious incoming objects. We have implemented a first version of our prototype on a SubOS-capable OpenBSD 2.8 [2] operating system using Perl.

There are several advantages in our modular architecture versus the monolithic architecture of popular Web browsers, such as Netscape Navigator and Microsoft Internet Explorer. Our design adds a stage of authentication before any incoming object is processed. The burden of access control is moved from the browser and its helper applications to the operating system, allowing for a simpler and therefore more secure design. Finally, the user is not involved in the processing of incoming objects, and therefore cannot be tricked into executing hostile code. Presently, however, our architecture requires that the operating system provides a data-centric protection mechanism that associates permissions and privileges with data objects. This limits us to our experimental SubOS-enabled OpenBSD operating system.

There are still some things that remain to be added to our prototype in order to offer more complete functionality:

- We currently don't support frames. Frames require special handling since each frame consists of an HTML document with possibly individual security properties. In future versions of our browser we will add this functionality to the browser display daemon.
- Only a subset of HTML was implemented, so there are a number of tags that need to be added, along with their possible variables.
- We want to expand the <SCRIPT> tag to deal with additional embedded scripting languages other than JavaScript and Perl.
- Finally, we need to have some kind of secure authentication mechanism for the browser log-in daemon. The possible solutions we are considering are either an additional tag that carries a certificate in the down-loaded web page, or a certificate attached to the HTTP request.

Acknowledgments

We would like to thank Jonathan M. Smith for his useful comments and guidance throughout the course of this work. We would also like to thank the FREENIX 2001 anonymous reviewers and our "shepherd" Ken Coar for their comments and suggestions on improving this paper.

References

[1] NJS JavaScript Interpreter. http://www.bbassett.net/njs/.

[2] The OpenBSD Operating System. http://www.openbsd.org/.

[3] World Wide Web Consortium. http://www.w3.org/.

[4] Anurag Acharya and Mandar Raje. MAPbox: Using Parameterized Behavior Classes to Confine Applications. In Proceedings of the 2000 USENIX Security Symposium, pages 1-17, Denver, CO, August 2000.

[5] Andrew Berman, Virgil Bourassa, and Erik Selberg. TRON: Process-Specific File Protection for the UNIX Operating System. In USENIX 1995 Technical Conference, New Orleans, Louisiana, January 1995.

[6] David Flanagan. JavaScript: The Definitive Guide. O'Reilly, 1998.

[7] Tim Fraser, Lee Badger, and Mark Feldman. Hardening COTS Software with Generic Software Wrappers. In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 1999.

[8] Ian Goldberg, David Wagner, Randi Thomas, and Eric A. Brewer. A Secure Environment for Untrusted Helper Applications. In USENIX 1996 Technical Conference, 1996.

[9] Li Gong. Inside Java 2 Platform Security. Addison-Wesley, 1999.

[10] James Gosling, Bill Joy, and Guy Steele. The Java Language Specification. Addison-Wesley, Reading, 1996.

[11] CERT Advisories. http://www.cert.org/advisories/.
[12] Sotiris Ioannidis and Steven M. Bellovin. Sub-Operating Systems: A New Approach to Application Security. Technical Report MS-CIS-01-06, University of Pennsylvania, February 2000.

[13] R. Kaplan. SUID and SGID Based Attacks on UNIX: A Look at One Form of the Use and Abuse of Privileges. Computer Security Journal, 9(1):73-7, 1993.

[14] Jacob Y. Levy, Laurent Demailly, John K. Ousterhout, and Brent B. Welch. The Safe-Tcl Security Model. In USENIX 1998 Annual Technical Conference, New Orleans, Louisiana, June 1998.

[15] Gary McGraw and Edward W. Felten. Java Security: Hostile Applets, Holes and Antidotes. Wiley, New York, NY, 1997.

[16] G. C. Necula and P. Lee. Safe, Untrusted Agents using Proof-Carrying Code. In Lecture Notes in Computer Science Special Issue on Mobile Agents, October 1997.

[17] Dan S. Wallach, Dirk Balfanz, Drew Dean, and Edward W. Felten. Extensible Security Architectures for Java. In Proceedings of the 16th ACM Symposium on Operating Systems Principles, October 1997.