SlideShare une entreprise Scribd logo
1  sur  23
Télécharger pour lire hors ligne
SOMA:
Mutual Approval for Included
  Content On Web Pages

       Terri Oda, Glenn Wurster,
    P. C. van Oorschot, Anil Somayaji
SOMA


               Same Origin Mutual Approval

               Tighten the JavaScript Same
                  Origin policy to prevent
                  additional attacks
               Extension to web browsers
                       – Obey simple policies set by
                          site operators




http://flickr.com/photos/kenturamon/168978666/         2
Same Origin Policy

 All JavaScript code has full access to:
     – Run/Overwrite all other JavaScript code
     – Read/Write to other content from the document origin
 Same Origin Policy restricts access to content from
    other domains




                                                              3
Same Origin Policy

 Same Origin policy restricts read and modify access
 Fetching of content is unrestricted


   Content                     Permissions
    Type       Fetch    Read     Modify Execute   Display
 Images         YES      SO        SO      NO       YES
 HTML           YES      SO        SO      NO       YES
 JavaScript     YES      SO       YES      YES      NO
 Audio/Video    YES    Plugin Dependant    NO       YES




                                                            4
Sample Web Attack




                    5
Inclusions




Inclusions allowed with Same Origin        Inclusions allowed with SOMA

                                                                          6
SOMA Manifests

1. A file on the origin domain (/soma-manifest)
2. Lists domains approved by origin site


                    Possible Manifest States
                           (given by site A)
Server Response                  Meaning              Symbol
No Manifest                  All sites approved        AAB
B in Manifest             Content from B allowed       AAB
B not in Manifest        Content from B not allowed    ACB


For some domain B


                                                               7
SOMA Approvals

1. Script on content provider site (/soma-approval)
2. Responds to approval requests
        – Based on origin page domain


               Possible Approval Responses
                              (by site B)
Server Response                  Meaning                    Symbol
File Not Found               All sites approved              BBA
YES                   Can include content into A's page      BBA
NO                  Can NOT include content into A's page    BDA

For some domain A


                                                                     8
SOMA Message Flow

 Originating                                                       Remote
                                  Web Browser
Web Server A                                                     Web Server B

          Request Page
        Request Manifest
         Return Manifest
           Return Page

               If A wants to include        Request Approval
               content from B (and
               B is in A's manifest)   Approval Response (YES/NO)


                   If B returns YES         Request Content
                                                Return Content



                                                                                9
Cross Site Scripting

 Any script can include other scripts (from any site)
 Inclusion blocked by SOMA Manifest




                                                         10
Unrestricted Outbound Communication

 Any script can read content from the document origin
 Transmission blocked by SOMA Manifest




                                                   11
Cross Site Request Forgery

 A script can make requests to any domain
 Request blocked by SOMA Approval




                                             12
Bandwidth Stealing

 A document can include content from anywhere
 Inclusion blocked by SOMA Approval




                                                 13
SOMA Prototype

 Mozilla Firefox 2 Add-on
     – also compatible with Firefox 3
     – can be downloaded and tried out
           – http://ccsl.carleton.ca/software/soma
 Fully backwards compatible
     – current websites appear unchanged
 Stops attacks discussed earlier
 Icon in statusbar indicates that SOMA is running




                                                     14
Screenshot of Prototype




                          15
Deployment

 Need:
     – minor modifications to browser
            – Mozilla SOMA Add-on implementation code is 12k
     – policy on origin & content providers (ideally)
            – some protection if either side provides policy
 Requires some additional network overhead
     – fetch manifest from origin
     – fetch approval from each content provider before
         fetching content
 Deployment is incremental


                                                               16
Performance

 Approvals overhead:
     – adds one additional round trip
     – estimated additional page load time is 5.58%
     – estimate probably overstated:
           – We used average content response size: 10459 bytes
           – soma-approval response size: 4 bytes (0.1% overhead)
                  • independent of site complexity
 Manifest size:
     – checked front page of top 500 Alexa sites
     – average: 5.45 domains per site (5.3 stdev)



                                                                    17
Complementary Work:
Existing Code Injection Prevention

     Do careful input checking
         – risk of interactions with web page
         – difficult to do well
         – done by web programmer in source code

     Detect known code injection attacks
         – XSS, CSRF, SQL Injection
         – risk of false positives/missing new attacks
         – can be done by 3rd party tool
            • eg: web application firewalls



                                                    18
Complementary Work:
                   Mashups

 A mashup is a web application
  which combines information and
  code from different sources
 There has been work on ways to
  make them more secure
  – better separation between components
  – communication between different contexts
 Mashup work focuses on interactions within the page
  – SOMA focuses on interactions with external servers
 Requires use of tools by skilled web developers


                                                         19
Related Work:
Tahoma and Flash

 Tahoma [Cox 2006]
     – SOMA Manifest for VM's




 Flash's crossdomain.xml
    – SOMA approvals for Flash




                                 20
Related Work:
       Mozilla's Content Security Policy

 First version (“Site Security Policy”) similar to SOMA
 Most recent version has only manifest
     – Does not protect against cross site request forgery
 Other major differences:
     – policy is per-resource
     – more complex syntax required




                                                             21
SOMA Benefits

1. Incrementally deployable (with incremental benefit)
2. No configuration/usage burden on end users
3. Required changes/configuration are done by site
operators
4. Changes are relatively simple to
understand and easy to implement
5. Gives server operators the ability
to specify which sites can interact
with their content

                                                         22
Thanks!

 Carleton Computer Security Laboratory:
     – http://ccsl.carleton.ca
 SOMA Firefox Add-On (and more info):
     – http://ccsl.carleton.ca/software/soma




                                               23

Contenu connexe

Dernier

Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 

Dernier (20)

Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 

En vedette

AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Applitools
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at WorkGetSmarter
 

En vedette (20)

AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work
 
ChatGPT webinar slides
ChatGPT webinar slidesChatGPT webinar slides
ChatGPT webinar slides
 
More than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike RoutesMore than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike Routes
 

SOMA: Mutual Approval for Included Content On Web Pages

  • 1. SOMA: Mutual Approval for Included Content On Web Pages Terri Oda, Glenn Wurster, P. C. van Oorschot, Anil Somayaji
  • 2. SOMA  Same Origin Mutual Approval  Tighten the JavaScript Same Origin policy to prevent additional attacks  Extension to web browsers – Obey simple policies set by site operators http://flickr.com/photos/kenturamon/168978666/ 2
  • 3. Same Origin Policy  All JavaScript code has full access to: – Run/Overwrite all other JavaScript code – Read/Write to other content from the document origin  Same Origin Policy restricts access to content from other domains 3
  • 4. Same Origin Policy  Same Origin policy restricts read and modify access  Fetching of content is unrestricted Content Permissions Type Fetch Read Modify Execute Display Images YES SO SO NO YES HTML YES SO SO NO YES JavaScript YES SO YES YES NO Audio/Video YES Plugin Dependant NO YES 4
  • 6. Inclusions Inclusions allowed with Same Origin Inclusions allowed with SOMA 6
  • 7. SOMA Manifests 1. A file on the origin domain (/soma-manifest) 2. Lists domains approved by origin site Possible Manifest States (given by site A) Server Response Meaning Symbol No Manifest All sites approved AAB B in Manifest Content from B allowed AAB B not in Manifest Content from B not allowed ACB For some domain B 7
  • 8. SOMA Approvals 1. Script on content provider site (/soma-approval) 2. Responds to approval requests – Based on origin page domain Possible Approval Responses (by site B) Server Response Meaning Symbol File Not Found All sites approved BBA YES Can include content into A's page BBA NO Can NOT include content into A's page BDA For some domain A 8
  • 9. SOMA Message Flow Originating Remote Web Browser Web Server A Web Server B Request Page Request Manifest Return Manifest Return Page If A wants to include Request Approval content from B (and B is in A's manifest) Approval Response (YES/NO) If B returns YES Request Content Return Content 9
  • 10. Cross Site Scripting  Any script can include other scripts (from any site)  Inclusion blocked by SOMA Manifest 10
  • 11. Unrestricted Outbound Communication  Any script can read content from the document origin  Transmission blocked by SOMA Manifest 11
  • 12. Cross Site Request Forgery  A script can make requests to any domain  Request blocked by SOMA Approval 12
  • 13. Bandwidth Stealing  A document can include content from anywhere  Inclusion blocked by SOMA Approval 13
  • 14. SOMA Prototype  Mozilla Firefox 2 Add-on – also compatible with Firefox 3 – can be downloaded and tried out – http://ccsl.carleton.ca/software/soma  Fully backwards compatible – current websites appear unchanged  Stops attacks discussed earlier  Icon in statusbar indicates that SOMA is running 14
  • 16. Deployment  Need: – minor modifications to browser – Mozilla SOMA Add-on implementation code is 12k – policy on origin & content providers (ideally) – some protection if either side provides policy  Requires some additional network overhead – fetch manifest from origin – fetch approval from each content provider before fetching content  Deployment is incremental 16
  • 17. Performance  Approvals overhead: – adds one additional round trip – estimated additional page load time is 5.58% – estimate probably overstated: – We used average content response size: 10459 bytes – soma-approval response size: 4 bytes (0.1% overhead) • independent of site complexity  Manifest size: – checked front page of top 500 Alexa sites – average: 5.45 domains per site (5.3 stdev) 17
  • 18. Complementary Work: Existing Code Injection Prevention  Do careful input checking – risk of interactions with web page – difficult to do well – done by web programmer in source code  Detect known code injection attacks – XSS, CSRF, SQL Injection – risk of false positives/missing new attacks – can be done by 3rd party tool • eg: web application firewalls 18
  • 19. Complementary Work: Mashups  A mashup is a web application which combines information and code from different sources  There has been work on ways to make them more secure – better separation between components – communication between different contexts  Mashup work focuses on interactions within the page – SOMA focuses on interactions with external servers  Requires use of tools by skilled web developers 19
  • 20. Related Work: Tahoma and Flash  Tahoma [Cox 2006] – SOMA Manifest for VM's  Flash's crossdomain.xml – SOMA approvals for Flash 20
  • 21. Related Work: Mozilla's Content Security Policy  First version (“Site Security Policy”) similar to SOMA  Most recent version has only manifest – Does not protect against cross site request forgery  Other major differences: – policy is per-resource – more complex syntax required 21
  • 22. SOMA Benefits 1. Incrementally deployable (with incremental benefit) 2. No configuration/usage burden on end users 3. Required changes/configuration are done by site operators 4. Changes are relatively simple to understand and easy to implement 5. Gives server operators the ability to specify which sites can interact with their content 22
  • 23. Thanks!  Carleton Computer Security Laboratory: – http://ccsl.carleton.ca  SOMA Firefox Add-On (and more info): – http://ccsl.carleton.ca/software/soma 23