1. Beyond IFrames:Web Sandboxes Scott Isaacs Software Architect Microsoft

2. How Web Sites are Built Today Google Friend Connect Youtube The Web normally has a Same Origin Policy – but in practice, “your script works in my origin” All JavaScript code in the page, regardless of origin, has the same trust level and permissions If one bit of code fails or is compromised, the entire page/app/site can be compromised Quick Demo… Youtube Google News Error from Amazon

3. Circles of (Dis)Trust Shared Frameworks Affiliates Images Gadgets Maps You Tube Your Code Social Networks Analytics Search Content Display Ads Images

4. User’s Expectations ≠ Reality Mismatch between browser security and expectations O/S boundaries protected Cross-domain content protected Composite pages have a single policy Aggregation (mash-ups) not protected You need a composite policy for a composite page Let’s secure the cookie…

5. The growing risk… Differentiation between Cloud and Local Services is blurring… User Data being aggregated… Personal Data (both local and cloud-based) Storage, Photos, E-Mail, Social Network/ Contacts, IM Devices Phones, GPS, Camera, etc. …and exposed to… Site Services Rich Advertising, Analytics, Maps, Affiliate Programs Site Extensibility Gadgets, Libraries, etc.

6. What about IFrames? Still exploitable… Run-away code… Navigation… Click-Jacking… And not rich enough… Designed for content embedding Established fixed “policies” Won’t work for display integration (e.g., fly outs) Fails for tight integration w/ API’s, CSS Isolation model, not a Security Architecture

7. Web Sandbox Isolate and secure the boundaries via composite host-defined policies Builds on existing knowledge Embrace existing programming patterns Provides browser equalization Open Source Project (Apache License)

8. QoS - Going beyond security Profiles executing code Error tracking and recovery Code Throttling LifeCycle management QoS Demo…

9. Your Web Page Creating Secure Containers Policy and Rules Policy and Rules Policy and Rules Web Sandbox Virtual Machine Web Sandbox Virtual Machine Web Sandbox Virtual Machine Untrusted Script Untrusted Script Untrusted Script

10. Web Sandbox: The Big Picture Trusted Host(e.g., Your Site) Requests Content(untrusted) SandboxVirtual Machine(JavaScript Library) Sandboxed Execution Sandboxed Execution TransformationPipeline (Server or Client-based) Untrusted Content Virtualize Code

11. Transformation Process Request Resource Parse Resource Output JavaScript for execution within the Sandbox VM Let’s take a look….

12. Sandbox Virtual Machine Validates execution against policies Supports instancing and lifecycle Monitors QoS via profiling & throttling Protects external communication

13. Policies Contextually-aware API “tables” Allow/Deny/Augment rules Cascading model Default “Gadget” Policy Supports JavaScript/ W3C DOM Provides Namespace isolation Demo…

14. Trusted/ Untrusted boundaries Custom Policies to Surface Host APIs Demo… Mutually distrusted components sharing single “Trusted” Map

15. Simple Integration… <script src="sandbox2.js"></script> <div id="box"></div> <script src="transform.ashx?type=script&guid=GadgetGUID&ua=IE8&url=http://siteexperts.com/untrusted.js"></script> <script>var instance = new $Sandbox(document.getElementById("box"), $Policy.Gadget, 'GadgetGUID');instance.initialize(); </script>

16. Closing Thoughts… Web Application ecosystem is evolving Applications getting richer via aggregation More valuable services and personal data are exposed The web security model must evolve Web-sandbox adds protection across the boundaries Sites can properly model and enforce the trust relationship Sites can protect themselves and their users Possible without redefining the web… Go play with it (http://websandbox.livelabs.com)

17. Questions? Learn more at: http://websandbox.livelabs.com Also don’t miss the panelSecure Mashups: Getting to Safe Web Plug-insWednesday, 10:55am