Technical Perspective
Reframing Security for the Web
By Andrew Myers
DOI: 10.1145/1516046.1516065

The Web has brought exciting new functionality while simultaneously requiring new mechanisms to make it secure.
We've repeatedly discovered that these mechanisms are not good enough, as clever hackers and academics have figured out how to circumvent and misuse them to compromise security. We now live in a world in which viewing an advertisement might compromise your bank account. In the following paper, "Securing Frame Communication in Browsers," researchers Adam Barth, Collin Jackson, and John Mitchell not only illustrate how subtle some of these security vulnerabilities can be, they show how to solve them in a principled way. This paper has had a real impact: their solutions have already been widely adopted.
Why is Web security difficult? It's because the Web browser is a place where programs and data from different sources interact. Each source may control resources whose security can be affected by the programs and data from other sources. In fact, there is a deep, underlying problem that has never been satisfactorily solved: how to securely permit fine-grained sharing and communication between programs from mutually distrusting sources. Conventionally, security was considered the job of the operating system. But the granularity of operating system enforcement is far too coarse for Web applications, whose security depends on the precise details of the interactions between application-level data structures such as frames, cookies, and interpreted application code.
Web security forces us to think anew about the problem of fine-grained sharing across trust domains because many exciting new applications and services require this sharing. Some of the techniques developed for operating system security, such as controlled communication between processes, can be adapted to the Web. But Web security poses new challenges as well. For example, Web security violations can occur within the context of a single Web page, which often comprises multiple frames controlled by code from different sources. These frames may be third-party advertisements or integrated content from multiple parties who do not trust each other; the many mashups based on Google Maps are examples of the latter. The absence of effective solutions to the problem of fine-grained interaction between trust domains—coexisting on the very same Web page—has left Web applications vulnerable.
Fortunately, researchers like Barth, Jackson, and Mitchell are applying principled methods to identify and eliminate these vulnerabilities. The vulnerabilities they address arise from
the feature of frame navigation in Web browsers. Code running in one frame (that is, one trust domain) can control where another frame loads its content from. The authors use elegant reasoning to identify the most permissive secure policy for controlling frame navigation. This argument is so simple and convincing that the policy they identify has been adopted by most major browsers.
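The policy the authors settle on is the descendant policy: a frame may navigate a target frame only if it is the target's ancestor, or shares an origin with the target or one of the target's ancestors. As an added illustration that is not code from the paper or from this perspective, the model below represents a page's frame tree as plain objects and evaluates every navigator/target pair under both the old permissive policy and the descendant policy. The frame names and origins (`bank.example`, `maps.example`, `ads.example`) are constructed for the example.

```javascript
// Added example (not from the paper or this perspective): a toy model of a
// browser's frame tree used to compare the permissive and descendant
// frame-navigation policies. Frame names and origins are constructed.

// A frame has an origin and an optional parent; the top-level frame has none.
class Frame {
  constructor(name, origin, parent = null) {
    this.name = name;
    this.origin = origin;
    this.parent = parent;
  }
  // Every ancestor, from the parent up to the top-level frame.
  ancestors() {
    const out = [];
    for (let f = this.parent; f !== null; f = f.parent) out.push(f);
    return out;
  }
}

// Permissive policy: any frame may navigate any other frame. This is the
// behaviour that let an embedded advertisement retarget an unrelated frame.
function permissivePolicyAllows(actor, target) {
  return true;
}

// Descendant policy (the one the paper argues for): the acting frame may
// navigate the target only if it is the target itself or an ancestor of it,
// or it shares an origin with the target or one of the target's ancestors.
function descendantPolicyAllows(actor, target) {
  if (actor === target || actor.origin === target.origin) return true;
  return target
    .ancestors()
    .some((a) => a === actor || a.origin === actor.origin);
}

// Constructed frame tree: a bank page embeds a map mashup and an ad.
//   top (bank.example)
//   |-- map (maps.example)
//   |     `-- mapInner (maps.example)
//   `-- ad (ads.example)
function buildSampleTree() {
  const top = new Frame("top", "https://bank.example");
  const map = new Frame("map", "https://maps.example", top);
  const mapInner = new Frame("mapInner", "https://maps.example", map);
  const ad = new Frame("ad", "https://ads.example", top);
  return { top, map, mapInner, ad };
}

// Evaluate every (actor, target) pair under a policy; returns a map from
// "actor->target" to the decision so the two policies can be compared.
function decisions(policy, tree) {
  const frames = Object.values(tree);
  const result = {};
  for (const n of frames)
    for (const t of frames) result[`${n.name}->${t.name}`] = policy(n, t);
  return result;
}

const sample = buildSampleTree();
console.log("permissive:", decisions(permissivePolicyAllows, sample));
console.log("descendant:", decisions(descendantPolicyAllows, sample));
```

Under the descendant policy the advertisement frame can no longer navigate the top-level bank page or the map frame, while the bank page keeps full control over everything it embeds; that asymmetry is exactly what makes the policy both usable and safe.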
In itself, this would be a significant contribution, but the paper goes farther. It newly identifies vulnerabilities in two important mechanisms for communication between different frames; one of these mechanisms is in the HTML 5 standard. The paper gives a thoughtful and principled analysis of each communication mechanism and identifies a fix for each. These fixes have also been adopted by current browsers and communication libraries.
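The HTML 5 mechanism in question is `window.postMessage`, and the fix that browsers adopted has two halves: the sender names the origin it intends to reach, and the receiver is told the origin the message actually came from and must check it. As an added example that is not code from the paper or this perspective, the handler below shows the receiver-side check and a sender wrapper that refuses to broadcast to any origin. It operates on plain objects shaped like `MessageEvent` so it runs offline; `TRUSTED_ORIGIN`, the sample origins and the payloads are constructed for the example.

```javascript
// Added example (not from the paper or this perspective): the receiver-side
// origin check that the fixed postMessage mechanism makes possible, and a
// sender wrapper that always names its target origin. Origins and payloads
// below are constructed; TRUSTED_ORIGIN is an assumed configuration value.

const TRUSTED_ORIGIN = "https://bank.example"; // assumed: the only accepted sender

// Returns the parsed command object when the message is accepted, or null
// when it is rejected. Rejections are logged so they can be detected rather
// than silently dropped.
function handleMessage(event, trustedOrigin = TRUSTED_ORIGIN, log = console) {
  // The vulnerable pattern is to act on event.data without ever looking at
  // event.origin. Any frame holding a reference to this window can send a
  // message, so the origin is compared exactly (scheme, host and port).
  if (event.origin !== trustedOrigin) {
    log.warn(`rejected message from unexpected origin ${event.origin}`);
    return null;
  }
  // Even from the trusted origin, validate the payload's shape before use.
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (e) {
    log.warn("rejected malformed message");
    return null;
  }
  if (typeof msg !== "object" || msg === null || typeof msg.command !== "string") {
    log.warn("rejected message without a string command");
    return null;
  }
  return msg;
}

// Sender side: always name the intended recipient origin. If the target
// window has been navigated elsewhere in the meantime, the browser drops the
// message instead of delivering it to whatever site now occupies the frame.
function sendToFrame(targetWindow, payload, targetOrigin) {
  if (targetOrigin === "*") {
    throw new Error("refusing to broadcast a message to any origin");
  }
  targetWindow.postMessage(JSON.stringify(payload), targetOrigin);
}

// Constructed events standing in for MessageEvents a browser would deliver.
const sampleEvents = [
  { origin: "https://bank.example", data: JSON.stringify({ command: "refresh" }) },
  { origin: "https://ads.example", data: JSON.stringify({ command: "transfer" }) },
  { origin: "https://bank.example", data: "not json" },
];

// In a browser, register the handler on the real event source.
if (typeof window !== "undefined") {
  window.addEventListener("message", (e) => handleMessage(e));
}

// Offline demonstration of the three constructed events.
for (const ev of sampleEvents) {
  console.log(ev.origin, "->", handleMessage(ev));
}
```

The two checks are independent: the sender's `targetOrigin` protects against the recipient frame having been navigated away, while the receiver's `event.origin` check protects against messages from frames that were never meant to talk to it.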
The paper is a great example of research that has impact precisely because it offers principled solutions. Too often, proposed computer security mechanisms merely raise the bar against attacks, starting the next phase of an arms race. This is a different kind of work—work that clearly identifies and convincingly solves a real security problem. The work described in this paper makes our lives more secure and helps the next generation of applications to be built securely. And their work also helps us understand how to think about the new security challenges that lie ahead.
Andrew Myers is an associate professor of computer science at Cornell University, Ithaca, NY.

© 2009 ACM 0001-0782/09/0600 $10.00