Communications - June 2009

technical Perspective
Reframing security
for the Web
By Andrew Myers

DOi: 10.1145/1516046.1516065

thE WEB has

brought exciting new functionality while simultaneously requiring new mechanisms to make it secure. We’ve repeatedly discovered that these mechanisms are not good enough, as clever hackers and academics have figured out how to circumvent and misuse them to compromise security.

We now live in a world in which viewing an advertisement might compromise your bank account. In the following paper, “Securing Frame Communication in Browsers,” researchers Adam Barth, Collin Jackson, and John Mitchell not only illustrate how subtle some of these security vulnerabilities can be, they show how to solve them in a principled way. This paper has had a real impact: their solutions have already been widely adopted.

Why is Web security difficult? It’s because the Web browser is a place where programs and data from different sources interact. Each source may control resources whose security can be affected by the programs and data from other sources. In fact, there is a deep, underlying problem that has never been satisfactorily solved: how to securely permit fine-grained sharing and communication between programs from mutually distrusting sources. Conventionally, security was considered the job of the operating system. But the granularity of operating system enforcement is far too coarse for Web applications, whose security depends on the precise details of the interactions between ap-plication-level data structures such as frames, cookies, and interpreted application code.

Web security forces us to think anew about the problem of fine-grained sharing across trust domains because

many exciting new applications and services require this sharing. Some of the techniques developed for operating system security, such as controlled communication between processes, can be adapted to the Web. But Web security poses new challenges as well. For example, Web security violations can occur within the context of a single Web page, which often comprises multiple frames controlled by code from different sources. These frames may be third-party advertisements or integrated content from multiple parties who do not trust each other; the many mashups based on Google Maps are examples of the latter. The absence of effective solutions to the problem of fine-grained interaction between trust domains—coexisting on the very same Web page—has left Web applications vulnerable.

Fortunately, researchers like Barth, Jackson, and Mitchell are applying principled methods to identify and eliminate these vulnerabilities. The vulnerabilities they address arise from

the paper is
a great example
of research that
has impact
precisely because
it offers principled
solutions.

the feature of frame navigation in Web browsers. Code running in one frame (that is, one trust domain) can control where another frame loads its content from. The authors use elegant reasoning to identify the most permissive secure policy for controlling frame navigation. This argument is so simple and convincing that the policy they identify has been adopted by most major browsers.

In itself, this would be a significant contribution, but the paper goes farther. It newly identifies vulnerabilities in two important mechanisms for communication between different frames; one of these mechanisms is in the HTML 5 standard. The paper gives a thoughtful and principled analysis of each communication mechanism and identifies a fix for each. These fixes have also been adopted by current browsers and communication libraries.

The paper is a great example of research that has impact precisely because it offers principled solutions. Too often, proposed computer security mechanisms merely raise the bar against attacks, starting the next phase of an arms race. This is a different kind of work—work that clearly identifies and convincingly solves a real security problem. The work described in this paper makes our lives more secure and helps the next generation of applications to be built securely. And their work also helps us understand how to think about the new security challenges that lie ahead.