DOI: 10.1145/2508859.2516722
Research article, CCS conference proceedings

Content-based isolation: rethinking isolation policy design on client systems

Published: 04 November 2013

Abstract

Modern client platforms, such as iOS, Android, Windows Phone, and Windows 8, have progressed from a per-user isolation policy, where users are isolated but a user's applications run in the same isolation container, to an application isolation policy, where different applications are isolated from one another. However, this is not enough, because mutually distrusting pieces of content can interfere with one another inside a single application. For example, an attacker-crafted image may compromise a photo editor application and steal other images processed by the editor.
In this paper, we advocate a content-based principal model in which the OS treats content owners as its principals and isolates content of different owners from one another. Our key contribution is to generalize the content-based principal model from web browsers, namely, the same-origin policy, into an isolation policy that is suitable for all applications. The key challenge we faced was to support flexible isolation granularities while remaining compatible with the web. In this paper, we present the design, implementation, and evaluation of our prototype system that tackles this challenge.



Published In

CCS '13: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security
November 2013, 1530 pages
ISBN: 9781450324779
DOI: 10.1145/2508859

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

isolation; same-origin policy; web browsers

Qualifier: Research article
Conference: CCS '13

Acceptance Rates

CCS '13 paper acceptance rate: 105 of 530 submissions (20%)
Overall acceptance rate: 1,261 of 6,999 submissions (18%)


Cited By

  • (2019) Site isolation. Proceedings of the 28th USENIX Conference on Security Symposium, pp. 1661-1678. DOI: 10.5555/3361338.3361454. Online publication date: 14 Aug 2019.
  • (2019) Programming Situational Mobile Web Applications with Cloud-Mobile Convergence: An Internetware-Oriented Approach. IEEE Transactions on Services Computing 12(1), pp. 6-19. DOI: 10.1109/TSC.2016.2587260. Online publication date: 1 Jan 2019.
  • (2018) Survey on Compromise-Defensive System Design. Information Science and Applications 2018, pp. 513-521. DOI: 10.1007/978-981-13-1056-0_51. Online publication date: 24 Jul 2018.
  • (2016) On the Origin of Mobile Apps. Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy, pp. 160-171. DOI: 10.1145/2857705.2857712. Online publication date: 9 Mar 2016.
  • (2015) Maxoid. Proceedings of the Tenth European Conference on Computer Systems, pp. 1-16. DOI: 10.1145/2741948.2741966. Online publication date: 17 Apr 2015.
  • (2015) Mash Droid. Proceedings of the 2015 IEEE International Conference on Web Services, pp. 725-730. DOI: 10.1109/ICWS.2015.102. Online publication date: 27 Jun 2015.
