Privilege Separation in Browser Extensions Based on Web Workers
Advanced Materials Research, Trans Tech Publications, Switzerland

Chunmei Yu 1,a, Jianhua Sun 2,b, Hao Chen 3,c, and Xianghua Xu 4,d
1,2,3 College of Information Science and Engineering, Hunan University, Changsha, China
4 Zhejiang Provincial Key Lab of Data Storage and Transmission Technology, Hangzhou Dianzi University, China
a lantianxia@hnu.edu.cn, b jhsun@aimlab.org, c haochen@aimlab.org

Keywords: Privilege Separation, Web Workers

Abstract. In this paper, we propose to use Web Workers [1], isolated parallel threads that run in the background in current browsers, to enforce privilege separation in Chrome extensions. Our tests show that our design is applicable to most Chrome extensions (those not using the jQuery library) and achieves a reduction in TCB of up to 77 percent for our examples. Our implementation shows that our design is efficient enough to enforce privilege separation in Chrome extensions and does not require modifying the browser or learning new high-level languages.

Introduction

With Web applications and browser extensions becoming more and more popular, web vulnerabilities are still pervasive [2]. Web applications that hold elevated privileges are the main target of attackers. The Google Chrome Extension platform has recognized the necessity of enforcing privilege separation in Chrome extensions. It divides a Chrome extension into two components: the core extension, which runs in an isolated sandbox, and content scripts, which are in charge of interacting with the browser [4]. The permission mechanism enforces restrictions on the privileges the extension requires [7]. However, this design, which requires modifying the browser and its permission mechanism, is not sufficient to enforce privilege separation because of its coarse-grained policies.
Recently, the paper [3] proposed a language-based approach that isolates an application by assigning every component of a Web application a minimum of privileges, with each component forming an isolated domain. But in this approach developers must learn a new high-level language, which is time consuming, and complete compatibility with legacy code cannot be maintained. In 2012, iframes were proposed to enforce privilege separation in Web applications. But this has the shortcoming that the script code in an iframe may impact the main page's liveness if the script code consumes the resources of the browser or goes into a dead loop [6].

In this paper, we propose to use Web Workers to enforce privilege separation in Chrome extensions. Web Workers provide a completely isolated JavaScript environment and work in the background, so they cannot impact the main page's liveness. In our system, we create a common privileged master and a few unprivileged workers. The number of components into which a Chrome extension is divided is decided by the number of extension pages; e.g., we divide an extension owning background.html, popup.html and options.html into three components. We put all the functional JS files from an extension page into an unprivileged Web Worker, while the HTML and CSS files still execute in the extension page. The workers communicate with the master using postMessage [6]. The master interposes on all the privileged calls from workers by enforcing fine-grained policy code that is application-specific and can be modified freely by developers.

We show that our proposal is practical for most existing Chrome extensions. We retrofit two Google Chrome extensions to use our design. Its overhead for memory consumption is a little high, but the absolute costs are tolerable (no human-perceivable latency). In our examples, the trusted computing base (TCB) [8] is reduced by up to 77 percent and no more than 18 lines of code need to change. There is also no need for developers to learn new languages.

There is a limitation to our design. Since Web Workers can't access the DOM, the jQuery library will not work in them. As a result, our design is only applicable to Chrome extensions that do not use jQuery.

Design

In this section, we describe our privilege separation architecture for Chrome extensions. In our design, an extension has a common privileged master and an arbitrary number of unprivileged Web Workers [6]. The privileged master is loaded in every extension page before the extension is packaged. Each unprivileged Web Worker is created by the privileged master in each extension page, and all JS files from an extension page execute in its own Web Worker. Since the jQuery library does not work in a worker, our design is only applicable to Chrome extensions that do not use jQuery. Figure 1 shows our proposed model for privilege separation.

Master. The master mediates all the privileged calls from the unprivileged Web Workers. The privileged master has four components:
(1) Startup Code. After the extension is loaded, the startup code creates a Web Worker and imports all the JS files hosted in the extension page into the worker.
(2) Master Shim. When the script code in a worker makes privileged calls to the privileged master in the extension page, the master shim performs all the privileged calls on behalf of the workers and returns the required results to the corresponding workers.
(3) Policy Code. The policy code specifies what kinds of privileged operations the worker code can ask the master to perform. It is application-specific. Developers can add additional essential restrictions on these extensions or modify some privileges.
(4) Proxy.
Since the Web Workers do not have access to the DOM, we have to virtualize the DOM (VDOM) [6]. The proxy is in charge of handling the DOM modification messages from workers.

Workers. Our system moves all functional JavaScript files from the different components of an extension to Web Workers. Each worker consists of three components:
(1) JavaScript Code. JavaScript code means the JavaScript files that carry out the operations of the extension page, e.g., popup.js and other JavaScript libraries the page needs.
(2) Worker Shim. The worker shim consists of a wrapper module. It wraps all the privileged functions. When a call is invoked, its corresponding wrapped function marshals the function as a message and posts this message to the master. On receiving the response from the master, the worker shim also executes the callback with the results to complete the original call.
(3) Monitor. Since workers have no access to the real DOM, the monitor is in charge of 1) exporting a Virtual DOM (VDOM) [6] to the Web Worker, 2) listening for VDOM modifications, 3) applying the modification events to the master. The VDOM can be implemented with Jsdom [9], a JavaScript implementation of the DOM. Besides, we also use the libraries underscore and RequireJS to complement the JavaScript functionality. The VDOM contains subtrees of the real DOM (the extension's JavaScript code decides which subtrees are used).

Implementation

To integrate our design into a Chrome extension, before the extension is packaged, the developer needs to include the master code as a JavaScript file inside every extension page. When the packaged extension is loaded, the startup code in every page creates an unprivileged Web Worker and executes the extension script code in it. In this section, we focus on the procedure of implementing a privileged call and a DOM modification.
(1) Implementing a privileged call. When a privileged API (e.g., chrome.tabs.getSelected) is called, its wrapped function begins to execute and asks the master to perform the correct function by 1) marshaling the privileged function name and all its arguments as a message, 2) saving the privileged function's callback in an array, 3) sending the message to the master, 4) waiting for the response from the master, 5) executing the saved callback with the parameters from the master. Listing 1 is the wrapped function for chrome.tabs.getSelected. On receiving a message from a Web Worker, the master shim 1) demarshals the message from the worker, 2) checks with the policy code to see if the call is allowed, 3) executes the correct function if allowed, 4) marshals the results as a message, 5) sends the message back to the worker. Listing 2 shows the master shim for chrome.tabs.getSelected.

[Figure 1: High-level of our architecture]

(2) Implementing a DOM modification. When the VDOM is modified, the monitor 1) serializes the event, 2) marshals it as a message, 3) sends the message to the master using postMessage. Upon receiving this message, the proxy 1) demarshals the message, 2) deserializes the modification event, 3) applies the modification event to the real DOM.

Examples

We apply our design to two Chrome extensions to demonstrate that our architecture is efficient enough for privilege separation. In the two examples we measure (a) the reduction in TCB after using our architecture, (b) the amount of code that needs to be changed in order to retrofit the application, and (c) performance overheads (load latency, communication time, the interposition time of policies, and memory consumption). Table 1 lists our examples and summarizes our results.

TabJump.
We apply our design to a Chrome extension called TabJump, which helps a user easily access the most used tabs, associated tabs, and closed tabs, and allows a user to lock the current tab in case of accidentally clicking the close button. This extension has two components: background.html and popup.html. The functionality of background.html is to get tab information, consisting of recently closed tabs, related tabs, and frequently used tabs, and then send these tabs to popup.html. When a user clicks the TabJump button, popup.html opens, shows links to all these tabs and provides the lock feature.
(1) Unbundling and Example Policy: In the original version of TabJump, popup.html receives the tab information from background.html and allows users to open, update, or lock these tabs, but runs with the full privileges of the extension. Under our design, the popup.js code runs within an unprivileged worker, and the policy only gives popup.js access to the sendMessage API, to send and receive the tab information from the background page, as well as the tabs.create, tabs.update, tabs.getSelected and tabs.getAllInWindow Chrome APIs.

PanicButton. PanicButton is a Chrome extension that can be used to hide all tabs in the browser by just clicking the hide button and to restore them with another click. This extension has three components: background.html, popup.html and options.html. The functionality of background.html is to hide or restore all tabs; a user can also set a shortcut for this button and set a password to manage these hidden tabs in options.html. When a password is set, a user must enter the password in the popup page to restore these hidden tabs.
(1) Unbundling and Example Policy: This extension uses options.html to set a shortcut for the hide button and popup.html to enter a password to manage the hidden tabs. But these two pages have the full privileges of this extension. In our architecture, popup.js and options.js execute in different unprivileged Web Workers; the policy only gives the popup page the privilege to call the sendMessage API, and the options page the privileges to call the chrome.tabs.create and sendMessage APIs.

[Listing 1: Wrapped function for chrome.tabs.getSelected]
[Listing 2: Master shim for chrome.tabs.getSelected]

Evaluation

Our approach has four possible overheads: 1) the latency of loading Web Workers; 2) the overhead caused by the parent's mediation on privileged APIs; 3) the overhead of each call crossing the sandbox boundary; 4) the memory consumption of the redesigned extensions. We measure the impact of each below.

Latency. To measure the time overhead, we include two scripts at different places in an extension page and measure the time elapsed between them. For example, one script is in the page's header and the other at the end of its body to measure the load latency. We perform 10 runs in each extension page, using JavaScript's Date.now() API to collect the average time.
For TabJump, the background load latency is about 319ms, and the VDOM size is 9 KB with 61ms to populate it. The average time for each call crossing the sandbox boundary is about 14ms, and with 13 lines of policy code, the average interposition time is less than 1ms. As shown in Table 1 and Table 2, without the VDOM our extension runs at nearly local speed; even with the VDOM, we do not observe any user-perceivable increase in latency. The VDOM population time is affected more or less by its size. However, as long as the Chrome extension does not spend most of its time in DOM operations and the VDOM size is not too big, the total overhead should be tolerable.

Memory. We evaluated the memory overhead by observing the increase in memory consumption caused by creating Web Workers. We found that with the two extensions, the memory increase is 2.8M and 2.3M respectively. We believe that this level of overhead should be acceptable for enforcing privilege separation in Chrome extensions. Besides, it's up to a user to close these Web Workers after the Chrome extensions exit, since they will not be automatically garbage collected.
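The privileged-call path described under Implementation (worker shim marshals the call, master shim checks the policy code and performs it), as an added example; it is not the paper's Listing 1 or Listing 2. The in-process channel, the stub privileged API, the (result, error) callback convention and the http(s)-only URL rule are assumptions of this example, and the allowlist is a subset modeled on the TabJump popup policy.

```javascript
// Constructed stand-in for the Worker <-> extension-page postMessage channel.
// Messages are copied through JSON, so only data (never functions) crosses.
function makeChannel() {
  const masterPort = { onmessage: null };
  const workerPort = { onmessage: null };
  const deliver = (to, msg) => {
    if (to.onmessage) to.onmessage({ data: JSON.parse(JSON.stringify(msg)) });
  };
  masterPort.postMessage = (msg) => deliver(workerPort, msg);
  workerPort.postMessage = (msg) => deliver(masterPort, msg);
  return { masterPort, workerPort };
}

// Worker shim: each wrapped function marshals its name and arguments, saves
// the callback in an array, posts the message, and runs the callback on reply.
function makeWorkerShim(port, apiNames) {
  const callbacks = [];
  port.onmessage = ({ data }) => {
    const cb = callbacks[data.id];
    delete callbacks[data.id];
    // Convention of this example: callbacks receive (result, error).
    if (typeof cb === 'function') cb(data.result, data.error);
  };
  const shim = {};
  for (const api of apiNames) {
    const [ns, fn] = api.split('.');
    shim[ns] = shim[ns] || {};
    shim[ns][fn] = (...args) => {
      const cb = typeof args[args.length - 1] === 'function' ? args.pop() : null;
      const id = callbacks.push(cb) - 1;
      port.postMessage({ id, api, args });
    };
  }
  return shim;
}

// Master shim: demarshal, check the policy code, perform the call, reply.
// The worker is untrusted, so the API name is only ever used as an allowlist key.
function makeMasterShim(port, chromeApi, policy) {
  const audit = [];
  port.onmessage = ({ data }) => {
    const { id, api, args } = data;
    const reply = (body) => port.postMessage(Object.assign({ id }, body));
    // Own-property lookup: inherited names such as "constructor" never match.
    const rule = Object.prototype.hasOwnProperty.call(policy, api) ? policy[api] : null;
    const allowed = typeof rule === 'function' && Array.isArray(args) && rule(args) === true;
    audit.push({ api: String(api), allowed });
    if (!allowed) return reply({ error: 'denied by policy: ' + api });
    const [ns, fn] = api.split('.');
    chromeApi[ns][fn](...args, (result) => reply({ result }));
  };
  return audit;
}

// Policy code modeled on the TabJump popup allowlist. The URL restriction is a
// hypothetical argument-level rule added for illustration.
const isWebUrl = (u) => typeof u === 'string' && /^https?:\/\//i.test(u);
const isProps = (p) => p !== null && typeof p === 'object' && !Array.isArray(p);
const tabJumpPopupPolicy = {
  'tabs.getSelected': (args) => args.length === 1,
  'tabs.getAllInWindow': (args) => args.length === 1,
  'tabs.create': (args) => args.length === 1 && isProps(args[0]) && isWebUrl(args[0].url),
};

// Constructed stub of the privileged API that records which calls really ran.
function makeStubChrome() {
  const calls = [];
  const stub = (name, result) => (...args) => {
    calls.push(name);
    args.pop()(result(args)); // last argument is the callback added by the master
  };
  return {
    calls,
    tabs: {
      getSelected: stub('tabs.getSelected', () => ({ id: 7, url: 'https://example.test/' })),
      getAllInWindow: stub('tabs.getAllInWindow', () => [{ id: 7, url: 'https://example.test/' }]),
      create: stub('tabs.create', ([props]) => ({ id: 8, url: props.url })),
      remove: stub('tabs.remove', () => undefined),
    },
  };
}

// Drives two allowed calls, two denied calls and one hand-built message.
function demo() {
  const { masterPort, workerPort } = makeChannel();
  const privileged = makeStubChrome();
  const audit = makeMasterShim(masterPort, privileged, tabJumpPopupPolicy);
  const chrome = makeWorkerShim(workerPort, ['tabs.getSelected', 'tabs.create', 'tabs.remove']);
  const out = {};
  chrome.tabs.getSelected(null, (tab) => { out.selected = tab; });
  chrome.tabs.create({ url: 'https://example.test/a' }, (tab) => { out.created = tab; });
  chrome.tabs.create({ url: 'file:///tmp/x' }, (tab, err) => { out.badUrl = err; });
  chrome.tabs.remove(7, (res, err) => { out.remove = err; });
  // A compromised worker can post any message, not just what the shim builds.
  workerPort.postMessage({ id: 99, api: 'constructor', args: [] });
  return { out, audit, privilegedCalls: privileged.calls };
}

console.log(JSON.stringify(demo(), null, 2));
```

The audit array returned by the master shim shows which requests the policy refused, and privilegedCalls confirms that refused requests never reached the privileged API.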
Conclusion

We propose a new design that uses Web Workers to partition a web application into an arbitrary number of unprivileged components. Our evaluation shows that we can apply our architecture to most Chrome applications and achieve a significant reduction in TCB with no more than 18 lines of change for the Chrome extensions we studied. However, extensions that use the jQuery library do not fit our model.

Acknowledgements

This research was supported in part by the National Natural Science Foundation of China under grants and , the Program for New Century Excellent Talents in University, the open research fund of Zhejiang Provincial Key Lab of Data Storage and Transmission Technology, Hangzhou Dianzi University (No ).

Reference

[1] HTML5 living standard.
[2] Google Inc., Google Chrome Webstore.
[3] A. Krishnamurthy, A. Mettler, and D. Wagner, Fine-Grained Privilege Separation for Web Applications, in Proceedings of the International Conference on World Wide Web, pages ,
[4] A. Barth, C. Jackson, C. Reis, and T. G. C. Team, The security architecture of the Chromium browser,
[5] D. Akhawe, D. Song, and P. Saxena, Privilege Separation in HTML5 Applications,
[6] L. Ingram and M. Walfish, TreeHouse: JavaScript sandboxes to help Web developers help themselves,
[7] N. Carlini, A. P. Felt, and D. Wagner, An evaluation of the Google Chrome extension security architecture, in Proceedings of the 21st USENIX Conference on Security,
[8]
[9]
More informationConstructing an University Scientific Research Management Information System of NET Platform Jianhua Xie 1, a, Jian-hua Xiao 2, b
Applied Mechanics and Materials Online: 2013-12-04 ISSN: 1662-7482, Vol. 441, pp 984-988 doi:10.4028/www.scientific.net/amm.441.984 2014 Trans Tech Publications, Switzerland Constructing an University
More informationOpal. Robert Grimm New York University
Opal Robert Grimm New York University The Three Questions What is the problem? What is new or different? What are the contributions and limitations? The Three Questions What is the problem? Applications
More informationResearch Of Data Model In Engineering Flight Simulation Platform Based On Meta-Data Liu Jinxin 1,a, Xu Hong 1,b, Shen Weiqun 2,c
Applied Mechanics and Materials Online: 2013-06-13 ISSN: 1662-7482, Vols. 325-326, pp 1750-1753 doi:10.4028/www.scientific.net/amm.325-326.1750 2013 Trans Tech Publications, Switzerland Research Of Data
More informationCOURSE 20486B: DEVELOPING ASP.NET MVC 4 WEB APPLICATIONS
ABOUT THIS COURSE In this course, students will learn to develop advanced ASP.NET MVC applications using.net Framework 4.5 tools and technologies. The focus will be on coding activities that enhance the
More informationLesson 4: Web Browsing
Lesson 4: Web Browsing www.nearpod.com Session Code: 1 Video Lesson 4: Web Browsing Basic Functions of Web Browsers Provide a way for users to access and navigate Web pages Display Web pages properly Provide
More informationAcknowledgments... xix
CONTENTS IN DETAIL PREFACE xvii Acknowledgments... xix 1 SECURITY IN THE WORLD OF WEB APPLICATIONS 1 Information Security in a Nutshell... 1 Flirting with Formal Solutions... 2 Enter Risk Management...
More informationRESOURCE MANAGEMENT MICHAEL ROITZSCH
Faculty of Computer Science Institute of Systems Architecture, Operating Systems Group RESOURCE MANAGEMENT MICHAEL ROITZSCH AGENDA done: time, drivers today: misc. resources architectures for resource
More informationAdobe Reader (AR) and Internet Explorer (IE) Browser Settings. Adobe Reader and Internet Explorer Browser settings
Adobe Reader and Internet Explorer Browser settings Table of Contents 1. INTERNET EXPLORER (IE) BROWSER SETTINGS... 2 1.1 Locating the menu bar... 2 1.2 Clearing cache... 2 1.3 Allow pop-ups from *.cap.org...
More informationSecure Architecture Principles
CS 155 Spring 2016 Secure Architecture Principles Isolation and Least Privilege Access Control Concepts Operating Systems Browser Isolation and Least Privilege Acknowledgments: Lecture slides are from
More informationWELCOME TO JQUERY PROGRAMMING LANGUAGE ONLINE TUTORIAL
WELCOME TO JQUERY PROGRAMMING LANGUAGE ONLINE TUTORIAL 1 The above website template represents the HTML/CSS previous studio project we have been working on. Today s lesson will focus on JQUERY programming
More informationWeb basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh February 11, 2016 1 / 27 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
More informationDeveloping ASP.NET MVC 4 Web Applications
Developing ASP.NET MVC 4 Web Applications Course 20486B; 5 days, Instructor-led Course Description In this course, students will learn to develop advanced ASP.NET MVC applications using.net Framework 4.5
More informationSecurity Architecture
Security Architecture We ve been looking at how particular applications are secured We need to secure not just a few particular applications, but many applications, running on separate machines We need
More informationExploring Chrome Internals. Darin Fisher May 28, 2009
Exploring Chrome Internals Darin Fisher May 28, 2009 Simple interface, powerful core Modern browsers resemble the cooperatively multi-tasked operating systems of the past. Guiding sentiment, 2006 Goals
More informationOctober 08: Introduction to Web Security
October 08: Introduction to Web Security Scribe: Rohan Padhye October 8, 2015 Web security is an important topic because web applications are particularly hard to secure, and are one of the most vulnerable/buggy
More informationResearch On DB2 Performance Testing Automation
Advanced Materials Research Online: 2013-09-18 ISSN: 1662-8985, Vols. 756-759, pp 2204-2208 doi:10.4028/www.scientific.net/amr.756-759.2204 2013 Trans Tech Publications, Switzerland Research On DB2 Performance
More informationScorebook Navigator. Stage 1 Independent Review User Manual Version
Scorebook Navigator Stage 1 Independent Review User Manual Version 11.2013 TABLE OF CONTENTS Getting Started... 1 Browser Requirements... 1 Scorebook Navigator Browser Compatability... 1 Logging in...
More informationRESOURCE MANAGEMENT MICHAEL ROITZSCH
Faculty of Computer Science Institute of Systems Architecture, Operating Systems Group RESOURCE MANAGEMENT MICHAEL ROITZSCH AGENDA done: time, drivers today: misc. resources architectures for resource
More informationHow is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh March 30, 2015 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the server sends
More informationQuick Start Guide for Administrators and Operators Cyber Advanced Warning System
NSS Labs Quick Start Guide for Administrators and Operators Cyber Advanced Warning System Introduction to the Cyber Advanced Warning System and RiskViewer... 1 Activating Your Account... 2 Adding a New
More informationClient Configuration Cookbook
Sitecore CMS 6.2 Client Configuration Cookbook Rev: 2009-10-20 Sitecore CMS 6.2 Client Configuration Cookbook Features, Tips and Techniques for CMS Architects and Developers Table of Contents Chapter 1
More informationCSE543 - Computer and Network Security Module: Virtualization
CSE543 - Computer and Network Security Module: Virtualization Professor Trent Jaeger CSE543 - Introduction to Computer and Network Security 1 Operating System Quandary Q: What is the primary goal of system
More informationCourse 20486B: Developing ASP.NET MVC 4 Web Applications
Course 20486B: Developing ASP.NET MVC 4 Web Applications Overview In this course, students will learn to develop advanced ASP.NET MVC applications using.net Framework 4.5 tools and technologies. The focus
More informationStorage Model of Graph Based on Variable Collection
Advanced Materials Research Online: 2013-09-04 ISSN: 1662-8985, Vols. 765-767, pp 1456-1460 doi:10.4028/www.scientific.net/amr.765-767.1456 2013 Trans Tech Publications, Switzerland Storage Model of Graph
More informationDeveloping ASP.NET MVC 4 Web Applications
Developing ASP.NET MVC 4 Web Applications Duration: 5 Days Course Code: 20486B About this course In this course, students will learn to develop advanced ASP.NET MVC applications using.net Framework 4.5
More informationCSE543 - Computer and Network Security Module: Virtualization
CSE543 - Computer and Network Security Module: Virtualization Professor Trent Jaeger CSE543 - Introduction to Computer and Network Security 1 1 Operating System Quandary Q: What is the primary goal of
More informationApplicant Dashboard Step by Step. Contents
Applicant Dashboard Contents Accessing the Applicant Dashboard... 3 Applicant Dashboard Page... 4 Personal Information... 5 Manage Organisations... 6 Manage Users... 7 Adding a User... 7 Current Application...
More informationJavaScript Zero. Real JavaScript and Zero Side-Channel Attacks. Michael Schwarz, Moritz Lipp, Daniel Gruss
JavaScript Zero Real JavaScript and Zero Side-Channel Attacks Michael Schwarz, Moritz Lipp, Daniel Gruss 20.02.2018 www.iaik.tugraz.at 1 Michael Schwarz, Moritz Lipp, Daniel Gruss www.iaik.tugraz.at Outline
More informationPassword Managers: Attacks and Defenses
Password Managers: Attacks and Defenses David Silver!! Suman Jana Dan Boneh Stanford University Eric Chen! Collin Jackson Carnegie Mellon University 8/21/14 Usenix Security 2014 A tool for Convenience?
More informationCombatting Browser Fingerprinting with ChromeDust
Combatting Browser Fingerprinting with ChromeDust Ram Bhaskar Rishikesh Tirumala Timmy Galvin 6.858 Final Project (Lab 7) December 12, 2013 Introduction
More informationIdentity-based Access Control
Identity-based Access Control The kind of access control familiar from operating systems like Unix or Windows based on user identities This model originated in closed organisations ( enterprises ) like
More informationVisual Studio Course Developing ASP.NET MVC 5 Web Applications
Visual Studio Course - 20486 Developing ASP.NET MVC 5 Web Applications Length 5 days Prerequisites Before attending this course, students must have: In this course, students will learn to develop advanced
More informationDesign Document V2 ThingLink Startup
Design Document V2 ThingLink Startup Yon Corp Andy Chen Ashton Yon Eric Ouyang Giovanni Tenorio Table of Contents 1. Technology Background.. 2 2. Design Goal...3 3. Architectural Choices and Corresponding
More informationElastic HTML5: Workload Offloading using Cloud-based Web Workers and Storages for Mobile Devices
Elastic HTML5: Workload Offloading using Cloud-based Web Workers and Storages for Mobile Devices Xinwen Zhang, Won Jeon, Simon Gibbs, and Anugeetha Kunjithapatham Computer Science Laboratory, Samsung Information
More informationASP.NET MVC Training
TRELLISSOFT ASP.NET MVC Training About This Course: Audience(s): Developers Technology: Visual Studio Duration: 6 days (48 Hours) Language(s): English Overview In this course, students will learn to develop
More information