Application Architectures for Critical Data Isolation. Zhenkai Liang

Size: px

Start display at page:

Download "Application Architectures for Critical Data Isolation. Zhenkai Liang"

Claude Melton
5 years ago
Views:

1 Application Architectures for Critical Data Isolation Zhenkai Liang 1

2 Computing Platform in Cloud Era User access control Same Origin Policy App Permissions 2

3 New Security Challenges Heterogeneous system platform OS and applications from many sources Open execution environment Malicious code coexecute in the same environment Data push/ synchronization across platforms Multiple copies of data in different platforms 3

victims privilege Mobile device: Malware Security mechanism: app-based isolation

4 Example Attacks Browser: Third-party JavaScript Injection Security mechanism: SOP Problem: Cross-site scripting (XSS) Injected JavaScript access resource with victims privilege Mobile device: Malware Security mechanism: app-based isolation Problem: Repackaged malware, mobile rootkit User data accessible by malicious code 4

5 Drawbacks of Existing Mechanism User Lack of unified data protection Different mechanism Different user notion Excessive data exposure to unrelated code Coarse-grained isolation Large trusted computing base (TCB) Data security dependent on individual platforms Data 5

6 Data-Oriented Protection Unified user notion and security policy Platform-independent protection Support rich operations on data 6

7 Observation Data are not equally important for security Office phone number Bank account number Social security number/credit card number There exists a class of security critical data They are not needed by all parts of an application Operations on them are limited 7

8 Our Application Architecture Signature and Verification Data Operation Data Encryption 8

9 High-level View of Solutions Identify and protect security sensitive data Provide secure environments to operate on such data Integrate with the rest of application 9

10 DroidVault: A Trusted Data Vault for Android Devices 10

11 Our Assumption Compromised Android OS, malicious apps Application Android Middleware Linux Kernel Hardware 11

12 Security Requirements Secure Data Processing Secure Network Communication Secure Input and Output Secure Data Storage 12

13 ARM TrustZone Background Normal Zone Normal Operating System Trusted Zone Trusted Software Hardware Platform Separation with hardware level protection Red/green system 13

14 DroidVault Architecture (Normal) (Trusted) Android OS Client Application Bridge DroidVault DPM I/O Hardware 0 14

15 Secure Network Communication & Data Storage Challenge: Limited resource in trusted component. Solution: Reuse OS functionalities Android OS DroidVault Network Bridge File System 15

16 Secure Data Processing Data Processing Module (DPM) allows code from legitimate users to operate on their sensitive data Results are contained in DroidVault Android OS Bridge DroidVault DPM Authority Check File System Integrity Check 16

17 Secure Input and Output DroidVault directly controls IO devices Cannot reuse existing service by untrusted OS Contents of IO are in clear text DroidVault I/O 17

18 Prototype Prototype of DroidVault Freescale i.mx53 QSB Open Virtualization, PolarSSL Much smaller TCB than Android OS ~12K LOC 18

19 Case Study: Dropbox File Manager Adoptable to legacy Dropbox cloud service Secure network communication & data storage Log in to Dropbox account Browse the Dropbox file system Upload/download files Secure data processing grep strings in the files, output to secure display 19

Case Study: Zip Archiver Support popular operations on sensitive data Secure data processing (Decrypt sensitive zip files inside DroidVault) Read each file header

20 Case Study: Zip Archiver Support popular operations on sensitive data Secure data processing (Decrypt sensitive zip files inside DroidVault) Read each file header through file related operations Extract file entry names by parsing the file header When assuming file names not sensitive, parsed filenames can be returned to app 20

21 UserPath: End-to-End Trusted Path in Web Applications 21

22 Post-Injection Script Execution in Web Applications Script injections are common in web applications Mixed HTTP/HTTPS contents Malicious third-party libraries Cross-site scripting (XSS) attacks Important to have a second line of defense to protect security of critical data and operations in web application 22

23 Our Assumption Compromised browser sessions, trusted browser and OS Web Application Web Browser Hardware 23

24 Observations Two fundamental limitations in web security mechanism No user authority No trusted path between users and servers Need to isolating sensitive data and their related operations 24

25 UFrame Client-side component for isolation Based on notion of user sub-origins Confining a user s sensitive data, and supporting authenticated operations on such data Important server operations can only be initiated in corresponding UFrame 25

26 UserPath Overview Augmenting web platform with user authority and establish end-to-end trusted path 26

Case Studies Applicati on LOC # Applicatio n

30350 OwnCloud 337192 CubeCart 11942 HotCRP

Content Mgmt Sys 15% E- Commerce 35% CRM

27 Case Studies Applicati on LOC # Applicatio n LOC # Elgg Magento Friendica ZenCart Roundcube oscommerc e OpenEMR StoreSprite OwnCloud CubeCart HotCRP WordPress OpenConf Joomla PrestaShop Drupal OpenCart Piwigo AstroSpace s Private profile data, Admin options (set user as admin, add new user) 6972 X2CRM Content Mgmt Sys 15% E- Commerce 35% CRM Social Network App 15% 5% # OF APPS App 5% Health IS 5% File Mgmt Sys 10% Conferenc e Mgmt Sys 10% Account information, address book, checkout information 27

28 Adoption Effort Successfully retrofitted 20 applications Modify web page that contains sensitive userowned resources Measure the LOC number of PHP code (mostly JS code) Application Category UserPath LOC (PHP) # LOC : 149 Social Network App App 96 Health Information System 141 File Management System 161 Conference Mgmt System 145 E-Commerce Content Mgmt System 87 CRM

29 TCB Reduction Initial TCB : Web Page Size Final TCB : Size of the UFrame Code (size in KB) Average TCB Reduction : 103x Reduction Factor TCB Reduction : 8x 264x Reduction Factor

30 Summary Challenges for data protection in cloudbased systems Heterogeneous platform Data exposure Data push/synchronization Data-oriented protection mechanism TrustZone-based data vault for Android Notion of user-suborigin and end-to-end trusted path in web applications 30

Chrome Extension Security Architecture

Chrome Extension Security Architecture Presenter: Jienan Liu Network, Intelligence & security Lab outline Chrome extension introduction Threats towards extension Chrome extension s security architecture