
Data-conned HTML5 Applications
DevdattaAkhawe
1
,FrankLi
1
,Warren He
1
,PrateekSaxena
2
,and Dawn Song
1
1
University ofCalifornia, Berkeley,Berkeley, CA,USA
2
National University ofSingapore,Singapore
Abstract. Rich client-side applications written in HTML5 proliferate on diverse platforms, access sensitive data, and need to maintain data-confinement invariants. Applications currently enforce these invariants using implicit, ad-hoc mechanisms. We propose a new primitive called a data-confined sandbox or DCS. A DCS enables complete mediation of communication channels with a small TCB. Our primitive extends currently standardized primitives and has negligible performance overhead and a modest compatibility cost. We retrofit our design on four real-world HTML5 applications and demonstrate that a small amount of effort enables strong data-confinement guarantees.
1 Introduction
Rich client-side applications written in HTML, CSS, and JS, including browser extensions, packaged browser applications (Chrome Apps) [17], Windows 8 Metro applications [32], and applications in newer browser operating systems (B2G [33], Chrome OS [18]), are fast proliferating on diverse computing platforms. These "HTML5" applications run with access to sensitive user data, such as browsing history, personal and social data, and financial documents, as well as capability-bearing tokens that grant access to these data. A recent study of 5,943 Google Chrome browser extensions revealed that 58% required access to the user's browsing history, and 35% requested permissions to the user's data on all websites [10].
Applications handling sensitive data need the ability to verifiably confine data to specific principals and to prevent it from leaking to malicious actors. On one hand, developers want an easy, high-assurance way to confine sensitive data; on the other, platform vendors and security auditors want to verify sensitive data confinement. For example, consider LastPass, a real-world HTML5-based password manager with close to a million users (https://www.lastpass.com). By design, LastPass only stores an encrypted version of the user's data in the cloud and decrypts it at the client side with the user's master password. It is critical that the decrypted user data (i.e., the clear-text password database) never leave the client. We term this requirement a data-confinement invariant. Data-confinement invariants are fundamental security specifications that limit the flow of sensitive data to a trusted set of security principals. These data-confinement invariants are not
explicitly stated in today's HTML5 applications but are implicitly necessary to preserve their privacy and security guarantees.
We observe two hurdles that hinder practical, high-assurance data confinement in existing client-side HTML5 applications. First, mechanisms to specify and enforce data-confinement invariants are absent in HTML5 platforms; as a result, the invariants remain hidden in application designs, raising the TCB. Second, client-side HTML5 applications have numerous channels to communicate with distrusting principals, and no unified monitoring interface like the OS system call interface exists. Due to the number of channels available to HTML5 applications, attackers can violate data-confinement invariants even in the absence of code injection vulnerabilities [45,26]. As we explain in Section 3.2, previous research proposals do not offer complete mediation, or have an unacceptably large TCB and compatibility cost.
We introduce the data-confined sandbox (or DCS), a novel security primitive for client-side HTML5 applications. A data-confined sandbox is a unit of execution, such as code executing in an iframe, the creator of which explicitly controls all the data imported and exported by the DCS. Our design provides the creator of a DCS a secure reference monitor to interpose on all communications, privileged API accesses, and input/output data exchanges originating from the DCS.
Data-confined sandboxes are a fundamental primitive to enable a data-centric security architecture for emerging HTML5 applications. By moving much of the application code handling sensitive data to data-confined sandboxes, we can enable applications that have better resilience to privacy-violating attacks and that are easy to audit by security analysts.
Contributions. We make the following main contributions:
- We introduce the concept of data confinement for client-side HTML5 applications that handle sensitive data (Section 2).
- We identify the limitations of current security primitives in the HTML5 platform that make them insufficient for implementing data-confinement invariants (Section 3.2).
- We design and implement a data-confined sandbox, a novel mechanism in web browsers that provides complete mediation on all explicit data communication channels (Section 4), and discuss how to implement such a new primitive without affecting the security invariants maintained by the HTML5 platform (Section 4.3).
- We demonstrate the practicality of our approach by modifying four applications that handle sensitive data to provide strong data confinement guarantees (Section 6). All our code and case studies are publicly available online [13].
2 Data Confinement in HTML5 applications
Data confinement is a data-centric property, which limits the flow of sensitive data to an explicitly allowed set of security principals. In this section, we present example data-confinement invariants from real-world applications. Our focus
is on modern HTML5 applications that handle sensitive data or tokens with complex client-side logic leading to a large client-side TCB.
2.1 Password Managers
Password managers organize a user's credentials across the web in a centralized store. Consider LastPass, a popular password manager that stores encrypted credential data in the cloud. LastPass decrypts the password database only at the client side (in a 'vault') with a user-provided master password. A number of data-confinement invariants are implicit in the design of LastPass.
- First, the user's master password should never be sent to any web server (including LastPass servers).
- Second, the password database should only be sent back to the LastPass servers after encryption.
- Third, the decrypted password database on the client side should not leak to any web site.
- Finally, individual decrypted passwords should only be sent to their corresponding websites: e.g., the credentials for facebook.com should only be used on facebook.com.
2.2 Client-side SSO Implementations
Single sign-on (SSO) mechanisms have emerged on the web to manage users' online identities. These mechanisms rely on confining secret tokens to an allowed set of principals. Consider Mozilla's recent SSO mechanism called BrowserID. It has the following data-confinement invariants implicit in its design:
- It aims to share authorization tokens only with specific participants in one run of the protocol.
- Similar to the 'vault' in LastPass, BrowserID provides an interface for managing credentials in a user 'homepage.' This homepage data should not leak to external websites.
- The user's BrowserID credentials (master password) should never be leaked to a third party: only the authorization credentials should be shared with the intended web principals involved in the particular instance of the protocol flow.
Other SSO mechanisms, like Facebook Connect, often process capability-bearing tokens (such as OAuth tokens). Implementation weaknesses and logic flaws can violate these invariants, as researchers demonstrated in 2010 [24,3], 2011 [43], and 2012 [41].
2.3 Electronic Medical Record Applications
Electronic medical record (EMR) applications provide a central interface for patient data, scheduling, clinical decisions, and billing. Strict compliance regulations, such as HIPAA, require data confinement for these applications, with financial and reputational penalties for violations. OpenEMR is the most popular open-source EMR application [38] and has a strict confinement requirement:
an instance of OpenEMR should not leak user data to any principal other than hospital servers.
Note the dual requirements in this application: first, OpenEMR's developers want to ensure data confinement to their application; second, hospitals need to verify that OpenEMR is not leaking patient data to any external servers. In the current design, it is difficult for hospitals to verify this: any vulnerability in the client-side software can allow data disclosure.
2.4 Web Interfaces for Sensitive Databases
Web-based database administration interfaces are popular today, because they are easy to use. PhpMyAdmin is one such popular interface with thousands of downloads each week [34]. The following data-confinement invariants are implicit in its design:
- Data received from the database server is not sent to any website.
- User inputs (new values to store) are only sent to the database server's data insertion endpoint.
Currently, a code injection vulnerability in the client-side interface can enable attackers to steal the entire database, as the interface executes with the database user's privileges. Moreover, the application is large and not easily auditable to ensure data-confinement invariants.
Prevalence of Data Confinement. The discussion above only provides exemplars: any application handling sensitive data typically has a confinement invariant. Due to space constraints, we have made our analysis of the twenty most popular Google Chrome extensions available online [13]. All applications handling sensitive data (sixteen applications in total) maintained an invariant implicitly (footnote 4). The trusted code base for these extensions varied from 7.5KB to 1.24MB. Sensitive data available to the extensions vary from access to the user's browsing history to the user's social media login credentials.
3 Problem Formulation
Given the prevalence of data confinement in HTML5 applications, we aim to support secure data confinement in HTML5 applications. Due to the increasingly sensitive nature of data handled by modern HTML5 applications, a key requirement is high assurance: small TCB, complete mediation. Further, for ease of adoption, we aim for a mechanism with minimal compatibility costs.
The idea of such high assurance mechanisms is not new, with Saltzer and Schroeder laying it down as a fundamental requirement for secure systems [39]. Our focus is on developing a high assurance mechanism for HTML5 applications. We first discuss the challenges in achieving high assurance data confinement in HTML5 applications, followed by a discussion on why current and proposed primitives do not satisfy all our goals. We discuss our design in Section 4.
4 The remaining four extensions dealt mainly with the website style and appearance and did not access sensitive data.
3.1 HTML5 and Data Confinement: Challenges
A number of idiosyncrasies of the HTML5 platform make practical data confinement with a small TCB difficult. First, the HTML5 platform lacks mechanisms to explicitly state data-confinement invariants; current ad-hoc mechanisms do not separate policy and enforcement mechanism. Due to the coarse-grained nature of the same origin policy, enforcing these invariants on current HTML5 platforms increases the TCB to the whole application.
Achieving a small TCB is particularly important on the HTML5 platform. The JavaScript language and the DOM interface make modular reasoning about individual components difficult. All code runs with ambient access to the DOM, cookies, localStorage, and the network. Further, techniques like prototype hijacking can violate encapsulation assumptions and allow attackers to leak private variables in other modules. The DOM API makes confinement difficult to ensure even in the absence of code injection vulnerabilities [45,26].
Achieving complete mediation on the HTML5 platform is also difficult. The HTML5 platform has a large number of data disclosure channels, as by design it aims to ease cross-origin resource loading and communication. We categorize these channels as:
- Network channels. HTML5 applications can make network requests via HTML elements like img, form, script, and video, as well as JavaScript and DOM APIs like XMLHttpRequest and window.open. Furthermore, CSS stylesheets can issue network requests by referencing images, fonts, and other stylesheets.
- Client-side cross-origin channels. Web browsers support a number of channels for client-side cross-origin communication. This includes exceptions to the same-origin policy in JavaScript such as the window.location object. Initially, mashups used these cross-origin communication mechanisms for fragment ID messaging (via the location.hash property) between cross-origin windows. Current mashups rely on newer channels like postMessage, which are also a mechanism for data leaks.
- Storage channels. Another source of data exfiltration are storage channels like localStorage, cookies, and so on. These channels do not cause network requests or communicate with another client-side channel as above; instead, they allow code to exfiltrate data to other code that will run in the future in the same origin (or, in the case of cookies, even other related origins). Browsers tie storage channels to the origin of an application.
Given the wide number of channels available for inadvertent data disclosure, we observe that no unified interface exists for ensuring confinement of fine-grained code elements in the HTML5 platform. This is in contrast to system call interposition in commodity operating systems, which provides complete mediation. For example, mediation of data communication channels using system call sandboxing techniques is well-studied for modern binary applications [30,19,36]. Previous work also developed techniques to automate identification and isolation of subcomponents that process sensitive data [30,7]. Our work shares these design principles, but targets HTML5 applications.
3.2 Insuciency of ExistingMechanisms
Table 1.Comparisonofcurrentsolutionsfordataconnement
System Name
Complete Mediation
CompatibilityCost
SmallTCB
HSTS
No: HTTPSpagesonly
Low
Yes
CSP
No: anchorsandwindow.open
High: disableseval
Yes
JS Static Analysis
No: noCSS&DOM
High: disableseval
No
JS IRMs(Cajole,Conscript)
No: noCSS&DOM
High: disableseval
Yes
JSand
No: noCSS
High: SES
No
Treehouse
Yes
High: codechange
No
sandboxwithTemp. Origins
No: all networkchannels
Low
Yes
Data-connedsandboxes
Yes
Low
Yes
None of the primitives available in today's HTML5 platform achieve complete mediation with a small TCB. Browser-supported primitives, such as Content Security Policy (CSP), block some network channels but not all. Current mechanisms in web browsers aim for integrity, not confinement. For example, even the most restrictive CSP policy cannot block data leaks through anchor tags and window.open. Similarly, our previous work on privilege separation of HTML5 applications does not provide any confinement guarantees [4]. An unprivileged child can leak data by making a request for an image or including a CSS style from a remote host.
Recent work on information flow and non-interference shows promise for ensuring fine-grained data-confinement in JavaScript; unfortunately, these techniques currently have high overhead for modern applications [11]. IBEX proposed writing extensions in a high-level language (FINE) amenable to deep analysis to ensure conformance with specific policies [23]. In contrast, our work does not require significant changes to web applications. Further, as we explain below, these approaches also have a large TCB.
Another approach to interpose on all data communication channels is to do static analysis of the application source code [14,16,31]. Static analysis systems cannot reason about dynamic constructs such as eval, which are used pervasively by existing applications [37] and modern JavaScript libraries [1]. As a result, such mechanisms have a high compatibility cost. When combined with rewriting techniques, such as cajoling [16], JS analysis techniques can achieve complete mediation on client-side cross-frame channels, but still do not provide complete mediation over DOM and CSS channels.
JSand [2] introduced a client-side method of sandboxing third-party JavaScript libraries. It does so by encapsulating all JavaScript objects in a wrapper that mediates property accesses and assignments, via an application-defined policy. This approach does not protect against scriptless attacks such as those using CSS. Additionally, it relies on the use of Secure EcmaScript 5 (SES), which is not compatible with some JavaScript libraries. JSand does provide a support layer to improve compatibility with legacy JavaScript code, but this is a partial transformation and involves a high performance overhead.
Treehouse uses new primitives, like web workers and EcmaScript 5 sealed objects, in the HTML5 platform to ensure better interposition [27]. Treehouse proposes to execute individual components in web workers at the client side. One concern with the Treehouse approach is that web workers also run with some ambient privileges: e.g., workers have access to XMLHttpRequest, synchronous file APIs, script imports, and spawning new workers, which attackers can use to leak data. Treehouse relies on the seal/unseal features of ES5 to prevent access to these APIs, but this mechanism requires intrusive changes to existing applications and has a high compatibility cost.
Perhaps the most important limitation of all primitives not directly supported by browsers is their large TCB. For example, in the case of Treehouse, application code (running in workers) cannot have direct access to the DOM, since that would break all security guarantees. Instead, application code executes on a virtual DOM in the worker that the parent code copies over to the main web page. As a result, the security of these mechanisms depends on the correctness of the monitor/browser model (e.g., the parent's client-side monitor in Treehouse).
Since the DOM, HTML, CSS, and JS are so deeply intertwined in a modern HTML5 platform, such a client-side monitor is essentially replicating the core logic of the browser, leading to a massive increase in the TCB. Further, Treehouse implements this complex logic in JavaScript. Corresponding issues plague static analysis systems, new language mechanisms like IBEX, and code rewriting systems like Caja: all of them assume a model of the HTML5 platform to implement their analysis/rewriting logic.
While implementing a model of HTML5 for analysis and monitoring is difficult, the approaches discussed above suffer from another fundamental limitation: they work on a model of HTML5, not the real HTML5 standard implemented in the platform (browser). Any mismatch between the browser and the model can lead to a vulnerability, as observed (repeatedly) for Caja [20,22,21,15] and AdSafe [31,35].
3.3 Threat Model
We focus on explicit data communication channels in the HTML5 platform core, as defined above. Ensuring comprehensive mediation on explicit data channels is an important first step in achieving data-confined HTML5 applications. Our proposed primitive does not protect against covert and side channels (such as shared browser caches [28] and timing channels [6]) or self-exfiltration channels [9], which are a subject of ongoing research. These channels are important. However, we point out that popular isolation mechanisms on existing systems also do not protect against these [46,8,44]. We believe explicit channels cover a large space of attacks, and we plan to investigate extending our techniques to covert channels in the future.
In addition to focusing on explicit channels, our primitive only targets the core HTML5 platform; our ideas extend to add-ons/plugins, however we exclude them from our present implementation. We defend against the standard web attacker model, in which the attacker cannot tamper with or observe network traffic for other web origins and cannot subvert the integrity of the HTML5 platform itself [3].

[Figure 1 (diagram): Browser Page containing the Parent (Bootstrap Code, Policy Code, Security Monitor, SHIM) and the DCS Child Iframe (Application Code, HTML Content, Image Src); Browser Kernel containing HTML Parser, URI Parser, Content Dispatch, Network Engine, SHIM; a Network Request Monitor Call from the kernel to the parent's Security Monitor.]
Fig. 1. High-level design of an application running in a DCS. The only component that runs privileged is the parent. The children run in data-confined sandboxes, with no ambient privileges and all communication channels monitored by the parent.
4 The Data Confined Sandbox
To draw a parallel with binary applications, current mechanisms for confining HTML5 applications are analogous to analyzing the machine code before it executes to decide whether it violates any guarantees. We argued above that such mechanisms cannot provide high assurance. Instead, taking a systems view of the problem of data confinement, we argue for an strace-like high assurance monitor for the HTML5 platform.
We call our primitive the data confined sandbox, or DCS (Section 4.1). Our key contribution is identifying that the shrewd design of the DCS primitive provides high assurance with minimal compatibility concerns (Section 4.2). Introducing any new primitive on the HTML5 platform brings up security concerns. A primitive like DCS that provides monitoring capabilities to arbitrary code is particularly fraught. We discuss how we ensure that we do not introduce new vulnerabilities due to our primitive in Section 4.3.
4.1 Design of DCS
Figure 1 presents the architecture of an application using the DCS design. Our design extends our previous work on privilege separation [4]. Our key contribution is identifying how to extend the ideas of privilege separation to provide complete mediation on the HTML5 platform. We first recap privilege-separated HTML5 applications and then discuss the DCS design.
Modern HTML5 platforms allow applications to run arbitrary code (specified via a data:/blob: URI) in a temporary, unprivileged origin [4]. Privilege-separated HTML5 applications run most application code in an arbitrary number of unprivileged iframes (children). A small privileged parent iframe, with access to the full privileges of the web origin, provides access to privileged APIs, such as cookie access and platform APIs like camera access. Unprivileged children communicate with the parent through a tightly controlled postMessage channel (dotted arrows in Figure 1).
The parent can enforce policies on the requests it receives over this postMessage channel from its unprivileged children [4]. The parent uses its privileged interfaces to fulfill approved requests, such as authenticated XMLHttpRequest calls (curved dotted arrow in Figure 1). To increase assurance, the parent code enforces a number of security invariants such as disabling all dynamic code evaluation, allowing only a text interface with the children, and setting appropriate MIME types for static code downloaded by the bootstrap code.
Though this privilege separation architecture provides integrity, it does not provide data confinement. Any compromised child can make arbitrary requests on the network through the numerous data disclosure channels outlined earlier. We propose a new primitive, the data-confined sandbox or DCS, that enforces confinement of data in the child. Our primitive relies on the browser to ensure confinement. Similar to privilege separation, applications only need to switch to using the DCS and write an appropriate policy.
Consider the browser kernel in Figure 1. Any content that a DCS child requests the browser to display passes through the HTML/JS/CSS parser. If the browser encounters a URI that it needs to load, it invokes the URI parser, which then invokes the content dispatch logic in the browser. We modify this code for DCS children to call a security monitor that the parent defines (solid arrow in Figure 1). The security monitor in the parent is transparent to the child. The browser's call to the parent also includes the unique id identifying the child iframe and details about the request. From there, the security monitor can decide whether to grant the request or not.
Example. Consider the 'vault' for the LastPass web application. In our redesign, when the user navigates to the LastPass application, the server returns bootstrap code (the parent) that downloads the original application code and executes it in a data-confined sandbox (the child). The code in the DCS starts executing and makes network requests to include all the complex UI, DOM, and encryption libraries. Finally, the LastPass child code in the DCS makes a request for the encrypted password database and decrypts it with the user-provided password.
The parent security monitor can enforce a simple policy such as only allowing network requests to http://lastpass.com. Alternatively, the parent can enforce stateful policies: e.g., the monitor function could only allow resource loads (i.e., scripts, images, styles) until the DCS child loads the encrypted password database. After loading the encrypted database, the security monitor disallows all future network requests.
4.2 Achieving High Assurance
Recall our goals of complete mediation, small TCB, and backwards compatibility. We discuss how our DCS design achieves all of them.
Complete Mediation. As discussed in Section 3, HTML5 applications only have three channels for data leakage: storage channels tied to the origin, network channels, and client-side cross-origin channels. Since all application code runs in children of temporary origins that only exist for the duration of the application's execution, the application code does not have access to any (storage) channel tied to the origin (e.g., cookies, localStorage).
In a DCS, except for a blessed postMessage channel to the parent, the browser disables all client-side communication channels. This includes cross-origin communication channels like postMessage and cross-origin window properties (like location.hash). The postMessage channel is the only client-side cross-origin channel available to the data-confined child, and the browser guarantees that the channel only connects to the parent. The postMessage channel allows the parent to proxy privileged APIs for the child. Further, the postMessage channel also allows the parent to provide a channel to proxy postMessages to other client-side iframes; our design only enforces complete mediation by the parent.
HTML5 applications can request network resources via markup like scripts, images, links, anchors, and forms and JavaScript APIs like XMLHttpRequest. In our design, the children can continue to make these network requests; the DCS transparently interposes on all these network channels. The parent defines a 'monitor' function that the browser executes before dispatching a network request. If the function returns false, the browser will not make the network request.
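The stateful vault policy from the Example in Section 4.1, combined with the monitor contract described above (the browser calls the parent-defined monitor before dispatching a request and drops the request on a false return), written out as an added example for this page; it is not code from the paper's implementation. The request shape {childId, url, type}, the dispatchRequest() stand-in for the browser kernel's content dispatch, the use of https rather than the paper's http://lastpass.com, and the /vault/encrypted-db path are all assumptions made here.

```javascript
// Added example (not the paper's code): a parent-side network-request monitor
// for a DCS child implementing the stateful LastPass vault policy described in
// Section 4.1. The browser kernel is simulated by dispatchRequest(); the shape
// of the request object passed by the real hook is an assumption made here.

const RESOURCE_TYPES = new Set(['script', 'image', 'style', 'font']);

// createVaultMonitor(allowedOrigin, dbPath) returns the monitor function the
// parent would register. Policy state lives in the parent, so the child cannot
// tamper with it (the paper's argument for an external rather than inline monitor).
function createVaultMonitor(allowedOrigin, dbPath) {
  const dbLoaded = new Map(); // childId -> true once the encrypted DB was fetched

  // request: { childId, url, type }. Return true to allow, false to block.
  return function monitor(request) {
    let url;
    try {
      url = new URL(request.url);
    } catch (e) {
      return false; // unparsable URL: fail closed
    }
    if (url.origin !== allowedOrigin) {
      return false; // simple policy: only the application's own server
    }
    if (dbLoaded.get(request.childId) === true) {
      return false; // phase 2: once the DB is in the child, no network at all
    }
    if (RESOURCE_TYPES.has(request.type)) {
      return true; // phase 1: UI, DOM and crypto library loads
    }
    if (request.type === 'xhr' && url.pathname === dbPath) {
      dbLoaded.set(request.childId, true); // the one permitted data fetch
      return true;
    }
    return false; // anything else (forms, navigations, other XHRs) is blocked
  };
}

// Stand-in for the browser kernel's content dispatch: consult the monitor and
// record the decision instead of actually sending anything.
function dispatchRequest(monitor, request) {
  return monitor(request) ? 'sent' : 'blocked';
}

// A constructed sequence of requests from two DCS children (ids 7 and 8).
function runVaultScenario() {
  const monitor = createVaultMonitor('https://lastpass.com', '/vault/encrypted-db');
  const requests = [
    { childId: 7, type: 'script', url: 'https://lastpass.com/js/vault.js' },
    { childId: 7, type: 'image',  url: 'https://attacker.example/pixel.gif' },
    { childId: 7, type: 'xhr',    url: 'https://lastpass.com/vault/encrypted-db' },
    { childId: 7, type: 'xhr',    url: 'https://lastpass.com/api/sync' },
    { childId: 7, type: 'image',  url: 'https://lastpass.com/logo.png' },
    { childId: 8, type: 'script', url: 'https://lastpass.com/js/vault.js' },
    { childId: 7, type: 'form',   url: 'not a url' },
  ];
  return requests.map((r) => dispatchRequest(monitor, r));
}

console.log(runVaultScenario());
```

The per-child state map is the point of the example: child 7 is cut off from the network entirely after its database fetch, while child 8, which has not yet fetched anything, is still in the resource-loading phase. Failing closed on unparsable URLs and checking the origin before any other rule keeps the monitor's allow paths short enough to audit by hand.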
We rely on an external monitor (i.e., one running in the parent) over an inline one. This ensures that the monitor does not share any state with the unprivileged child, making it easier to reason about its runtime integrity and correctness. As we discuss in Section 5, the security monitor is not hard to implement: most browsers already have an internal API for controlling network access, which they expose to internal browser code as well as popular extensions such as AdBlock and NoScript.
Small TCB. The TCB in any data confinement mechanism includes the policy code and the enforcement code. In our design, this includes the monitor code in the parent as well as our browser modifications to ensure complete mediation for the parent monitor. Relying on the browser allows us to create a data confinement design with a small enforcement code, as evidenced by our 214-line implementation described in Section 5. This small enforcement TCB allows for easier validation and auditing.
Compatibility. Our design for network request mediation is discretionary, as compared to client-side channels that we block outright. An alternative design is to disallow all network requests too, and only permit network access via the postMessage channel between the parent and child. Such a design has a significantly higher compatibility cost. HTML5 applications pervasively employ network channels. In contrast, the use of client-side channels is rare; for example, Wang et al. report that cross-origin window.location reads and writes occur in less than 0.1% of pages [40]. Therefore, we find that it is acceptable to disable cross-origin client-side channels and force the child to use the blessed postMessage channel to the parent to access these.
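The parent end of the blessed postMessage channel, as an added example for this page rather than code from the paper's implementation: the child can reach only the parent, so the parent is where each request for a privileged API is attributed to a child by its window reference, checked against a policy, and only then fulfilled. The text-only interface and the policy check follow the invariants listed in Section 4.1; the JSON message format, the policy table, the cookie.get API name, and the opaque window stand-ins are assumptions made here.

```javascript
// Added example (not the paper's code): the parent side of the blessed
// postMessage channel between a privileged parent and its DCS children.
// A MessageEvent is modelled as { source, data }; window references are
// opaque objects, and the privileged API table is a constructed stand-in.

// createParentProxy(children, policy, privileged)
//   children:   Map of childId -> that child's window reference
//   policy:     { childId: Set of API names the child may call }
//   privileged: { apiName: function(args) } performing the real privileged work
function createParentProxy(children, policy, privileged) {
  // Returns the reply the parent would postMessage back to the child.
  return function handleMessage(event) {
    // 1. Text interface only: structured clones of objects are never accepted.
    if (typeof event.data !== 'string') {
      return { ok: false, error: 'non-text message rejected' };
    }
    // 2. Attribute the message to a child by its window reference, never by
    //    anything the message itself claims.
    let childId = null;
    for (const [id, win] of children) {
      if (win === event.source) { childId = id; break; }
    }
    if (childId === null) {
      return { ok: false, error: 'unknown source' };
    }
    // 3. Parse strictly; malformed input is rejected rather than partially honored.
    let req;
    try {
      req = JSON.parse(event.data);
    } catch (e) {
      return { ok: false, error: 'malformed request' };
    }
    if (!req || typeof req.api !== 'string' || typeof req.id !== 'number') {
      return { ok: false, error: 'malformed request' };
    }
    // 4. Consult the policy for this child before touching any privileged API.
    const allowed = policy[childId] || new Set();
    if (!allowed.has(req.api) || typeof privileged[req.api] !== 'function') {
      return { ok: false, id: req.id, error: 'api not permitted: ' + req.api };
    }
    // 5. Fulfil the approved request with the parent's own privileges.
    const result = privileged[req.api](req.args || {});
    return { ok: true, id: req.id, result };
  };
}

// Constructed scenario: the vault child (id 1) may read cookies, the UI child
// (id 2) may not, and a window the parent never created sends a message too.
function runProxyScenario() {
  const vaultWin = { name: 'vault-window' };
  const uiWin = { name: 'ui-window' };
  const strangerWin = { name: 'other-window' };
  const children = new Map([[1, vaultWin], [2, uiWin]]);
  const policy = { 1: new Set(['cookie.get']) };
  const cookieJar = { session: 'sess-123' }; // constructed sample value
  const privileged = {
    'cookie.get': (args) => cookieJar[args.name] || null,
  };
  const handle = createParentProxy(children, policy, privileged);
  return [
    handle({ source: vaultWin, data: JSON.stringify({ id: 1, api: 'cookie.get', args: { name: 'session' } }) }),
    handle({ source: uiWin, data: JSON.stringify({ id: 2, api: 'cookie.get', args: { name: 'session' } }) }),
    handle({ source: vaultWin, data: JSON.stringify({ id: 3, api: 'cookie.set', args: { name: 'x' } }) }),
    handle({ source: strangerWin, data: JSON.stringify({ id: 4, api: 'cookie.get', args: {} }) }),
    handle({ source: vaultWin, data: { id: 5, api: 'cookie.get' } }),
    handle({ source: vaultWin, data: '{not json' }),
  ];
}

console.log(runProxyScenario());
```

Attributing the sender by window reference rather than by a field in the message is what makes the per-child policy meaningful: in a DCS the browser guarantees the channel terminates at the parent, and the parent in turn must not let one child impersonate another. Keeping the interface to strings also removes the structured-clone surface the paper's "text interface" invariant is meant to avoid.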