Privilege Separation in HTML5 Applications
To appear at the 21st Usenix Security Symposium (Usenix Security), August 2012
@InProceedings{akhawe12privsep,
  author    = {Devdatta Akhawe and Prateek Saxena and Dawn Song},
  title     = {Privilege Separation in HTML5 Applications},
  booktitle = {Proc. of the 21st Usenix Security Symposium (Usenix Security)},
  year      = {2012},
}
Abstract
The standard approach for privilege separation in web applications is
to execute application components in different web origins. This
limits the practicality of privilege separation, since each web origin
has a financial and administrative cost. In this paper, we propose a new
design for achieving effective privilege separation in HTML5
applications that shows how applications can cheaply create an arbitrary
number of components. Our approach utilizes standardized abstractions
already implemented in modern browsers. We do not advocate any changes
to the underlying browser or require learning new high-level
languages, which contrasts with prior approaches. We empirically show that
we can retrofit our design to real-world HTML5 applications (browser
extensions and rich client-side applications) and achieve a reduction of
6x to 10000x in TCB for our case studies. Our mechanism requires less
than 13 lines of application-specific code changes and considerably
improves auditability. Our design has influenced the security
architecture of upcoming Chrome applications.
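As an added illustration that is not part of the paper or its released code: one way to keep the privileged API in a single parent "shim" and expose only policy-approved calls to unprivileged components. The abstract does not name the browser abstractions used, so the choice of sandboxed iframes plus postMessage, and the `privilegedApi` and `policy` objects, are assumptions made for this example.

```javascript
// Added example, not the paper's code. The parent shim is the only code that
// holds privileged capabilities; each component runs in a sandboxed iframe
// (opaque origin, no DOM access to the parent) and can only send requests.

// Hypothetical privileged API that lives only in the parent shim.
const privilegedApi = {
  readBookmarks: () => ['https://example.test/a', 'https://example.test/b'],
  saveNote: (text) => ({ saved: true, length: String(text).length }),
  deleteAll: () => { throw new Error('must not be reachable from a component'); },
};

// Policy: the set of calls each component may make. Anything unlisted is denied,
// so the privileged surface reachable from a component is exactly this table.
const policy = {
  viewer: new Set(['readBookmarks']),
  editor: new Set(['readBookmarks', 'saveNote']),
};

// Handle one request. `componentId` is the shim's own record of which frame
// sent the message (resolved from event.source below), never read from the body.
function handleRequest(componentId, msg) {
  const allowed = policy[componentId];
  if (!allowed || typeof msg !== 'object' || msg === null) {
    return { id: undefined, error: 'unknown component or malformed request' };
  }
  const { id, method, args } = msg;
  // Set.has() also rejects prototype names such as "toString" or "__proto__".
  if (typeof method !== 'string' || !allowed.has(method)) {
    return { id, error: `denied: ${String(method)}` };
  }
  if (!Array.isArray(args)) return { id, error: 'args must be an array' };
  try {
    return { id, result: privilegedApi[method](...args) };
  } catch (e) {
    return { id, error: 'call failed' }; // do not leak internal error details
  }
}

// Browser glue. A sandboxed iframe without allow-same-origin reports origin
// "null", so the shim identifies senders by window object, and replies must use
// targetOrigin "*" because "null" cannot be named; the sandbox keeps the reply
// confined to that frame. `frames` maps each component's contentWindow to its id.
function installShim(frames /* Map<Window, string> */) {
  if (typeof window === 'undefined') return; // not running in a browser
  window.addEventListener('message', (event) => {
    const componentId = frames.get(event.source);
    if (!componentId) return; // ignore messages from unregistered windows
    event.source.postMessage(handleRequest(componentId, event.data), '*');
  });
}
```

Each component is created with `iframe.sandbox = 'allow-scripts'` and registered in `frames`; adding a component is a new table entry rather than a new web origin.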
Source Code Release
Our evaluation case studies are available here.
Awards
The poster on a preliminary version of the work was awarded best poster at the SCRUBS poster session 2012.