User Interface Toolkit Mechanisms For Securing Interface Elements
Franziska Roesner, James Fogarty, Tadayoshi Kohno
Computer Science & Engineering
DUB Group, Security & Privacy Research Lab
University of Washington
User Interface Toolkits
• Ease interface design and implementation.
• Provide developers with flexibility and expressivity.
Assumption: Developers have full control of an interface.
New Challenge: Modern interfaces include elements implemented by different developers.
Ad from ad library
Social button from Facebook library
Map from Google library
Attack #1: Programmatic Click Fraud
[Diagram labels: Ad Server, App Developer, User Click, Programmatic Click]
Attack #2: Size Manipulation
Android requires applications to display a camera preview in order to take a photo.
1 pixel X 1 pixel camera preview
Attack #3: Eavesdropping
[Example screen: "NEW! Login with your Google account!"]
Interface Layout Tree
Background{App}
LoginBox{Google}
Text{App}
Terminology: Code from different developers is in different trust groups.
[Figure: Attack #3 (Eavesdropping) on the same interface layout tree; labels: App Developer, "p@ssw0rd", "********"]
Attack #4: Display Takeover
Ad Library Code:
    Widget parent = adWidget.getParent();
    parent.removeChildren();
    parent.addChild(fullScreenAd);
An Opportunity for Toolkits
• These vulnerabilities are in the user interface.
• Existing solutions come at the expense of interface usability and flexibility.
Addressing these vulnerabilities in the user interface toolkit provides better security and enables new interfaces.
Desired Security Properties
1. Display Integrity
2. Input Integrity
3. Intent Integrity
4. Data Isolation
5. UI-to-API Links
Protect the display of interface elements across trust groups.
Recall the attacks: Size Manipulation, Display Takeover
Prevent programmatic interaction with interface elements across trust groups.
Recall the attack: Programmatic Click Fraud
Protect displayed content and input across trust groups.
Recall the attack: Eavesdropping
Architecting a Toolkit for Security
Techniques:
• Isolating trust groups
• Interface layout tree invariants
• Model-level event listeners
• Composition across trust groups
• Flexible feedback (for drag-and-drop, lenses)
Goals: (1) Achieve our desired security properties. (2) Maintain usability and developer flexibility.
Interface Layout Tree Vulnerabilities
(1) Insecure Layout: Parent elements can manipulate the layout of the child elements.
Recall the attack: Size Manipulation
[Diagram label: Size Request]
(2) Insecure Input: Parents can eavesdrop on or modify events intended for children.
Recall the attack: Eavesdropping
[Diagram label: Input Events]
Problem: In a traditional layout tree, there is no guarantee of a trusted path to every node.
Interface Layout Tree Invariants
Solution: Introduce new invariants:
1. The root node of an application's layout tree must be a system node.
2. Only system nodes may have children of a different trust group.
[Diagram labels: system, Input Events, Size Request]
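The two invariants can be checked mechanically over a layout tree. The sketch below is an added example, not code from the talk or the authors' prototypes: the node shape, the function names `checkInvariants` and `untrustedAncestors`, and both sample trees are assumptions constructed around the slides' Name{Group} login example.

```javascript
// Added illustration (not the authors' toolkit code). Node shape and function
// names are hypothetical; labels follow the slides' Name{Group} notation.
const SYSTEM = "System";

function node(name, group, children = []) {
  return { name, group, children };
}
const label = (n) => `${n.name}{${n.group}}`;

// Check the two invariants from the slides; returns a list of violations.
function checkInvariants(root) {
  const violations = [];
  if (root.group !== SYSTEM) {
    violations.push(`invariant 1: root ${label(root)} is not a system node`);
  }
  const walk = (parent) => {
    for (const child of parent.children) {
      if (child.group !== parent.group && parent.group !== SYSTEM) {
        violations.push(
          `invariant 2: ${label(parent)} has child ${label(child)} of another trust group`);
      }
      walk(child);
    }
  };
  walk(root);
  return violations;
}

// For each node, list the ancestors that are neither system nodes nor in the
// node's own trust group: untrusted code on its layout and input path.
function untrustedAncestors(root) {
  const result = {};
  const walk = (n, ancestors) => {
    result[label(n)] = ancestors
      .filter((a) => a.group !== SYSTEM && a.group !== n.group)
      .map(label);
    n.children.forEach((c) => walk(c, [...ancestors, n]));
  };
  walk(root, []);
  return result;
}

// Constructed sample trees for the login example (topology is an assumption).
const traditional = node("Background", "App", [
  node("LoginBox", "Google"),
  node("Text", "App"),
]);
const secured = node("Root", SYSTEM, [
  node("Background", "App", [node("Text", "App")]),
  node("LoginBox", "Google"),
]);

console.log(checkInvariants(traditional));
console.log(untrustedAncestors(traditional)["LoginBox{Google}"]);
console.log(checkInvariants(secured));
```

When both invariants hold, every ancestor of a node is either in the node's own trust group or a system node, so the second function returns empty lists throughout.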
Interface Layout Tree Invariants: How to do visual embedding?
Solution: Introduce a system-trusted proxy node into the layout tree.
The proxy node is introduced automatically and can be transparent to the developer.
[Figure: two layout trees for the "NEW! Login with your Google account!" example. One contains Root{System}, Proxy{System}, Background{App}, LoginBox{Google}, Text{App}; the other contains Root{System}, Background{App}, LoginBox{Google}, Text{App}.]
More in the paper!
• Techniques for flexibility
– Exposing model-level APIs across trust groups
– Composing trust groups in one interface element
– Supporting feedback (drag-and-drop, lenses)
• Prototype implementations for Android and a web browser
[Diagram label: Login token]
Conclusion
• Questions for future work and discussions:
– What are appropriate defaults for access to APIs across trust groups?
– What new interfaces will a secure toolkit enable?
A security-aware toolkit architecture can achieve security properties while maintaining developer flexibility.
This work was supported by the NSF under Graduate Research Fellowship award DGE-0718124 as well as awards CNS-0846065 and IIS-1053868.