Security Assurance for Web Device APIs, Maritza Johnson and Steven M. Bellovin (PowerPoint presentation)



SLIDE 1

1 / 7

Security Assurance for Web Device APIs

Maritza Johnson and Steven M. Bellovin http://www.cs.columbia.edu/~{maritzaj,smb} Columbia University

December 9, 2008

SLIDE 2

The Problem

Navigation bar: The Problem / Usability Principles / Isolation Principles / Device Categories / High-Assurance Implementation / Failures...


Web servers want access to very sensitive devices

There is a history of trouble in this space

We need a high-assurance guarantee that the implementation is correct

We need a high-assurance guarantee that the user understands what is happening

What are the design principles for any API spec, given that we cannot rely on bug-free code or bug-free users?

SLIDE 3 (builds 3 through 8)

Usability Principles

1. The user must explicitly authorize any and all accesses to devices
   Permission requests cannot be generated implicitly; users ignore warnings and click through pop-up boxes

2. The user must understand the consequences of any change
   Stream receive must be at the same host as the permission request; requests cannot come from IFRAMEs unless the URLs match

3. The state of the system must be visible at all times
   The user must see what access is authorized

SLIDE 9

Isolation Principles


Must give implementors (and users) confidence that the system will behave properly

Secure across software upgrades

Secure against new, unforeseen devices

System must “fail secure”

SLIDE 10

Device Categories


Devise categories: physical world, privacy, etc.

Assign each device to a category

New devices must be in a category to be used; forces a decision

Grant or withhold permission based on at least category; simplifies user decision process
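The usability principles (explicit authorization, stream receive at the requesting host, visible state) and the device-category rules above can be modelled as a small permission broker. The following is an added example, not code from the Johnson and Bellovin slides: the class and method names, the sample device-to-category assignment and the origins used are assumptions made here for illustration, and an IFRAME request is accepted only when its origin equals the page's, which is how this example reads the slide's "unless the URLs match".

```python
"""Toy permission broker for the usability and device-category principles above.

Added example, not code from the Johnson and Bellovin slides: the class and
method names, the sample device list and the origins used below are
assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit


class DeviceAccessDenied(Exception):
    """Raised whenever a principle is violated: the broker fails secure."""


def origin_of(url: str) -> Tuple[str, str, Optional[int]]:
    """Scheme, host and port of a URL; anything unparsable is refused outright."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise DeviceAccessDenied(f"unusable origin: {url!r}")
    return (parts.scheme, parts.hostname.lower(), parts.port)


@dataclass
class Broker:
    # Device Categories: a device must be placed in a category before it can be
    # used at all. Sample assignment, constructed for this demo.
    categories: Dict[str, str] = field(default_factory=lambda: {
        "camera0": "physical world",
        "microphone0": "physical world",
        "addressbook": "privacy",
    })
    # Grants are keyed by (host, category): "grant or withhold permission based
    # on at least category".
    grants: Set[Tuple[str, str]] = field(default_factory=set)

    def request(self, page_url: str, device: str, user_says_yes: bool,
                frame_url: Optional[str] = None) -> bool:
        """Principle 1: nothing is granted without an explicit user decision."""
        if device not in self.categories:
            # Fail secure: an uncategorised device forces a decision first.
            raise DeviceAccessDenied(f"{device} has no category; refusing")
        if frame_url is not None and origin_of(frame_url) != origin_of(page_url):
            # A request from an IFRAME is honoured only when its URL matches the
            # page's (compared here as origins, an assumption of this example).
            raise DeviceAccessDenied("device request from a foreign IFRAME")
        if not user_says_yes:
            return False  # a declined or unanswered prompt never grants anything
        self.grants.add((origin_of(page_url)[1], self.categories[device]))
        return True

    def receive_stream(self, receiver_url: str, device: str) -> bool:
        """Principle 2: the stream goes only to the host that asked for it."""
        category = self.categories.get(device)
        if (origin_of(receiver_url)[1], category) not in self.grants:
            raise DeviceAccessDenied(f"{receiver_url} was never authorised for {device}")
        return True

    def visible_state(self) -> List[str]:
        """Principle 3: the authorised state must be displayable at all times."""
        return sorted(f"{host} may use {cat} devices" for host, cat in self.grants)
```

Because grants are recorded per category rather than per device, a user who authorises the camera for a host has, as the slide puts it, decided "based on at least category": the same host may then receive the microphone stream, but an uncategorised device or a different host is refused with an exception rather than a silent default.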

SLIDE 11

High-Assurance Implementation


(Unix-style solution; Windows is similar)

Create a group for each category; assign devices to the proper group with permission 060 (group read/write; no others)

To enable a category (device), create a setgid program executable only by that user but setgid to the category's group

No page interpretation failure can access an unauthorized device (though erroneous web pages can)
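The reason a page-interpretation failure cannot reach an unauthorized device is that the kernel's ordinary owner/group/other check makes the decision, not the browser. The following added example (not from the slides) models that mapping: one group per category, device nodes with mode 060, and a setgid helper that switches the effective gid. The uid and gid numbers, group names and device paths are constructed for the demonstration, and `unix_access()` re-implements the standard discretionary check so the model runs without root.

```python
"""Model of the Unix-style mapping on this slide: one group per device
category, device nodes with mode 060, and a per-category setgid helper.

Added example, not from the slides: the uid/gid numbers, group names and
device paths are constructed for the demonstration, and unix_access()
re-implements the ordinary owner/group/other check so the model runs as an
unprivileged user.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet

R, W = 4, 2  # read and write bits within one octal permission digit

# Constructed gids for the deck's example categories ("physical world, privacy, etc.").
CATEGORY_GID: Dict[str, int] = {"physical world": 5001, "privacy": 5002}


@dataclass(frozen=True)
class Process:
    uid: int
    egid: int
    groups: FrozenSet[int] = frozenset()


@dataclass(frozen=True)
class DeviceNode:
    path: str
    uid: int
    gid: int
    mode: int  # e.g. 0o060: group read/write, nothing for owner or others


def unix_access(node: DeviceNode, proc: Process, want: int) -> bool:
    """Classic discretionary check: root first, then owner, group, other bits.

    The kernel makes this decision, so a browser bug that tries to open a
    device node it was never enabled for is stopped regardless of page content.
    """
    if proc.uid == 0:
        return True
    if proc.uid == node.uid:
        bits = (node.mode >> 6) & 7
    elif proc.egid == node.gid or node.gid in proc.groups:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return bits & want == want


def install_device(path: str, category: str) -> DeviceNode:
    """Assign a device to its category's group with permission 060.

    A device without a category cannot be installed at all, which is the
    "new devices must be in a category to be used" rule failing secure.
    """
    if category not in CATEGORY_GID:
        raise ValueError(f"{category!r} is not a known device category")
    return DeviceNode(path, uid=0, gid=CATEGORY_GID[category], mode=0o060)


def enable(proc: Process, category: str) -> Process:
    """Effect of running the category's setgid helper (executable only by this
    user): same uid, egid becomes the category group, so only that category's
    nodes open."""
    return Process(proc.uid, CATEGORY_GID[category], proc.groups)


def demo() -> Dict[str, bool]:
    camera = install_device("/dev/camera0", "physical world")  # constructed path
    renderer = Process(uid=1000, egid=1000)  # the browser's page-interpreting process
    return {
        "renderer_direct": unix_access(camera, renderer, R | W),
        "renderer_via_helper": unix_access(camera, enable(renderer, "physical world"), R | W),
        "helper_for_other_category": unix_access(camera, enable(renderer, "privacy"), R | W),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

Running `demo()` shows the property the slide claims: the renderer is denied directly, allowed only after the matching category's setgid helper, and still denied through a helper for a different category. The caveat on the slide remains: an erroneous page that the user did authorise runs with the category group and is not stopped by this check.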

SLIDE 12
Failures...
