Difference between revisions of "Category:Summit 2011 Browser Security Track"

From OWASP
(Added info on current subtopics and co-chairs)

=Track: Browser Security=

Info about the browser security track.

==Virtualization and Sandboxing for Secure Multi-Domain Web Apps==

[[Image:JS_DOM_Box_Jasvir_Gaz.jpg]]

====Co-chair Dr Jasvir Nagra====

Jasvir Nagra is a researcher and software engineer at Google. He is the designer of [http://code.google.com/p/google-caja/ Caja] - a secure subset of HTML, CSS and JavaScript; co-author of [http://www.amazon.com/Surreptitious-Software-Obfuscation-Watermarking-Tamperproofing/dp/0321549252 Surreptitious Software] - a book on obfuscation, software watermarking and tamper-proofing; and a contributor to [http://shindig.apache.org/ Shindig] - the reference implementation of OpenSocial.

====Co-chair Gareth Heyes====

Gareth "Gaz" Heyes calls himself Chief Conspiracy Theorist and is affiliated with Microsoft. He is the designer and developer behind [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=JSReg JSReg] – a JavaScript sandbox which converts code using regular expressions; and [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=HTMLReg HTMLReg] & [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=CSSReg CSSReg] – converters of malicious HTML/CSS into a safe form of HTML. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls, including IDS/IPS.

====Goals (draft)====

Goals and issues that need browser vendor cooperation:

* '''Applying un-sandboxed methods inside the sandboxed environment'''. We need a way of standardizing how to extend the environment. For example, let's say we want to modify the alert function to do something different in sandboxed code. Do we just allow code to be injected into the "window"? If I decide to use a function called "extendSandbox" in sandbox A from vendor A, this won't work in sandbox B from vendor B unless it has been defined there.

* '''Client-side sandboxed apps maintaining state and authentication'''. For example, if a user is created in a sandboxed app, how is it determined what that user can do?

* '''Create a standard for modifying a sandboxed environment'''

* '''Create a standard for authentication within a sandboxed environment''' (perhaps interfacing with existing authentication without passing credentials, the way OAuth works)

====Working Form====

The working form will most probably be short presentations to frame the topic, followed by round-table discussions. Depending on the number of attendees, we'll break into groups.


==End-user Warnings==

[[Image:Three_browsers_user_info.jpg]]

How should browsers signal invalid SSL certs to the end user? Are we helping security right now? What should we do about the 50 % of users who click through warnings? Mozilla replaces the padlock with a [https://support.mozilla.com/en-US/kb/Site%20Identity%20Button site identity button] in Firefox 4; "Larry" will inform the user of the site's status. Google recently tried out a skull & bones icon for bad certs but moved back to [http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95617 padlocks] again.

====Goals (draft)====

Clearly there is a need for warnings that users understand and that convey the right information. Perhaps we can agree on some guidelines or at least exchange lessons learned.


==New HTTP Headers==

Are new opt-in HTTP headers the right way to add security features? For example:

* [http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02 HTTP Strict Transport Security] for enforced HTTPS (supported in Chrome 4, Firefox+NoScript, Firefox 4 and up)

* [http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx X-Frame-Options] for preventing framing (supported in IE8, FF3.6, Safari 4, Opera 10.5, Chrome 4 and up)

* [https://developer.mozilla.org/en/Introducing_Content_Security_Policy Content Security Policy] for whitelisting of script and media sources (supported in Firefox 4 and up)

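As an added example (not from this page or from any project it names), a small Python check that inspects a response's headers for the three opt-in protections listed above and flags missing or weak settings; the HSTS age threshold and the two sample responses are constructed assumptions, and the Firefox 4 header name X-Content-Security-Policy is accepted alongside the unprefixed one.

```python
# Added example, not from the OWASP page: audit the three opt-in headers the track lists
# (HSTS, X-Frame-Options, CSP). The age threshold and sample responses are constructed.
def parse_hsts(value):
    """Return (max-age in seconds or None, includeSubDomains present)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.strip().isdigit():
            max_age = int(arg)
        elif name.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def csp_sources(csp, directive):
    """Return the source tokens of one CSP directive, or None if absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == directive:
            return tokens[1:]
    return None

def audit_headers(headers, min_hsts_age=15552000):
    """Return findings as strings; an empty list means all three look sound."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: the browser will not force HTTPS")
    else:
        age, sub = parse_hsts(hsts)
        if age is None or age < min_hsts_age:
            findings.append("HSTS max-age missing or shorter than %d seconds" % min_hsts_age)
        if not sub:
            findings.append("HSTS does not cover subdomains (no includeSubDomains)")
    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN: page can be framed")
    # Firefox 4 shipped CSP under the X-Content-Security-Policy name; accept both.
    csp = h.get("content-security-policy") or h.get("x-content-security-policy")
    if csp is None:
        findings.append("CSP missing: script and media sources are not whitelisted")
    else:  # script-src falls back to default-src; neither present means any source
        srcs = csp_sources(csp, "script-src")
        if srcs is None:
            srcs = csp_sources(csp, "default-src")
        if srcs is None or "'unsafe-inline'" in srcs or "*" in srcs:
            findings.append("CSP allows inline scripts or scripts from any origin")
    return findings

WEAK_RESPONSE = {"Strict-Transport-Security": "max-age=600", "X-Frame-Options": "ALLOW",
                 "Content-Security-Policy": "default-src 'self'; script-src 'self' *"}
HARDENED_RESPONSE = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                     "X-Frame-Options": "DENY", "Content-Security-Policy": "default-src 'self'"}
```

Running `audit_headers(WEAK_RESPONSE)` reports four findings (short HSTS age, no subdomain coverage, a non-standard X-Frame-Options value, and a wildcard script source), while the hardened response yields none.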
====Co-chair John Wilander====

[http://www.owasp.org/index.php/User:John.wilander John Wilander] is chapter co-leader in Sweden and ran the AppSec conference in Stockholm in 2010. He is still [http://www.ida.liu.se/~johwi/research_publications/ pursuing his PhD in software security] and works as an appsec consultant in media/banking/healthcare.

====Co-chair Michael Coates====

[http://www.owasp.org/index.php/User:MichaelCoates Michael Coates] is a long-time OWASP contributor and leader, as well as a Mozilla employee. He leads the [http://www.owasp.org/index.php/Category:OWASP_AppSensor_Project AppSensor] and the [http://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet TLS Cheat Sheet] projects.


==Securing Plugins==

Should browsers ship with default plugins? Should plugins be auto-updated? Can plugins or versions of plugins be blacklisted centrally?


==Blacklisting==

Can we cooperate better on blacklisting? Does it work across cultures, i.e. can we have the same reporting process throughout the world?


==OS Integration==

More and more browser features get integrated with the underlying operating system: processes, fonts, the filesystem, 3D graphics. How do we secure this?


==Sandboxed Tabs/Domains/Browser==

Microsoft Research has been doing some groundbreaking work on the [http://research.microsoft.com/apps/pubs/default.aspx?id=79655 Gazelle browser], Chrome uses a sandboxing model, and the [http://www.romab.com/ironsuite/ IronSuite] provides sandboxed versions of Firefox ([http://www.romab.com/ironfox/ IronFox]) and Safari on Mac OS X.

[[Category: Summit 2011 Tracks]]

Revision as of 14:02, 4 January 2011
