SOMA

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

SOMA: mutual approval for included content in web pages

Full text

Pdf (207 KB)

Source

Conference on Computer and Communications Security archive
Proceedings of the 15th ACM conference on Computer and communications security table of contents

Alexandria, Virginia, USA

SESSION: Browser security table of contents

Pages 89-98

Year of Publication: 2008

ISBN:978-1-59593-810-7

Authors

Terri Oda	Carleton University, Ottawa, ON, Canada
Glenn Wurster	Carleton University, Ottawa, ON, Canada
P. C. van Oorschot	Carleton University, Ottawa, ON, Canada
Anil Somayaji	Carleton University, Ottawa, ON, Canada

Sponsors

ACM: Association for Computing Machinery
SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 39, Downloads (12 Months): 365, Citation Count: 1

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1455770.1455783 What is a DOI?

ABSTRACT

Unrestricted information flows are a key security weakness of current web design. Cross-site scripting, cross-site request forgery, and other attacks typically require that information be sent or retrieved from arbitrary, often malicious, web servers. In this paper we propose Same Origin Mutual Approval (SOMA), a new policy for controlling information flows that prevents common web vulnerabilities. By requiring site operators to specify approved external domains for sending or receiving information, and by requiring those external domains to also approve interactions, we prevent page content from being retrieved from malicious servers and sensitive information from being communicated to an attacker. SOMA is compatible with current web applications and is incrementally deployable, providing immediate benefits for clients and servers that implement it. SOMA has an overhead of one additional HTTP request per domain accessed and can be implemented with minimal effort by application and web browser developers. To evaluate our proposal, we have developed a Firefox SOMA add-on.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Adobe Systems Incorporated. External data not accessible outside a Macromedia Flash movie's domain. Technical Report tn_14213, Adobe Systems Incorporated, Feb 2006.
	2	Alexa top 500 sites. Web page (viewed 14 Apr 2008). http://www.alexa.com/site/ds/top_sites?ts_mode=global?=none.
	3	R. Auger. The cross-site request forgery (CSRF/XSRF) FAQ. Web page, Jan 2007. http://www.cgisecurity.com/articles/csrf-faq.shtml.
	4	R. Berends. Bandwidth stealing. Web page, Apr 2001. http://www.website-awards.net/articles/article39.htm.
	5	CERT advisory CA-2000-02 malicious HTML tags embedded in client web requests. Web page, Feb 2000. http://www.cert.org/advisories/CA-2000-02.html.
	6	The cross site scripting (XSS) FAQ. Web page, Aug 2003. http://www.cgisecurity.com/articles/xss-faq.shtml.
	7	Richard S. Cox , Steven D. Gribble , Henry M. Levy , Jacob Gorm Hansen, A Safety-Oriented Platform for Web Applications, Proceedings of the 2006 IEEE Symposium on Security and Privacy, p.350-364, May 21-24, 2006 [doi>10.1109/SP.2006.4]
	8	D. Dean , Felten , Wallach, Java Security: From HotJava to Netscape and Beyond, Proceedings of the 1996 IEEE Symposium on Security and Privacy, p.190, May 06-08, 1996
	9	S. DeDeo. Pagestats extension. Web page, May 2006. http://www.cs.wpi.edu/~cew/pagestats/.
	10	Dorothy E. Denning, A lattice model of secure information flow, Communications of the ACM, v.19 n.5, p.236-243, May 1976 [doi>10.1145/360051.360056]
	11	Edward W. Felten , Michael A. Schneider, Timing attacks on Web privacy, Proceedings of the 7th ACM conference on Computer and communications security, p.25-32, November 01-04, 2000, Athens, Greece [doi>10.1145/352600.352606]
	12	Ian Goldberg , David Wagner , Randi Thomas , Eric A. Brewer, A secure environment for untrusted helper applications confining the Wily Hacker, Proceedings of the 6th conference on USENIX Security Symposium, Focusing on Applications of Cryptography, p.1-1, July 22-25, 1996, San Jose, California
	13	J. Grossman and T. Niedzialkowski. Hacking intranet websites from the outside --- JavaScript malware just got a lot more dangerous. In Blackhat USA, Aug 2006.
	14	Jon Howell , Collin Jackson , Helen J. Wang , Xiaofeng Fan, MashupOS: operating system abstractions for client mashups, Proceedings of the 11th USENIX workshop on Hot topics in operating systems, p.1-7, May 07-09, 2007, San Diego, CA
	15	Collin Jackson , Adam Barth , Andrew Bortz , Weidong Shao , Dan Boneh, Protecting browsers from dns rebinding attacks, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA [doi>10.1145/1315245.1315298]
	16	Collin Jackson , Helen J. Wang, Subspace: secure cross-domain communication for web mashups, Proceedings of the 16th international conference on World Wide Web, May 08-12, 2007, Banff, Alberta, Canada [doi>10.1145/1242572.1242655]
	17	N. Jovanovic, E. Kirda, and C. Kruegel. Preventing cross site request forgery attacks. In Proc. 2nd IEEE Conference on Security and Privacy in Communication Networks (SecureComm), Aug 2006.
	18	Katarzyna Keahey , Karl Doering , Ian Foster, From Sandbox to Playground: Dynamic Virtual Environments in the Grid, Proceedings of the 5th IEEE/ACM International Workshop on Grid Computing, p.34-42, November 08-08, 2004 [doi>10.1109/GRID.2004.32]
	19	Engin Kirda , Christopher Kruegel , Giovanni Vigna , Nenad Jovanovic, Noxes: a client-side solution for mitigating cross-site scripting attacks, Proceedings of the 2006 ACM symposium on Applied computing, April 23-27, 2006, Dijon, France [doi>10.1145/1141277.1141357]
	20	J. Kyrnin. Are you invading your customers' privacy? Web page (viewed 14 Apr 2008). http://webdesign.about.com/od/privacy/a/aa112601a.htm.
	21	V. T. Lam , S. Antonatos , P. Akritidis , K. G. Anagnostakis, Puppetnets: misusing web browsers as a distributed attack infrastructure, Proceedings of the 13th ACM conference on Computer and communications security, October 30-November 03, 2006, Alexandria, Virginia, USA [doi>10.1145/1180405.1180434]
	22	G. Maone. NoScript -- JavaScript/Java/Flash blocker for a safer Firefox experience! Web page (viewed 14 Apr 2008). http://noscript.net/.
	23	Microsoft. Mitigating cross-site scripting with HTTP-only cookies. Web page (viewed 18 Jul 2008). http://msdn.microsoft.com/en-us/library/ms533046.aspx.
	24	A. D. Miglio. "Referer" field used in the battle against online fraud. Web page, Jan 2008. http://www.symantec.com/enterprise/security_response/weblog/2008/01/referer_field_used_in_the_batt.html.
	25	T. Oda, G. Wurster, P. van Oorschot, and A. Somayaji. SOMA: Mutual approval for included content in web pages. Technical Report TR-08-07, School of Computer Science, Carleton University, Apr 2008.
	26	N. Provos, P. Mavrommatis, M. A. Rajab, and F. Monrose. All your iframes point to us. In Proc. 17th USENIX Security Symposium, Aug 2008.
	27	Niels Provos , Dean McNamee , Panayiotis Mavrommatis , Ke Wang , Nagendra Modadugu, The ghost in the browser analysis of web-based malware, Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets, p.4-4, April 10, 2007, Cambridge, MA
	28	J. Reimer. Microsoft apologizes for serving malware. Ars Technica, Feb 2007.
	29	C. Reis, J. Dunagan, H. J. Wang, O. Dubrovsky, and S. Esmeir. BrowserShield: Vulnerability-driven filtering of dynamic HTML. In Proc. IEEE Symposium on Security and Privacy, May 2006.
	30	Aviel D. Rubin , Daniel E. Geer, Jr., Mobile Code Security, IEEE Internet Computing, v.2 n.6, p.30-34, November 1998 [doi>10.1109/4236.735984]
	31	J. Ruderman. The same origin policy. Web page, Aug 2001. http://www.mozilla.org/projects/security/components/same-origin.html.
	32	B. Schiffman. Rogue anti-virus slimeballs hide malware in ads. Wired, Nov 2007.
	33	J. Schuh. Same-origin policy part 2: Server-provided policies? Web page, Feb 2007. http://taossa.com/index.php/2007/02/17/same-origin-proposal/.
	34	T. Scott. Smarter image hotlinking prevention. A List Apart, Apr 2004.
	35	R. Sekar , C. R. Ramakrishnan , I. V. Ramakrishnan , S. A. Smolka, Model-Carrying Code (MCC): a new paradigm for mobile-code security, Proceedings of the 2001 workshop on New security paradigms, September 10-13, 2001, Cloudcroft, New Mexico [doi>10.1145/508171.508175]
	36	B. Sterne. Site security policy draft (version 0.2). Web Page, Jul 2008. http://people.mozilla.org/~bsterne/site-security--policy/details.html.
	37	Linda Tauscher , Saul Greenberg, How people revisit web pages: empirical findings and implications for the design of history systems, International Journal of Human-Computer Studies, v.47 n.1, p.97-137, July 1997 [doi>10.1006/ijhc.1997.0125]
	38	P. Vogt, F. Nentwich, N. Jovanovic, C. Kruegel, E. Kirda, and G. Vigna. Cross site scripting prevention with dynamic data tainting and static analysis. In Proc. 14th NDSS Symposium, Feb 2007.
	39	Robert Wahbe , Steven Lucco , Thomas E. Anderson , Susan L. Graham, Efficient software-based fault isolation, ACM SIGOPS Operating Systems Review, v.27 n.5, p.203-216, Dec. 1993
	40	Helen J. Wang , Xiaofeng Fan , Jon Howell , Collin Jackson, Protection and communication abstractions for web browsers in MashupOS, Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles, October 14-17, 2007, Stevenson, Washington, USA
	41	WordPress.org. Enable sending referrers. Web page (viewed 14 Apr 2008). http://codex.wordpress.org/Enable_Sending_Referrers.