WebSand project

Project scope

Since its birth in 1990, the Web has evolved from a simple, stateless delivery mechanism for static hypertext documents to a fully-fledged run-time environment for distributed, multi-party applications. Security becomes increasingly important in this context, but is typically only an afterthought in this process. The next wave, the Future Internet, will continue to rely on the same Web application technology, while adopting more p2p and mashup-style approaches.

Today's server-centric solutions will give way to a rich and stateful client-centric paradigm with even less manageable security and even more severe threats to the Web-based economy of the Future Internet. Data and services from multiple heterogeneous domains, aggregated both on the server side and on an end-user's client, demand a novel, comprehensive security solution that increases the user's trust in the technological infrastructure.

The WebSand research project aims to tackle this demand by departing from the observation that security should be server-driven. Even though security preferences from end-users on the client-side have to be taken into account, only the service developers on the server-side have the necessary expertise and context information to define the policies to be enforced. Moreover, server-driven security can be deployed relatively easily since much can be achieved without updating the client-side platform.

The WebSand project framework consists of four major building blocks:

  1. A secure interaction model that allows explicit and fine-grained control concerning incoming Web communication
  2. Methods for secure end-to-end information flow control to enforce confidentiality and integrity properties
  3. Behavioral sandbox environments for secure client-side and server-side composition of multi-origin components
  4. A declarative and expressive policy description mechanism that ties the individual components together into a united security architecture spanning client and server.

Overall goal of WebSand

The overall goal of the WebSand project is to empower Web application developers, hosters, and users in designing, implementing, and running secure applications. Developers and hosters may be empowered to develop and deploy secure Web applications on their application servers. Users could benefit from the project's results by transparently receiving a security platform for their applications on their clients. To achieve this goal, WebSand will define fine-grained security policies and apply a novel sandboxing technique to the application to enable a client-side enforcement of the given policies. WebSand aims at non-disruptively building upon existing Web application technologies where possible to allow a seamless, immediate adoption of results in existing and future Web applications.

WebSand focuses on the fine-grained security policies necessary for Future Internet applications. The hybrid aggregation of content and functionality across multiple trust boundaries (each with its particular security characteristics), as is typically the case in client-side and server-side mashups, and the fragmentation of ownership clearly illustrate the limitations of the coarse-grained security policies in today's Internet. A single security domain per application, and the same-origin policy as the cross-domain barrier, no longer suffice to reflect the security needs of Future Internet applications. Increased client-side cross-domain communication, as promoted by rich Internet clients and scripting frameworks, demands security policies that span multiple origins.

The WebSand project aims to enable the specification and enforcement of three classes of security policies: fine-grained access control policies, information flow control policies and secure composition policies.

  • The fine-grained access control policies secure the Web interaction model between the client and the server. More precisely, these policies define how the application authenticates and authorizes end-users, from which application contexts the application can be consulted, and which interaction sequences maintain the application's integrity (i.e., control flow integrity).
  • The information flow control policies specify how sensitive and public data, possibly originating from multiple content providers in multiple trust domains, can be used in data aggregations, and client-side and server-side processing as is typically done in mashups. Typically, this involves information flow policies from several involved parties, with possibly conflicting goals. Moreover, these information flow policies can also specify how sensitive application data (such as session state) is prevented from leaking to other applications.
  • The secure composition policies specify how active third-party components, for instance written in JavaScript, can be securely integrated into applications via client-side and server-side mashups. In the current Web model, the only constraint on third-party execution is the same-origin policy, where e.g. scripts running on pages originating from the same site can access each other's data. WebSand's secure composition policies will be much more expressive, allowing the specification of the necessary privileges of each component, including both behavioral capabilities and interaction constraints. In this way, we aim to achieve a least-privilege composition and reach the much-needed goal of secure multi-origin policies.

As a necessary prerequisite for the enforcement of such policies, a goal of WebSand is to enforce a reliable separation of data and executable code, e.g. through a strict type system. This separation also thwarts many types of injection attacks targeting a server or relying on injected scripts being reflected to a client-side end-user.
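The following is an added illustration, not WebSand project code, of the data/code separation this paragraph describes: a small typed template in which plain strings are treated as data and always escaped, while only values carrying a `TrustedHtml` type (a name assumed here) are inserted as markup. The untyped string-concatenation variant is shown alongside it for comparison.

```javascript
// Added example (not WebSand project code): separating data from executable
// markup with a type, the idea behind "a strict type system" that thwarts
// injection. Plain strings are data and are always escaped; only values
// wrapped in TrustedHtml (markup produced by the template itself, or markup
// the server explicitly vouches for) are inserted verbatim.

class TrustedHtml {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}

// Escape the characters that would let data change the HTML structure.
function escapeHtml(data) {
  return String(data)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Tagged template: the literal parts are code written by the developer, the
// interpolated parts are data unless they are already typed as TrustedHtml.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += (v instanceof TrustedHtml) ? v.markup : escapeHtml(v);
    out += strings[i + 1];
  });
  return new TrustedHtml(out);
}

// The untyped alternative: concatenation, where data and code are
// indistinguishable, so a user-supplied name becomes markup.
function renderUntyped(name) {
  return '<p>Hello, ' + name + '</p>';
}

// The typed alternative: the name can only ever be data.
function renderTyped(name) {
  return html`<p>Hello, ${name}</p>`;
}

// Constructed sample input: a display name that contains markup.
const sampleName = '<i>bob</i>';
```

Nesting a `TrustedHtml` value inside another template keeps its markup intact, so composition of typed fragments works without double-escaping.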

Server-driven approach

To enforce these fine-grained security policies, the WebSand project applies a unique server-driven outbound sandboxing paradigm (see figure below). The diagram also captures WebSand's ability to secure client-side data aggregation (service provider to the right) and secure service composition, including the aggregation of active content (service provider to the left).

Client-side enforcement

The WebSand research project starts from the realistic assumption that policies should be defined at the server and that enforcement should happen as much as possible at the server. The server -- from where (meta-)data and client-side application code originate -- is thereby implicitly assumed to be trusted. Likewise, client-side application code sent by the server that adheres to the WebSand security specification and enforcement techniques is assumed to be trusted. Code from the trusted server that is bound to WebSand security policies runs with more capabilities in its client's sandboxed environment, e.g. access to local resources, than code from a different domain without such techniques. The latter is executed in a more constrained sandbox environment.
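As an added sketch (not WebSand project code) of the server-driven enforcement just described and of the secure composition policies listed earlier, the client below receives a composition policy from the trusted server and gives each component only the behavioral capabilities and messaging partners the policy names; code from an origin the policy does not mention gets nothing. The policy layout, capability names and origins are assumptions constructed for this example.

```javascript
// Added example (not WebSand project code). The server ships a composition
// policy alongside the page; the client grants each component only the
// capabilities and interaction partners the policy names. Policy shape,
// capability names and origins are assumptions constructed for this sketch.
const policy = {
  components: {
    'https://app.example/main.js': {            // code from the trusted server
      capabilities: ['storage.read', 'storage.write', 'net.fetch'],
      mayMessage: ['https://widget.example/chart.js'],
    },
    'https://widget.example/chart.js': {        // third-party widget, least privilege
      capabilities: ['dom.render'],
      mayMessage: [],
    },
  },
};

// Full capability set implemented by the client-side platform (stand-ins).
const platform = {
  'storage.read':  () => 'session-token',
  'storage.write': (v) => `stored:${v}`,
  'net.fetch':     (url) => `fetched:${url}`,
  'dom.render':    (h) => `rendered:${h}`,
};

// Build the sandbox API for one component: only granted capabilities exist,
// and any other access is a hard failure rather than a silent undefined.
function sandboxFor(origin) {
  const entry = policy.components[origin];
  const granted = entry ? entry.capabilities : [];   // unknown origin: nothing
  const mayMessage = entry ? entry.mayMessage : [];
  const api = {};
  for (const name of granted) api[name] = platform[name];
  api.postMessage = (target, msg) => {              // interaction constraint
    if (!mayMessage.includes(target)) throw new Error(`${origin} may not message ${target}`);
    return `${origin} -> ${target}: ${msg}`;
  };
  return new Proxy(api, {
    get(obj, prop) {
      if (!(prop in obj)) throw new Error(`${origin} lacks capability ${String(prop)}`);
      return obj[prop];
    },
  });
}

// Run a component's code against its sandbox and report whether the policy blocked it.
function run(origin, code) {
  try { return { ok: true, value: code(sandboxFor(origin)) }; }
  catch (e) { return { ok: false, error: e.message }; }
}
```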

Workplan

WebSand is a 36-month research project that can be subdivided into five main technical parts and a dissemination package, together with a work package WP7 devoted to project management. The dependencies (and input-output relations) between the work packages are depicted below.

WP dependencies

The project starts with WP1 (Requirement Analysis), which will drive the other work packages. WP1 will consolidate the existing state of the art in Web application security and investigate emerging security scenarios of the Future Internet via well-chosen and representative use case scenarios. The requirements will be refined iteratively during the project and will be driven from month 4 by the three technical enforcement work packages: WP2 (Secure Web Interaction), WP3 (Information Flow Control), and WP4 (Secure Composition).

Based on the requirements of WP1, each of the enforcement work packages will develop fine-grained security policies and enforcement mechanisms. This will allow for a server-driven sandboxing approach on the client-side.

In parallel, the selected use case scenarios of WP1 will be concretised and implemented in the course of WP5 (Evaluation and Integration). This will provide an early testbed for the policies defined in the other technical work packages and provide feedback to WP1. In addition, these use case scenarios will provide an integration and evaluation platform for the solutions developed in WP2, WP3 and WP4.

WP6 (Dissemination and Integration) will build on the outcome of WP1 through WP5 to disseminate the research results in both academia and industry and to explore exploitation opportunities.