2nd USENIX Conference on Web Application Development ...

More documents

Recommendations

Info

7 Conclusion This study contributes evidence in support of application permission systems. Our large-scale analysis of Google Chrome extensions and Android applications finds that real applications ask for significantly fewer than the maximum set of permissions. Only 14 of 1000 Google Chrome extensions use native code, which is the most dangerous privileges. Approximately 30% of extension developers restrict their extensions’ web access to a small set of domains. All Android applications ask for less than half of the available set of 56 Dangerous permissions, and a majority request less than 4. These findings indicate that permission systems with up-front permission declarations have two advantages over the traditional user permission model: the impact of a potential third-party vulnerability is greatly reduced when compared to a full-privilege system, and a number of applications could be eligible for expedited review. These results can be extended to time-of-use permission systems if the system requires developers to declare a set of maximum permissions. However, our study shows that users are frequently presented with requests for dangerous permissions during application installation in install-time systems. As a consequence, installation security warnings may not be an effective malware prevention tool, even for alert users. Future work should identify which permission warnings are useful to users and consider alternate methods of presenting permissions to users. References [1] BARRERA, D., KAYACIK, H. G., VAN OORSCHOT, P. C., AND SOMAYAJI, A. A Methodology for Empirical Analysis of Permission-Based Security Models and its Application to Android. In ACM CCS (2010). [2] BARTH, A., FELT, A. P., SAXENA, P., AND BOODMAN, A. Protecting Browsers from Extension Vulnerabilities. (2010). In NDSS [3] CLULEY, G. Windows Mobile Terdial Trojan makes expensive phone calls. http://www.sophos.com/ blogs/gc/g/2010/04/10/windows-mobile-terdial-trojanexpensive-phone-calls/. [4] EGELMAN, S., CRANOR, L. F., AND HONG, J. You’ve Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. In CHI (2008). [5] ENCK, W., GILBERT, P., CHUN, B., COX, L. P., JUNG, J., MCDANIEL, P., AND SHETH, A. N. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. In OSDI (2010). [6] ENCK, W., ONGTANG, M., AND MCDANIEL, P. D. On Lightweight Mobile Phone Application Certification. CCS (2009). In ACM [7] FELT, A. P. Issue 54006: Security: Extension history permission does not generate a warning. http://code.google.com/p/chromium/issues/ detail?id=54006, August 2010. 12 [8] GUHA, A., FREDRIKSON, M., LIVSHITS, B., AND SWAMY, N. Verified Security for Browser Extensions. In IEEE Security and Privacy (2011). [9] IBRAHIM, S. Universal 1-Click Root App for Android Devices. http://androidspin.com/2010/08/10/ universal-1-click-rootapp-for-android-devices/, August 2010. [10] LIVERANI, R. S., AND FREEMAN, N. Abusing Firefox Extensions. Defcon17, July 2009. [11] MAGAT, W.,VISCUSI, W. K., AND HUBER, J. Consumer processing of hazard warning information. Journal of Risk and Uncertainty (1988). [12] MOTIEE, S., HAWKEY, K., AND BEZNOSOV, K. Do Windows Users Follow the Principle of Least Privilege? Investigating User Account Control Practices. In SOUPS (2010). [13] MOZILLA ADD-ONS BLOG. The Add-on Review Process and You. http://blog.mozilla.com/addons/2010/02/ 15/the-add-onreview-process-and-you. [14] SERIOT, N. iPhone Privacy. Black Hat DC (2010). [15] STEWART, D. W., AND MARTIN, I. M. Intended and Unintended Consequences of Warning Messages: A Review and Synthesis of Empirical Research. Journal of Public Policy Marketing 13, 1 (1994). [16] SUNSHINE, J., EGELMAN, S., ALMUHIMEDI, H., ATRI, N., AND CRANOR, L. F. Crying Wolf: An Empirical Study of SSL Warning Effectiveness. In <strong>USENIX</strong> Security Symposium (2009). [17] TAM, J., REEDER, R. W., AND SCHECHTER, S. I’m Allowing What? Disclosing the authority applications demand of users as a condition of installation. Tech. Rep. MSR-TR-2010-54, Microsoft Research, 2010. [18] VENNON, T., AND STROOP, D. Threat Analysis of the Android Market. Tech. rep., SMobile Systems, 2010. [19] WILLISON, S. Understanding the Greasemonkey vulnerability. http://simonwillison.net/2005/Jul/ 20/vulnerability/. A Manual Review Android Applications. Jesus Hates Zombies, Compass, Aquarium Live Wallpaper, Movies, Mobile Banking, Calorie Counter by Fat- Secret, Daily Horoscope, Pandora Radio, The Weather Channel, Advanced Task Killer, Google Sky Map, Barcode Scanner, Facebook for Android, NFL Mobile Aquarium, Live Wallpaper, weird facts, Google Maps Screen Crack, screen krack, twidroyd for twitter, touch to talk, open home, pageonce pro, personal finance, baby esp, gentle alarm, picsay pro, beautiful widgets, iQuran Pro, Grocery King, Touitor Premium, MLB.com at Bat 2010, myBackupPro, London Journey, BeyondPod Unlock Key, Text to Speech Extended, DocumentsToGo Full Google Chrome Extensions. Orkut Chrome Extension, Google Similar Pages beta (by Google), Proxy Switchy!, AutoPager Chrome, Send using Gmail (no button), Blog this! (by Google), Fbsof, Diigo Web Highlighter and Bookmark, Woot!, Pendule, Inline Search & Look Up, YouTube Middle-Click Extension, Send to Google Docs, [Non-English Title], PBTweet+, Search Center, Yahoo Mail Widget for Google Chrome, Google Reader Compact, Chromed Movilnet, Ubuntu light-themes scrollbars, Persian Jalali Calender, Intersect, deviantART Message Notifier, Expand, Castle Age Autoplayer Alpha Patched, Patr Pats Flickr App, Better HN, Mark the visited links, Chrome Realtime Search, Gtalk, SpeedyLinks, Slick RSS, Yahoo Avatar, Demotivation.ru ads remover, [Non-English Title], PPTSearch Edu Sites, Page2RSS, Good Habits, VeryDou, Wikidot Extender, Close Left, iBood, Facebook Colored, eBay Espana (eBay.es) Busqueda avanzada, Keep Last Two Tabs, Google Transliteration Service, Ohio State University Library Proxy Extension, Add to Google Calendar, Rocky, Short Youtube 86 WebApps ’11: <strong>2nd</strong> <strong>USENIX</strong> <strong>Conference</strong> on Web Application Development <strong>USENIX</strong> Association
Experiences on a Design Approach for Interactive Web Applications Abstract Highly interactive web applications that offer a lot of functionality are increasingly replacing their desktop counterparts. However, the browser and the web itself were originally designed for viewing and exchanging documents and data and not for running applications. Over the years, web pages have slowly been transformed into web applications and as a result, they have been forcefully fit into an unnatural mold for them. In this paper we present a pattern for implementing web applications in a way that completes this transition and creates a more natural environment for web applications to live in. In the pattern, the full MVC stack is implemented in the client while the server is completely decoupled via a RESTful interface. We also present experiences in building an industrial-scale application utilizing this pattern. 1 Introduction Over the recent years, web has become the most important platform for delivering and running applications. With the ubiquitous web, these applications are easily accessible regardless of place and time and without any installation requirements, end users have begun to favor web applications over traditional desktop applications. On the other hand, the rapidly increasing mobile application market has proven that web applications are not always loaded on demand anymore but they are also being installed on devices. The fast growth of the web as an application platform has raised the standard for its inhabitants. Rich and dynamic user interfaces with realtime collaborative features have now become the norm. Moreover, with the popularity of social networks, applications are expected to link or embed information from other web applications. Finally, if the end user is not immediately satisfied with the web site, she will simply enter a new URL and start using another similar service. This has lead application developers to push the limits of the browser and the web standards. Unfortunately, browsers and the standards of the web have not quite been able to keep up with the pace. There- Janne Kuuskeri Department of Software Systems Tampere University of Technology Korkeakoulunkatu 1, FI-33720 Tampere, Finland janne.kuuskeri@tut.fi fore, application developers have been forced to work around the standards and to do whatever it takes to meet end users’ demands. The application logic and the presentation have gotten mixed in the mayhem of HTML, CSS, JavaScript and, some server-side scripting system, say PHP. Within this technology rush, good software development practices and patterns have been somewhat forgotten. Without extra attention, code base gradually loses clear separation of concerns and the responsibilities of different components become unclear [11]. For these reasons many web applications have become difficult to scale or even maintain. In this paper, we describe a pattern for building web applications for scalability both in terms of throughput and in terms of provided functionality. The suggested pattern advises breaking the application in two autonomous parts: a RESTful web service and a single page web application that utilizes it. Following this pattern will contribute to having a clean and consistent design throughout the application, thereby making the end result easier to test and maintain in general. As a side effect, the versatility of the application is greatly increased by offering easier adoption for clients other than browsers. Neither RESTful interfaces nor single page web applications are new ideas by themselves. However, in this paper we suggest using the RESTful API directly from the JavaScript application using Ajax requests. The main contributions of this paper are firstly, to describe the pattern for implementing complex web applications and secondly, to present experiences from utilizing this pattern in a real world, large scale application. This application is currently in production, and experiences listed in the paper are based on actual feedback. By providing experiences and comparison we show the benefits of the suggested pattern. The rest of the paper is structured as follows. In Section 2 we examine the main components of traditional web applications and identify their weaknesses. Next, in Section 3, we introduce our pattern for building complex web applications. In Section 4 we present how to apply the pattern in a real world application and give insight as to what kind of design the application has. Section <strong>USENIX</strong> Association WebApps ’11: <strong>2nd</strong> <strong>USENIX</strong> <strong>Conference</strong> on Web Application Development 87
Page 1 and 2:
Proceedings of the 2nd</str
Page 3 and 4:
USENIX Association
Page 5:
WebApps ’11: 2nd
Page 9 and 10:
GuardRails: A Data-Centric Web Appl
Page 11 and 12:
Policy Annotation Only admins can d
Page 13 and 14:
@edit, price, false, :nothing To ma
Page 15 and 16:
tags in the Project description, bu
Page 17 and 18:
String Command Result "foobar".gsub
Page 19 and 20:
Transformation Status Homepage Logi
Page 21 and 22:
Abstract Ioannis Papagiannis Imperi
Page 23 and 24:
Num. of Occurrences Type Wordpress
Page 25 and 26:
Sanitisation htmlentities() functio
Page 27 and 28:
Original expression Transformed exp
Page 29 and 30:
non-tracking code with a simple str
Page 31 and 32:
Direct request vulnerabilities. The
Page 33 and 34:
Abstract Secure Data Preservers for
Page 35 and 36:
e found for a variety of services.
Page 37 and 38:
3.2 Operational View The lifecycle
Page 39 and 40:
it automatically). A user or servic
Page 41 and 42:
given the availability of client-si
Page 43 and 44: can only be decrypted by the base l
Page 45 and 46: BenchLab: An Open Testbed for Reali
Page 47 and 48: 2.2. Realistic load generation Real
Page 49 and 50: virtual machine with the software s
Page 51 and 52: the Olio calendaring applications (
Page 53 and 54: able to match Firefox’s optimized
Page 55 and 56: 5.4.1. Local vs remote users We obs
Page 57 and 58: Resource Provisioning of Web Applic
Page 59 and 60: in a directed acyclic graph [3]. Th
Page 61 and 62: accordingly. This is the goal of in
Page 63 and 64: Although expressing performance pro
Page 65 and 66: Response time (ms) Response time (m
Page 67 and 68: Response time (ms) Response time (m
Page 69 and 70: C3: An Experimental, Extensible, Re
Page 71 and 72: HtmlParser CssParser IHtmlParser IC
Page 73 and 74: node during construction. This immu
Page 75 and 76: public interface IDOMTagFactory { I
Page 77 and 78: 3.2 JS execution Point (2): Runtime
Page 79 and 80: Extensions IE: Available from C3-eq
Page 81: extensions for web-scale use. The r
Page 84 and 85: dangerous permissions. In compariso
Page 86 and 87: Permission Popular Unpopular Plug-i
Page 88 and 89: (a) Prevalence of Dangerous permiss
Page 90 and 91: its functionality to the permission
Page 92 and 93: y ACCESS COARSE LOCATION. 358 appli
Page 96 and 97: 5 discusses the pros and cons of th
Page 98 and 99: the client is free to use them how
Page 100 and 101: data it uses RESTful API which in t
Page 102 and 103: On top of Django we are using a sma
Page 104 and 105: nal design. Moreover, when the whol
Page 106 and 107: [5] The spring framework. http://ww
Page 108 and 109: of strcpy can preclude the introduc
Page 110 and 111: Integer-valued Binary Stored XSS Re
Page 112 and 113: Java Perl PHP Number of programmers
Page 114 and 115: 0 2 4 6 8 10 0 1 2 3 Team Number La
Page 116 and 117: 0 10 20 30 Number of Vulnerabilitie
Page 118 and 119: Automated black-box penetration tes
Page 121 and 122: Abstract Integrating Long Polling w
Page 123 and 124: the Web server, the framework dispa
Page 125 and 126: all() => [Record] filter(condition)
Page 127 and 128: in any future requests associated w
Page 129 and 130: ��
Page 131 and 132: quests to be put to sleep. For exam
Page 133 and 134: Abstract Detecting Malicious Web Li
Page 135 and 136: 3 Discriminative Features Our metho
Page 137 and 138: the total number of unique IPs and
Page 139 and 140: Table 8: Detection accuracy and tru
Page 141 and 142: centraldevideoscomhomensmaduros. bl
Page 143 and 144: Web content by executing the conten
Page 145 and 146:
Maverick: Providing Web Application
Page 147 and 148:
must schedule USB messages to provi
Page 149 and 150:
priate Web driver. USB events sent
Page 151 and 152:
hardware IDs to the browser kernel
Page 153 and 154:
PhotoBooth latency JavaScript drive
Page 155 and 156:
delegate the higher-level abstracti
show all

2nd USENIX Conference on Web Application Development ...

Create successful ePaper yourself

Delete template?

Save as template?