user interface toolkit mechanisms for securing interface elements

Post on 25-Feb-2016


User Interface Toolkit Mechanisms For Securing Interface Elements

Franziska Roesner, James Fogarty, Tadayoshi Kohno

Computer Science & Engineering

DUB Group, Security & Privacy Research Lab

University of Washington

2

Like us on Facebook!

User Interface Toolkits

• Ease interface design and implementation.
• Provide developers with flexibility and expressivity.

Assumption: Developers have full control of an interface.

New Challenge: Modern interfaces include elements implemented by different developers.

Ad from ad library

Social button from Facebook library

Map from Google library

3

Like us on Facebook!

Attack #1: Programmatic Click Fraud

Ad Server

App Developer

User Click

Programmatic Click

4

Like us on Facebook!

Attack #2: Size Manipulation

Android requires applications to display a camera preview in order to take a photo.

1 pixel X 1 pixel camera preview

5

Attack #3: Eavesdropping

NEW! Login with your Google account!

Interface Layout Tree

Background{App}

LoginBox{Google}

Text{App}


Terminology: Code from different developers is in different trust groups.

6

Interface Layout Tree

Background{App}

LoginBox{Google}

Text{App}

Attack #3: Eavesdropping

App Developer

p@ssw0rd

NEW! Login with your Google account!

********

7

Like us on Facebook!

Attack #4: Display Takeover

Ad Library Code:

    // Display takeover: the ad library replaces its parent's children with a full-screen ad.
    Widget parent = adWidget.getParent();
    parent.removeChildren();
    parent.addChild(fullScreenAd);

8

An Opportunity for Toolkits

• These vulnerabilities are in the user interface.
• Existing solutions come at the expense of interface usability and flexibility.

Addressing these vulnerabilities in the user interface toolkit provides better security and enables new interfaces.

9

Desired Security Properties

1. Display Integrity
2. Input Integrity
3. Intent Integrity
4. Data Isolation
5. UI-to-API Links


11

Desired Security Properties

1. Display Integrity
2. Input Integrity
3. Intent Integrity
4. Data Isolation
5. UI-to-API Links

Protect the display of interface elements across trust groups.

Like us on Facebook!

Recall the attacks: Size Manipulation, Display Takeover

12

Recall the attack: Programmatic Click Fraud

Like us on Facebook!

Desired Security Properties

1. Display Integrity
2. Input Integrity
3. Intent Integrity
4. Data Isolation
5. UI-to-API Links

Prevent programmatic interaction with interface elements across trust groups.

13

Desired Security Properties

1. Display Integrity
2. Input Integrity
3. Intent Integrity
4. Data Isolation
5. UI-to-API Links

Protect displayed content and input across trust groups.

Recall the attack: Eavesdropping

NEW! Login with your Google account!

14

Architecting a Toolkit for Security

Techniques:
• Isolating trust groups
• Interface layout tree invariants
• Model-level event listeners
• Composition across trust groups
• Flexible feedback (for drag-and-drop, lenses)

Goals: (1) Achieve our desired security properties. (2) Maintain usability and developer flexibility.


16

Interface Layout Tree Vulnerabilities

(1) Insecure Layout: Parent elements can manipulate the layout of the child elements.

Recall the attack: Size Manipulation

Size Request

Problem: In a traditional layout tree, there is no guarantee of a trusted path to every node.

17

Interface Layout Tree Vulnerabilities

Input Events

(2) Insecure Input: Parents can eavesdrop on or modify events intended for children.

Recall the attack: Eavesdropping

NEW! Login with your Google account!

Problem: In a traditional layout tree, there is no guarantee of a trusted path to every node.

18

Interface Layout Tree Invariants

Solution: Introduce new invariants:
1. The root node of an application’s layout tree must be a system node.
2. Only system nodes may have children of a different trust group.

system

Input Events

Size Request

system

19

Interface Layout Tree Invariants

How to do visual embedding?

Solution: Introduce a system-trusted proxy node into the layout tree.

The proxy node is introduced automatically and can be transparent to the developer.

NEW! Login with your Google account!

Background{App}

LoginBox{Google}

Text{App}

Proxy{System}

Root{System}

Background{App}

LoginBox{Google}

Text{App}

Root{System}
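
The two invariants and the automatic proxy insertion from the slides above, as an added Python sketch that is not code from the talk or its prototypes. It assumes Background{App} is the parent of LoginBox{Google} and Text{App}, that the proxy sits between an embedding node and its cross-group child, and that a System child is acceptable under any parent; the Node class and all function names are hypothetical.

```python
from dataclasses import dataclass, field

SYSTEM = "System"  # trust group of toolkit-owned nodes

@dataclass
class Node:
    name: str
    group: str  # trust group, e.g. "App", "Google", "System"
    children: list = field(default_factory=list)

    def label(self):
        return f"{self.name}{{{self.group}}}"

def crosses(parent, child):
    # Assumption: a System child (such as a proxy) is acceptable under any parent.
    return parent.group != SYSTEM and child.group not in (parent.group, SYSTEM)

def violations(root):
    """Return the invariant violations found in a layout tree."""
    found = []
    if root.group != SYSTEM:
        found.append(f"invariant 1: root {root.label()} is not a system node")
    stack = [root]
    while stack:
        node = stack.pop()
        for child in node.children:
            if crosses(node, child):
                found.append(f"invariant 2: {node.label()} embeds {child.label()}")
            stack.append(child)
    return found

def add_proxies(node):
    """Copy the subtree, placing a System proxy above each cross-group child."""
    kids = [add_proxies(c) for c in node.children]
    kids = [Node("Proxy", SYSTEM, [k]) if crosses(node, k) else k for k in kids]
    return Node(node.name, node.group, kids)

def secure(app_root):
    """Establish both invariants: proxy cross-group children, then add a system root."""
    fixed = add_proxies(app_root)
    return fixed if fixed.group == SYSTEM else Node("Root", SYSTEM, [fixed])

def render(node, depth=0):
    """Indented rendering of the tree, one node per line."""
    return ["  " * depth + node.label()] + [line for c in node.children for line in render(c, depth + 1)]

# Constructed sample: the login example, with Background assumed to be the parent.
login_ui = Node("Background", "App", [Node("LoginBox", "Google"), Node("Text", "App")])

if __name__ == "__main__":
    print("\n".join(render(secure(login_ui))))
```

After the rewrite, every path from the root to LoginBox{Google} passes through a system node directly above it, so size requests and input events no longer have to transit an App node unmediated.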

20

More in the paper!

• Techniques for flexibility
  – Exposing model-level APIs across trust groups
  – Composing trust groups in one interface element
  – Supporting feedback (drag-and-drop, lenses)

NEW! Login with your Google account!

• Prototype implementations for Android and a web browser

Login token

Like us on Facebook!

21

Conclusion

• Questions for future work and discussions:
  – What are appropriate defaults for access to APIs across trust groups?
  – What new interfaces will a secure toolkit enable?

A security-aware toolkit architecture can achieve security properties while maintaining developer flexibility.

User Interface Toolkit Mechanisms For Securing Interface Elements

Franziska Roesner, James Fogarty, Tadayoshi Kohno

Computer Science & Engineering

DUB Group, Security & Privacy Research Lab

University of Washington

franzi@cs.washington.edu

This work was supported by the NSF under Graduate Research Fellowship award DGE-0718124 as well as awards CNS-0846065 and IIS-1053868.
