Toward Secure Embedded Web Interfaces

Baptiste GourdinLSV ENS-Cachan

gourdin@lsv.ens-cachan.fr

Chinmay SomanStanford University

cpsoman@stanford.edu

Hristo BojinovStanford University

hristo@cs.stanford.edu

Elie BurszteinStanford University

elie@cs.stanford.edu

AbstractWe address the challenge of building secure embeddedweb interfaces by proposing WebDroid: the first frame-work specifically dedicated to this purpose. Our designextends the Android Framework, and enables developersto create easily secure web interfaces for their applica-tions. To motivate our work, we perform an in-depth studyof the security of web interfaces embedded in consumerelectronics devices, uncover significant vulnerabilities inall the devices examined, and categorize the vulnerabili-ties. We demonstrate how our framework’s security mech-anisms prevent embedded applications from suffering thevulnerabilities exposed by our audit. Finally we evaluatethe efficiency of our framework in terms of performanceand security.

1 Introduction

Virtually all network-capable devices, including sim-ple consumer electronics such as printers and photoframes, ship with an embedded web interface for easyconfiguration. The ubiquity of web interfaces can beexplained by two key factors. For end users, they are easyto use because the interaction takes place in a familiarenvironment: the web browser. For device manufacturers,providing a web-based interface is cheaper than develop-ing and maintaining custom software and installers.

Though web interfaces are clearly an effective solutionfrom a usability perspective, considerable expertise isrequired to make them secure [50]. Our first securityaudit of embedded web interfaces ([7]) provided theinitial impetus for our work. To underscore the impact ofthese earlier results, we point out that compromising anetworked device can be used as a stepping stone towardscompromising the local network [45]. For example,compromising a photo frame in an office buildingcan lead to an infection of a Web browser connecting

to the photo frame. The infection can subsequentlyspread to the entire local network, and also result inprivacy breaches [8]. For instance a router web interfacecan be exploited to steal remotely the WiFi WPA keyand gain access to the entire network. Mitigating thethreats posed by embedded devices, including routers,is becoming a critical task, as pointed out repeatedly inrecent work [7, 45, 19, 27]. In the absence of a referenceframework for building embedded web interfaceseach vendor is forced to develop its own stack, whichusually leads to security problems. This work takes theinitial studies a step further and proposes a solutionthat uniformly addresses all of the known sources ofvulnerabilities in embedded web applications.

We have chosen to build our reference implementationas an Android application for several reasons. First,Android has quickly become the premier open embeddedoperating system on the market, shipping not only ontens of millions of smart-phones every year, but also onspecialized devices such as the Nook e-book reader byBarnes&Noble. Second, Android’s de facto bias towardsthe ARM architecture makes the operating systemsuitable for embedding in other consumer devices suchas cameras, photo frames, and media hubs. Third, thesecurity architecture adopted by Android is particularlywell-suited for embedded single-user devices as it caststhe system security question into one of effectivelyisolating concurrent, possibly vulnerable applications.

Our main contribution in this paper, WebDroid [16], isthe first open-source web framework specifically designedfor building secure embedded web interfaces:

• WebDroid is designed, implemented and evaluatedbased on the knowledge we gained by auditing morethan 30 web embedded devices’ web interfaces overthe two last years, and the more that 50 vulnerabili-ties we discovered on these devices.

1

• WebDroid is a novel composition of security designprinciples and techniques with a simple and intuitiveconfiguration interface where most of the securitymechanisms are enabled by default—including lo-cation and network address restrictions, as well asserver-side CSP and frame-busting.

• WebDroid also features application-wide authen-tication that ensures that every embedded webapplication will have a secure login and logoutmechanism which is resistant to attacks, includingbrute-forcing and session hijacking.

Similar to previous work done on building secure webservers (e.g., the OKWS server [29]), our frameworkseparates the core web server components from theapplications to protect against low level attacks. Unlikeprevious systems however, our framework also mitigatesall of the known application-level attacks including XSS(Cross-Site Scripting) [13], CSRF (Cross Site RequestForgery) [50], SQL injection [50] and Clickjacking [44].

The remainder of the paper is organized as follows: inSection 2 we briefly go through the background necessaryto understand this work. In Section 3 we present andcategorize the vulnerabilities we found during our auditwork. Section 4 develops the threat model that we addresswith our system design depicted in Section 5. In Sec-tion 6 we highlight the main defense mechanisms that areemployed in our implementation. Section 7 presents theuser interface for managing web applications. Section 9discusses two application case studies and describes howWebDroid security mechanisms help to mitigate vulnera-bilities. In Section 10 we provide a summary of relevantrelated work, and Section 11 concludes the paper.

2 Background

The embedded device market is growing rapidly. Forexample, in the 4th quarter of 2008, 7 million digitalphoto frames were sold, almost 50% more than in the 4thquarter of 2007. Similarly, analysts forecast that by 2012,12 million Network Attached Storage (NAS) deviceswill be sold each year. At the current pace, devices withembedded web servers will outnumber traditional webservers in less than 2 years; Netcraft reported that thereare roughly 40 millions active web servers on the Internetin June 2009 [35].

In order to differentiate their products from those oftheir competitors, vendors are constantly adding novelfeatures to their products, such as BitTorrent support inNAS devices.

As the number of features increases, a need for apowerful management interface on the device rapidlyarises. To offer this in an intuitive, convenient, andcost effective way, vendors have started to embed webinterfaces in their products. While the most well knownuse of these web interface is to configure networkequipments such as WiFi access points and routers,many other embedded devices include web interfaces.For instance digital photo frames are an excellentexample of this expansion of features and need for a richconfiguration interface. Thus, it is safe to say that webinterfaces have become the norm in managing embeddeddevices.

Our audit uncovered abundant examples of featuresthat were hastily implemented and vulnerable to web at-tacks. For example the Flickr integration in digital photoframes led to XSS attacks. What is especially trouble-some is the fact that we found CSRF exploits in managednetwork switches aimed for datacenter use. Attacks onsuch devices could allow remote users to reboot them andeffectively DoS an entire company intranet in one step.

Figure 1: The web interface embedded into a Samsungphoto frame.

Figure 1 is a screenshot of the interface embedded ina high-end Samsung photo frame. This interface allowsthe user to control the frame’s display remotely, add anInternet photo feed to be displayed on the frame, andto find out various statistics. Although at first sight thisinterface looks perfectly designed, we found out that inreality it is completely flawed: for example, it is possibleto bypass the authentication process to view photos andit is possible to inject an exploit via a CSRF and XSSvulnerability that allows to extract photos and send themto a remote server.

2

3 Embedded Web Application Security:State of the Art

Over the last two years we audited the web interfacesfor more than 30 embedded devices. In this section wereport our audit results and discuss the insights we gainedfrom them. These results and insights are later used tojustify and guide the design of our framework securityfeatures. Note that although we discussed some of thevulnerabilities we found in a previous publication [8], thisis the first time that the complete audit results are reportedand discussed.

3.1 Audit coverage

The eight categories of devices we tested are: lights-outmanagement (LOM) interfaces (these typically allow theadministrator to power cycle a PC or control network ac-cess, bypassing the OS), NAS (used for shared storageaccessible via Ethernet), photo frames (we focused on“smart” frames with network connectivity), routers/accesspoints (probably the most familiar browser-managed classof consumer device), IP cameras (with video feeds thatcan be accessed over the network), IP phones (especiallythose with a web-based management interface), switches(“managed switches” that expose some configuration op-tions), and printers (the larger ones usually have a HTTP-based interface used to configure a variety of functions,including access via e-mail). The eight device categoriesspanned seventeen brands: Table 1 shows which typesof devices were tested for each brand. As one can seewe did test devices from vendors specialized in one typeof product such as Buffalo, and from vendors that have awide range of products such as D-link.

3.2 Vulnerability classes

XSS. As a warm-up we started by testing for Type 2(stored) cross-site scripting (XSS) vulnerabilities [13],which are common in web applications. Most devicesare vulnerable, including those that perform some inputchecking. For example, the TrendNet switch ensures thatits system location field does not contain spaces, but doesnot prevent attacks of the form:

loc");document.write("<script/src=’http://evil.com/a.js’></sc"+"ript>.

XSS attacks are particularly dangerous on embeddeddevices because they are the first step toward a persistentreverse XCS, as discussed below.

CSRF. Cross-site request forgery [50] enables an attackerto compromise a device by using an external web site asa stepping stone for intranet infiltration. On embeddeddevices it can also be used as a direct vector of attack as itallows the attacker to reboot critical network equipmentssuch as switches, IP phones and routers. Finally we usedCSRF as a way to inject Type 2 (stored) XSS and reverseXCS [9] payloads.

File security. For each device, we checked whether it waspossible to read or inject arbitrary files. Some devices,such as the Samsung photo frame, allow the attackerto read protected files without being authenticated. Onthis device, even when the Web interface was protectedby a password, it was still possible to access the photosstored in memory by using a specially crafted URL. Onother devices, the Web interface could be compromisedby abusing the log file.

User authentication. Most devices have a default pass-word or no password at all. Additionally, most devicesauthenticate users in cleartext (i.e. without HTTPS). Thiswas even true for several security cameras, which is sur-prising given that they are intended to securely monitorprivate spaces. We even found that some NAS and photoframes do not properly enforce the authentication mecha-nism and it is possible to access the user content (i.e. pho-tos) without being traced in the logs. Similarly, nothing isdone at the network level to prevent session hijacking asthe traffic is in clear and the cookies are sent over HTTPS.Finally as far as we can tell not a single device implementsa password policy or an anti-brute force defense.

Clickjacking attacks. Clickjacking attacks [18] are themost recent, and most overlooked attack vectors as alldevices were vulnerable to them. While at first sight thisdoes not appear to be a big issue, it turns out that beingable clickjack an embedded interface gives a lot of lever-age to the attacker. For example basic Clickjacking canbe used to reboot devices, erase their content and in thecase of routers, enable guest network access. AdvancedClickjacking [49] as demonstrated by Paul Stone at Black-Hat Europe 2010 allows the attacker to steal the routerWPA key or the NAS password.

Deviceattacker User

AltermateChannels Web

Injecton Storage Reflexion

Figure 2: Overview of an XCS attack.

3

Brand Camera LOM NAS Phone Photo Frame Printer Router SwitchAllied XBuffalo X XBelkin XD-Link X X XDell XeStarling XHP XIBM XIntel XKodak XLaCie XLinksys X X X XNetgear X XSMS networks XPanasonic XQNAP XSamsung XSMC XTrendNet X XZyXEL X

Table 1: List of devices by brand.

XCS. A Cross-Channel Scripting attack [9] comprisestwo steps, as shown in Figure 2. In the first step theattacker uses a non-web communication channel such asFTP or SNMP to store malicious JavaScript code on theserver. In the second step, the malicious content is sentto the victim via the Web interface. XCS vulnerabilitiesare prevalent in embedded devices since they typicallyexpose multiple services beyond HTTP. XCS bugs oftenaffect the interaction between two specific protocols only(such as the combination of HTTP and BitTorrent), whichcan make them harder to detect.

Reverse XCS. In a Reverse XCS attack the web interfaceis used to attack another service on the device. Weprimarily use reverse XCS attacks to exfiltrate data that isprotected by an access control mechanism.

We did not look for SQL injections [21], as it was un-likely that the audited devices would contain a SQL server.However we still consider SQL injection attack to be apotential threat and therefore our framework has securitymechanisms in place to mitigate them. Finally, while insome cases we found weaknesses in the networking stack(for example: predictable Initial Sequenced Numbers),we do not discuss that topic here.

3.3 Tools usedThe audit of each device was done in three phases. First,we performed a general assessment using NMap [31] andNessus [42]. Next, we tested the web management inter-face using Firefox and several of its extensions: Firebug[20], Tamper Data [26], and Edit Cookies [51]. We useda custom tool for CSRF analysis. In the third phase wetested for XCS using hand written scripts and commandline tools such as smbclient.

3.4 Audit resultsTable 2 summarizes which classes of vulnerabilitieswere found for each type of device. We use thesymbol �when one device is vulnerable to this class ofattacks and �when multiples devices in the class arevulnerable. The second column from the left indicatesthe number of devices tested in that category. We sur-vey the most interesting vulnerabilities in the next section.

Table 2 shows that the NAS category exhibits themost vulnerabilities, which can be expected given thecomplexity of these devices. We were surprised by thelarge number of vulnerabilities in photo frames, whichare relatively simple devices.

4

Type # Devices XSS CSRF XCS RXCS File AuthLOM 3 � � � �NAS 5 � � � � � �Photo frame 3 � � � � � �Router 8 � � � � �IP camera 3 � � �IP phone 1 � � � �Switch 4 � � � �Printer 1 � � � �

Table 2: Vulnerability classes by device type.

A possible explanation is that vendors rushed to marketin order to grab market share with new features. Indeed, inthe Kodak photo frame, half the Web interface is protectedagainst XSS while the other half is completely vulnerable.IP cameras and routers are more mature, and thereforetend to have a better security. Table 2 also shows thateven enterprise-grade devices such as switches, printers,and LOM are vulnerable to a variety of attacks, whichis a concern as they are usually deployed into sensitiveenvironments such as server rooms.

4 Threat Model

Our audit showed that embedded web management inter-faces pose a serious security threat and are currently oneof the weakest links in home and office networks. In thissection we formalize our attacker model and the securityobjectives that our framework aims at achieving.

4.1 Attacker model

In this paper, we are concerned with securing embeddedweb interfaces from malicious attackers. Inspired by thethreat model of [6] we are using the ”web attacker” con-cept with slightly more powerfully attacker as we allowthe attacker to interact directly with the web frameworklike in the active attacker model. Accordingly our attackermodel is defined as follows: we assume an honest useremploys a standard web browser to view and interact withthe embedded web interface content. Our malicious webattacker attempts to disrupt this interaction or steal sen-sitive information such as a WPA key. Typically, a webattacker can attempt to do this in two ways: by tryingto exploit directly a vulnerability in the web interface,or by placing malicious content (e.g. JavaScript) in theuser’s browser and modifying the state of the browser,interfering with the honest session. We allow the attackerto attempt to directly attack the web framework in anyway he likes; in particular, we assume that the attackerwill attempt to DDOS the web server, find buffer overflow

exploits or brute force the authentication. Finally, we alsoassume that the attacker will be able to manipulate anynon-encrypted session to his advantage.

4.2 Security objectivesBased on our audit evaluation and the attacker modeldescribed above we now formalize what security objec-tives our framework aims at achieving. These goals fallinto four distinct umbrella objectives that cover all of theknown attacks against a web interface.

Enforcing access control. The first goal of our frame-work is to ensure that only the right principals have accessto the right data. Access control enforcement needs to beenforced at multiple levels. First, at the network level, ourframework needs to ensure that the web interface is onlyavailable in the right physical or network location and tothe right clients. At the application level, it means thatthe framework needs to ensure that every web resourceis properly protected and that the attacker can not brute-force user passwords. Finally, at the user level it alsomeans that the framework offers to the user the ability todeclare whether a specific client is allowed to access agiven web application.

Protecting session state. Protecting session state ensuresthat once a session is established with the framework,only the authenticated user is accessing the session. Atthe network level, protecting the session state impliespreventing man in the middle attacks by enforcing theuse of SSL. At the HTTP level, protecting the sessionmeans protecting the session cookies from being leakedover HTTP (as in the Sidejacking attack) or being readvia JavaScript (XSS).

Deflecting direct web attacks. Deflecting direct webattacks requires that our framework is not vulnerable tobuffer overflow or at least that the privileges gained in caseof successful exploitation are limited. At the applicationlevel, the framework must be able to mitigate XSS [13],and SQL injection attacks [21].

5

Preventing web browser attacks. In order to preventweb browser attacks, the framework has to work with thebrowser to ensure that the attacker cannot include in a website a piece of code (such as an iframe or JavaScript) thatcan abuse the trust relation between the browser and theweb interface. These attacks are instances of the confuseddeputy problem [6]. They include CSRF and Clickjackingattacks.

5 System Overview

In this section we discuss the design principles behind ourframework, provide an overview of how the frameworkworks and describe how a web request is checked andprocessed.

5.1 Design principlesTo address the threat model presented in the previous sec-tion, our framework is architected around the followingfour principles:

Secure by default. The team in charge of building anembedded web interface is usually not security savvyand is likely to make mistakes. To cope with this lackof knowledge our framework is designed to be secureby default, which means that every security feature andcheck is in place and it is up to the developers to makethem less restrictive or turn them off. For instance, ourdefault CSP [14] (content security policy) only allowscontent from self, which means that no external contentwill be allowed to load from a page in the web interface.Similarly the framework uses whitelists for input filtering:by default only a restricted set of characters is allowedin URL parameters and POST variables, and it is up tothe developer to relax this whitelist if needed. As a finalexample, the framework injects JavaScript frame-bustingcode and the X-Frame-Option header in all the pagesin order to prevent Clickjacking attacks. In the unlikelysituation where the interface needs to be embedded inanother webpage, the developer must turn the defensemechanism off.

Defense in depth. Since there is no universal fix for manytypes of attacks, including XSS, CSRF, and Clickjacking,our framework follows the defense in depth principle andimplements all the known techniques to try and mitigateeach threat as much as possible. We perform filtering andsecurity checks at input, during processing, and duringoutput.

Least privilege. Following the OKWS design [29], weimplement the least privilege principle by leveraging theAndroid architecture. Each application and the frame-work have separate user IDs and sets of permissions; this

guarantees that if the framework or one of the applica-tions is compromised, the attacker will not take completeownership of the data. For instance by taking over theframework one does not gain access to the phone contactslist used by one of the applications: our framework onlyhas the network privilege. Note that the application de-veloper must modularize his or her application to fullybenefit from the least privilege design. Product featuresthat can significantly modify device functionality, suchas by executing a firmware upgrade, need to receive spe-cial consideration as well perhaps resulting in additionalbackend checks performed in advance.

User consent. Our last design principle is ”user consentas permission”: we let the user make the final decisionsabout key security policies. For example, when a newweb client wants to access one of the phone web applica-tions, it is up to the user to allow this or not because onlyshe knows if this request is legitimate. Similarly, whenthe user installs a new web application, she is asked ifshe wants to be prompted for approval each time a clientconnects to that application. Finally, at install time wealso provide the user with a summary of the security fea-tures that have been disabled. The user can then decide ifthe presented security profile is acceptable or not. Whileusers can generally not be relied on for ensuring systemsecurity, we implement the user consent principle in or-der to catch potential security issues that clearly defeatcommon sense.

5.2 Server architectureAs shown in Figure 3, the framework is composed of fourblocks and architected like the iptables firewall with aseries of security checks performed at input time, andanother series during output.

The Dispatcher is responsible for forwarding an HTTPrequest to the desired application. The forwardingdecision is based on the unique port number assigned toevery application. Separating applications by port numberallows greater granularity for doing data encryptionwhich is specific to every application. In addition toforwarding, the Dispatcher is also responsible for policybased enforcement of security mechanisms.

The Configuration Manager handles per-applicationtuning of the security policies. When an applicationis first registered with the web server, all the securitymechanisms are turned on by default. The administratorcan then enable or disable individual mechanisms usingthe configuration interface. The resulting configurationis captured in a database and made available to theDispatcher for policy enforcement.

6

Pre-processing

Dispatcher

Filtering- Ip- Network - Location- Input (xss)

- URL Scan

Alert system

Session check Post-processing - S-CSP- CSRF

Headers addition

Cookie check

- cookie path- origin/referer

Dispatcher

Configuration manager

App1

Applications

App2 App n..

Client

Figure 3: Overview of the framework design showingthe interaction of the different web server components(dispatcher, applications, and alert system) involved inthe processing a client request.

The Alert System is used to control how the adminis-trator is to be notified for different events. For instance,the administrator may want to be explicitly alerted forevery new client connection. The Alert System alsohandles notifications caused by malicious web requestsas detected by the Dispatcher. Notifications can eitherbe passive or active depending on whether they needapproval from the administrator.

Finally, the framework also provides an API for effi-ciently implementing web applications. The core func-tionality includes methods to handle HTTP requests andgenerate the response. It also provides handlers withbuild in security mechanisms for content generation suchas HTML components, CSS, JavaScript, JSON etc. Forinstance, the HTML, XML and JSON handlers provide pa-rameterized functions required to escape dynamic contentbefore being added to the rendered page. In addition, theframework provides methods for allowing applications toconstruct HTTPOnly or secure cookies.

5.3 Request processing

As depicted in Figure 3 a new web request goes througha series of input security checks and processing, and issubsequently forwarded to the actual application. Theresponse generated is subjected to another iteration ofchecks and processing before being sent to the client.If any check fails then the processing is aborted and anotification is sent via the Alert System.

The pre-processing step performs two rounds ofsecurity checks. First, the origin of the request iscompared to the client restriction policy in order to blockqueries coming from unwanted sources. Second, theHTTP query is validated through regular expressionwhitelists. The corresponding web application is thenidentified (based on the port number) and the session andCSRF tokens validation checks can be done.

After validation, the request is sent to the web appli-cation which generates a page using our framework andsends it back to the web server. Before reaching thenetwork, the response is passed through post-processingsecurity mechanisms like S-CSP and CSRF token gener-ation. This usually results in the inclusion of additionalheaders and modification of certain HTML elements. Theresult is then returned to the client.

6 Security Mechanisms

A broad range of mechanisms and best practices havebeen developed over the last few years to counter themost severe web security problems. It is clear that no sin-gle technique or framework will make a web applicationsecure. In addition, expecting developers to understandand deploy all of these mechanisms on their own is unreal-istic. Table 3 maps the mechanisms that we embed in oursecure web server implementation against the threats theyare designed to mitigate. We now describe each securitymechanism and provide further references. Note that inmany scenarios we depend on a correct browser imple-mentation for security capabilities. Wherever possible,we use additional mechanisms that can add security evenif the browser is not up-to-date or compliant.

HTTPOnly cookies. Many XSS vulnerabilities can bemitigated by reducing the amount of damage an injectedscript can inflict. HTTPOnly cookies [33] achieve thisby restricting cookie values to be accessible by the serveronly, and not by any scripts running within a page. Inpractice, most cookies used in web application logic areinherently friendly to this concept, and this is why wehave chosen to build it in. (HTTPOnly cookies are notimplemented by Android HttpCookie.)

7

Category Access control Session Direct attack Browser attackDefense/Threat Bypass Pass guess MITM Hijack XSS SQLi XCS RXCS CSRF ClickjackHTTP only cookie X X XServer side input filtering X X XCSP X XS-CSP X XCSRF random token X XOrigin header verification X XX-FRAME-OPTION XJS frame-busting code XSSL X XHSTS X XSecure cookie XParametrized queries XURL scanningApplication-wide auth XPassword policy XAnti brute-force XRestrict network/location X X X X X X X X X XDOS protection

Table 3: Threats and corresponding security mechanisms

Server-side input filtering. Even though filtering orwhitelisting of user input can fail if implemented incor-rectly [3, 2, 1], it is still very important to sanitize userdata before web pages are rendered with it. Input filteringcan prevent scripting exploits as well as SQL injections.When applied to data coming from other embedded ser-vices, input filtering can also prevent many XCS attacks.

CSP (Content Security Policy). Pages rendered by thetypical embedded web application have little need to con-tact external web sites. Correspondingly our server is con-figured to offer restrictive CSP [14] directives to browsers,limiting the impact of any injected code in the page.

S-CSP (Server-side Content Security Policy). Forbrowsers that do not support CSP, we introduce Server-side CSP. While rendering a particular site, the serverlooks at the CSP directives present in the header (or thepolicy-uri) and modifies the HTML code accordingly. In-stead of standard input filtering, the changes are based onthe custom policies defined by the administrator: such asvalid hosts for the different HTML elements, use of inline-scripts, eval functionality usage and so on. Its novelty liesin the fact that the resulting HTML page as received bythe browser automatically becomes CSP compliant. Inaddition to filtering, S-CSP can also support reporting ofCSP violations via ’report-uri’ directive which ordinarilyis not possible for incompatible browsers.

X-Frame-Options. Clickjacking is a serious emergingthreat which is best handled by preventing web site fram-ing. Since embedded web applications are usually not

designed with mash-up scenarios in mind, setting theoption to DENY is a good default configuration.

JavaScript frame-busting. Not all browsers support theX-Frame-Options header, and therefore our frameworkautomatically includes frame-busting code in JavaScript.The particular piece of code we use is as simple as possi-ble and has been vetted for vulnerabilities typically foundin such implementations [44].

Random anti-CSRF token. Cross-site request forgeryis another web application attack which is easy to prevent,but often not addressed in embedded settings. Our frame-work automatically injects random challenge tokens inlinks and forms pointing back at the web application, andchecks the tokens on page access [39].

Origin header verification. Along with checking CSRFtokens, we make sure that for requests that supply anyparameters (either POST or GET) and include the Ori-gin [5] or Referer header, the origin/referer values areas expected. We do this as a basic measure to preventcross-site attacks. When the Referer header is available,we also check for cross-application attacks, making surethat each application is only accessed through its entrypages.

SSL. Securing network communications often ends upbeing a low-priority item for application developers, andthis is why our web server uses HTTPS exclusively bydefault, with a persistent self-signed certificate createdduring device initialization.

8

HSTS (HTTP Strict Transport Security) and Securecookies. In addition to supporting SSL out of the box,our server implements the HSTS standard [22] and re-quests that all incoming connections be over SSL, whichprevents several passive and active network attacks [23].Moreover, browser cookies are created with the Secureattribute, preventing the browser from leaking them to thenetwork in plaintext.

Parametrized rendering and queries. Android alreadysupports parametrized SQLlite queries [52] and we en-courage developers to make use of this facility. We havealso added the ability to parametrize dynamic HTML ren-dering, in which case escaping of the output is performedautomatically.

URL scanning. Incoming HTTP requests are sani-tized by applying filtering similar to that offered by theURLScan tool in Microsoft IIS [34]. Our filter is config-ured to restrict both the URL and query parts of a request,while changes by the web application developer are al-lowed if necessary. URLScan is most useful in preventingweb application vulnerabilities due to incorrect or incom-plete parsing of request data.

Application-wide authentication, password policy,and password anti-bruteforcing. Recognizing that userauthentication is often a weak spot for web applications,we have implemented user authentication as part of theweb server, freeing the developers from the need to im-plement secure user session tracking. In addition, thepassword strength policy can be changed according torequirements, and a mechanism to prevent (or severelyslow down) brute-force attacks is always enabled.

Network restrictions. Most embedded web servers havea relatively constrained network access profile: either thedevice should serve requests only when connected to aspecific network or WiFi SSID, or the hosts requestingservice might match a profile, such as a specific IP orMAC address. This feature, while easily accessible, cannot be configured by default due to the differences inindividual application environments.

Location restrictions. Similar to network restrictions,the server can be configured to operate only when thedevice is at specific physical locations, minimizing theopportunities for an attacker to access and potentiallycompromise the system.

DDoS. While distributed denial-of-service (DDoS) pro-tection is difficult, we believe that much can be done tomitigate such threats. For most applications, maintaininglocal service is of top priority, and so we throttle HTTPrequests such that those coming from the local networkalways have a guaranteed level of service. Of course, thiscan not prevent lower-level network DDoS attacks: these

have to be taken care of separately, outside of the webserver.

7 User interface

This section briefly describes the user interface requiredfor basic administration of the web server and securitypolicy management. In the following description, we referto the owner of the smart phone or embedded device asthe Admin user.

7.1 Configuration management

Figure 4: Main web server configuration interface.

This interface is used to control the server settingsacross all the applications. As shown in Figure 4, it pro-vides the ability to disable each web application. It alsodisplays the web server overall statistics such as the num-ber of active application and the number of active connec-tions session.

Web server logs. Accessible from the menu options,the logged events such as failures, new connections andconfiguration changes can be visualized.

Settings. From this interface, the Admin overrides somesecurity features in order to enforce certain mechanismsfor all applications, irrespective of their individual config-uration.

9

Figure 5: Web application configuration interface, al-lowing per-application customizations (secure settingshighlighted in green).

7.2 Configuration per web application

This interface enables the Admin user to control someweb application parameters such as the port number, theapplication name, and its password or tune the securitypolicy for every application. As shown in Figure 5, it dis-plays the name, path, security level and status informationalong with the currently enabled security mechanisms.Since all the mechanisms are turned on by default, policyadministration is not strictly necessary. However, thisallows flexibility in the framework that can be useful inspecial circumstances. For instance, the Admin user maywish to disable the heavy S-CSP mechanism in the caseof a restricted set of trusted users. The different function-alities provided by the interface are described below.

Alarm system configuration. Each new client connec-tion request can be monitored by setting the alarm noti-fication level to one of the three possibilities: Disabled,Passive, or Approval. Both Passive and Approval notifi-cations alert the administrator about the new connection.Approval mode has the additional feature of requiring theAdmin user to grant access before proceeding.

Network and location restriction. The web server canrestrict clients connecting based on the network properties(serving WiFi or 3G only for example) or based on thecurrent location such as home or office.

Domain whitelist. The Admin can define a list of do-mains that are allowed in the CSP policy by writing acomma separated list of domains/IP addresses. If this

<WebServerConf><WebApp><path>com.android.websms</path><Enabled>1</Enabled><CSRF>1</CSRF><HttpOnlyCookie>1</HttpOnlyCookie><XFrame>1</XFrame></WebApp></WebServerConf>

Figure 6: Web server configuration sample

field is empty, the web server will enforce the restrictive’allow self’ policy and block all other sources.

IP whitelist. The Admin user can explicitly allow accessfor a specific set of trusted hosts by adding a comma-separated list of IP addresses. For a new connection re-quest, if the source IP is in this list then access is permittedregardless of the restrictions described above.

7.3 Configuration without the UI

For embedded devices without a display to access theconfiguration interface, the web server can be configuredthrough an XML file present in the application packageas a raw resource. With this file, the web server adminis-trator can enforce security mechanisms for specific webapplications or disable all web application that do notrespect some requirements. The web server configura-tion can also be done after installation by modifying theSQLite database on the device.

8 Implementation

In this section we describe how our system is imple-mented and how Android applications interact withit. Our system consists of two main components: theDispatcher (a web server that processes and routesrequests to applications) and our framework API thatAndroid applications can access.

The Dispatcher works as an Android backgroundservice. As a starting block we used the Tornadoopen-source web server that we hardened and mod-ified to work with our framework. The web serverfollows the least privilege principle, and runs withthe minimal permissions set needed to handle HTTPcommunications: android.permission.INTERNET.To be allowed to expose a web interface, an appli-cation requests a new permission that we createdcalled com.android.webserver.WEB APPLICATION.This novel permission is more restrictive than an-droid.permission.INTERNET and only allows the

10

mountWebContent("websms",Home.class);

mountWebContent("websms/send",SendSMS.class);

mountWebContent("websms/view",SMSHistory.class);

mountWebContent("websms/theme.css",RawRessource.class,RawRessource.CSS,R.raw.hello);

Figure 7: WebSMS code used to declare the exposed webinterface.

application to serve web requests via the dispatcher.

At launch time the Dispatcher browses the list of in-stalled applications for new ones requesting the web ap-plication permission. By retrieving the ContentProviderassociated to the framework, it queries the security con-figuration. Following the consent as permission principlewe prompt the user every time a new web applicationwants to register. When an application set the same URLpath than another one, the registration is discarded and apossible malicious application warning is displayed to theuser.

The framework API is a Java library that handles com-munications between the web server and the web appli-cation (which run as separate processes). It also providesa set of classes that help generating web content. Simi-larly to many modern web framework (i.e. Rails), everyweb page need to registered it web path through a func-tion call, in our case this function is mountWebContent.This function bind a path to a java class entry point. Forexample our WebSMS web application register 4 webpages: 3 HTML pages and 1 CSS stylesheet (Figure7). Note the use of the RawRessource.class which al-lows developer to expose directly raw data to the websuch as CCS files. Our framework provides a set ofclasses to help building HTML pages, or handling otherresources request such as pictures, CSS stylesheets orJavaScript libraries. The java classes Home, SendSMSand SMSHistory extends the framework class HTML-Page which provides various methods to add dynamiccontent to the pages. In particular the HTMLPage classhas the method appendHTMLContent(content,String[] vars) that allows to programmatically ap-pend content to the page. Text variables are representedby $ which are substituted by the corresponding var stringafter it is filtered to prevent XSS. While the authors canbypass the filtering process if they want by default it isin place. Similarly, the HTMLPage class ensures thatthe data passed to the application is properly sanitizedand that parametrized SQL queries are used in order toprevent SQL injection.

When an HTTP request is received, it goes through allpre-processing security mechanisms and is dispatched tothe corresponding web application. The framework APIembeds an Android ContentProvider used by the webserver to query pages. HTTP headers, body and securitytokens are added to the query and then transmitted to theweb application. Using the framework API, the web pageis build and send back as answer to the query. This one isfinally checked by all post-process security mechanismsand send back to the web client.

9 Case Studies

In this section we present two case studies that demon-strate how our framework effectively mitigates webvulnerabilities. We describe the applications we built,their attack surface, how the framework protects them,and finally show that when using off-the-shelf securityscanners the framework is indeed able to mitigate thevulnerabilities found in the apps.

To study the effectiveness of our the system we builttwo sample applications that take advantages of thephone’s capabilities to provide useful services: the firstone, WebSMS, is used for reading and sending SMS fromthe browser; the second one, WebMedia, provides a con-venient web interface to browse and display the photosand videos stored on the smartphone. We argue that thesetwo applications—while limited—are good case studiesof what developers might want to built in order to leveragea device’s capabilities in the form of web applications.

9.1 Applications

WebSMS. When loaded in a client browser, the user canchoose to view the current SMS inbox or send a new one.For the second choice, the application displays a list ofcontacts fetched from the phone’s directory along with asearch box. Clicking on a particular contact allows to senda SMS directly from the browser. The SMS content issent by the browser to the application via a POST requestthat contains the contact ID.

WebMedia. This application displays a gallery of photosand videos stored on the Android device (Figure 8). Whena thumbnail is clicked, a full size view of the media fileis displayed. The application provides a convenient wayto display photos and videos to friends and family on abig screen. In addition, this application enables seamlesssharing of content with trusted users (friends or family).

11

Figure 8: The WebMedia embedded web application.

9.2 Attack surfaces

Without framework support, the web applications sufferfrom multiple vulnerabilities. In the WebSMS application,the contact search can be a vector for reflected XSS orSQL injection. Also, the capacity to send message andview their contents afterward can lead to a stored XSS inthe sending and in the receiving phone. The WebMediaapplication is vulnerable to CSRF attacks as well. TheXSS attack allows the attacker to steal private informationas the contact list of the sent and received SMS contents.A CSRF can be conducted to send SMS on behalf ofthe user, which can lead to embarrassing situations orfinancial loss. In extreme cases, if the phone is used asa trusted device to authorize sensitive operations such asbank transfers, then the combination of XSS and CSRFattacks will allow a malicious user to bypass this securitymechanism and conduct fraudulent operations.

9.3 Security evaluation

In order to evaluate whether our framework is able tomitigate the attacks against our vulnerable applicationswe have run the web scanners Skipfish and Nexposeagainst our applications with the framework defensemechanisms off and then on. When the frameworkdefenses are turned off, both Skipfish and Nexposedetected reflected XSS and stored XSS vulnerabilities inthe WebSMS application. When the framework defensesare turned on, no vulnerabilities are reported. Note thatneither scanner reported the CSRF vulnerabilities.

milli

seco

nds

0

5

10

15

20

25

Concurent connections0 10 20 30 40 50 60 70 80 90 100 110 120 130

Without security featuresWith security feature

Figure 9: Average number of request per second with andwithout security features enabled.

This limited experiment shows that our framework canhelp effectively and transparently mitigate vulnerabilitiesthat may exist in embedded web interfaces even thoughit can not completely replace good coding practices andcareful code review.

9.4 Performance evaluationWhile as stated earlier performance should not be thefocus of a mobile web framework, we still ran a basicperformance evaluation using the Apache benchmarktool to evaluate the impact of enabling security featureson WebDroid performance. To reflect as accurately aspossible real world usage, we ran these benchmarks overWiFi with WebDroid on a standard HTC Desire phonewith Android 2.3. We were not able to test over 3G as IPare not routable.

WebDroid performance in term of requests per secondfor the WebSMS application when the number of simul-taneous connections increase is reported in figure 9. Thefigure 10 depicts how fast WebDroid is able to processeach request as the number of simultaneous connectionsincrease. As visible in the diagrams, WebDroid take be-tween a 10% to 30% performance hits when the securityfeatures are turned one depending on the number of simul-taneous connections. On average WebDroid performancetake a 20% hit when the security features are enabled.While this performance hit might not be acceptable for aregular website, for an embedded interface we argue thatit is acceptable as even when there are 128 simultaneousconnections, WebDroid is able to serve every request inless than 80 ms which is below what is the optimal usertolerance time: 100ms [37].

12

milli

seco

nds

−20

0

20

40

60

80

Concurent connections0 10 20 30 40 50 60 70 80 90 100 110 120 130

Without security featuresWith security feature

Figure 10: Average time to process a request with andwithout security features enabled.

10 Related Work

Browser defenses. Mozilla Foundation’s Content Secu-rity Policy (CSP) [14] proposal allows a site to specifyrestrictions on content served from the site, includingwhich external resources the content can load. The CSPpolicy is specified as an HTTP header in each HTTPresponse. For example, the CSP header

X-Content-Security-Policy: allow self

prevents the content from loading any external resourcesor executing inline scripts. Replacing “allow self”with “allow whitelist” allows external resources fromthe given whitelist. Another system, SiteFirewall [9],takes a similar approach but also allows persistentbrowser-side policy storage (via cookies or other, moresecure objects). SiteFirewall is capable of blockingsome types of XCS attacks from being completed.The system uses a browser extension that acts as afirewall between vulnerable, internal web sites, andthose accessed by the user on the open Internet. A thirdproposal called SOMA [38] implements a mutual consentpolicy on cross-origin links. That is, both the embeddingand the embedded content must agree to the actionbeing initiated. As with CSP, SOMA is implementedas a content-specific policy rather than a global sitepolicy. Finally Content Restrictions [32] is anotherapproach to defining content control policies on web sites.

Frameworks. Generic web frameworks, such as Rubyon rails [41] and Django, implement numerous featuressuch as built-in CSRF defenses that help developers tobuild secure web interfaces more easily. However thiskind of generic framework is very heavy and thereforenot suitable for being used in embedded devices. We arenot currently aware of any framework specially designedfor embedded devices. Additionally, while designed withsecurity in mind, these frameworks do not make secureweb application design intuitive for the developer.

In contrast, we strive for a secure by default systemwhere a developer has to do little if anything in order tobuild a secure web application.

Web servers. At the process level, flow control en-forcement such as the one presented in Histar [54], As-bestos [11] and Flume [30] can be used to achieve someof our goals such as document sanitization. The AndroidOS [15] capability model can also be extended to enforcenetwork restrictions. As far as we know, none of thelightweight web servers like Tornado [12] were built withthe objective of enforcing security principles. Previouswork on security centric web servers such as [29] wereonly designed to mitigate low level attacks by enforcingprivilege separation. None of them offered a frameworkto mitigate web vulnerabilities.

Other related work. The log injection attack, a simpleform of XCS, has been known for several years [47],most notably in the context of web servers resolvingclient hostnames. Recently, CSRF and XSS attacks haveattracted much attention, including work on variousdefense techniques [6]. NAS security has been a topic fordiscussion since the early days of networked storage [10].

IP telephony security has also been scrutinized. How-ever this has only been done for specific protocols, notfor complete systems [48]. Most other work in websecurity[13, 24, 4, 17, 25, 28, 43, 32, 36, 40, 53, 46] hasfocused on web servers on the open Internet, as opposedto devices on private intranets, which are the topic of thiswork.

11 Conclusion

We present WebDroid the first web application frameworkthat is explicitly designed for embedded applications, witha particular emphasis on secure web application design.We motivate our work with extensive results from auditscarried out over the last two years on a broad range of em-bedded web servers. We evaluate WebDroid performanceand show that despite the fact that that performance takea 20% hit when we all the security features are activated,WebDroid remains sufficiently fast for its purpose. Finallyas a case study we build two sample web applications.

Acknowledgment

We thank Samuel King and anonymous reviewers fortheir comments and suggestions. This work was partiallysupported by the National Science Foundation, the AirForce Office of Scientific Research, and the Office ofNaval Research.

13

References

[1] Minded security research labs: Http pa-rameter pollution a new web attack cate-gory (not just a new buzzword :p). Webhttp://blog.mindedsecurity.com/2009/05/http-parameter-pollution-new-web-attack.html, 2009. 8

[2] Minded security research labs: A twitter domxss,a wrong fix and something more. Webhttp://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html, 2010. 8

[3] Minded security research labs: Bypassingcsrf protections with clickjacking and httpparameter pollution. Web http://blog.andlabs.org/2010/03/bypassing-csrf-protections-with.html, 2010. 8

[4] D. Balzarotti, M. Cova, V. Felmetsger, N. Jovanovic,E. Kirda, C. Kruegel, and G. Vigna. Saner: Com-posing static and dynamic analysis to validate san-itization in web applications. In IEEE Symposiumon Security and Privacy, 2008. 13

[5] A. Barth, C. Jackson, and I. Hickson. The http originheader. web http://tools.ietf.org/id/draft-abarth-origin-03.html, 2009. 8

[6] A. Barth, C. Jackson, and J. Mitchell. Robust de-fenses for cross-site request forgery. In proceedingsof ACM CCS ’08, 2008. 5, 6, 13

[7] H. Bojinov, E. Bursztein, and D. Boneh. EmbeddedManagement Interfaces: Emerging Massive Inse-curity. In Blackhat USA, July 2009. Invited talk.1

[8] H. Bojinov, E. Bursztein, and D. Boneh. XCS: crosschannel scripting and its impact on web applications.In CCS ’09: Proceedings of the 16th ACM confer-ence on Computer and communications security,pages 420–431. ACM, 2009. 1, 3

[9] H. Bojinov, E. Bursztein, and D. Boneh. Xcs: Crosschannel scripting and its impact on web applications.In CCS 2009: 16th ACM Conference on Computerand Communications Security, Nov 2009. 3, 4, 13

[10] Cifs security consideration update, 1997.http://www.jalix.org/ressources/reseaux/nfs-samba/˜cifs/CIFS-Security-Considerations.txt. 13

[11] P. Efstathopoulos, M. Krohn, S. VanDeBogart,C. Frey, D. Ziegler, E. Kohler, D. Mazieres,F. Kaashoek, and R. Morris. Labels and event pro-cesses in the asbestos operating system. In Proceed-ings of the twentieth ACM symposium on Operatingsystems principles, pages 17–30. ACM, 2005. 13

[12] Facebook. Tornado web server. Webhttp://developers.facebook.com/news.php?blog=1&story=301, 2009. 13

[13] S. Fogie, J. Grossman, R. Hansen, A. Rager, andP. Petkov. XSS Exploits: Cross Site Scripting Attacksand Defense. Syngress, 2007. 2, 3, 5, 13

[14] M. Foundation. Content security policy, 2009.wiki.mozilla.org/Security/CSP/Spec. 6, 8, 13

[15] Google. Android os. Web http://www.android.com/, 2008. 13

[16] B. Gourdin. Webdroid: Google code project.http://code.google.com/p/android-secure-web-server/. 1

[17] O. Hallaraker and G. Vigna. Detecting maliciousjavascript code in mozilla. In Proceedings of theIEEE International Conference on Engineering ofComplex Computer Systems (ICECCS), 2005. 13

[18] R. Hansen. Clickjacking. ha.ckers.org/blog/20080915/clickjacking. 3

[19] C. Heffner. How to hack millions of routers. InBlackhat USA, 2010. 1

[20] J. Hewitt and R. Campbell. Firebug 1.3.3, 2009.http://getfirebug.com/. 4

[21] T. Holz, S. Marechal, and F. Raynal. New threatsand attacks on the world wide web. Security &Privacy, IEEE, 4(2):72–75, March-April 2006. 4, 5

[22] Http strict transport security (HSTS), 2011. http://http://bit.ly/lwqdlu. 9

[23] C. Jackson and A. Barth. Forcehttps: Protectinghigh-security web sites from network attacks. InProceedings of the 17th International World WideWeb Conference (WWW2008), 2008. 9

[24] T. Jim, N. Swamy, and M. Hicks. Defeating scriptinjection attacks with browser-enforced embeddedpolicies. In in proc. of 16th International WorldWide Web Conference, 2007. 13

14

[25] N. Jovanovic, C. Kruegel, and E. Kirda. Precisealias analysis for static detection of web applicationvulnerabilities. In Proceedings of the Workshop onProgramming Languages and Analysis for Security(PLAS), 2006. 13

[26] A. Judson. Tamper data 10.1.0, 2008. http://tamperdata.mozdev.org/. 4

[27] S. Kamkar. mapxss: Accurate geolocation via routerexploitation. http://samy.pl/mapxss/, Jan-uary 2010. 1

[28] E. Kirda, C. Kruegel, G. Vigna, , and N. Jovanovic.Noxes: A client-side solution for mitigating cross-site scripting attacks. In In Proceedings of the 21stACM Symposium on Applied Computing (SAC), Se-curity Track, 2006. 13

[29] M. Krohn. Building secure high-performance webservices with OKWS. In Proceedings of the annualconference on USENIX Annual Technical Confer-ence, page 15. USENIX Association, 2004. 2, 6,13

[30] M. Krohn, A. Yip, M. Brodsky, N. Cliffer,M. Kaashoek, E. Kohler, and R. Morris. Informationflow control for standard os abstractions. In Pro-ceedings of twenty-first ACM SIGOPS symposiumon Operating systems principles, pages 321–334.ACM, 2007. 13

[31] G. F. Lyon. Nmap Network Scanning: The OfficialNmap Project Guide to Network Discovery and Se-curity Scanning, volume 978-0470170779. NmapProject, 2007. 4

[32] G. Markham. Content restrictions, 2007.www.gerv.net/security/content-restrictions/. 13

[33] Microsoft. Mitigating cross-site scripting with http-only cookies. Web http://msdn.microsoft.com/en-us/library/ms533046.aspx,2009. 7

[34] Microsoft. Urlscan 3.1. Web http://www.iis.net/download/urlscan, 2011. 9

[35] Netcraft. Totals for active servers across alldomains. Website http://news.netcraft.com/archives/2009/06/17/june_2009_web_server_survey.html, Jun 2009. 2

[36] A. Nguyen-Tuong, S. Guarnieri, D. Greene,J. Shirley, and D. Evans. Automatically hardeningweb applications using precise tainting. In In Pro-ceedings of the 20th IFIP International InformationSecurity Conference, 2005. 13

[37] J. Nielsen’s. Response times: The 3 importantlimits. http://www.useit.com/papers/responsetime.html. 12

[38] T. Oda, G. Wurster, P. van Oorschot, and A. So-mayaji. Soma: mutual approval for included contentin web pages. In ACM CCS’08, pages 89–98, 2008.13

[39] P. Petefish, E. Sheridan, and D. Wichers. Cross-siterequest forgery (csrf) prevention cheat sheet.web http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet, 2010. 8

[40] T. Pietraszek and C. V. Berghe. Defending against in-jection attacks through context-sensitive string eval-uation. In Recent Advances in Intrusion Detection(RAID), 2005. 13

[41] Ruby on rails. http://rubyonrails.org/.13

[42] R. Rogers. Nessus Network Auditing, Second Edi-tion, volume 978-1597492089. Syngress, 2008. 4

[43] RSnake. Xss (cross site scripting) cheat sheet forfilter evasion. http://ha.ckers.org/xss.html. 13

[44] G. Rydstedt, E. Bursztein, D. Boneh, and C. Jack-son. Busting frame busting: a study of clickjackingvulnerabilities at popular sites. In in IEEE OaklandWeb 2.0 Security and Privacy (W2SP 2010), 2010.2, 8

[45] G. Rydstedt, B. Gourdin, E. Bursztein, andD. Boneh. Framing attacks on smartphones,dumb routers and social sites: Tap-jacking, geo-localization and framing leak attacks. In Woot, 2001.1

[46] P. Saxena and D. Song. Document structure in-tegrity: A robust basis for cross-site scripting de-fense. In proceedings of NDSS’08, 2008. 13

[47] Log injection attack and defense, 2007. http://bit.ly/kbMebK. 13

[48] Basic vulnerability issues for sip security, 2005.http://download.securelogix.com/library/SIP_Security030105.pdf. 13

[49] P. Stone. Next generation clickjack-ing. media.blackhat.com/bh-eu-10/presentations/Stone/BlackHat-EU-2010-Stone-Next-\Generation-Clickjacking-slides.pdf, 2010. 3

15

[50] D. Stuttard and M. Pinto. The Web ApplicationHacker’s Handbook: Discovering and ExploitingSecurity Flaws, volume 978-0470170779. Wiley,2007. 1, 2, 3

[51] B. Walther. Edit cookies 0.2.2.1, 2007.https://addons.mozilla.org/en-US/firefox/addon/4510. 4

[52] D. Wichers. Sql injection prevention cheat sheet.web http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet, 2011. 9

[53] Y. Xie and A. Aiken. Static detection of securityvulnerabilities in scripting languages. In In Pro-ceedings of the USENIX Security Symposium, 2006.13

[54] N. Zeldovich, S. Boyd-Wickizer, E. Kohler, andD. Mazieres. Making information flow explicit inhistar. In 7th Symposium on Operating SystemsDesign and Implementation, 2006. 13

16