Live Labs Web Sandbox: Securing Mash-Ups, Site Extensibility, And Gadgets

Scott IsaacsSoftware ArchitectMicrosoft Corporation

Dragos ManolescuProgram ManagerMicrosoft Corporation

TL29

Web security – overview and history Introducing the Web Sandbox Kicking the tires Getting involved and lots of demos

Agenda

How The Web Works

<div id="sitemeter" class="plain"><!--WEBBOT bot="HTMLMarkup" startspan ALT="Site Meter" --><script type="text/javascript" language="JavaScript">var site="s15gizmodo"</script><script type="text/javascript" language="JavaScript1.2" src="http://s15.sitemeter.com/js/counter.js?site=s15gizmodo"></script>

Failure Should Not Be An Option

Web SandboxA Tech Preview

announcing

Technology dates back to the 90s Started with hit counters (images) Transition to affiliate programs Web 2.0 mash-ups: low-cost innovation

Sites want to become “platforms” All suffer the same fate

History

Mashing up third-party content What does this mean for the site? What does this mean for the user? but everyone wants a “partner”

A challenging environment Only as reliable as the weakest link Users pay the cost

A Scary Problem

This is one of the most damaging problems on the Web – security expert RSnake

Ignore the problem IFrame the problem

Too much isolation without security Redirects, installers, history, clickjacking, etc

First Generation Solutions (FBJS…) A new programming model

None address Quality of Service (QoS)

State Of The Art (Before Today)

Think outside the box – literally Beyond gadgets

Site extensibility Componentization model Richer advertising

Control the trust model Protect the overall experience

Where Do We Need To Go?

Goal: Secure Web 2.0 Industry-wide focus

ECMA Security Working Group AdSafe, Caja… Work together to define the standard

Enter the Live Labs Web Sandbox

The Opportunity

Web Sandbox 101

demo

No IFrames were abused…

Architecture 101 – The Big Picture

TransformationPipelineUntrusted Content

Virtualized Code

Trusted HostRequested Content

(untrusted)

Sandboxed ExecutionSandboxed Execution

Virtual Machine

Support for all modern browsers No browser extensions required Provides cross-browser consistency

Why not develop a plug-in? Users must not opt-into security Ubiquity versus deployment

The Browser Challenge

Change function: Success = Customer Pain

Total Perceived Pain of Adoption

Use the materials in the room No new APIs or language No gadget SDK required

The Philosophy

Web Sandbox 201

demo

Standards – based JavaScript “good” and “bad” parts Processing Model

Automatic multi-instancing Code throttling QoS monitoring

Going Beyond Security

Web Sandbox:Graduation

demo

Lack of isolation Increased surface area

Testing challenges Unintentional conflicts No feedback loop

Single point of failure

Why Is QoS Hard?

Grad School:Infinite Is A Big Number…

demo

Goal: Support 99% of the language Work in progress

1. HTML must be well-formed2. document.write3. JavaScript with statement4. XML Proxy is not yet enabled5. Dynamic loading of external scripts6. Silverlight and Flash Support

The Fine Print

Trade-offs Performance: 1.5 – 4x Intermediate transformation step More difficult debugging (?debug=true flag)

The 1%: API Limitations No arbitrary code “eval”uation Addressable with native support

The Finer Print

Privacy:It’s My History

demo

Architecture 101 – The Big Picture

TransformationPipeline

Untrusted Content

Virtualized Code

Trusted HostRequested Content

(untrusted)

Sandboxed ExecutionSandboxed Execution

Virtual Machine

Transformation Pipeline

Untrusted Content

HTML to JSON

CSS to JSON Transform all Scripts

Package With Script

Ready to Run!

Sandbox Execution

Code Invocations

Type and Apply Rule

Sandbox Instance

Interception Layer

Monitor QoS

Sandbox InstanceSandbox InstanceReady to

Run!

We Rule!

demo

Runtime Communication

TransformationPipeline

Untrusted Content

Virtualized Code

Trusted HostRequested Content

(untrusted)

Sandboxed ExecutionSandboxed Execution

Virtual Machine

Runtime

Easy Hosting

<div id="putContentHere"></div><script src="websandbox.js"></script><!-- Use Server Transform --><script src="http://websandbox-code.org/transform.aspx?

url=UrlToUntrustedCode&guid=ContentID"></script><script> // Create a Sandbox instancevar sb = new $Sandbox(

document.getElementById("putContentHere"),$Policy.Gadget, "ContentID")

sb.initialize();</script>

Web Sandbox: DIY

demo

An Open Project http://websandbox.livelabs.com

Interactive Documentation Playground and Samples

Hack us! Break us! Make us feel pain Community Forums

We want all feedback Public Full Disclosure Forum

Join us in defining the standard

Getting Involved

Evals & Recordings

Please fill

out your

evaluation for

this session at:

This session will be available as a recording at:

www.microsoftpdc.com

Please use the microphones provided

Q&A

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market

conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.