Gibraltar: Exposing Hardware Devices to Web Pages Using AJAX
2013. 10. 21
Mobile Lab
박세준
Contents
- Intro
- Design Scheme
- Implementation
- Application
- Security
- Evaluation
- Related Work & Conclusion
Intro
• Web developers who want to use local hardware devices face a choice
between two options
– Both options lack portability
Intro
• An alternative solution: extending existing HTML tags
– Ex. <input>
– Original HTML tag (before HTML5)
• <input type="submit" value="Register">
• Submits data from a form to the server or to another object in the web page session
– Extended HTML tag
• <input type="file" name="image" accept="image/*" capture>
• Takes a picture with the camera and saves the image to a file
From http://w3.org/TR/html-media-capture
Intro
• Trade-offs
– Native application
• Faster response time
– It can use device-optimized libraries
• Needs installation and depends on the OS
– Cross-platform application such as HTML5
• No dependency
– The user only connects to the web with a URL
• Higher response time, vulnerability
– JavaScript runs on almost every OS and browser, but it has to be
interpreted in the local domain
– JavaScript and web browsers expose a large surface that can be
attacked or manipulated
Intro
• Gibraltar: take only the advantages
– Simply put, it is a hardware abstraction for the web
• HTTP is the medium, like IPC
• The device server acts like a kernel
• In practice, the page runs inside the browser's sandbox
– Merged advantages
• Low response time
• No installation
• Secure access control
• Compatibility
– HTML5 -> Gibraltar (X)
– Gibraltar -> HTML5 (O)
Design
• Separated modules
– Based on privilege separation
– hardware.js
• Consists of JavaScript code
• Provides the public Gibraltar API
• Compiler: turns page requests into raw AJAX code
– Device server
• Independent of the browser
• In principle, a device server only allows data from one origin
• Manages authorization and raises an alarm when a suspicious
request is received
Design
• Manifest authorization
– When an Android application is installed, the install manager asks
the user for permissions
– So does Gibraltar
– A page (or set of pages) that wants to access a device must have a
manifest describing what it will access
– When a new page requests access, or an old page requests a new kind
of access, the user has to approve the permission
Design
• Find what these two have in common
– 허접쓰레기 (http://www.korean.go.kr)
– referrer (http://en.wikipedia.org/wiki/Referrer)
Design
• Session management
– Referrer field
• If x.html contains a link to y.html and that link is activated, the HTTP
request that moves the page from x.html to y.html carries x.html in the
referrer field
• A fake request is possible (replay attack)
– Replay attack
• Reuse of a session or cookie
Figure: device access flow between a page and the device server
Trusted.com/x.htm -> Device server
1. Request device access
2. Check whether a granted token exists
3. Exists: inspect the mapping table with the token
4-1. Equal: approve access
4-2. Different: ignore the request and raise an alarm
5. No token: create a new unique token (= mapping); the token is
transmitted to the page
Untrusted.com/x.htm -> Device server
Suspicious request: denied because of a different mapping
Design
• Sensor widgets
– From the browser's perspective
• An authorized token is created or copied inside the web browser to
gain permission to the device
Figure: Trusted.com, browser, device server and sensor widget
1. Trusted.com requests device access
2. The device server sends the authorized token
3. The authorized token is captured and copied in the browser
4. The browser tries to get hardware access permission with it
5. The sensor widget alerts the user, because no trusted page is open
but the browser is trying to access hardware with an authorized token
Design
• Sensor API
– Many devices (GPS, camera, Bluetooth, ...)
– Web pages can obtain sensor data through Gibraltar's API once or
repeatedly
– It supports a variety of sensors and devices conveniently
Figure: Trusted.com <-> hardware.js, from abstraction (simple code) to
detail (complex code)
• singleQuery(), continuousQuery()
• startSensor(), stopSensor(), sensorAdded(), sensorRemoved()
Design
• Processor API
– Designed to support multi-core CPUs and GPUs
– Inspired by OpenCL (Open Computing Language)
– enqueueKernel()
• Specifies which kernel will execute the job
– setKernelData()
• Sets the data to be computed in parallel
– Two parallelism methods
• Several enqueueKernel() calls, each with setKernelData(scalar)
• One enqueueKernel() call with setKernelData(vector)
– executeKernels()
• Automatic distribution, coordination and intercommunication
Design
• Storage API
– Provides a key/value storage interface
– HTML5 DOM storage provides key/value storage, too
• But it only covers non-removable storage
  interface Storage {
    readonly attribute unsigned long length;
    DOMString? key(unsigned long index);
    getter DOMString? getItem(DOMString key);
    setter creator void setItem(DOMString key, DOMString value);
    deleter void removeItem(DOMString key);
    void clear();
  };
from dev.w3.org/html5/webstorage
• As shown above, DOM storage has no field for choosing which storage
device is used
Design
• Remote device access
– Disabled by default
• To prevent security problems
• If it is allowed, seizing the referrer field or duplicating a capable
token becomes possible
– Mitigation through a whitelist
• Users must explicitly designate IP addresses or DNS names
– This is done by the user constructing the manifest by hand
• But the user must maintain the list extremely carefully to prevent
security issues
Implementation
• Gibdroid
– Implementation of Gibraltar on Android
– Sensors fall into two classes by data rate
• High data rate: video camera, accelerometer
• Low data rate: still camera, GPS
– To alleviate the throughput drop, Gibdroid uses indefinite-size frames
for high-data-rate sensors
• Session-establishing messages hurt performance between Gibdroid and
the device
Application
• Four applications using the Gibraltar API
– MapQuest
• Uses the GPS data of the user's location
• Uses locally cached tiles expressed as key-value pairs
(tileID, fileSystemLocation), e.g. (1B, /map/00011011)
– Shazam
• Identifies the music that is playing
• Uses the Processor API for its heavy computation
– Gibraltar Paint
• A canvas in a desktop browser is drawn on by a mobile device
– Pacman
• Same manner as above
Security
• Two security issues
– Is the device access request reliable?
• If there is a malicious browser, how can the system detect it?
– Once data from the hardware has been transmitted, what can the
system do?
• Isn't that closing the barn door after the horse is stolen?
– Five security principals
• User, Gibraltar, OS, web page, web browser
• The system is concerned with two components: page and browser
– Three defenses
• Referrer, sensor widget, legitimate page
Security
• AND operation over the three defenses: an attack must fake the
referrer, steal the token, and come from a legitimately authorized page
– If not all of them are satisfied, no attack succeeds
– Strength order: referrer < token < authorized page
Security
• If the browser is reliable, then what?
– No attack will succeed
– Modern browsers, e.g. IE9 and Chrome, support process isolation
– An attacker's attempt to steal the token from an authorized page
will not succeed
• Because of process separation
• The attacker's process is different from the authorized page's process
• So the attacker has no route to the authorized page's token
Evaluation
• Multi-core machines
– Write latency is superior to HTML5
• Asynchronous write policy
• If Gibraltar's write policy is set to write-through, the result will be
similar to HTML5
– Read latency is inferior to HTML5
• Gibraltar's local storage is worse than HTML5's for uses such as
caching user data to avoid fetching it over a slow network
Evaluation
• Single-core machines
– Raw performance is inferior to that of a dual-core machine
– Modern smartphones all adopt multi-core systems
– Gibraltar can exploit this advantage, and the poor single-core
performance will be reduced greatly
Evaluation
• Single-core machines
– Left: the accelerometer and geolocation sensors are sufficient for an
interactive app (the rate approaches the null rate)
– Right: server push is superior to request-response (R-R). However,
when the R-R setting is switched to server push, throughput drops
dramatically. This comes not from the server push technique but from
differences in the device server
Evaluation
• Sampling rate
– Gibdroid's throughput is almost the same as native
Evaluation
• Power consumption
– Gibdroid's accelerometer and browsing consume much power
– But this comes not from a bad Gibdroid architecture but from the
browser and the device server
Thank you!