
Caja at OWASP, Sweden

Last week, I attended OWASP AppSec Research 2010 in Stockholm, Sweden.  The conference was well attended with a mix of people from industry and from academia.  There was an especially interesting set of presentations.

Mike Samuel and I spoke about virtualization as an essential security tool, exemplified by our project, Caja, which replaces the same-origin policy in browsers.  The same-origin policy is the security policy baked into today's browsers: the authority that code on a page has is decided entirely by the domain of the page.  This has worked reasonably well traditionally, when all of the code and data on a web page is generated and vetted by the same person or organization.  Its limits become apparent, however, in social networks and on other websites that include code authored by third parties.  The browser exposes all sorts of authority ambiently to all code executing on a page, irrespective of how that code came to execute.  Users rightly hold the website (as identified by the URL they entered in the browser's address bar) responsible for their data; the browser, however, gives the site no ability to limit what third-party code on the page can do.

For social networks there is a further problem: the security policy that is needed changes over time as the social network experiments and matures, the value of its data grows and new attacks emerge.  Unfortunately, by the time a social networking site has figured out its niche and identified its real threats, it has acquired a large body of legacy code which must continue to run to avoid annoying its users.  The threat model is sufficiently unpredictable that no amount of up-front security design is sufficient for the lifetime of the site.

Virtualization gives sites that anticipate this problem the ability to respond flexibly to changing threats by keeping the security policy in code the site controls.  By requiring third-party code to interact only through exposed APIs, a social network can modify the authority any particular piece of third-party code has simply by changing the implementation of the API.  This gives the site a place to stand from which to attenuate the authority the third-party code gets, without changing the API that code is written against.
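As an added illustration of the attenuation pattern described above (this is not Caja's own code: Caja virtualizes the real DOM, HTML and CSS, whereas this toy uses a made-up key/value store), the host constructs the only object a third-party gadget ever receives, then later swaps in a stricter policy while the gadget's code stays exactly as it was written. Every function, policy and gadget name here is invented for the example.

```javascript
// Added illustration of host-controlled authority attenuation. Not Caja's code;
// all names are invented. The gadget talks to the site only through the `api`
// object the host hands it, so the host can change what that object does
// (the policy) without changing the API surface the gadget was written against.

// The host's store: the data the site is answerable to its users for.
function createHostStore() {
  const data = new Map();
  return {
    read: (key) => data.get(key),
    write: (key, value) => { data.set(key, value); },
    keys: () => Array.from(data.keys()),
  };
}

// Host-owned policies. Shipping a new policy object is how the site reacts to a
// newly understood threat; no gadget code is touched.
const POLICY_V1 = Object.freeze({ protectedKeys: new Set(), maxValueLength: 1024 });
const POLICY_V2 = Object.freeze({ protectedKeys: new Set(['email']), maxValueLength: 256 });

// Build the attenuated API one gadget receives. The gadget never sees `store`.
function makeGuestApi(store, guestId, policy) {
  const prefix = guestId + ':'; // namespace keys so gadgets cannot read each other's data
  const audit = [];             // host-side record the gadget cannot see or alter
  const api = {
    get(key) {
      return store.read(prefix + key);
    },
    set(key, value) {
      if (policy.protectedKeys.has(key)) {
        audit.push({ guestId, op: 'set', key, allowed: false, reason: 'protected' });
        return false; // same call shape as before, attenuated behaviour
      }
      if (typeof value !== 'string' || value.length > policy.maxValueLength) {
        audit.push({ guestId, op: 'set', key, allowed: false, reason: 'size' });
        return false;
      }
      store.write(prefix + key, value);
      audit.push({ guestId, op: 'set', key, allowed: true });
      return true;
    },
  };
  // Freeze so the gadget cannot replace a method with its own and then pass the
  // object on to another party that trusts it.
  return { api: Object.freeze(api), audit };
}

// Constructed third-party gadget. Written once against the API and never
// modified when the site tightens its policy.
function thirdPartyGadget(api) {
  api.set('theme', 'dark');
  api.set('email', 'user@example.invalid'); // the site later forbids storing this key
  return api.get('theme');
}

// Run the unchanged gadget under a given policy and report what it was able to do.
function runUnderPolicy(policy) {
  const store = createHostStore();
  const { api, audit } = makeGuestApi(store, 'gadgetA', policy);
  const theme = thirdPartyGadget(api);
  const { api: otherGadget } = makeGuestApi(store, 'gadgetB', policy);
  return {
    theme,
    emailStored: store.read('gadgetA:email') !== undefined,
    denied: audit.filter((e) => !e.allowed).map((e) => e.key),
    crossRead: otherGadget.get('theme'), // gadgetB cannot see gadgetA's 'theme'
  };
}

console.log('v1:', runUnderPolicy(POLICY_V1)); // email stored, nothing denied
console.log('v2:', runUnderPolicy(POLICY_V2)); // email write denied, gadget unchanged
```

The point of the example is the second run: the gadget's `set('email', ...)` call is identical, but under `POLICY_V2` the host's implementation refuses it and records the attempt. Because the gadget only ever held the frozen `api` object, the host did not have to find and rewrite legacy gadget code to change what that code is allowed to do.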

Virtualization is a general tool, applicable wherever mutually untrusting code must execute in the face of a changing security policy.  For browsers, Caja provides such a virtualization layer for JavaScript, HTML, CSS and the DOM.  The browser is a complicated beast and not every layer is completely supported — third-party code can only use those APIs which have been virtualized.  That said, as of today this includes almost all of HTML 4.01, CSS 2.1 and JavaScript, and a large number of the commonly used DOM functions, with more being added as they are requested and their security properties understood.

Try it out at http://caja.appspot.com/.