Mar 30, 2015
1
Gibraltar: Exposing Hardware Devices to Web Pages Using AJAX
2013. 10. 21
Mobile Lab
박세준
2
Contents
- Intro
- Design Scheme
- Implementation
- Application
- Security
- Evaluation
- Related Work & Conclusion
3
Intro
• Web developers who want to use local devices face a choice
– Both options lack portability
4
Intro
• Alternative solution: extend an existing HTML tag, e.g. <input>
– Original HTML tag (before HTML5)
  • <input type="submit" value="Register">
  • Submits form data to the server or to another object in the page session
– Extended HTML tag (HTML5 media capture)
  • <input type="file" name="image" accept="image/*" capture>
  • Takes a picture with the camera and saves it to a file
From http://w3.org/TR/html-media-capture
5
Intro
• Trade-offs
– Native application
  • Faster response time: it can use device-optimized libraries
  • Needs installation and depends on the OS
– Cross-platform application such as HTML5
  • No dependency: the user only needs a URL to reach the web app
  • Higher response time and a larger attack surface: JavaScript runs on almost every OS and browser, but it has to be interpreted in the local domain, and JavaScript and web browsers expose a lot of surface that can be attacked or manipulated
6
Intro
• Gibraltar: take only the advantages
– Simply put, it is a hardware abstraction for the web
  • HTTP is the medium, like IPC
  • The device server acts like a kernel
  • The page itself still runs sandboxed in the browser
– Merged advantages
  • Low response time
  • No installation
  • Secure access control
  • Compatibility
– HTML5 -> Gibraltar (X): HTML5 device APIs cannot express Gibraltar's API
– Gibraltar -> HTML5 (O): Gibraltar can implement the HTML5 device APIs
7
Design
• Separated modules, based on privilege separation
– hardware.js
  • Consists of JavaScript code
  • Provides the public Gibraltar API
  • Acts as a compiler: from page requests to raw AJAX calls
– Device server
  • Independent of the browser
  • In principle, a device server only serves data to one origin
  • Manages authorization and alarms the user when a suspicious request is received
8
Design
• Manifest authorization
– When an Android application is installed, the install manager asks the user for permissions; Gibraltar does the same
– A page (or set of pages) that wants device access must ship a manifest describing what it will access
– When a new page requests access, or an already-authorized page requests new access, the user has to approve the permission
9
Design
• Find what they have in common
허접쓰레기 (http://www.korean.go.kr)
referrer (http://en.wikipedia.org/wiki/Referrer)
(Both are misspellings that became accepted usage: 허접쓰레기 was admitted as a standard spelling by the National Institute of Korean Language, and the HTTP header is spelled "Referer")
11
Design
• Session management
– Referer field
  • If x.html links to y.html and the link is followed, the HTTP request that moves from x.html to y.html carries x.html in the Referer field
  • The Referer field can be forged, so a fake request (replay attack) is possible
– Replay attack: reuse of a session or cookie
Diagram: Trusted.com/x.htm <-> Device server
1. Page requests device access
2. Device server checks whether a granted token exists
3. Exists: inspect the mapping table with the token
  4-1. Equal: approve access
  4-2. Different: ignore the request and alarm the user
5. No token: create a new unique token (= mapping); the token is transmitted to the page
Untrusted.com/x.htm -> X: suspicious request, denied because of a different mapping
12
Design
• Sensor widgets, from the browser's perspective
– Threat: creating or copying an authorized token inside the web browser to gain permission to the device
Diagram: Trusted.com, sensor widget, device server
1. Page requests device access
2. Device server sends the authorized token
3. Attacker captures and copies the authorized token in the browser
4. Attacker tries to get hardware access permission with it
5. The sensor widget alerts the user because no trusted page is open, yet the browser is trying to access hardware with an authorized token
13
Design
• Sensor API
– Many devices (GPS, camera, Bluetooth, ...)
– Web pages obtain sensor data via Gibraltar's API, either once or repeatedly
– It supports various sensors and devices conveniently
– Abstraction (simple code), called by Trusted.com through hardware.js: singleQuery(), continuousQuery()
– In detail (complex code): sensorAdded() / sensorRemoved(), startSensor() / stopSensor()
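The slide lists the simple calls and the detailed ones side by side without showing how they relate. The sketch below is an added example, not the project's own hardware.js: it builds singleQuery() and continuousQuery() on top of startSensor()/stopSensor() and a raw request transport. The `readSensor()` call, the URL paths, the `transport` object and the FakeDeviceServer that records the raw calls are all assumptions constructed for this example; the real Gibraltar wire format is not on the page.

```javascript
// Added example (not hardware.js itself). The simple API is built on the
// low-level start/stop calls; every low-level call is one raw AJAX-style request
// on `transport`. Assumed names: readSensor(), the /sensors/<name>/... paths,
// and the transport's request/subscribe/unsubscribe methods.
class HardwareJs {
  constructor(transport) { this.t = transport; }

  // Low-level ("complex code") API: one raw request per call.
  startSensor(name) { return this.t.request("POST", `/sensors/${name}/start`); }
  stopSensor(name) { return this.t.request("POST", `/sensors/${name}/stop`); }
  readSensor(name) { return this.t.request("GET", `/sensors/${name}/data`); } // assumed helper

  // Simple API: one reading; the sensor is stopped even if the read throws.
  singleQuery(name) {
    this.startSensor(name);
    try { return this.readSensor(name); } finally { this.stopSensor(name); }
  }

  // Simple API: stream readings pushed by the device server; the returned
  // handle unsubscribes and stops the sensor so it does not keep running.
  continuousQuery(name, onSample) {
    this.startSensor(name);
    const listener = (sample) => onSample(sample);
    this.t.subscribe(name, listener);
    return {
      stop: () => { this.t.unsubscribe(name, listener); this.stopSensor(name); },
    };
  }
}

// Constructed stand-in for the device server: records raw requests, answers
// GETs with canned values, and pushes samples to subscribers (server push).
class FakeDeviceServer {
  constructor() {
    this.log = [];
    this.listeners = new Map();
    this.values = { gps: { lat: 37.5665, lon: 126.978 } }; // constructed sample
  }
  request(method, path) {
    this.log.push(`${method} ${path}`);
    const name = path.split("/")[2];
    return method === "GET" ? this.values[name] : "ok";
  }
  subscribe(name, fn) {
    if (!this.listeners.has(name)) this.listeners.set(name, new Set());
    this.listeners.get(name).add(fn);
  }
  unsubscribe(name, fn) { this.listeners.get(name)?.delete(fn); }
  push(name, sample) { for (const fn of this.listeners.get(name) ?? []) fn(sample); }
}

// Runs both query styles against the fake server and returns what happened.
function demoSensorApi() {
  const server = new FakeDeviceServer();
  const hw = new HardwareJs(server);

  const fix = hw.singleQuery("gps");
  const singleLog = server.log.slice();

  server.log.length = 0;
  const samples = [];
  const handle = hw.continuousQuery("accelerometer", (s) => samples.push(s));
  server.push("accelerometer", { x: 0.1, y: 0.0, z: 9.8 }); // constructed samples
  server.push("accelerometer", { x: 0.2, y: 0.1, z: 9.7 });
  handle.stop();
  server.push("accelerometer", { x: 9.9, y: 9.9, z: 9.9 }); // must not be delivered
  return { fix, singleLog, samples, continuousLog: server.log.slice() };
}
```

Usage: `demoSensorApi()` returns the GPS fix, the raw request log behind `singleQuery()` (start, data, stop), the two accelerometer samples delivered before `stop()`, and the log of the continuous session. Note that `stop()` unsubscribes before sending the stop request, so a sample pushed in between cannot reach a page that believes the sensor is off.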
14
Design
• Processor API
– Designed to support multi-core CPUs and GPUs; inspired by OpenCL (Open Computing Language)
– enqueueKernel(): specifies which kernel will execute the job
– setKernelData(): sets the data to be computed in parallel
– Two parallelism methods
  • Several enqueueKernel() calls, each with setKernelData(scalar)
  • One enqueueKernel() call with setKernelData(vector)
– executeKernels(): automatic distribution, coordination and intercommunication
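To make the two parallelism methods concrete, here is an added, in-process toy model of the three calls; it is not Gibraltar's Processor API implementation, which dispatches to real CPU cores and GPUs. Assumptions: a kernel is an ordinary JavaScript function over one element, `cores` stands in for the workers the device server would use, and the `trace` field is added only so the distribution is visible.

```javascript
// Added example (not Gibraltar's own code): a toy scheduler with the same
// enqueueKernel/setKernelData/executeKernels shape as the slide. A "core" is
// simulated; the point is how scalar vs. vector data is distributed.
class Processor {
  constructor(cores) { this.cores = cores; this.queue = []; }

  // Queue a kernel; the returned id is the handle setKernelData() needs.
  enqueueKernel(kernel) {
    const id = this.queue.length;
    this.queue.push({ kernel, data: undefined });
    return id;
  }

  setKernelData(id, data) {
    if (!this.queue[id]) throw new Error(`no kernel with id ${id}`);
    this.queue[id].data = data;
  }

  // Run everything queued. Returns one result per kernel (in enqueue order)
  // and a trace of which simulated core handled how many items.
  executeKernels() {
    const trace = [];
    const results = this.queue.map(({ kernel, data }, kid) => {
      if (!Array.isArray(data)) {
        // Method 1: scalar data -> the whole kernel is one job; jobs are
        // spread round-robin over the cores.
        trace.push({ kernel: kid, core: kid % this.cores, items: 1 });
        return kernel(data);
      }
      // Method 2: vector data -> split into at most `cores` chunks, one chunk
      // per core; results are reassembled in input order (the "coordination").
      const chunk = Math.ceil(data.length / this.cores);
      const out = [];
      for (let c = 0; c < this.cores; c++) {
        const part = data.slice(c * chunk, (c + 1) * chunk);
        if (part.length === 0) break;
        trace.push({ kernel: kid, core: c, items: part.length });
        out.push(...part.map(kernel));
      }
      return out;
    });
    this.queue = [];
    return { results, trace };
  }
}

// Both methods applied to the same kernel on a simulated 4-core device.
function demoProcessorApi() {
  const square = (x) => x * x;
  const p = new Processor(4);

  // Method 1: several enqueueKernel() calls, each with scalar data.
  for (const x of [1, 2, 3]) p.setKernelData(p.enqueueKernel(square), x);
  const scalarRun = p.executeKernels();

  // Method 2: one enqueueKernel() call with vector data (constructed input).
  p.setKernelData(p.enqueueKernel(square), [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]);
  const vectorRun = p.executeKernels();

  return { scalarRun, vectorRun };
}
```

With four simulated cores, the scalar run produces three single-item jobs on cores 0, 1 and 2, while the vector run of ten elements is cut into chunks of three, three, three and one, so all four cores are used for one kernel.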
15
Design
• Storage API
– Provides a key/value storage interface
– HTML5 DOM storage provides key/value storage too, but only on non-removable storage
– As the interface below shows, DOM storage has no field for choosing which storage to use
  interface Storage {
    readonly attribute unsigned long length;
    DOMString? key(unsigned long index);
    getter DOMString? getItem(DOMString key);
    setter creator void setItem(DOMString key, DOMString value);
    deleter void removeItem(DOMString key);
    void clear();
  };
from dev.w3.org/html5/webstorage
16
Design
• Remote device access
– Disabled by default, to prevent security problems
  • If it were allowed, the Referer field could be spoofed or a capable token duplicated from another host
– Alleviation through a whitelist
  • Users must explicitly designate IP addresses or DNS names
  • This is done by the user constructing the manifest themselves
  • But the user must maintain the list extremely carefully to prevent security issues
17
Implementation
• Gibdroid: the implementation of Gibraltar on Android
– Sensors fall into two classes by data rate
  • High data rate: video camera, accelerometer
  • Low data rate: still camera, GPS
– To alleviate the throughput drop, Gibdroid uses indefinite-size frames for high-data-rate sensors, because session-establishing messages between Gibdroid and the device hurt performance
18
Application
• Four applications using the Gibraltar API
– MapQuest
  • Uses GPS data for the user's location
  • Uses locally cached tiles stored as key/value pairs (tileID, fileSystemLocation), e.g. (1B, /map/00011011)
– Shazam
  • Identifies the music that is playing
  • Offloads the heavy computation to the Processor API
– Gibraltar Paint
  • A canvas in a desktop browser is drawn on from a mobile device
– Pac-Man
  • Controlled in the same manner as above
19
Security
• Two security issues
– Is the device access request trustworthy? If the browser itself is malicious, how can the system detect it?
– Once data from the hardware has been transmitted, what can the system still do? Isn't that closing the barn door after the horse has bolted?
– Five security principals: user, Gibraltar, OS, web page, web browser
  • The system is concerned with two of them: the page and the browser
– Three defenses: Referer check, sensor widget, legitimately authorized page
20
Security
The defenses combine as an AND operation: to succeed, an attacker must
– fake the Referer, AND
– steal the token, AND
– be a legitimately authorized page
If not all of them are satisfied, no attack succeeds
Ordering of the defenses: referrer < token < authorized page
21
Security
• If the browser is trustworthy, then?
– No attack will succeed
– Modern browsers, e.g. IE9 and Chrome, support process isolation
– An attacker's attempt to steal the token from an authorized page will fail because of process separation: the attacker's process is different from the authorized page's process, so the attacker has no route to the authorized page's token
22
Evaluation
• Multi-core machines
– Write latency is better than HTML5 storage because of Gibraltar's asynchronous write policy; if the write policy were set to write-through, the result would be similar to HTML5
– Read latency is worse than HTML5 storage, so Gibraltar's local storage is inferior for HTML5-style uses such as caching user data to avoid fetching it over a slow network
23
Evaluation
• Single-core machines
– Raw performance is inferior to the dual-core result
– Modern smartphones all adopt multi-core systems, so Gibraltar benefits from this and the bad single-core performance matters much less
24
Evaluation
• Single-core machines (continued)
– Left: the accelerometer and geolocation sensors are sufficient for interactive apps (the achieved rate approaches the null rate)
– Right: server push is superior to request-response (R-R). However, when the R-R configuration is switched to server push, throughput drops dramatically; this comes not from the server-push technique itself but from differences in the device server
25
Evaluation
• Sampling rate
– Gibdroid's throughput is almost the same as native
26
Evaluation
• Power consumption
– The Gibdroid accelerometer and browsing consume a lot of power
– But this comes not from a bad Gibdroid architecture but from the browser and the device server
27
Thank you!