Trusted Browser Security Model
This paper contains some of my initial thoughts ('request for comments') on minimizing the effects of client-side browser attacks using a Trusted Computing solution.
Restrictions & Limitations: The semantic web is a security nightmare and certainly will not agree with these ideas. Right, let's get on with it... brainstorming...
As always with security, the aim here is not to solve every problem but rather to mitigate and complicate matters for the attacker, thus discouraging these attacks.
Trusted Browser Security Model (TBSM):
In case you're wondering or googling for this name, I made it up for the purpose of this blog entry.
TBSM starts out with three goals:
- Defines supported client-side technologies (e.g. JavaScript)
- Defines trusted 3rd-party applications (e.g. Adobe Reader, QuickTime)
- Defines cross-site access, both on the client side and, more logically, on the server side.
In application, the basic idea of how this works:
- Both the client and the server have XML-defined security rules. These rules define which browser functionality and which 3rd-party applications are allowed to communicate with the currently selected domain name. Furthermore, we may define cross-site policies which allow or restrict which sites may be accessed from our current location.
- The rule files are signed using the TPM and exchanged with the client (i.e. an SSL-type negotiation).
- If the security rules are met on both sides, the client is permitted to access the site. This means the client's set of security rules is satisfied, and the server-side security rules are adopted for the duration of the visit.
Note: the second and third steps can quite easily be done at the browser level without requiring the TPM.
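As an added illustration of the rule exchange described above (example code, not from the original post), here is a small Python negotiator: it parses two constructed XML rulesets, checks that every feature the server requires is one the client permits, and hands back the intersection as the session policy. The element and attribute names (tech/plugin/crosssite, allow/required) are my own assumptions, since TBSM defines no schema, and signature verification of the rulesets (TPM or otherwise) is taken as already done.

```python
import xml.etree.ElementTree as ET

# Constructed sample rulesets (not from the original post). The element and
# attribute names are assumptions; the post defines no schema.
CLIENT_RULES = """<tbsm>
  <tech name="javascript" allow="true"/>
  <tech name="java" allow="false"/>
  <plugin name="adobe-reader" allow="false"/>
  <plugin name="quicktime" allow="true"/>
  <crosssite domain="cdn.example.net" allow="true"/>
</tbsm>"""

SERVER_RULES = """<tbsm domain="shop.example.com">
  <tech name="javascript" required="true"/>
  <plugin name="quicktime" required="false"/>
  <crosssite domain="cdn.example.net" allow="true"/>
  <crosssite domain="ads.example.org" allow="true"/>
</tbsm>"""

def parse_rules(xml_text):
    """Return (features, required, crosssite) for one ruleset.
    features: 'tech:x' / 'plugin:x' entries the side permits;
    required: entries the server insists on; crosssite: domains allowed."""
    # The ruleset comes from a remote peer; parse with defusedxml in real code.
    root = ET.fromstring(xml_text)
    features, required, crosssite = set(), set(), set()
    for el in root:
        if el.tag in ("tech", "plugin"):
            key = f"{el.tag}:{el.get('name')}"
            if el.get("allow", "true") == "true":
                features.add(key)
            if el.get("required") == "true":
                required.add(key)
        elif el.tag == "crosssite" and el.get("allow") == "true":
            crosssite.add(el.get("domain"))
    return features, required, crosssite

def negotiate(client_xml, server_xml):
    """TBSM check: the client's rules must be met, then the server's rules
    become the session policy. Anything neither side lists is denied."""
    c_feat, _, c_sites = parse_rules(client_xml)
    s_feat, s_req, s_sites = parse_rules(server_xml)
    missing = s_req - c_feat          # server demands something the client forbids
    if missing:
        return {"allowed": False, "reason": sorted(missing)}
    return {"allowed": True,
            "features": sorted(c_feat & s_feat),
            "crosssite": sorted(c_sites & s_sites)}
```

With the sample rulesets the visit is allowed with JavaScript and QuickTime enabled and only cdn.example.net reachable cross-site; a server that required Adobe Reader would be refused, since the client's rules forbid it.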
Simplified:
Like any firewall, both simplified and complex rulesets exist. The TBSM idea is a shared access control list between the client and the server: we pre-determine what is allowed for the duration of our session. At some point TBSM could be expanded to stateful application inspection, permitting only specific functions of browser languages such as JavaScript.
Our major challenge at the moment is that the browser world is like the pre-firewall days: the default rule is to ACCEPT just about anything. Such an implementation would have been too far-fetched before, but with TPM now being implemented as a standard, I think this area has the potential to be expanded into the browser security frontier.
Implementing this model will mitigate XSS, CSRF and client-side vulnerabilities (e.g. the Universal PDF vulnerability). It would also greatly mitigate AJAX worms utilising cross-site vulnerabilities. With the future of TPM, we can have much more control over what we allow and don't allow. We could deny access by country, city or even processor type if we really wanted :)