
Gibraltar: Exposing Hardware Devices to Web Pages Using AJAX

2013. 10. 21
Mobile Lab

박세준


Contents

- Intro

- Design Scheme

- Implementation

- Application

- Security

- Evaluation

- Related Work & Conclusion


Intro

• Web developers who want to exploit local devices face choices

Both of them lack portability.


Intro

• Alternative solution
  – Ex. <input>
  – Original HTML tag (before HTML5)
    • <input type="submit" value="Register">
    • Submits data from a form to the server or to another object in the web page's session
  – Applied HTML tag
    • <input type="file" name="image" accept="image/*" capture>
    • Takes a picture with the camera and saves the image to a file

From http://w3.org/TR/html-media-capture


Intro

• Trade-offs
  – Native application
    • Faster response time
      – It can exploit device-optimized libraries
    • Needs installation, depends on OS
  – Cross-platform application such as HTML5
    • No dependency
      – User only connects to the web with a URL
    • Higher response time, vulnerability
      – JavaScript is supported by almost every OS and browser, but it has to be interpreted on the local machine
      – JavaScript and web browsers have a large surface that can be attacked or manipulated


Intro

• Gibraltar: take only the advantages
  – Simply put, it is a hardware abstraction for the web
    • HTTP is the medium, like IPC
    • The device server acts like a kernel
    • In reality, it runs in the browser, sandboxed
  – Advantages merged
    • Low response time
    • No installation
    • Secure access control
    • Compatibility
      – HTML5 -> Gibraltar (X)
      – Gibraltar -> HTML5 (O)


Design

• Separated modules
  – Based on privilege separation
  – hardware.js
    • Consists of JavaScript code
    • Provides the public Gibraltar API
    • Compiler: from page request to raw AJAX code
  – Device server
    • Independent of the browser
    • In principle, a device server accepts data from only one origin
    • Manages authorization; raises an alarm when a suspicious request is received


Design

• Manifest authorization
  – When installing an Android application, the install manager asks the user
  – So does Gibraltar
  – A page or pages that want to access a device should have a manifest describing what to access
  – New page requests access / old page requests new access: the user has to approve the permission


Design

• Find what they have in common

허접쓰레기 (Korean: "worthless junk")

referrer


Design

• Find what they have in common

허접쓰레기 (Korean: "worthless junk"): http://www.korean.go.kr

referrer: http://en.wikipedia.org/wiki/Referrer


Design

• Session management
  – Referrer field
    • If x.html contains a link to y.html and this link is activated, the HTTP request that moves from page x.html to y.html contains x.html in the referrer field
    • Possibility of fake request (replay attack)
  – Replay attack
    • Reuse of a session or cookie

Figure: Trusted.com/x.htm and the device server
  1. Request device access
  2. Check if granted token exists
  3. Exists: inspect mapping table with token
  4-1. Equal: approve access
  4-2. Different: ignore request & alarm
  5. No: create new unique token (= mapping). The token is transmitted to the page

Figure: Untrusted.com/x.htm and the device server (X)
  Suspicious request: denied because of different mapping
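The token check from the diagram above, written out as an added example (not code from the slides or from Gibraltar itself). `DeviceServer`, `handle()`, `originOf()` and the alarm callback are hypothetical names, and it assumes the origin is taken from the Referer header and the token travels with each request.

```javascript
// Added example, not Gibraltar's code: DeviceServer, handle() and the alarm
// callback are hypothetical names for the steps in the slide's diagram.
const { randomBytes } = require("node:crypto");

class DeviceServer {
  constructor(alarm) {
    this.mapping = new Map(); // origin -> token granted to that origin
    this.alarm = alarm;       // called on every suspicious request
  }

  // Reduce a Referer header to its origin; null when absent or malformed.
  static originOf(referer) {
    try {
      return new URL(referer).origin;
    } catch {
      return null;
    }
  }

  deny(origin, reason) {
    this.alarm({ origin, reason });
    return { status: "denied" }; // 4-2: ignore the request and alarm
  }

  // `presented` is the token the page attached to its request, if any.
  handle(referer, presented) {
    const origin = DeviceServer.originOf(referer); // 1: request arrives
    if (origin === null) return this.deny(origin, "no usable referrer");

    const granted = this.mapping.get(origin); // 2: does a granted token exist?
    if (granted === undefined) {
      // A token arriving from an origin with no mapping was granted elsewhere.
      if (presented !== undefined) return this.deny(origin, "token not mapped to origin");
      const token = randomBytes(16).toString("hex"); // 5: new unique token
      this.mapping.set(origin, token);
      return { status: "issued", token }; // sent back to the page
    }
    // 3: inspect the mapping table with the presented token
    if (presented === granted) return { status: "approved" }; // 4-1
    return this.deny(origin, "token differs from mapping");
  }
}

// Constructed requests: a trusted page, then another origin replaying its token.
const log = [];
const server = new DeviceServer((event) => log.push(event));
const grant = server.handle("http://trusted.com/x.htm");
console.log(server.handle("http://trusted.com/x.htm", grant.token).status);   // approved
console.log(server.handle("http://untrusted.com/x.htm", grant.token).status); // denied
```
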


Design

• Sensor widgets
  – Browser's perspective
    • Creating/copying an authorized token in the web browser to gain permission to a device

Figure: Trusted.com, sensor widget and device server
  1. Request device access
  2. Send authorized token
  3. Capture & copy authorized token in a browser
  4. Try to get hardware access permission
  5. Sensor widgets alert the user because there is no trusted page but the browser is trying to access hardware with an authorized token


Design

• Sensor API
  – Many devices (GPS, camera, Bluetooth, …)
  – Web pages can obtain sensor data via Gibraltar's API, once or several times
  – It supports various sensors & devices conveniently

Figure: Trusted.com calling hardware.js
  Labels: Abstraction (simple code), In detail (complex code)
  Functions shown: singleQuery(), continuousQuery(), sensorAdded(), sensorRemoved(), startSensor(), stopSensor()


Design

• Processor API
  – Designed to support multi-core CPUs & GPUs
  – Inspired by OpenCL (Open Computing Language)
  – enqueueKernel()
    • Specifies which kernel will execute the job
  – setKernelData()
    • Sets the data to be computed in parallel
  – Two parallelism methods
    • Multiple enqueueKernel() calls & setKernelData(scalar)
    • One enqueueKernel() call & setKernelData(vector)
  – executeKernels()
    • Automatic distribution, coordination & intercommunication


Design

• Storage API
  – Provides a key/value storage interface
  – HTML5 DOM storage provides key/value storage, too
    • But only for non-removable storage
    • As the interface below shows, there is no specific field for assigning the storage device in DOM

interface Storage {
  readonly attribute unsigned long length;
  DOMString? key(unsigned long index);
  getter DOMString? getItem(DOMString key);
  setter creator void setItem(DOMString key, DOMString value);
  deleter void removeItem(DOMString key);
  void clear();
};

from dev.w3.org/html5/webstorage


Design

• Remote device access
  – By default, it is disabled
    • To prevent security problems
    • If it is allowed, hijacking of the referrer field or duplication of a capability token can occur
  – Alleviation through whitelist
    • Users must explicitly designate IP or DNS
  – It is done by the user constructing a user-driven manifest oneself
    • But the user must take extreme care with the list to prevent security issues


Implementation

• Gibdroid
  – Implementation of Gibraltar on Android
  – There are two kinds of sensors, classified by data rate
    • High data rate: video cam, accelerometer
    • Low data rate: picture cam, GPS
  – To alleviate throughput drop, Gibdroid uses indefinite-size frames for high data rate
    • Session-establishing messages hurt performance between Gibdroid and the device


Application

• 4 applications using the Gibraltar API
  – MapQuest
    • Uses GPS data for the user's location
    • Uses locally cached tiles expressed as key-value pairs (tileID, fileSystemLocation), e.g. (1B, /map/00011011)
  – Shazam
    • Identifies the music being played
    • Exploits the Processor API for complex computation
  – Gibraltar Paint
    • A canvas in a desktop browser is drawn on by a mobile device
  – Pacman
    • Same manner as above


Security

• Two security issues
  – Is the device access request reliable?
    • If there is a weird browser, how can the system detect it?
  – Once data from hardware has been transmitted, what can the system do?
    • Isn't that mending the barn after the horse is stolen?
  – Five security principals
    • User, Gibraltar, OS, web page, web browser
    • The system is concerned with two components: page, browser
  – Three defenses
    • Referrer, sensor widget, legitimate page


Security

AND operation:

  • Fake referrer
  • Steal token
  • Legitimately-authorized page

Unless all of them are satisfied, no attack succeeds

referrer < token < authorized page


Security

• If the browser is reliable, then?
  – No attack is going to succeed
  – Modern browsers, e.g. IE9 and Chrome, support process isolation
  – An attacker's attempt to steal a token from an authorized page won't succeed
    • Because of process separation
    • The attacker's process is located apart from the authorized page's process
    • So the attacker has no route to the authorized page's token


Evaluation

• Multi-core machines

Write latency is superior to HTML5
  – Asynchronous write policy
  – If Gibraltar's write policy is set to write-through, the result will be similar to HTML5

Read latency is inferior to HTML5
  – Its method of using local storage is inferior to HTML5's, such as caching user data to avoid fetching it over a slow network


Evaluation

• Single-core machines

Raw performance is inferior to that of dual-core machines
Modern smartphones all adopt multi-core systems
Gibraltar can exploit this advantage, and the bad single-core performance will be greatly reduced.


Evaluation

• Single-core machines

Left: The accelerometer and geolocation sensor are sufficient for interactive apps (the rate approaches the null rate)

Right: Server push is superior to R-R. However, when the setting of R-R is turned to server push, it is reduced dramatically. This does not come from the server push technique but from the diverse device server


Evaluation

• Sampling rate

Gibdroid's throughput is almost equal to the native one.


Evaluation

• Power consumption

Gibdroid accelerometer and browsing consume much power
But this comes not from a bad Gibdroid architecture, but from the browser and device server


Thank you!