Applications
Discussion and Limitations
Download 0.74 Mb.
|
krip 3
Discussion and LimitationsIn this section, we discuss the ramifications of the de- sign and implementation of Hails and suggest solutions to some of its limitations. Browser-level confinement As previously noted, we cannot expect all users to install the Hails browser exten- sion which provides confinement in the browser. A differ- ent approach would be to re-write VC output at the server- side before sending it to the client, neutralizing data- exfiltration risks. Until recently, such content-rewriting was a dangerous proposition. In particular, Google [28], Yahoo [11], Facebook [13], and Microsoft [16] have all developed technology to constrain the effects of third- party web content such as advertisements; but the design of existing browser interfaces made those tools vulnerable to attack [26]. However, ECMAScript 5 Strict mode, now supported by most browsers, makes the prospect of safe re-writing far more tractable. For instance, SES [43], one promis- ing approach with solid theoretical foundations, can now be implemented in about 200 lines of JavaScript. Though SES is not compatible with popular JavaScript libraries such as jQuery, this may well change. In our prelimi- nary experimentation with Caja [28], a system which in- fluenced SES, we successfully sandboxed VC responses in a similar fashion to our browser extension. Hence, if we cannot get traction from the browser vendors with our custom HTTP header, in the future we will experiment with a server-side filter that parses and regenerates HTML (so as to sanitize URLs in src and href attributes), and enforces JavaScript confinement with SES. Query interface Hails queries are limited to expres- sions on keys. By separating keys from elements, the decision to permit a query is simple: if a Hails compo- nent can read from the database collection, it may per- form a key-based query. This limited interface is sufficient for many VCs, which may perform further refinement of query results by inspecting labeled fields in their own ex- ecution contexts. For larger datasets, better performance would result from filtering on all relevant fields in the underlying database system itself. Additionally, this would obviate the need to reason about the security semantics of keys. However, providing this more-general interface to a Hails application would require sensitivity to label policies in- side the query engine. Since Hails builds atop MongoDB, which provides a JavaScript interface, we hope to compile policies to code that can implement the necessary label- checking logic. Download 0.74 Mb. Do'stlaringiz bilan baham: 
|