Monday, October 27, 2008


I'm off to present at ACM CCS this week. We're talking about our simple web security solution, SOMA. It's a pretty neat little system -- turns out a handful of simple rules can be used to block a lot of current web attacks.

We call it "Same Origin Mutual Approval" because the idea is that all servers involved in making a web page all have to approve before anything gets loaded or included in the page. This means the site providing the page as well as any sites providing content (eg: youtube, flickr...) have to agree that that's ok. It's very simplistic, but surprisingly powerful because a lot of web attacks rely on the fact that the browser currently includes anything without checking, letting attackers include nasty code or send information out by loading other content.

I'm hoping to have my presentation slides online after the conference is done, but for now, I recommend you take a look at the SOMA webpage. There's a brief explanation along with links to our technical report, and the ACM CCS paper should be available soon too.

Wednesday, October 15, 2008

What constitutes new? Why buzzword bingo might help security.

Last week, I was reading through the web security mailing list. The topic of the day was ClickJacking, which of course had come under fire because it's not really that new. Critics accused it of being just another useless trendy buzzword applied to a specific style of Cross Site Request Forgery.

This caught my attention for two reasons:

(a) This was my first reaction to the announcement. I'd talked about this sort of attack with colleagues at the university months (maybe over a year?) ago. My first experience that got me thinking about what is now called clickjacking was a car ad that overlaid a huge chunk of a page I was visiting. It was a flash thing that just made a car drive across the page. Harmless, except that it happened to cover something I wanted to click on at the time. And it made me realise -- there's no reason my click supposedly on that ad couldn't result in me clicking something else I didn't want to click on that page... I've been suspicious of those "x to close" things on ads ever since.

If I'd realised I could just give it a shiny new name and publish, we could have gotten some nice papers out of it. Oh well. It seemed so obvious, though, what was the point?

(b) This was actually one of the reactions we got for the next paper I'll be presenting at a conference. Roughly translated, the reviewer said "It's not really that new an idea, but it's a nicely combined set of protections." The reviewer recommended us anyhow and the paper was accepted.

I didn't agree that our solution wasn't novel, but I could definitely agree that it clearly synthesized ideas from other sources (in fact, we'd made this clear in the paper!). If we assumed that anything made from wood was more or less the same and not novel or worthy of note, Ikea would be out of business, though. ;) It's an important part of science to learn which things are related and how they can influence each other. Why shouldn't it be a useful part of computer science?

The author of this web security mailing list post got me thinking further about buzzwords and media-awareness however:

"Which one is the proper way to describe the attack vector? The one labeled with the shiny new name or the one with the more technically-accurate name? And which one had the most positive impact, that is, which one educated the most people? And finally, should security researchers package security issues for media consumption?"

As someone with a fair amount of biology training, I know the answer to this. People connect much better to the Sugar Maple than they do to its scientifically useful name, Acer saccharum. Do you care about Danaus plexippus or is it the words Monarch Butterfly that would bring to mind the delicate migrators? And honestly? As long as you don't overdo it, having "common" names for things just makes it easier to communicate about them.

And communicating about web security issues is clearly something we need to do. With many web programmers convinced that they don't need to write secure code because they're not handling traditional targets such as credit cards, it's leaving a lot of people at risk. Part of the reason is that security sounds complex, and it's filled with "if you mess this up at all, your entire system is insecure" leading people toss up their hands. Everyone knows how easy it is to make a mistake, so what's the point?

If a new name and some media attention helps people communicate and maybe even realise that they are at risk and that mitigating it might be a good idea, we might be one step closer to a more secure world. "Oh, that's not new," may be true, but it can lead people to believe that they can go back to their dangerous assumptions that all is well in their worlds...

So next time, I'm going to think twice about dismissing the latest buzzword. It may be doing more good than I think!

Monarch Butterfly @ Carleton