
Achieving the Web Isolation Nirvana - How far along are we?

2021-09-24

Authors: Jasvir Nagra, Pedro Fortuna


Summary

The presentation discusses the need for a holistic approach to client-side web isolation to improve web application security.
  • Current browser-based security features lack full isolation for browser-based apps
  • A holistic approach to client-side web isolation is needed to cover all angles of web application security
  • Reducing the size of each compartment and making the units stronger and more developer-friendly is key to achieving this
  • Web Page Integrity is a sandboxing solution that can be seamlessly integrated into any web app
The presentation provides examples of compromised scripts and exfiltration of credentials, and demonstrates the use of iframe and sandboxing solutions to mitigate these issues.

Abstract

Security isolation is a design principle that improves the resilience of applications against attacks. It works like a second layer of defense that protects the application in the presence of a security breach, by containing the attack to the compromised partition. Sandboxing is one of the techniques often used to provide isolation by restricting code to a limited permission set. Isolation, in this context, is limiting what can happen if a vulnerability is exploited. It has a strong tie to the also well-known security principles of Least Privilege and Privilege Separation.

Any application can and should be designed using these principles. However, it is of vital importance for applications that include untrusted or 3rd party code. Companies can do code reviews of untrusted code before using it, but that is prone to oversights and is too costly to be done for every code change. Additionally, code reviews can be difficult to do in situations where there is no ahead-of-time access to the code, which is usually the case with web applications, where 3rd party vendor services are directly embedded into applications from their remote servers.

Using 3rd party code/components is a growing trend observed in the last decade, and will keep growing, as companies work towards cutting the development time of new applications. This is especially true for Web Applications, as high-scale modern Web Applications use dozens of different 3rd party services. Any untrusted code can be compromised and put the rest of the Web Application at risk, potentially leaking sensitive data.

Throughout the years, several solutions and best practices have been advocated for creating Web Applications leveraging Web Isolation. The core security model of browser-based apps sits upon the Same Origin Policy (SOP), a mechanism that aims to prevent different security domains from interfering with each other in malicious ways. But the SOP is limited in what it can do, and imposes several limitations on how the application is designed. It is neither practical nor economically efficient to split every code partition into its own origin. Iframe Sandboxing was a good complement to SOP, but its adoption is still anemic, as most third party scripts require direct access to the DOM and to other scripts in order to function properly. Despite our best efforts to bring effective Web Isolation and privilege separation to the client-side, we are still struggling.

In this talk, we will attempt to tie in the journey of the last 20 years of Web Isolation to the “next 20 years”. We’ll make a pit stop in the present, where we’ll showcase a client-side sandboxing solution that is transparent, does not require any browser modification and can be embedded into any Web Application. We can pontificate on what will be the likely state of Web Isolation for applications deployed in the future. And lastly, we can discuss where the security challenges will likely be located and how we, the security community, need to work together in order to overcome those challenges.
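The abstract's point about iframe sandboxing is that a third party script moved into a sandboxed frame loses the direct DOM access it usually expects. The added example below (written for this page, not code from the talk or from the authors' product) shows the host-page side of the usual workaround: the vendor frame gets no DOM access at all and can only request a small, explicitly granted set of operations over postMessage, so a compromised vendor script still cannot read fields it was never granted. The operation names, the page model and the frame token are constructed for the example.

```javascript
// Added example: host side of a capability bridge for a third-party
// script isolated in <iframe sandbox="allow-scripts" src=...>.
// Without allow-same-origin the frame has an opaque origin, so the
// host identifies it by window reference rather than by event.origin
// (which would read "null"), and replies with targetOrigin "*".

// Privileges the host is willing to grant; every other request is refused.
// A compromised vendor script cannot ask for the password field because
// no granted operation ever exposes it.
const grantedOps = {
  // Read-only, non-sensitive data the widget legitimately needs.
  "page.title": (page) => page.title,
  // Write text only into the container reserved for the widget.
  "widget.setText": (page, text) => {
    page.widgetText = String(text).slice(0, 200);
    return true;
  },
};

// Validate a message exactly as the host's "message" listener would and
// run the granted operation. Returns a plain result object instead of
// throwing so it can be exercised outside a browser.
function handleVendorMessage(page, event, vendorWindow) {
  if (event.source !== vendorWindow) {
    return { ok: false, error: "message not from the vendor frame" };
  }
  const { op, arg } = event.data || {};
  if (!Object.prototype.hasOwnProperty.call(grantedOps, op)) {
    return { ok: false, error: "operation not granted" };
  }
  try {
    return { ok: true, result: grantedOps[op](page, arg) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Browser wiring; a no-op under Node. The page model mirrors only what
// the host chooses to expose, never the live DOM.
if (typeof window !== "undefined") {
  const vendorFrame = document.querySelector("iframe[sandbox]");
  const page = { title: document.title, widgetText: "" };
  window.addEventListener("message", (ev) => {
    const reply = handleVendorMessage(page, ev, vendorFrame.contentWindow);
    if (ev.source) ev.source.postMessage(reply, "*");
  });
}
```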

Materials: