Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/48265

Full metadata record

| DC field | Value | Language |
|---|---|---|
| dc.contributor.advisor | 孫雅麗(Yeali S. Sun) | |
| dc.contributor.author | Fu-Chi Ao | en |
| dc.contributor.author | 敖富琪 | zh_TW |
| dc.date.accessioned | 2021-06-15T06:50:39Z | - |
| dc.date.available | 2016-02-25 | |
| dc.date.copyright | 2011-02-25 | |
| dc.date.issued | 2010 | |
| dc.date.submitted | 2011-02-16 | |
| dc.identifier.citation | [1] Saman Zarandioon, Danfeng (Daphne) Yao, and Vinod Ganapathy. OMOS: A Framework for Secure Communication in Mashup Applications. In Proc. of the Annual Computer Security Applications Conference (ACSAC), 2008. [2] del.icio.us. http://delicious.com/ [3] PopUrls. http://popurls.com/ [4] Twitter. http://twitter.com/ [5] Digg. http://www.digg.com/ [6] Flickr. http://www.flickr.com/ [7] Craigslist. http://www.craigslist.org/ [8] Google Maps API. http://code.google.com/apis/maps/ [9] Yahoo Pipes. http://pipes.yahoo.com/ [10] Richard Cornford. JavaScript Closures, March 2004. http://jibbering.com/faq/faq_notes/closures.html [11] W3C Document Object Model. http://www.w3.org/DOM/ [12] D. Kristol and L. Montulli. HTTP State Management Mechanism. IETF RFC 2109, February 1997. [13] Aaron Bohannon. Building Secure Web Mashups. University of Pennsylvania, July 2008. [14] J. Ruderman. The Same Origin Policy. August 2001. http://www.mozilla.org/projects/security/components/same-origin.html (Accessed August 10, 2008). [15] C. Jackson and H. Wang. Subspace: Secure Cross-Domain Communication for Web Mashups. In Proc. WWW, 2007. [16] Twitpay. https://twitpay.me/ [17] Amazon Payments. https://payments.amazon.com/sdui/sdui/index.htm/ [18] Collin Jackson and Helen J. Wang. Subspace: Secure Cross-Domain Communication for Web Mashups. In Proc. WWW, 2007. [19] Chris Grier, Shuo Tang, and Samuel T. King. Building a More Secure Web Browser. USENIX Journal, 2008. [20] HTML 5 Specification, August 2009. http://www.w3.org/TR/html5/v [21] Adam Barth, Collin Jackson, and John C. Mitchell. Secure Frame Communication. In Communications of the ACM (CACM), 2009. [22] F. De Keukelaere, S. Bhola, M. Steiner, S. Chari, and S. Yoshihama. SMash: Secure Cross-Domain Mashups on Unmodified Browsers. Technical report, IBM Research, Tokyo Research Laboratory, June 2007. [23] Helen J. Wang, Xiaofeng Fan, Jon Howell, and Collin Jackson. Protection and Communication Abstractions for Web Browsers in MashupOS. ACM SIGOPS Operating Systems Review, 41(6):1–16, 2007. [24] Steven Crites, Francis Hsu, and Hao Chen. OMash: Enabling Secure Web Mashups via Object Abstractions. In Proc. of the 15th ACM Conference on Computer and Communications Security (CCS), 2008. [25] D. Crockford. The Module Tag: A Proposed Solution to the Mashup Security Problem. http://www.json.org/module.html/ [26] Mark S. Miller, Mike Samuel, Ben Laurie, Ihab Awad, and Mike Stay. Caja: Safe Active Content in Sanitized JavaScript. A Google research project, January 2008. [27] FBML. http://developers.facebook.com/ [28] FBML specification. http://wiki.developers.facebook.com/index.php/FBMLspec [29] C. Reis, J. Dunagan, H. J. Wang, O. Dubrovsky, and S. Esmeir. BrowserShield: Vulnerability-Driven Filtering of Dynamic HTML. In Proc. OSDI, 2006. [30] Apache HTTP Server. http://www.apache.org/ [31] PHP. http://php.net/index.php [32] Squid. http://www.squid-cache.org/ [33] Squid content adaptation. http://wiki.squid-cache.org/SquidFaq/ContentAdaptation [34] Squid eCAP. http://wiki.squid-cache.org/Features/eCAP [35] eCAP downloads. http://www.e-cap.org/Downloads [36] Xerces-C++. http://xerces.apache.org/xerces-c/ [37] libcurl. http://curl.haxx.se/libcurl/ [38] HttpWatch. http://www.httpwatch.com/ [39] Firebug. http://www.getfirebug.com [40] Squid tutorial. http://onlamp.com/pub/a/onlamp/2004/03/25/squid.html?page=2 | |
| dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/48265 | - |
| dc.description.abstract | A Web mashup is a Web application that integrates content from heterogeneous sources; its goal is to give users a better-integrated, single-stop browsing experience through information sharing and analysis. A provider, itself a site, supplies content or services to a mashup. Once a browser has loaded a mashup, the content from a provider creates an instance on the client side, which we call a mashlet. The Web page content retrieved from the site hosting the mashup is called the original content. In this thesis, for convenience, we use the term entity to refer to either a mashlet or the original content. With the rise of Asynchronous JavaScript and XML (AJAX), the client-side Web mashup architecture has become increasingly popular. To make client-side mashups interactive, information must be exchanged within the browser. The same-origin policy (SOP) implemented by browsers governs access control in today's browsers; under this policy, however, access control between entities is either all trust or no trust. For client-side mashups the current SOP is therefore not a flexible information-sharing policy: it ignores the needs of mashup developers, who want to specify a complete access-control policy for each of their entities. Such policies, at the granularity of elements (element-level) rather than entities (entity-level), ensure that the properties of each element can be read only by entities from trusted domains. In this thesis we propose a proxy-assisted secure cross-domain communication mechanism for Web mashups. Our trust model guarantees confidentiality, integrity and authenticity, and in addition provides flexible access control, so that entities from different sources can have different access rights to a specific element of an entity. | zh_TW |
| dc.description.abstract | Web mashups, or mashups, are Web applications which integrate contents from heterogeneous sources. The goal of these applications is to provide users with a more integrated and single-stop browsing experience by information sharing and analysis. A provider, as a site, provides content or service to a mashup. Once a mashup has been loaded by a browser, what comes from a provider creates an instance at the client side. We call this instance a "mashlet". The Web page content retrieved from the mashup hosting site (excluding the mashlets) is called "original content". In this thesis, for convenience, we refer to either a mashlet or original content as an "entity". With the rise of AJAX, the client-side mashup architecture has become more and more popular. For client-side mashups to be interactive, information exchange within the browser is required. The legacy same-origin policy (SOP) enforced by browsers governs access control in today's browsers. Under SOP, however, there is either all trust or no trust across entities. Therefore, the current SOP is not a flexible information sharing policy for client-side mashups. This insufficiency neglects the needs of mashup developers to finely specify the access-control policy for each of their entities. Such a policy, down to the "element level" rather than the "entity level", serves to ensure that the properties of an element can only be read by entities from trusted domains. In this work, we propose a secure proxy-based cross-domain communication mechanism for Web mashups. Our trust model guarantees confidentiality, integrity, and authenticity for client-side mashups in the process of cross-domain information exchange. Furthermore, it provides flexible access control so that entities from different sources may have different access rights to a certain element of an entity. | en |
| dc.description.provenance | Made available in DSpace on 2021-06-15T06:50:39Z (GMT). No. of bitstreams: 1 ntu-99-R97725034-1.pdf: 4030771 bytes, checksum: 35d1343c1fb44a0b1fcad3440cd7e533 (MD5) Previous issue date: 2010 | en |
| dc.description.tableofcontents | Oral Examination Committee Approval I; Acknowledgements II; Chinese Abstract III; Thesis Abstract V; Contents VII; List of Figures X; List of Tables XII; Chapter 1 Introduction 1; 1.1 Background 1; 1.1.1 Web Mashups 1; 1.1.1.1 Term Definitions 1; 1.1.1.2 The Client-side Interactions in Web Mashups 3; 1.1.1.3 Two Mashup Architectures 6; 1.1.2 AJAX 9; 1.1.3 Browser State and the DOM 10; 1.1.4 Web Script 12; 1.1.5 The Same-Origin Policy 13; 1.2 Problem Description 17; 1.2.1 The Current All-or-nothing Trust Model 17; 1.2.2 Security Requirements 18; 1.2.3 Additional Requirement: Flexibility 24; 1.2.4 Assumptions 24; 1.3 Motivation 25; 1.4 Goal 27; 1.5 Thesis Organization 28; Chapter 2 Literature Survey 30; 2.1 Client-side Inter-domain Communication Frameworks 30; 2.1.1 The Fragment Identifier Channel 30; 2.1.2 The postMessage Channel 30; 2.1.3 Subspace and SMash 32; 2.1.4 MashupOS and OMash 33; 2.1.5 The <module> Tag 33; 2.2 Safe Subsets of HTML and JavaScript 34; 2.2.1 Caja 35; 2.2.2 FBML 36; 2.2.3 BrowserShield 36; Chapter 3 System Design 38; 3.1 Model of a Web Mashup 38; 3.2 Site-Specific Access Control Policy 39; 3.2.1 "ACP_Provider.xml" Specified by Provider 40; 3.2.2 "ACP_Integrator.xml" Specified by Integrator 41; 3.2.3 Site-Specific Access Control Policy Generation 42; 3.3 The Trusted Proxy 43; 3.4 The Library for Site-Specific ACP Implementation 47; 3.4.1 The Properties, Methods, and Events 50; 3.4.2 The Procedures of a Secure Client-side Cross-Domain Communication 55; Chapter 4 Implementation 59; 4.1 Development Environment 59; 4.2 The Trusted Proxy 59; 4.2.1 Squid Proxy 59; 4.2.2 eCAP and libecap 60; 4.2.3 Our eCAP Adapter 61; 4.3 The Processing of ACPs 61; 4.3.1 The "process_list.dat" File 62; 4.3.2 ACP Generation 62; Chapter 5 Performance Evaluation 63; 5.1 Security Analysis 63; 5.1.1 Demonstration of Our HousingMaps Website 63; 5.1.2 Assessment on Goal Achievement 63; 5.1.3 Potential Risk of Introducing a Third-Party Proxy 66; 5.2 Performance Analysis 67; 5.2.1 Time Measurement Tools 67; 5.2.2 Experiment I: Proxy's Response Time 67; 5.2.3 Experiment II: Average Page Load Time 68; 5.2.4 Experiment III: Library's Execution Time 70; Chapter 6 Conclusion 72; References 73; Curriculum Vitae 77 | |
| dc.language.iso | en | |
| dc.subject | communication | zh_TW |
| dc.subject | website | zh_TW |
| dc.subject | mashup | zh_TW |
| dc.subject | browser | zh_TW |
| dc.subject | same-origin policy | zh_TW |
| dc.subject | security | zh_TW |
| dc.subject | proxy server | zh_TW |
| dc.subject | access control | zh_TW |
| dc.subject | mashup | en |
| dc.subject | access control | en |
| dc.subject | proxy | en |
| dc.subject | security | en |
| dc.subject | same-origin policy | en |
| dc.subject | browser | en |
| dc.subject | Website | en |
| dc.subject | communication | en |
| dc.title | Proxy-Assisted Secure Cross-Domain Communication in Web Mashups | zh_TW |
| dc.title | A Secure Proxy-Based Cross-Domain Communication for Web Mashups | en |
| dc.type | Thesis | |
| dc.date.schoolyear | 99-1 | |
| dc.description.degree | Master's | |
| dc.contributor.coadvisor | 陳孟彰(Meng-Chang Chen) | |
| dc.contributor.oralexamcommittee | 陳建錦(Chien-Chin Chen),李漢銘(Hahn-Ming Lee) | |
| dc.subject.keyword | website, mashup, browser, same-origin policy, security, proxy server, access control, communication | zh_TW |
| dc.subject.keyword | Website, mashup, browser, same-origin policy, security, proxy, access control, communication | en |
| dc.relation.page | 77 | |
| dc.rights.note | Licensed for a fee | |
| dc.date.accepted | 2011-02-16 | |
| dc.contributor.author-college | College of Management | zh_TW |
| dc.contributor.author-dept | Graduate Institute of Information Management | zh_TW |
| Appears in Collections: | Department of Information Management | |

Files in This Item:

| File | Size | Format |
|---|---|---|
| ntu-99-1.pdf (restricted access) | 3.94 MB | Adobe PDF |

Items in the system are protected by copyright, with all rights reserved, unless otherwise indicated.
