Enhancing Web Application Security Using Trusted Execution - Embedded.com


Widespread use of smart mobile devices has opened up a range of new possibilities for web applications. Feature-rich web applications can be designed to use resources such as web cameras, GPS receivers and Near Field Communication (NFC) transceivers to provide interactive services.

As a result, personal information such as location, messages and contacts is increasingly being exposed to the web, leading to various security concerns about the confidentiality, integrity and availability of this sensitive information.

Rather than relying on software alone to manage access to resources on these devices, it has been proposed that protection should be included as part of the hardware platform. It has been argued that a viable approach towards device security is through trusted execution, a paradigm in which non-security-sensitive operations cannot influence sensitive operations even though both take place on the same platform.

This provides the capability to control access to sensitive information and resources. However, trusted execution functionality is normally provided at a low level of abstraction, and in order for applications running at a higher level of abstraction to utilize this functionality, there must be mechanisms to expose the functionality in a flexible manner without compromising security.

In this paper, we propose that the security of web applications can be enhanced through a device-independent framework that enables web applications to utilize the functionality provided by trusted execution. We focus on webinos, a state-of-the-art platform for running web applications across multiple devices.

Based on node.js technology, the webinos platform provides an infrastructure for securely executing web applications across multiple devices. Through a set of APIs such as geolocation, NFC and contacts, the webinos platform facilitates access to these services and resources by web applications.

Using webinos, a device can access services and resources provided by a different device within the user’s personal network (called a Personal Zone). To enable this, each device runs a webinos component called a Personal Zone Proxy (PZP) and all devices in a particular zone are interconnected either through peer-to-peer communication or using a central component called the Personal Zone Hub (PZH).

We describe our work-in-progress experiments towards using functionality provided by a Trusted Execution Environment (TEE) in web applications. These experiments include an implementation of the webinos platform integrated with ARM TrustZone technology. Our preliminary results are promising in terms of both the feasibility of implementing this architecture and the performance of the system.

To read this external content in full, download the complete paper from the online archives at the open Central Europe Online Proceedings.
