WO2013079113A1 - Secure cloud browsing client-server system and secure remote browsing method using the same - Google Patents


Info

Publication number
WO2013079113A1
Authority
WO
WIPO (PCT)
Prior art keywords
browsing
server
client
instance
client device
Prior art date
Application number
PCT/EP2011/071507
Other languages
English (en)
Inventor
Carlos DEL OJO ELIAS
Roberto Di Pietro
Antonio Felguera Segador
David HERNANDO DAVALILLO
Miquel MARIÑO ESPINOSA
Marta PALANQUES VILALLONGA
Marcel MALET ABULI
Original Assignee
Fundacio Privada Barcelona Digital Centre Tecnologic
Silk Aplicaciones S.L.


Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING
        • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/60 Protecting data > G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules > G06F21/6218 Protecting access to data via a platform to a system of files or objects, e.g. local or distributed file system or database > G06F21/6245 Protecting personal data, e.g. for financial or medical purposes > G06F21/6263 Protecting personal data during internet communication, e.g. revealing personal data from cookies
            • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/52 Monitoring during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow > G06F21/53 Monitoring during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
        • G06F16/00 Information retrieval; database structures therefor; file system structures therefor > G06F16/90 Details of database functions independent of the retrieved data types > G06F16/95 Retrieval from the web > G06F16/951 Indexing; web crawling techniques

Definitions

  • The present invention relates generally to securely navigating the Internet and more specifically to a novel Secure Cloud Browsing Client-Server system, and a corresponding method of securely navigating the Internet using the same.
  • WWW: World Wide Web.
  • Some examples of these applications are webmail, e-commerce, online banking, corporate intranets, social networks and office suites.
  • FIG. 1 depicts a standard system architecture 100 for navigating the Internet.
  • A piece of software called a browser 111, installed on a user's computing device 110, such as a personal computer (PC), is executed.
  • The browser 111 establishes a communication link 140 from the user's device 110 to a web server 120 hosted by any web application provider.
  • The link 140 is established over a network 130, which is typically the Internet, but which can also refer to any sort of public or private network.
  • The most common browsers used are Internet Explorer from Microsoft, Firefox from Mozilla, Chrome from Google, and Safari from Apple.
  • To retrieve a document, the user enters an address, or Universal Resource Locator (URL), into the browser, triggering a request to be sent from the PC's browser to the web server via the Hypertext Transfer Protocol (HTTP).
  • The web server 120 receives and processes the request and either retrieves the document from local storage or generates it dynamically.
  • The web server 120 then transmits the document to the user's PC 110 via link 140.
  • Once the browser on the PC receives the document, it processes its contents and renders it on the display of the user's device 110.
  • Another problem is that a browser's vulnerability can be exploited locally without the user even noticing it.
  • The effects of the attack are persistently stored and affect all future browsing sessions.
  • The browser can thus be under an attacker's influence, which can register user actions, access sensitive information, or modify the user's actions, while these modifications are hidden from the user by editing the server's responses.
  • The user's device might lack the mechanisms to implement robust channel encryption negotiation. In such a case this also becomes an added security risk that can lead to leakage of confidential information or to modification of the communication between the parties (browser and server). Furthermore, in this case, these risks can materialize without the need for an attacker to gain control over the user's device.
  • A secure server, in response to a request for browsing the Internet received from a client, transmits an executable file to be run on the client device.
  • The resulting computer application permits access to a remote browser hosted in the secure server.
  • The user browses the Internet in a transparent manner, but from within a highly secured browsing environment provided by the secure server. In this manner the exposure to malicious software attacks directly at the client device is minimised.
  • The client-server solution of the invention is advantageous in that the responsibility for securing the navigation environment is assigned to a network administrator, who is better suited for these tasks, given their knowledge and resources, than the standard end user navigating the WWW.
  • This administrator can be located anywhere on the Internet, and has the flexibility to enhance the security of the browsing experience of any user, no matter their location on the World Wide Web. Hence this enhanced security can be referred to as a Cloud solution, and the server managed by the administrator as a Cloud Server.
  • The administrator is therefore enabled to maximise the protection provided to the client's browsing environment, as well as to the communication channel, hence securing the navigation environment, while at the same time enabling a more pleasing browsing experience by removing from the user the need to worry about security risks or administration.
  • A solution accomplishing these conditions is therefore beneficial for both parties.
  • A device at a server is provided which is configured to communicate with the end user's computing device and the web application server in order to provide a secure browsing environment for the end user.
  • The client device is provided with an application which is configured to communicate with the device at the server in order to provide a secure browsing environment for the end user.
  • Another embodiment of the invention refers to a method of secure Internet browsing, the method being performed at a secure server on the Internet.
  • Another embodiment of the invention refers to a method of secure Internet browsing, the method being performed at the client device.
  • Another embodiment of the invention provides a computer readable medium configured to store instructions which, when executed on the client device, perform a method of secure Internet browsing.
  • Another embodiment of the invention provides a computer readable medium configured to store instructions which, when executed on the device at the server, perform a method of secure Internet browsing.
  • The invention provides methods and devices that implement various aspects, embodiments, and features of the invention, and are implemented by various means. For example, these techniques may be implemented in hardware, software, firmware, or a combination thereof.
  • The processing units may be implemented within one or more application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field programmable gate arrays (FPGAs), processors, controllers, microcontrollers, microprocessors, other electronic units designed to perform the functions described herein, or a combination thereof.
  • ASICs: application specific integrated circuits.
  • DSPs: digital signal processors.
  • DSPDs: digital signal processing devices.
  • PLDs: programmable logic devices.
  • FPGAs: field programmable gate arrays.
  • Processors: controllers, microcontrollers, microprocessors, other electronic units designed to perform the functions described herein, or a combination thereof.
  • The various means may comprise modules (e.g. procedures, functions, and so on) that perform the functions described herein.
  • The software code may be stored in a memory unit and executed by a processor.
  • The memory unit may be implemented within the processor or external to the processor.
  • FIG. 1 is a general overview of an Internet navigation system of the prior art.
  • FIG. 2 depicts a general overview of the client-server embodiment of the Secure
  • FIG. 3 depicts a detailed view of the client-server embodiment of the Secure Client-Server architecture together with its components on both the client and server side.
  • FIG. 4 depicts components of the Secure Server System at the server side.
  • FIG. 5 depicts components of the user device together with the Client Access Tool at the client side.
  • FIG. 6 depicts the different approaches to obfuscation code renewal according to one aspect of the invention.
  • FIG. 7 depicts the communication between client and server via a Tunneling
  • FIG. 8 depicts components of the Monitoring Manager according to another embodiment of the invention.
  • FIG. 9 depicts a method of assigning a secure browsing or testing environment for new sessions.
  • FIG. 10 depicts communication flows of a download and connection process according to one aspect of the invention.
  • FIG. 11 depicts communication flows of a download and connection process according to another aspect comprising user authentication.
  • FIG. 12 depicts communication flows of a download and connection process according to another aspect illustrating a transport process to a secured browsing environment.
  • FIG. 13 depicts communication flows of a download and connection process according to another aspect illustrating further details of the communication between the client and the server.
  • FIG. 14 depicts communication flows of a download and connection process according to another aspect illustrating new tab creation.
  • The term "webpage" refers to the data files hosted on diverse computing devices on the Internet which are served to end users by transmission to their computing devices so that they can be displayed for viewing on the user device's display.
  • The term "browser" refers to the software, computer program, or application which permits the received content files to be displayed on the user device's display.
  • The browser typically performs a number of data processing actions for converting the received data file to a format ready for display.
  • The term "malware" will be used to refer to any code, such as software code or a computer program, which is hosted by a legitimate user and which executes actions to the detriment of the host, thereby exhibiting malicious behaviour. From the following description, it will be understood by the person skilled in the art that although any one preferred aspect of the invention already provides solutions to at least some of the problems of the devices and methods of the prior art, the combination of multiple aspects herein disclosed results in additional synergistic advantageous effects over the prior art, as will be described in the following.
  • FIG. 2 depicts an embodiment of the invention wherein a client-server architecture is provided for secure web browsing.
  • A Secure Server System (SSS) 210 is provided as a highly secured remote access point to the WWW 130.
  • A Client Access Tool (CAT) 220 is used with the specific function of offering a transparent access interface to the Secure Server System. A user wanting to visit a web site will access it through the proposed system in order to secure his session.
  • Both the Secure Server System and the Client Access Tool work together via communication link 230, providing an intermediate layer between the web application and the user's device and resulting in a browsing architecture which is independent of the web site to be accessed.
  • The Secure Server System 210 can be placed in the user's internal network and managed by the network administrator, so that it is used to securely browse all accessed web applications.
  • Alternatively, the Secure Server System might be managed by the owner of a specific web application and act as a proxy for incoming sessions to the web application server. In this case, the platform exclusively protects sessions in the mentioned web application.
  • We will generally refer to the Secure Server System administrator simply as the administrator, independently of the location of the Secure Server System in the network.
  • FIG. 3 is another view of the system architecture of the embodiment of FIG. 2 depicting further details of the client-server components once deployed.
  • The exchange of data and control information flows to and from the user's computing device 110, the Secure Server System 310, and the web application server 120 via the Internet 130, or another data communication network.
  • The user device 110 comprises the local browser 111 as well as an additional Client Access Tool 220.
  • This Client Access Tool does not reside originally on any of the computing devices 110. It is deployed by the server side and executed on each client which requires secure browsing.
  • The Secure Server System 210 comprises an Access Manager 311, a Connection Manager 312, a Monitoring Manager 313, and at least one instance of a Secure Browsing Server 320.
  • Each Secure Browsing Server comprises at least one Secure Browsing Instance 330, each instance comprising one Secure Remote Browser 335.
  • The number of Secure Browsing Servers and Instances in the system depends on the number of users accessing the Secure Server System simultaneously, as will be explained further below.
  • The Secure Browsing Server is configured to deliver a new environment to the user for every browsing session. This is done by creating a Secure Browsing Instance with its corresponding Remote Browser, which is used instead of the Local Browser to access the final web application from the user's device 110, but remotely and securely.
  • The Access Manager's 311 main function is to coordinate the establishment of the communication with the user's standard browser in a transparent manner.
  • The Connection Manager 312 is responsible for managing the plurality of Secure Browsing Servers, creating and destroying Secure Browsing Instances as needed, and coordinating communication between the Client Access Tool and the Secure Browsing Server.
  • The Monitoring Manager 313 monitors events inside every instance and the overall status of the Secure Browsing Servers, performs a risk estimation and can take actions depending on the level of the estimated risk.
  • A user that wants to access a specific webpage enters the web page's URL in his local browser 111.
  • The request is routed to the Access Manager 311, which will in turn deliver a Client Access Tool 220, such as an executable file, to the user's device 110, the Client Access Tool 220 being customized for one specific session.
  • The Secure Browsing Server 320 hosted in the Secure Server System 210 creates one Secure Browsing Instance 330, which is assigned to the user as a browsing environment for the mentioned session and interacts with its corresponding Client Access Tool 220.
  • Once the Client Access Tool is executed on the user's computer, it establishes a session with its assigned Secure Browsing Instance 330 through the Connection Manager 312.
  • A Secure Remote Browser 335, executed inside the Secure Browsing Instance 330, fetches, retrieves and renders the contents of the destination web site following the usual process, as if it were hosted on the end user's computing device 110. Once rendered, the webpage contents are sent to the Client Access Tool 220 as images, for display on the user's device display. No HTML code, or other type of programmable code, is sent to the client. The transmission of the webpage contents as an image reduces the amount of processing to be performed at the user's device, since the webpages can be displayed almost directly on the display. Furthermore, it adds to the security of the transaction, making the webpage more tamper resistant.
  • The Client Access Tool therefore only receives ready-made images or screen directives for displaying on the user device's display.
  • The user device 110 will therefore not be involved in the parsing, compiling, rendering, or other common webpage processing steps necessary to display an image for viewing. Instead, it either displays the received image or generates an image as a result of screen directives.
  • The Client Access Tool is configured with the capability of retrieving instructions input by the user via the device's keyboard or mouse. These instructions are simply routed from the Client Access Tool to the Secure Remote Browser, from where they are transmitted to the application server, effectively enabling the user to interact with it.
  • One of the key advantages of the present client-server architecture is that it provides additional security by segregating the high risk components from the end-user device and isolating them at the Secure Server System. Since code never reaches the user's device, the user is protected from any infections caused by potentially malicious source code, which resides at the server. Moreover, since only images are finally transmitted to the end user, instead of source code, the risk of malicious intervention in the user device is minimised, rendering a highly secure environment. However, at the same time, the user is capable of performing all actions as if the full browsing software were hosted on its own device, in a completely transparent manner.
  • As stated before, a new Secure Browsing Instance is created upon every session establishment, so that every session is assigned one specific instance.
  • A Secure Browsing Server is capable of serving many sessions simultaneously, and of delivering a new environment for every session; each environment is isolated from the others and from the Secure Browsing Server itself, which acts as a host to this plurality of Secure Browsing Instances.
  • The Secure Browsing Instance acts as a container wherein the data and processes running inside belong to one specific session and cannot be accessed from outside, and vice versa.
  • A container is an isolated environment that provides an abstraction of an operating system. In this case, each container replicates an independent Secure Browsing Instance. This adds further security, as the container environment prevents an attack by a malicious user on a certain browsing environment from automatically propagating throughout the server.
  • FIG. 4 shows a simplified block diagram of a Secure Browsing Server 400 architecture.
  • The Secure Browsing Server comprises at least one Secure Browsing Instance 410, depending on the number of simultaneous sessions which are active. It additionally comprises physical hardware resources 440, a host operating system 430, which could be Linux, Windows or any other OS, and an isolation layer 420 that enables the server to create completely separate Secure Browsing Instances 330.
  • Each Secure Browsing Instance comprises isolated input/output resources 413, such as network access or a file system.
  • Each environment corresponds to a specific user session and runs a Server Access Controller 412, which synchronises with the Client Access Tool, and one Remote Browser 335 that provides access to the WWW.
  • Prior art servers have been described wherein a large number of simultaneous user sessions are hosted on the same server.
  • A problem with one session typically affects other concurrent sessions.
  • General system-wide errors simultaneously affect not only one, but many of the active sessions.
  • All sessions are vulnerable to system-level anomalies.
  • Another problem is that a system-level error intentionally caused by an attacker would have a detrimental effect on a large group of users. Such an attack could concentrate on the confidentiality of user data, which could be leaked to other users intentionally.
  • The isolation layer 420 solves these problems by providing strong isolation between navigation environments, and with the host, with the use of virtualization techniques.
  • The isolation layer 420 confines the processes and data of each environment, therefore completely removing the possibility of interference between environments. This ensures that, even if an instance were to get infected, it would only affect the current session and not any concurrent users. Moreover, virtualization also makes it possible to effectively delete and reset the Secure Browsing Instance for every session. This means that changes in an instance (for example, a malicious modification of the Secure Remote Browser) will not affect future sessions, since they are confined in the isolated instance and erased with it.
  • The preferred virtualization technology is container-based virtualization, since the host and instances share the same kernel in a controlled way, while having an independent file system at their disposal. This mechanism offers a good level of isolation, but also low resource consumption and fast deployment time for the instances.
  • Container-based virtualization allows flexibility in managing resources. However, since the central processing unit (CPU) and random access memory (RAM) are shared, an instance could unknowingly, or intentionally, monopolize resources, thus decreasing performance for other instances. Therefore, mechanisms to establish limits on CPU time or RAM space consumption are introduced to prevent a situation where a single container consumes all, or an inadequate share, of the CPU time or RAM.
  • The present invention comprises other measures with the objective of limiting, from one specific environment, the visibility of communication with other instances.
  • The file system is a non-shared resource between containers. The problem here is that replicating a complete file system for every instance can make the system non-viable due to its accumulated overall size. However, since most of the file system's content is immutable, meaning that some parts never (or nearly never) change over time and are identical among instances, this content can be shared among instances.
  • Every Secure Browsing Server contains a master file system containing the directories to be shared.
  • Each instance's file system is composed of non-shared files, or directories, and a set of hard-links pointing to locations in the master file system.
  • A hard-link is a directory entry that associates a name with a file on a file system. Consequently, all Secure Browsing Instances have two types of elements in their file systems: real files and hard-links to the master copy. Since a hard-link consumes much less memory than a real file, the final memory consumption of every instance is considerably reduced, resulting in a scalable architecture. This highly scalable solution in turn enables a viable implementation on a large scale, to many thousands or even millions of users.
  • The Secure Browsing Server confines each modification to its own environment, that is, to the Secure Browsing Instance wherein the modification was caused. This is done by copying the modified file locally inside the container's file system as a non-shared file while, at the same time, its corresponding hard-link to the master file system is erased. In this manner, containers can share files while ensuring that changes to any of these are confined to the instance causing the change. Hence, if any file inside the shared file system were to be modified, this would not affect all other sessions inside the given Secure Browsing Server.
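The hard-link sharing and copy-on-write confinement described above, as an added example that is not the patent's own code: a Python model in which two instances are built from hard-links into a master tree, one change is confined by replacing the link with a private copy before writing, and a naive write through a link is shown to leak into the master and every other instance. The directory layout and file contents are constructed sample values.

```python
"""Added illustration (not code from the patent): per-instance file systems made
of hard-links into a master tree, with copy-on-write confinement of changes.
All paths and file contents below are constructed sample values."""
import os
import shutil
import tempfile


def build_master(root, files):
    """Create the shared master file system from a {relative path: content} map."""
    master = os.path.join(root, "master")
    for rel, content in files.items():
        path = os.path.join(master, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return master


def create_instance(root, master, name):
    """Replicate the master tree for one Secure Browsing Instance.

    Directories are created per instance; every regular file is a hard-link to
    the master inode, so the instance costs directory entries, not file data.
    """
    inst = os.path.join(root, name)
    for dirpath, _dirs, filenames in os.walk(master):
        rel_dir = os.path.relpath(dirpath, master)
        target_dir = os.path.normpath(os.path.join(inst, rel_dir))
        os.makedirs(target_dir, exist_ok=True)
        for fn in filenames:
            os.link(os.path.join(dirpath, fn), os.path.join(target_dir, fn))
    return inst


def write_confined(inst, rel, content):
    """Copy-on-write: break the hard-link before the write touches the file.

    If the entry still shares its inode with the master (link count > 1), a
    private copy replaces the link first; only then is the content written.
    """
    path = os.path.join(inst, rel)
    if os.path.exists(path) and os.stat(path).st_nlink > 1:
        private = path + ".private"
        shutil.copy2(path, private)   # new inode, owned by this instance only
        os.replace(private, path)     # atomically drops the shared link
    else:
        os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)


def write_unconfined(inst, rel, content):
    """Naive write through the hard-link: this edits the shared master inode."""
    with open(os.path.join(inst, rel), "w") as fh:
        fh.write(content)


def read(base, rel):
    with open(os.path.join(base, rel)) as fh:
        return fh.read()


def shares_inode(master, inst, rel):
    """True while the instance entry is still a hard-link to the master file."""
    return (os.stat(os.path.join(master, rel)).st_ino
            == os.stat(os.path.join(inst, rel)).st_ino)


def demo():
    """Two instances share one master. Instance A applies a confined change to
    a config file; instance B writes naively to another file. Returns what each
    party observes afterwards (every value should be True)."""
    root = tempfile.mkdtemp(prefix="sbs-")
    try:
        master = build_master(root, {
            "etc/browser.conf": "homepage=about:blank\n",
            "bin/browser": "#!/bin/sh\necho remote-browser\n",
        })
        a = create_instance(root, master, "instance-a")
        b = create_instance(root, master, "instance-b")
        linked_before = shares_inode(master, a, "etc/browser.conf")

        # Confined modification inside instance A (the scheme described above).
        write_confined(a, "etc/browser.conf", "homepage=tampered\n")
        # Naive modification inside instance B (what happens without the copy).
        write_unconfined(b, "bin/browser", "#!/bin/sh\necho tampered\n")

        return {
            "linked_before": linked_before,
            "a_private_after": not shares_inode(master, a, "etc/browser.conf"),
            "a_sees_change": read(a, "etc/browser.conf") == "homepage=tampered\n",
            "master_conf_intact": read(master, "etc/browser.conf") == "homepage=about:blank\n",
            "b_conf_intact": read(b, "etc/browser.conf") == "homepage=about:blank\n",
            "naive_write_leaked_to_master": "tampered" in read(master, "bin/browser"),
            "naive_write_leaked_to_a": "tampered" in read(a, "bin/browser"),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last two results show why the copy must precede the write: a hard-link is just another name for the master inode, so any write that reaches it before the link is broken is visible to every instance.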
  • The Secure Browsing Instance is meant to temporarily offer the tools needed to browse a web application, and these tools are discarded after use.
  • The Secure Browsing Server of the present invention only requires the features specifically necessary to access a web application.
  • Offering complementary features, or different configuration options, would pose a new risk, since these options would be available both to legitimate and malicious users. Reducing the available features reduces the attack surface and makes it easier to control the user's actions.
  • Not including these extra features generally decreases memory consumption, enabling a more scalable secure browsing architecture.
  • In this way the Secure Browsing Server offers high scalability to serve a high number of users, while the provider can strictly control the actions that a user can perform while interacting with its web site, since the provider itself is supplying tailored tools to facilitate access to its own web application.
  • A Client Access Tool 220 is supplied by the Secure Cloud Browser.
  • This Client Access Tool is a remote control client that does not receive HTML code, JavaScript code or any other form of web source code, but only receives rendered web contents, for instance compressed bitmaps, which are displayed in its window. This way, malicious software that has infected the user device 110 and wants to modify data from the session to commit fraud would first have to understand the transaction data from a bitmap and then change it. This is a computationally intensive process and would normally take a very long time to achieve, if possible at all.
  • FIG. 5 shows the main components of the Client Access Tool 220 as integrated within the client device 110 it interacts with.
  • the Client Access Controller 540 communicates with the Server Access Controller 412 via communication interface 550.
  • the pair formed by the Client and Server Access Controllers offers interaction with one specific Secure Remote Browser. Any webpage contents to be displayed are received ciphered from the respective Secure Browsing Instance at the communication interface, which de-tunnels and de-ciphers them.
  • the Client Access Controller then coordinates the display of the received content on display 510 using image formats typically accepted by screen drivers, such as bitmaps.
  • the client device also has a keyboard 520 and mouse 530 to receive events and instructions from the user.
  • the Client Access Controller intercepts these events and instructions and retransmits them to the Secure Browsing Server after they are ciphered and tunneled by the communication interface. Although more details will be given below on ciphering and tunneling, it is to note that both operations are performed by the communication interface, oblivious to the rest of the elements of the Client Access Tool. Once these events have been processed in the respective Secure Browsing Instance, the resulting changes are sent back to Client Access Tool for updating the contents of the webpage as displayed.
  • the Client Access Tool is a security critical element of the client-server architecture, since it is executed in the user's environment, which cannot be assumed to be secure.
  • the Client Access Tool is exposed to many of the threats usually affecting a regular browser, which are derived from the environment's condition.
  • One of these is manipulation of the application, which is a common attack technique that consists in modifying part of the application's code, such that it will behave in a malicious way, for instance changing the content of webpage forms.
  • This type of attack is very common in electronic commerce, or banking activities, or electronic transactions, and they usually target the browser.
  • One way of overcoming this kind of threat is for the banking service provider to distribute secure hardware that in general terms contain protected software.
  • This software might be used to verify integrity of the interaction between user and local browser, might be a secure browser itself or even a full operating system.
  • this solution has a high cost for the institution, both in terms of hardware and distribution of it, and is cumbersome for the user, who is required to carry a physical device for accessing one application.
  • Another solution is to install a customized banking application on the client's device.
  • this solution requires the financial institution to cater not only for the server side of their electronic commerce activity, but also for the inadequacies of managing the client side.
  • this solution is also not usually welcome, as it means installing yet another customized application in their devices.
  • the user device is one with limited processing capabilities, such as a wireless mobile phone, smart phone, or tablet, this additional installation is undesirable and not performed by the users.
  • the Client Access Tool may be exposed to persistent manipulation if it is permanently stored in an infected machine.
  • the Client Access Tool is configured to be used only once per session. After the end of a session, the Client Access Tool is configured to stop operating. In this configuration the Client Access Tool is called a "one-time" browser OTB. This embodiment has the advantage of confining any attacks to a single session. Hence as sessions are destroyed, so is the malware created therein.
• since the Client Access Tool is expected to be downloaded by a large number of users with different platforms and operating systems, it needs to be compatible with a large variety of operating systems. Therefore, to ensure its widespread usability, it is programmed using a multiplatform language.
• An example of a preferred multiplatform language is Java, since Java and its Java Virtual Machine (from now on JVM) are widespread in current user systems.
• since the Client Access Tool has to be downloaded every time the user wants to access a web application, download time is very important from a usability point of view, and it would be desirable to minimise it. Therefore, in order to maximise the user's positive experience navigating with the Client Access Tool, in another aspect of the invention the application's functions are minimised to those necessary for, on the one hand, receiving images and coordinating their display on the user device and, on the other hand, receiving and routing user input from the client to the server side.
• the application is not expected to perform any further functionality, as this will be offered by the Secure Cloud Browser environment with which it interacts.
  • the Client Access Tool is developed as a "thin" Client Access Tool wherein, firstly, it is designed to be part of a larger architecture where most computing load is hosted by a server.
• a thin client only includes functionalities that have to be performed exclusively by the client, and not the server, and thus is as small as possible. This simplicity makes it especially suitable for use in hostile environments, providing the smallest attack surface, which is easier to secure.
  • responsibility of connection and configuration is mainly assigned to the Secure Server System, thus keeping management functions in the provider or administrator's control.
  • a thin client is very easy to download, thus minimizing the session establishment time.
• Obfuscation consists in deliberately making code confusing and ambiguous, so that it is harder to understand and, as a consequence, to reverse engineer. This is achieved by applying a series of transformations to the original code, so that the control flow, the purpose of variables and functions, and constant values are hidden. Different transformations are applied to every instance and are chosen randomly, which ensures, on the one hand, that the analysis of the code takes considerable time and, on the other, that the analysis of one specific instance does not simplify the analysis of any future instance. Hence, an attacker analyzing the code would not be able to write the above-mentioned piece of malware, since he would not know what the next client's code would look like. Instead, he would need to analyze every Client Access Tool instance separately. Obfuscation, or code transformation techniques, are well known in the art. In the following, several aspects of integrating code transformation techniques into the client-server architecture of the present invention are described.
  • a security period is assigned to the application code. After this security period the code is renewed automatically, and the obfuscated code is replaced by a new piece of obfuscated code, where different obfuscation transformations have been applied.
• code renewal is implemented by choosing the security period based on the estimated complexity analysis of the final obfuscated Client Access Tool, such that the condition Tsec < Te is satisfied, where Tsec is the security period and Te is the estimated analysis time; in other words, the code is renewed before an attacker could be expected to finish analysing it.
  • FIG. 6 shows different approaches to obfuscation code renewal.
  • two main parameters are taken into account: the time taken to download the new piece of code, Td, and the time period in which the Client Access Tool can be considered protected, Tp.
• the first axis 610 represents a first aspect of code renewal. As can be seen, the user starts downloading the first instance of the Client Access Tool (CAT1) at time t1. At this same moment, the code is exposed to analysis by a malicious user either listening in on the channel or residing in the user's machine. Once the download has been completed at time t2, the first Client Access Tool is executed and used for a certain time.
  • the Secure Server System sends a new second instance of the Client Access Tool (CAT2).
  • the active session is interrupted, since none of the clients can be used. In other words, there are no active applications available for use.
  • a disadvantage with this second aspect of code renewal is that the effective security period of the second instance is decreased, since it is exposed at time t3 but not used until time t7. Hence, new clients need to be downloaded more frequently, so that they are available for use once the effective security period is over. This can lead to traffic congestion or to a situation where the Client Access Tool in use expires before the next one is available.
• a third aspect of code renewal is depicted in axis 630, which permits the exact moment at which an application is first exposed to be controlled and adjusted. This is implemented using encryption techniques.
  • the Access Manager 311 ciphers the Client Access Tool before delivering it in the background, which can be seen from the shaded intervals between time t3 and time t4, and between time t5 and time t6.
  • the Secure Server System delivers the deciphering key.
  • the second Client Access Tool is then deciphered by the user's device, and thus exposed for analysis only at the end of this deciphering operation, at time t8. At this same point it is also executed.
  • the exposure time can be managed by the Secure Server System, ensuring that the code is not exposed to analysis before it is needed.
  • the effective security period as defined by the time period between time t8 and time t9 is also the highest.
  • deciphering is a locally run operation which is generally faster than downloading the application.
• the deciphering key does not need to be transmitted over any secure channel, since in this scenario it is assumed that the attacker already resides in an infected user device but would not have access to the application until it is deciphered. Therefore, in this third aspect of code renewal, a seamless transition between application instances is provided without compromising security.
  • obfuscation techniques are used which maximise the time required to hack a particular application code.
  • the security period is larger than the duration of a session. In an extreme case this security period is notably longer that the maximum session duration. In this case, there is no need to apply code renewal as just described.
  • obfuscation might be applied even to a group of clients, and not necessarily be uniquely applied to every delivered client. For instance, if the security period is estimated to be 24 hours long, the system might apply obfuscation once a day, generating a day-client that will be used for every session starting within that specific period.
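The three renewal timelines of FIG. 6 and the Tsec < Te condition, worked through as an added example (this is illustrative code, not code from the patent). Time values are arbitrary units; the margin used to derive Tsec from Te, the deciphering time Tdec and the rule that the key is released when the current instance expires are assumptions made here. The model makes the failure mode of the second approach explicit: if the background download of the plaintext instance finishes after the current one expires, the session is interrupted, and the waiting time is lost from the security period in any case.

```python
"""Code-renewal timeline model for the three approaches of FIG. 6 (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RenewalPlan:
    exposed_at: float            # first moment an attacker can analyse the new instance
    usable_at: float             # first moment the user can execute the new instance
    gap: float                   # interval in which no Client Access Tool is usable
    effective_security: float    # protected time left once the instance is in use


def security_period(te_estimate: float, margin: float = 0.5) -> float:
    """Pick Tsec strictly below the estimated analysis time Te (Tsec < Te).

    `margin` is an assumption: it leaves headroom for an attacker who is
    faster than the complexity estimate predicts.
    """
    if not 0.0 < margin < 1.0:
        raise ValueError("margin must lie in (0, 1) so that Tsec < Te")
    return te_estimate * margin


def plan_sequential(t_expire: float, td: float, tsec: float) -> RenewalPlan:
    """Axis 610: the next instance is downloaded only when the current one expires.

    Exposure starts at download start, so Td is lost from the security period,
    and the session is interrupted for the whole download.
    """
    return RenewalPlan(exposed_at=t_expire, usable_at=t_expire + td,
                       gap=td, effective_security=tsec - td)


def plan_background(t_expire: float, t_start: float, td: float, tsec: float) -> RenewalPlan:
    """Axis 620: plaintext instance downloaded in the background from t_start.

    It is exposed from t_start but only used when the current instance expires
    (or when the download finishes, if that is later), so the effective security
    period shrinks by the waiting time.  A download that finishes after t_expire
    leaves the user without a usable client for the difference.
    """
    ready_at = t_start + td
    usable_at = max(t_expire, ready_at)
    return RenewalPlan(exposed_at=t_start, usable_at=usable_at,
                       gap=max(0.0, ready_at - t_expire),
                       effective_security=tsec - (usable_at - t_start))


def plan_ciphered(t_expire: float, t_start: float, td: float,
                  tsec: float, tdec: float) -> RenewalPlan:
    """Axis 630: ciphered instance downloaded in the background, key released at expiry.

    The ciphertext cannot be analysed, so exposure begins only when the device
    deciphers it (t8 = key release + Tdec), which is also when it starts running.
    The whole Tsec is therefore available for use.
    """
    ready_at = t_start + td
    key_release = max(t_expire, ready_at)      # the Secure Server System controls this moment
    t8 = key_release + tdec
    return RenewalPlan(exposed_at=t8, usable_at=t8,
                       gap=t8 - t_expire, effective_security=tsec)


def is_sound(plan: RenewalPlan) -> bool:
    """A plan is acceptable only if protected time remains once the client is in use."""
    return plan.effective_security > 0 and plan.usable_at >= plan.exposed_at
```

With Td = 10, Tsec = 60 and the current instance expiring at t = 100, the sequential plan keeps 50 units of protection and interrupts the session for 10; a background download started at t = 80 is seamless but keeps only 40; the ciphered download keeps the full 60 at the cost of one deciphering interval.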
• in order to control which Client Access Tool is accessing which virtual environment, the unique Client Access Tool is bound to a specific Secure Browsing Instance at the server through two parameters: the session ID and the cipher key.
• the session ID allows the Connection Manager to identify incoming connections and determine the Secure Browsing Instance to which each is destined. Hence it serves for routing purposes, but does not provide an effective access control mechanism, for many reasons, the most important of which is the fact that the tunnel ID is known by the Connection Manager 312.
  • the cipher key on the other hand, is used to establish an end-to-end ciphered channel between the Client Access Tool and its corresponding container, and should only be known by these two players. Hence, this key could also be used as an access control token, if it was securely stored.
  • Key negotiation processes of the prior art comprise two parties using asymmetric cryptography to agree on a channel cipher symmetric key, and the standard method used is the Diffie-Hellman key exchange method.
• the negotiation phase consists of an exchange of questions and answers (challenges and responses) that are used to determine a symmetric cipher key.
  • both parties locally store the agreed key and start ciphering their communication using a symmetric algorithm.
• if the Client Access Tool stores the key in the user device's local memory, it is exposed to the adversary.
• negotiation processes are aimed at two parties that have never met before agreeing on a shared key, while the current scenario is quite different.
  • Both the Client Access Tool and the Secure Browsing Instance are part of a bigger unique architecture.
  • the Client Access Tool is actually issued by the Secure Server System - more specifically, by the Access Manager. Therefore, in this aspect of the invention no negotiation process is required, but it does need a mechanism that allows hiding of the key in the hostile environment.
  • a symmetric key system is preferably used, where two ends - the Client Access Tool and the container - share a pre-established key, which is embedded in the Client Access Tool before sending it to the client device.
  • the hard-coded key can be effectively hidden, even from an intruder with permissions in the user's environment.
• since the client-server architecture of the present invention will need to attend to a high number of concurrent sessions, it is desirable to design a dynamically scalable system catered to the environment into which it will be integrated.
  • multiplication of the elements in the Secure Server System environment is needed to attend to the expected demand, such as deploying a plurality of Secure Browsing Servers, so that a higher number of Secure Browsing Instances can be offered.
  • the Connection Manager 312 is entrusted with this complex management task and its main responsibility is managing the creation of new Secure Browsing Instances upon request of the Access Manager 311.
• when receiving the mentioned request, the Connection Manager requests from the Monitoring Manager 313 information on the Secure Browsing Servers' load. Based on this, the Connection Manager chooses one of the Secure Browsing Servers to host the new environment and instructs it to create a new Secure Browsing Instance. The new Secure Browsing Instance then establishes a communication channel with its counterpart Client Access Tool at the client side.
  • the Connection Manager also performs the function of dynamically assigning resources depending on current load usage. Therefore when acting as a load balancer, it optimises resource allocation depending on actual system capacity consumption and user needs.
• the Connection Manager replaces the Secure Browsing Server's IP address with its own, thus effectively hiding the inner network's addressing data and preventing discovery of its internal structure.
• the Secure Server System 210 presented herein is easily integrated into existing architectures to provide them with the advantages of the invention. Consequently, strong compatibility with any architecture is desirable, such that no change, special configuration or adaptation is required while integrating the Secure Server System. This is achieved due to the inherent characteristics of how the client-server architecture is deployed, which does not affect or change any existing infrastructure while being integrated. Complementarily, a particular provider's or administrative architecture does not affect the Secure Server System, or its method of connecting, deploying and communicating.
• a security policy commonly used in internal networks consists in limiting the protocols accepted within the network so that, for instance, HTTP and HTTPS connections are allowed but the SSH protocol might be blocked, in order to prevent possible intruders from remotely connecting to any device.
  • traffic is encapsulated using a Tunneling Protocol.
  • Tunneling enables communication to be encapsulated inside a permitted protocol, so that the information exchanged between the Client Access Tool and the Secure Server System will not be discarded by network policies. For instance, going back to the previous example, traffic could be HTTP-encapsulated, since the HTTP protocol was permitted by the policies in place.
• the encapsulation and de-encapsulation process is applied by the Connection Manager 312 on each connection.
  • Screen images sent from the Secure Browsing Instance 330 to the Client Access Tool 220 are encapsulated, for example, using an HTTP Tunnel, by the Connection Manager 312 before they are transmitted to the client device 110 through the public network 130.
  • incoming data is encapsulated by the Client Access Tool 220 before it is transmitted to the Secure Server System 210.
  • a session identifier ID is used to identify tunnels, so that every tunnel is linked to a Secure Browsing Instance 330.
  • This session ID is attached by the Client Access Tool 220 in the tunnel's header and checked upon arrival by the Connection Manager. Since HTTP is the most common protocol used in browsing environments, this tunneling enhances the invention's compatibility with different kinds of network configurations, which makes the invention highly compatible. This characteristic is especially critical if the system is offered as a service by the web site provider.
• FIG. 7 is a graphic representation of the implementation of the Tunneling Protocol in the communication link between the Secure Server System 210 and the client device 110. Since Secure Browsing Servers 330 have intense resource requirements, the tunneling and de-tunneling operations are performed fully in the Connection Manager 312, which results in the load of the Secure Browsing Servers being lightened, as each and every Server 330 is no longer responsible for performing these communication-related functions.
• since the Connection Manager is responsible for redirecting connections to the intended Secure Browsing Instances, it also dynamically manages the growing farm of Secure Browsing Servers, without necessitating a corresponding alteration of the external network. Moreover, since all communications, including the new requests for webpage download, or Internet browsing, to and from client devices always go through the Connection Manager, sessions can be transparently transported from one Secure Browsing Instance to another just by replicating the Secure Remote Browser's status and updating the redirection rules in the Connection Manager. Therefore, in case a particular session needs to be transported, the Connection Manager takes charge of coordinating the change and transports the remote browsing session to another instance by triggering the creation of a new Secure Browsing Instance.
  • the manager then obtains a copy of the Secure Remote Browser status, requests the creation of one new instance including the given session data and the deletion of the former environment and changes its own records in order to redirect traffic to the new instance instead of the former. Note that, if the Connection Manager did not have this role, the Client Access Tool would have to be reconfigured to change its connection destination creating unnecessary exchange of control data and channel capacity usage.
  • the Connection Manager is configured to request the closing of the client-server secure environment. It therefore shuts down the assigned Secure Browsing Instance, allows the Client Access Tool to lapse naturally, and deletes its information from the record, so that packets including the corresponding ID are discarded. Since the records kept at the Connection Manager are linked to Secure Browsing Instances' validity, the Connection Manager is also used to establish an expiration time for sessions, so that the environment and the related records will be erased after it and incoming connections using the given ID rejected.
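The binding of a Client Access Tool to its Secure Browsing Instance through the session ID and the embedded key, together with the Connection Manager's routing, session transport and record expiry described above, as an added example (illustrative code, not the patent's or the applicants' implementation). Assumptions made here: the tunnel frame carries the session ID in a constructed header named X-Session-ID, and the per-session key authenticates every frame with HMAC-SHA256. The patent says the key ciphers the channel; the authentication tag is used here to show the "access control token" role the text attributes to the key: the Connection Manager, which knows the session ID but never the key, can route frames but cannot produce one the container will accept.

```python
"""Session-ID routing with an end-to-end key embedded in the client (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SESSION_HEADER = "X-Session-ID"   # constructed header name, not from the patent
TAG_LEN = 32                      # HMAC-SHA256 digest length


@dataclass
class Frame:
    headers: dict
    body: bytes


def _tag(key: bytes, session_id: str, payload: bytes) -> bytes:
    # Binding the session ID into the tag stops a valid frame being replayed under another ID.
    return hmac.new(key, session_id.encode() + payload, hashlib.sha256).digest()


class ClientAccessTool:
    """Thin client: holds only its session ID and the key embedded before delivery."""

    def __init__(self, session_id: str, key: bytes):
        self.session_id, self.key = session_id, key

    def encapsulate(self, payload: bytes) -> Frame:
        """Wrap user input in an HTTP-tunnel frame: session ID in the header, tag after the payload."""
        return Frame({SESSION_HEADER: self.session_id},
                     payload + _tag(self.key, self.session_id, payload))


class Container:
    """Secure Browsing Instance end of the tunnel; the only other holder of the key."""

    def __init__(self, key: bytes):
        self.key = key

    def accept(self, session_id: str, body: bytes) -> Optional[bytes]:
        """Return the payload if the tag verifies, else None (frame dropped)."""
        payload, tag = body[:-TAG_LEN], body[-TAG_LEN:]
        return payload if hmac.compare_digest(tag, _tag(self.key, session_id, payload)) else None


@dataclass
class ConnectionManager:
    """Routes frames by session ID to inner instances; never learns the key."""

    records: dict = field(default_factory=dict)   # session_id -> (instance_address, expires_at)

    def register(self, session_id: str, instance_address: str, expires_at: float) -> None:
        self.records[session_id] = (instance_address, expires_at)

    def route(self, frame: Frame, now: float) -> Optional[str]:
        """Inner instance address for this frame, or None when the ID is unknown or expired."""
        record = self.records.get(frame.headers.get(SESSION_HEADER))
        if record is None or now >= record[1]:
            return None
        return record[0]

    def transport(self, session_id: str, new_instance_address: str) -> None:
        """Session transport: only the redirection rule changes; the client keeps its ID and key."""
        _, expires_at = self.records[session_id]
        self.records[session_id] = (new_instance_address, expires_at)

    def purge_expired(self, now: float) -> int:
        """Erase records past their expiration; later frames carrying those IDs are rejected."""
        expired = [sid for sid, (_, exp) in self.records.items() if now >= exp]
        for sid in expired:
            del self.records[sid]
        return len(expired)


class AccessManager:
    """Issues a bound client/container pair per session and registers its route."""

    def __init__(self, connection_manager: ConnectionManager):
        self.cm = connection_manager

    def issue(self, instance_address: str, now: float, ttl: float):
        session_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)   # embedded in the client and handed to the container, never to the CM
        self.cm.register(session_id, instance_address, expires_at=now + ttl)
        return ClientAccessTool(session_id, key), Container(key)
```

Issue a pair with `AccessManager(cm).issue("10.0.0.5", now, ttl)`, route each frame with `cm.route(frame, now)` and hand the body to the container's `accept`; a frame built with the right session ID but the wrong key routes correctly and is then dropped by the container, which is the property the text relies on.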
  • FIG. 8 depicts a Monitoring System 800 according to one embodiment of the invention.
  • the Monitoring System comprises a plurality of Information Collectors 821, which log data received from the at least one Secure Browsing Server 320.
  • the Monitoring System also comprises a Monitoring Manager 313 which evaluates the logged information, analyses the data statistically, and decides to perform certain actions in consequence.
  • the Information Collectors are placed inside every Secure Browsing Instance 330 and every Secure Browsing Server in order to have constant access to the monitoring targets.
• the Information Collectors are configured to regularly check and record information and data relating to performance and resource consumption, for example RAM space, CPU time and file system usage.
  • the Monitoring Manager 313 compares the collected data with pre-established thresholds such that an alarm is triggered if these are reached. These indicators are aimed at detecting attempts to monopolize resources by a specific Secure Browsing Instance that could lead to a degradation of performance of other Secure Browsing Instances hosted inside one specific Secure Browsing Server. It is also intended to detect excessive resource usage amongst Secure Browsing Servers. Using this information, the Monitoring Manager takes decisions on how to dynamically reassign resources depending on current availability, needs, and overall system optimisation.
  • this information is used to block, ban or restrict one specific session, based on the assumption that it is malicious or, at least, dangerous.
  • the Connection Manager 312 uses this information to deploy new Secure Browsing Instances, in order to balance the load of the system, as described before.
  • security alerts are obtained through comparison between actions performed inside every instance, or Secure Browsing Server, and a model of expected behavior, following a mechanism that is similar to a white list of actions.
  • white list usually refers to a set of entities which are given a special privilege as opposed to a black list, wherein the privileges are revoked for those entities.
  • actions performed in the Secure Browsing Instance, or the Secure Browsing Server are under evaluation and compared to a white list. If an action is contained in the list, the system assumes it to be legitimate as a privilege, and actions not contained in the list are thus considered suspicious.
  • the white list is enhanced by adding information on the likelihood of one action to legitimately take place given context information, such as previous events.
  • the Monitoring Manager permits an overall configuration and number of Secure Browsing Instances to operate simultaneously as long as the indicators comply with the predetermined white list.
  • such monitoring mechanisms tend to raise a high number of false positive alarms, where an event is mistakenly catalogued as dangerous or unwanted, due to the large variety of possible actions and the complexity of their context.
• the problem with trying to ameliorate such monitoring inaccuracy with an even more accurate behavioural model is that the data matching process becomes excessively cumbersome as a consequence of the model's complexity, on top of the inherent complexity of serving many thousands or even millions of browsing sessions.
• Alerts generated by the Information Collectors are sent to the Monitoring Manager, which furthermore has information about the overall Server System and thus is able to correlate information, or match events, taking place in different Secure Browsing Instances. Since the attacker could hypothetically still succeed in disabling the Information Collector, or in modifying or even eliminating alerts, in another aspect of this embodiment the Information Collector is configured to regularly send keep-alive messages that contain hashes enabling verification of the integrity of previous alerts. This way, the Monitoring Manager can detect any modification of alarms, adding yet another obstacle to malicious attacks on the Monitoring Manager.
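The keep-alive integrity check just described, as an added example (illustrative code, not the patent's implementation). The patent only says that keep-alives carry hashes of earlier alerts; the concrete scheme here, a SHA-256 chain over the canonical JSON of every alert sent so far plus an alert count, is an assumption. The Monitoring Manager recomputes the chain over the alerts it actually logged, so a modified alert changes the digest, a dropped or injected alert changes the count, and a collector that stops sending keep-alives shows up as silent. The alert contents are constructed sample data.

```python
"""Hash-chained keep-alives between an Information Collector and the Monitoring Manager (added example)."""
import hashlib
import hmac
import json


def canonical(msg: dict) -> bytes:
    """Stable serialisation so both ends hash identical bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def chain_digest(alerts: list) -> bytes:
    """Fold every alert, in order, into one running SHA-256 digest."""
    digest = b""
    for alert in alerts:
        digest = hashlib.sha256(digest + canonical(alert)).digest()
    return digest


class InformationCollector:
    """Runs inside a Secure Browsing Instance; emits alerts and periodic keep-alives."""

    def __init__(self, instance_id: str):
        self.instance_id = instance_id
        self.sent = []

    def alert(self, kind: str, detail: str) -> dict:
        msg = {"type": "alert", "instance": self.instance_id,
               "seq": len(self.sent), "kind": kind, "detail": detail}
        self.sent.append(msg)
        return msg

    def keep_alive(self, now: float) -> dict:
        """Keep-alive carrying the count and chained digest of everything sent so far."""
        return {"type": "keepalive", "instance": self.instance_id, "time": now,
                "count": len(self.sent), "digest": chain_digest(self.sent).hex()}


class MonitoringManager:
    """Logs alerts per instance and checks each keep-alive against what it has logged."""

    def __init__(self, max_silence: float):
        self.max_silence = max_silence
        self.alerts = {}       # instance -> list of alerts received
        self.last_seen = {}    # instance -> time of last keep-alive

    def receive(self, msg: dict) -> str:
        inst = msg["instance"]
        if msg["type"] == "alert":
            self.alerts.setdefault(inst, []).append(dict(msg))   # copy: the log is the manager's own
            return "logged"
        self.last_seen[inst] = msg["time"]
        logged = self.alerts.get(inst, [])
        if len(logged) != msg["count"]:
            return "ALARM: alert count mismatch"        # an alert was dropped or injected
        if not hmac.compare_digest(chain_digest(logged).hex(), msg["digest"]):
            return "ALARM: alert contents modified"     # a logged alert no longer matches
        return "ok"

    def silent_instances(self, now: float) -> list:
        """Collectors that stopped sending keep-alives, e.g. after being disabled."""
        return sorted(i for i, t in self.last_seen.items() if now - t > self.max_silence)
```

A plain hash chain detects tampering on the path or in the manager's store; an attacker who fully controls the collector can recompute it, so keying the digest with a per-instance secret (an HMAC) would be the natural hardening, which is a choice beyond what the text specifies.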
  • the Monitoring Manager is configured to assign a risk level to every active client-server browsing session.
  • a risk parameter is determined based on three information sources, namely an initial risk parameter, the alarms issued relating to a particular Secure Browsing Instance, and an environmental status parameter.
  • the risk parameter is set at an initial value, for example 0, and can only increase throughout the session.
  • the Monitoring Manager decides whether to apply any additional security measures and issues corresponding instructions to the Connection Manager to execute these additional security measures.
• the initial risk parameter is obtained as a result of combining a series of parameters that are based either on objective predefined criteria or on the system's learning, based on previous behaviours of users inside the system.
  • the former allow verification of currently common risk-control checks, which can be compared to prejudices that identify unusual behaviour or configurations.
• parameters commonly used in the prior art to identify sessions with a higher risk are browser and session language; i.e., if the application is mainly used by Europeans, sessions configured with languages from countries in other continents might be considered risky. These types of verifications are currently the most widespread and can also be fed into the Monitoring System of the Secure Server System.
• Environment information allows the Monitoring Manager to take into account risks taking place in neighbouring instances, in order to build a broader system overview of risks by linking independent and separate risk events. Since many sessions coexist in the same Secure Browsing Server, events inside one Secure Browsing Instance can lead to risks in the others. Going back to the example of an attacker trying to sniff traffic, events occurring in the attacker's environment can have consequences in other environments, and thus the risk of the other Secure Browsing Instances inside the same physical machine would be increased based on this specific instance's alert. Once the risk level begins to rise, the system checks a set of thresholds and can limit some specific functions of the Secure Browsing Instance in use.
  • FIG. 9 depicts a flow diagram according to another embodiment of the invention describing a method of triggering secure browsing.
  • the Secure Server System assigns either a High Security environment or a Honeypot environment depending on whether the risk level as determined by the Monitoring Manager exceeds a threshold Eth representing a high level of risk when compared to the expected behaviour of a session.
  • the objective here is to immediately assign high risk sessions to a high security browsing environment.
• sessions exceeding Eth can be divided into two groups depending on the knowledge of the error, or attack, that is taking place.
  • the Monitoring Manager also obtains a parameter of knowledge K on the behaviour, which is compared to a second threshold Ath. Sessions with high risk and showing a known attack, or error, pattern are assigned to a High Security Browsing Server, while unknown ones are monitored in a separate environment where their security risks can be further tested as assigned to a Honeypot Secure Browsing Server.
• in step 910 the risk level of the current session being monitored is determined.
• in step 920 this determined risk level is compared to a predetermined threshold Eth representing a high risk level. If the determined risk level is below Eth, as in step 930, the session is allowed to stay in its current security settings. These could be the client's default settings, or self-configured security settings.
• if the session's risk reaches, or exceeds, the threshold Eth representing high risk, it will be transported to one of those specific functions depending on the system's knowledge about the attack in progress as gathered by the Monitoring Manager. Session transportation implies reproducing the status of the browser at a specific instant and redirecting incoming connections from that moment on. Hence, upon transportation, the session is replicated in a new and completely reset Secure Browsing Instance.
• in step 940 the previous events are analysed and compared to patterns of known attacks.
• in step 950 a test is performed to determine whether the events analysed reasonably correspond to any attack already known by the Monitoring Manager. If positive (960), these sessions will be transported to the High Security Secure Browsing Server. On the other hand, risks not corresponding to known patterns are transported (970) to the Honeypot Secure Browsing Server.
• Transporting instances into the High Security SBS results in their capabilities being strictly limited by stronger security configurations, so as to minimize the risk of an attacker achieving intrusion into the system. Restricted functions can include downloading, uploading and printing files and browsing any third party's web pages, while security and isolation are enforced, for instance by using a more restrictive virtualization technology or deploying independent file systems instead of sharing immutable files.
  • sessions transported to the Honeypot SBS are offered a dummy environment in order to analyze and understand the new attack process. Sessions are provided a copy of the production environment where neighboring instances host fake users, such that attacks do not target real ones. Since the security test is performed recursively, as can be seen from arrow 980, if the attacker ever reaches a point where the attack matches a known pattern, it can be transported to the High Security SBS from that point on. This behavior not only enables identification of future occurrences of the attack, but is also a tool to improve the security mechanisms in place inside regular Secure Browsing Instances and Secure Browsing Servers.
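The risk triage of FIG. 9, covering the monotonic risk parameter, the environmental propagation to neighbouring instances on the same Secure Browsing Server, the Eth and Ath thresholds and the recursive re-test that can move a honeypot session to the High Security SBS, as an added example (illustrative code, not the patent's implementation). The threshold values, the weights of the initial-risk criteria, the neighbour factor and the catalogue of known patterns are all constructed; the patent fixes none of them.

```python
"""Risk-level triage of browsing sessions according to FIG. 9 (added example)."""
from dataclasses import dataclass, field

E_TH = 50.0   # high-risk threshold Eth (constructed value)
A_TH = 0.6    # knowledge threshold Ath on the parameter K (constructed value)


@dataclass
class Session:
    session_id: str
    server: str                          # Secure Browsing Server hosting the instance
    risk: float = 0.0                    # starts at the initial value and may only increase
    events: list = field(default_factory=list)
    placement: str = "current"           # current | high_security | honeypot


class MonitoringManager:
    def __init__(self, known_patterns: set, neighbour_factor: float = 0.25):
        self.known = known_patterns
        self.neighbour_factor = neighbour_factor   # environmental status weight (assumption)
        self.sessions = {}

    @staticmethod
    def initial_risk(browser_lang: str, expected_langs: set, new_device: bool) -> float:
        """Objective predefined criteria of the kind the text mentions; weights are constructed."""
        return (20.0 if browser_lang not in expected_langs else 0.0) + (10.0 if new_device else 0.0)

    def open(self, session: Session, initial_risk: float) -> Session:
        session.risk = max(0.0, initial_risk)
        self.sessions[session.session_id] = session
        return session

    def alarm(self, session_id: str, event: str, weight: float) -> str:
        """Alarm from one instance: raise its risk, propagate to same-server neighbours, re-triage."""
        s = self.sessions[session_id]
        s.events.append(event)
        s.risk += abs(weight)                       # the risk parameter never decreases
        for other in self.sessions.values():
            if other.server == s.server and other is not s:
                other.risk += abs(weight) * self.neighbour_factor   # environmental status
                self.triage(other)
        return self.triage(s)

    def knowledge(self, s: Session) -> float:
        """K: share of the session's events that match a known attack pattern."""
        return sum(e in self.known for e in s.events) / len(s.events) if s.events else 0.0

    def triage(self, s: Session) -> str:
        """Steps 920 to 970: keep, confine in High Security, or observe in the Honeypot."""
        if s.placement == "high_security":           # a confined session stays confined
            return s.placement
        if s.risk < E_TH:
            return s.placement                       # step 930: below Eth, keep current settings
        s.placement = "high_security" if self.knowledge(s) >= A_TH else "honeypot"
        return s.placement
```

Because a session in the honeypot is re-triaged on every new alarm, it migrates to the High Security SBS as soon as enough of its events match known patterns, which is the loop drawn as arrow 980.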
  • FIG. 10 depicts a first method 1000 for providing Internet browsing capabilities according to a first embodiment of the invention.
  • This embodiment comprises all the various aspects and configurations already described so far, either in isolation or in combination, resulting in differing technical effects and advantages over the prior art as has been described.
• the downloading process begins at step 1010 when the user introduces in his pre-installed local browser the URL of a web site (for example, http://www.example.com). If the site is secured, it responds with a redirection to the Secure Server System, as in step 1020 (for example, a redirect to https://securedbrowsing.example.com). In response, the client device is prompted to formally request an instance of a container in a Secure Browsing Server (step 1030), which creates a Secure Browsing Instance. At the same time, at step 1040, the Secure Browsing Server also prepares and serves to the client device 110 the binary code of a Client Access Tool. When the software download is completed, the device executes it.
  • Execution can be implemented in one aspect of this embodiment as starting a new process independent from the original local browser.
• the Client Access Tool is created inside the local browser. This option depends on configuration of the platform and has some implications on the solution's look and feel: if the client is executed as an independent process, it will be shown as an independent window, while execution inside the browser shows the contents of the Secure Remote Browser as a new tab inside the local browser, which results in a more transparent implementation. These settings also have some security implications: when executed inside the browser, the Client Access Tool can be subject to attempts at manipulation from the Local Browser, since it is a process running inside the latter. On the contrary, when shown in a different window, the Client Access Tool is run as a process independent of the Local Browser. This enhances security but requires higher permissions in the user device.
• in step 1050 the Client Access Tool proceeds to establish a connection with its respective Secure Browsing Instance, and displays the contents of the Secure Remote Browser on the client device's display.
  • another possibility would be not redirecting the user to the Secure Server System, but simply retrieving the Client Access Tool and delivering it directly to the original web site (http://www.example.com) via the Web Application Server.
  • the request 1030 for a new Secure Browsing Instance triggers the Secure Browsing Server to prepare a new instance of a container which is assigned specific for the user.
  • This process implies different configuration actions like setting the web site address, session permissions, and others.
  • the Client Access Tool is also specifically prepared for that session, and all the data required for establishing the connection between the user device and the container (session ID and encryption keys) is embedded in the binary code before signing the software.
  • FIG. 11 depicts a second method 1100 for providing Internet browsing capabilities according to a second embodiment of the invention wherein authentication procedures are performed before accessing the Secure Server System. This embodiment is based on the first embodiment of FIG. 10.
• Authentication can be performed at the web site once the connection is established with the Secure Browsing Server. Alternatively, the authentication can be performed from the Local Browser so that the session is transported once the user has been authenticated. This has the additional advantage of reducing the number of requests received by the Secure Server System.
• FIG. 11 depicts this aspect of the invention wherein the Secure Server System takes over the session once the user is authenticated.
• the web site initially sends a login form so that the user can respond by introducing his credentials using the Local Browser in step 1120. Once the credentials are validated, the web site communicates with the platform in step 1130 to authorize the user to request a secure browsing container, which is performed in step 1020. While the first method of FIG. 10 offers enhanced security during login, which is a security sensitive process, the second method of FIG. 11 is offered to save platform resources, as only authorized users can request a Secure Browsing Instance. This could prevent, for instance, Denial of Service attacks against the Secure Server System, where a large number of requests are sent to the server so that it runs out of resources.
  • the Access Manager is configured to include a mechanism that identifies the client device where the request has been originated and can establish limits on the number of sessions one device can open. Since the parameters that identify the device must be collected at the user's computing device and might be available or not depending on its permissions, these limits can also be made variable depending on the quality of the data collected. Once the Access Manager has verified that the device is allowed to open a new connection, it delivers the Client Access Tool.
  • FIG. 12 depicts a third method 1200 for providing Internet browsing capabilities according to a third embodiment of the invention wherein the connection to the secured platform could start at any moment during the usage of the web site, and not necessarily right after login is completed.
  • This embodiment is a modification of either the first or second embodiments of FIGs. 10 and 11.
• in step 1130 the web site notifies the Secure Server System that the user is authorized to request a container instance; the Secure Server System then retrieves the necessary session information in steps 1240 and 1250, so that the Secure Remote Browser can replicate the status of the user's local browser.
  • the platform replies to the user request with the Client Access Tool software and when the download is completed (step 1040) the connection is established in step 1050.
  • the Secure Remote Browser would have asked the Application Server for the current state of the session (step 1240).
  • FIG. 13 depicts some examples of the messages that are exchanged between these entities.
  • the Secure Remote Browser within its corresponding Secure Browsing Instance sends 1301 a web page request to the Web Application Server, which processes it and responds 1302 with a document.
  • the Secure Remote Browser then processes the contents of the document and renders the result to deliver it to the Client Access Tool window in 1303, showing the updated contents on the user's screen.
  • Keyboard and mouse events occurring in the Client Access Tool are transmitted 1304 to the Secure Remote Browser, which processes them and updates 1305 the display if needed. Some events will cause the browser to issue 1308 a new request to the server, but others can cause the display to update without requiring interaction with the Web Application Server. This might be the case while filling in a form, where typed content is shown to the user before the form is sent to the server. As in the previous steps, a document is requested and transmitted 1309 in return, to be rendered in the Secure Remote Browser before the display of the client's device is updated 1310, this time with the new contents.
  • In case the Secure Remote Browser is shown as an independent window from the local browser, the former can be configured to support tab functionality in order to display as many tabs as necessary following the regular process. However, if the Secure Remote Browser is integrated into the local browser's window, tabs need to be managed independently so that every tab can be shown as a tab of the local browser.
  • FIG. 14 depicts this aspect of the invention, showing the process by which a new tab is opened in the local browser to display a new tab of the system.
  • the user requests 1410 a new webpage, for instance by clicking on a link.
  • This request is transmitted through the thin client to the Secure Browsing Instance, where it is processed and it is determined that a new tab needs to be opened.
  • the Secure Browsing Instance then informs 1420 the Client Access Tool 220 that a new Client Access Tool 1450 should be downloaded to be displayed in a new tab. Simultaneously, the Secure Browsing Server is informed 1430 that it should accept the incoming request.
  • the Client Access Tool then requests 1030 a new Client Access Tool from the Secure Browsing Server and downloads 1040 the new thin Client Access Tool in return. Once the new Client Access Tool has been downloaded and is executing, the Secure Cloud Browser Server is requested 1050 to establish the connection with the Secure Browsing Instance.
  • the Secure Browsing Instance, when processing the request 1410 for a new URL, could also determine that the URL corresponds to a page that does not need to be secured. This could apply, for instance, if secure browsing capability is being offered as a security service by the provider of a web site "www.example.com" and the user requests access to a different site, for example "www.otherprovider.com". In this case, the system could request that a new tab be opened in the local browser and specify the URL to be loaded, and the user would in turn access "www.otherprovider.com" from his local browser.
  • the embodiments described herein may be implemented by hardware, software, firmware, middleware, microcode, or any combination thereof.
  • systems and/or methods are implemented in software, firmware, middleware or microcode, program code or code segments, a computer program, they may be stored in a machine-readable medium, such as a storage component.
  • a computer program or a code segment may represent a procedure, a function, a subprogram, a program, a routine, a subroutine, a module, a software package, a class, or any combination of instructions, data structures, or program statements.
  • a code segment may be coupled to another code segment or a hardware circuit by passing and/or receiving information, data, arguments, parameters, or memory contents. Information, arguments, parameters, data, etc. may be passed, forwarded, or transmitted using any suitable means including memory sharing, message passing, token passing, network transmission, or others.
  • the techniques described herein may be implemented with modules (e.g., procedures, functions, and so on) that perform the functions described herein.
  • the software codes may be stored in memory units and executed by processors.
  • the memory unit may be implemented within the processor or external to the processor, in which case it can be communicatively coupled to the processor through various means as is known in the art.
  • at least one processor may include one or more modules operable to perform the functions described herein.
  • various aspects or features described herein may be implemented, on one hand, as a method or process or function, and on the other as an apparatus, a device, a system, or an article of manufacture using standard programming and/or engineering techniques.
  • article of manufacture as used herein is intended to encompass a computer program accessible from any computer-readable device, carrier, or media.
  • computer-readable media can include but are not limited to magnetic storage devices (e.g., hard disk, floppy disk, magnetic strips, etc.), optical disks (e.g., compact disk (CD), digital versatile disk (DVD), etc.), smart cards, and flash memory devices (e.g., EPROM, card, stick, key drive, etc.).
  • various storage media described herein can represent one or more devices and/or other machine-readable media for storing information.
  • the term "machine-readable medium" can include, without being limited to, various media capable of storing, containing, and/or carrying instruction(s) and/or data.
  • a computer program product may include a computer readable medium having one or more instructions or codes operable to cause a computer to perform the functions described herein.
  • DSP: digital signal processor
  • ASIC: application specific integrated circuit
  • FPGA: field programmable gate array
  • a general-purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine.
  • a software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
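The Access Manager described above (device identification, a per-device session cap that varies with the quality of the data collected, and admission only after the web site has authorized the user in step 1130) as an added example; this is not the patent's own code, and the attribute names, weights and thresholds are constructed for illustration.

```python
"""Added example (not the patent's own code): an Access Manager that decides whether a
client device may open another Secure Browsing Instance. Two controls from the text are
combined: only users the web site has authorized may request an instance, and the
per-device session cap scales with the quality of the identifying data collected at the
client. Attribute names, weights and thresholds are constructed for illustration."""
import hashlib

# Identifying attributes the Client Access Tool may be permitted to read, each weighted
# by how strongly it distinguishes one physical device (constructed values).
ATTRIBUTE_WEIGHTS = {"machine_id": 0.5, "mac": 0.3, "os": 0.1, "screen": 0.1}


def data_quality(attrs: dict) -> float:
    """Fraction (0..1) of the identifying information that was actually collected."""
    return sum(w for name, w in ATTRIBUTE_WEIGHTS.items() if name in attrs)


def device_id(attrs: dict) -> str:
    """Order-independent fingerprint of the collected attributes. With few attributes
    many devices share one id, which is exactly why their cap must be lower."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs) if k in ATTRIBUTE_WEIGHTS)
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


class AccessManager:
    def __init__(self, max_sessions: int = 4, min_quality: float = 0.2):
        self.max_sessions = max_sessions   # cap for a fully identified device
        self.min_quality = min_quality     # below this, the device is not admitted at all
        self.open_sessions: dict[str, int] = {}

    def session_limit(self, attrs: dict) -> int:
        """Variable cap: scales with data quality, never below 1 once admitted."""
        q = data_quality(attrs)
        if q < self.min_quality:
            return 0
        return max(1, round(self.max_sessions * q))

    def request_instance(self, site_authorized: bool, attrs: dict) -> tuple[bool, str]:
        """Admission check before the Client Access Tool is delivered: (admitted, reason)."""
        if not site_authorized:
            return False, "web site has not authorized this user (step 1130)"
        limit = self.session_limit(attrs)
        if limit == 0:
            return False, "insufficient device identification data"
        dev = device_id(attrs)
        if self.open_sessions.get(dev, 0) >= limit:
            return False, f"device already holds {limit} session(s)"
        self.open_sessions[dev] = self.open_sessions.get(dev, 0) + 1
        return True, "Client Access Tool delivered"

    def release_instance(self, attrs: dict) -> None:
        """Called when a Secure Browsing Instance is torn down."""
        dev = device_id(attrs)
        if self.open_sessions.get(dev, 0) > 0:
            self.open_sessions[dev] -= 1
```

A device reporting only operating system and screen size is admitted with a cap of one session, while a fully identified device gets the full cap; that is the resource-saving effect against request floods that the text attributes to the second method.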
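The routing decision described for FIG. 14 (a requested URL either stays in the Secure Browsing Instance or is handed to a new tab of the local browser) as an added example, not the patent's own code. It goes beyond the text in checking the edge cases a practitioner would want: relative links, case, look-alike suffixes and userinfo in the authority; refusing non-web schemes is an assumption the text does not state, and the domain names are constructed.

```python
"""Added example (not the patent's own code): the routing decision a Secure Browsing
Instance makes when the user requests 1410 a new URL. Links within the protected site
stay in the Secure Remote Browser, links to other sites go to the local browser, and
non-web schemes are refused (an assumption, not stated in the text)."""
from urllib.parse import urljoin, urlsplit


def in_protected_scope(host: str, protected_domains: list[str]) -> bool:
    """True if host is one of the protected domains or a subdomain of one.
    The dot boundary in the suffix test keeps 'example.com.evil.test' out of scope."""
    host = host.lower().rstrip(".")
    for domain in protected_domains:
        domain = domain.lower().rstrip(".")
        if host == domain or host.endswith("." + domain):
            return True
    return False


def classify_link(link: str, current_url: str, protected_domains: list[str]) -> tuple[str, str]:
    """Resolve a clicked link against the page it was clicked on and return
    ("remote" | "local" | "block", absolute_url)."""
    target = urljoin(current_url, link)          # relative links resolve against the current page
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):    # urlsplit lowercases the scheme
        return "block", target                   # e.g. mailto:, file: are not browser pages
    host = parts.hostname or ""                  # userinfo (user@) is stripped here, so
    if not host:                                 # 'https://www.example.com@evil.test/' -> evil.test
        return "block", target
    if in_protected_scope(host, protected_domains):
        return "remote", target                  # rendered in the Secure Browsing Instance
    return "local", target                       # opened as a new tab of the local browser
```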

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Data Mining & Analysis (AREA)
  • Medical Informatics (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a client-server architecture in which a secure server communicates with a computer application on a client device that provides access to a remote browser hosted in the secure server. Consequently, the user browses the Internet in a transparent manner, yet from within a highly secured browsing environment as provided by the secure server. In this way, exposure to malware attacks directly at the client device is minimized.
PCT/EP2011/071507 2011-12-01 2011-12-01 Secure cloud browsing client-server system and secure remote browsing method using same WO2013079113A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2011/071507 WO2013079113A1 (fr) 2011-12-01 2011-12-01 Secure cloud browsing client-server system and secure remote browsing method using same

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2011/071507 WO2013079113A1 (fr) 2011-12-01 2011-12-01 Secure cloud browsing client-server system and secure remote browsing method using same

Publications (1)

Publication Number Publication Date
WO2013079113A1 true WO2013079113A1 (fr) 2013-06-06

Family

ID=45063154

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2011/071507 WO2013079113A1 (fr) 2011-12-01 2011-12-01 Secure cloud browsing client-server system and secure remote browsing method using same

Country Status (1)

Country Link
WO (1) WO2013079113A1 (fr)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015078500A1 (fr) * 2013-11-28 2015-06-04 Fundació Privada Barcelona Digital Centre Tecnològic Method and system for secure execution of web applications for mobile devices
DE102014007789A1 (de) * 2014-05-23 2015-11-26 Giesecke & Devrient Gmbh Browser-based application
US9740390B2 (en) 2013-03-11 2017-08-22 Spikes, Inc. Dynamic clip analysis
EP3220600A1 (fr) * 2016-03-14 2017-09-20 Palo Alto Research Center Incorporated System and method for proxy-based privacy protection
EP3247084A1 (fr) 2016-05-17 2017-11-22 Nolve Developments S.L. Server and method for providing secure access to web services
EP3292468A4 (fr) * 2015-05-06 2018-10-31 Alibaba Group Holding Limited Virtual host isolation
CN110493329A (zh) * 2019-08-08 2019-11-22 西藏宁算科技集团有限公司 A concurrent push service method and system based on a user-mode protocol stack
US10554722B2 (en) 2016-05-19 2020-02-04 Panasonic Avionics Corporation Methods and systems for secured remote browsing from a transportation vehicle
US10838842B2 (en) 2015-04-30 2020-11-17 Alibaba Group Holding Limited Method and system of monitoring a service object
CN112292669A (zh) * 2018-05-04 2021-01-29 思杰系统有限公司 Systems and methods for an embedded browser
CN112799815A (zh) * 2021-01-28 2021-05-14 北京钛星数安科技有限公司 A system and method for implementing distributed scheduling of remote browsers

Citations (2)

Publication number Priority date Publication date Assignee Title
US20070174915A1 (en) * 2006-01-23 2007-07-26 University Of Washington Detection of spyware threats within virtual machine
US7587669B2 (en) * 2001-04-09 2009-09-08 Aol Llc Server-based browser system

Patent Citations (2)

Publication number Priority date Publication date Assignee Title
US7587669B2 (en) * 2001-04-09 2009-09-08 Aol Llc Server-based browser system
US20070174915A1 (en) * 2006-01-23 2007-07-26 University Of Washington Detection of spyware threats within virtual machine

Non-Patent Citations (1)

Title
NILS GRUSCHKA ET AL: "Browser as a Service (BaaS): Security and Performance Enhancements for the Rich Web", 17TH GI/ITG CONFERENCE ON COMMUNICATION IN DISTRIBUTED SYSTEMS (KIVS'11), 11 March 2011 (2011-03-11), XP055023357, Retrieved from the Internet <URL:http://drops.dagstuhl.de/opus/volltexte/2011/2975/pdf/22.pdf> [retrieved on 20120329], DOI: 10.4230/OASIcs.KiVS.2011.208 *

Cited By (20)

Publication number Priority date Publication date Assignee Title
US9740390B2 (en) 2013-03-11 2017-08-22 Spikes, Inc. Dynamic clip analysis
WO2015078500A1 (fr) * 2013-11-28 2015-06-04 Fundació Privada Barcelona Digital Centre Tecnològic Method and system for secure execution of web applications for mobile devices
DE102014007789A1 (de) * 2014-05-23 2015-11-26 Giesecke & Devrient Gmbh Browser-based application
US10838842B2 (en) 2015-04-30 2020-11-17 Alibaba Group Holding Limited Method and system of monitoring a service object
EP3292468A4 (fr) * 2015-05-06 2018-10-31 Alibaba Group Holding Limited Virtual host isolation
US11068586B2 (en) 2015-05-06 2021-07-20 Alibaba Group Holding Limited Virtual host isolation
EP3220600A1 (fr) * 2016-03-14 2017-09-20 Palo Alto Research Center Incorporated System and method for proxy-based privacy protection
KR20170106912A (ko) * 2016-03-14 2017-09-22 팔로 알토 리서치 센터 인코포레이티드 Proxy-based privacy protection system and method
KR102407305B1 (ko) 2016-03-14 2022-06-13 팔로 알토 리서치 센터 인코포레이티드 Proxy-based privacy protection system and method
US10044679B2 (en) 2016-03-14 2018-08-07 Palo Alto Research Center Incorporated System and method for proxy-based privacy protection
EP3247084A1 (fr) 2016-05-17 2017-11-22 Nolve Developments S.L. Server and method for providing secure access to web services
US11232167B2 (en) 2016-05-17 2022-01-25 Randed Technologies Partners S.L. Server and method for providing secure access to web-based services
WO2017198740A1 (fr) * 2016-05-17 2017-11-23 Nolve Developments S.L. Server and method for providing secure access to web-based services
US11797636B2 (en) * 2016-05-17 2023-10-24 Netskope, Inc. Intermediary server for providing secure access to web-based services
US10834168B2 (en) 2016-05-19 2020-11-10 Panasonic Avionics Corporation Methods and systems for secured remote browsing from a transportation vehicle
US10554722B2 (en) 2016-05-19 2020-02-04 Panasonic Avionics Corporation Methods and systems for secured remote browsing from a transportation vehicle
CN112292669A (zh) * 2018-05-04 2021-01-29 思杰系统有限公司 Systems and methods for an embedded browser
CN110493329A (zh) * 2019-08-08 2019-11-22 西藏宁算科技集团有限公司 A concurrent push service method and system based on a user-mode protocol stack
CN112799815A (zh) * 2021-01-28 2021-05-14 北京钛星数安科技有限公司 A system and method for implementing distributed scheduling of remote browsers
CN112799815B (zh) * 2021-01-28 2024-04-02 北京钛星数安科技有限公司 A system and method for implementing distributed scheduling of remote browsers

Similar Documents

Publication Publication Date Title
US11616811B2 (en) Tracking usage of corporate credentials
Ferrara et al. Static analysis for discovering IoT vulnerabilities
US20210334359A1 (en) Mobile device policy enforcement
CA3113673C (fr) Systems and methods for a consistent application policy between different SaaS applications via an embedded browser
US8806618B2 (en) Security by construction for distributed applications
WO2013079113A1 (fr) Secure cloud browsing client-server system and secure remote browsing method using same
CA3118495C (fr) Systems and methods for secure redirection of unified application architectures (SAA) from native applications
US11797636B2 (en) Intermediary server for providing secure access to web-based services
Kumar et al. A study on web application security and detecting security vulnerabilities
US11281744B2 (en) Systems and methods for improved remote display protocol for HTML applications
US11586726B2 (en) Secure web framework
GB2574283A (en) Detecting triggering events for distributed denial of service attacks
Niakanlahiji et al. Webmtd: defeating web code injection attacks using web element attribute mutation
Sasi et al. A comprehensive survey on IoT attacks: Taxonomy, detection mechanisms and challenges
Sanfilippo et al. Stride-based threat modeling for mysql databases
Rauti et al. Man-in-the-browser attacks in modern web browsers
Singh Detecting and prevention cross–site scripting techniques
Clementson Client-side threats and a honeyclient-based defense mechanism, Honeyscout
Chinprutthiwong The Service Worker Hiding in Your Browser: Novel Attacks and Defenses in Appified Websites
Borders Protecting confidential information from malicious software
van Dongen Browser security
Stevens Lessons Learned from Detecting and Analyzing Android Advertisement Malpractices
Ofuonye Web-client runtime security system based on dynamic code instrumentation and policy injection.
Steiner Least Privilege 2.0: Access Control for Web 2.0 applications

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 11788863; Country of ref document: EP; Kind code of ref document: A1)
DPE1 Request for preliminary examination filed after expiration of 19th month from priority date (pct application filed from 20040101)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 11788863; Country of ref document: EP; Kind code of ref document: A1)