Mashup Security by Compilation. Tamara Rezk. These slides discuss joint work with Zhengqin Luo and Jose Santos. February 22nd, 2013.

Web Client Mashup
– Client-side web application integrating third-party gadgets
– Great way for code reuse!
(Figure: a Google Maps gadget embedded next to the integrator's housing data)

Different kinds of Mashups
– The integrator uses the gadget as a library
– The gadget reads state from the integrator

Programming model
– Mashups written in HTML + JavaScript
– Two ways to include external gadgets:
  – using a script tag
  – using a frame tag

Script tag – oversharing
– Gadget has integrator privileges
– Full exposure of the JS execution environment
(Figure: Google Maps gadget and the integrator's housing data sharing one JS environment)

Script tag – security violations
– Confidentiality violation: var steal = window["integratorSecret"]
– Integrity violation: window["price"] = newPrice
(Figure: Google Maps gadget and the integrator's housing data sharing one JS environment)

Script tag – integrity violation
The integrator's code computes a value and passes it to setTimeout as a string:
  var fac = function(x) {
    if (x <= 1) { return 1; }
    return x * fac(x - 1);
  }
  r = fac(3);
  s = "alert(" + r + ")";
  setTimeout(s, 100)

Script tag – integrity violation
With the gadget loaded through a script tag, the gadget can redefine setTimeout, so the integrator's call above runs the gadget's code instead:
  setTimeout = function() { EVIL CODE HERE }

Embedded frame – undersharing
– Gadget has no privileges
– Isolation of the JS execution environment between integrator and gadget: Same Origin Policy
(Figure: the gadget's frame and the integrator's housing data, with the access between them crossed out)

Embedded frame – undersharing
Isolation of JS execution blocks both attempts from the previous slides:
– Confidentiality violation: var steal = window["integratorSecret"] (blocked)
– Integrity violation: window["price"] = newPrice (blocked)
(Figure: the gadget's frame and the integrator's housing data, with both accesses crossed out)

Script versus Frame Tag
Script tag:
– exposes the integrator's JS environment
– unlimited communication
– not secure
Frame tag:
– isolates the environments of gadget and integrator
– communication is limited
– more secure than script
In practice: sacrifice security in the name of functionality!

HTML5 and Inter-frame communication
A frame can communicate with the integrator via postMessage, which provides:
– confidentiality
– authentication
(Figure: gadget and integrator, each with a message listener)

HTML5 and Inter-frame communication
The Postmash design was proposed by Barth, Jackson, and Li [09]:
– Put the untrusted code in an embedded frame
– Two stub libraries
– Proxy, e.g. method invocation by message passing
– No need to change the untrusted code!!
(Figure: Google Maps gadget with a stub library, integrator's housing data with a stub library)

Postmash
How to transform an insecure mashup into a mashup following the Postmash design?
– Manually write two stub libraries (gadget dependent)
– Manually rewrite the integrator's code
Our proposal: automate it and characterize the security property that it enforces: the Mashic Compiler [CSF'12]

Our proposal: Mashic Compiler
– A generic proxy and listener library: gadget independent!
– Integrator transform:
  – adapt to asynchronous communication
  – use the proxy library
– Mashic compiler: input: insecure mashup; output: secured mashup
– Proofs:
  – correctness for a benign gadget
  – security
  – JS small-step semantics of Maffeis et al. with rules to model the same origin policy

Mashic compiler – Overview
P_g: gadget code; P_i: integrator code
(Figure: the Mashic compiler takes the integrator I and produces C(I), consisting of the Proxy and Bootstrap-I; the framed gadget is loaded from u' where Web(u') = Listener)

Opaque Handles
– The integrator's reference to a gadget object
– E.g.: { is_handle: true, id: 42 }
– Inside the gadget, 42 maps to the real object
– Gadget independent!
(Figure: integrator and framed gadget)

Proxy and listener
The proxy provides interfaces using opaque handles:
1. Example: GET_PROPERTY(ohandle, prop, cont)
2. Send ("get property", ohandle, prop) via postMessage
3. The listener reacts to the message:
   e.g. if ohandle { is_handle: true, id: 42 } -> { "prop": 4 }, then the listener responds with 4
4. The proxy receives the response and applies the continuation cont to 4
(Figure: integrator and framed gadget)

A minimal set of Proxy Interfaces
– GET_GLOBAL_REF: get a global property
– CALL_METHOD: call a method
– CALL_FUNCTION: call a function
– ASSIGN_PROPERTY: property assignment
General enough to encode most real-world mashups!!
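The proxy/listener protocol of the last slides, together with the confidentiality and authentication checks postMessage offers, as an added example that is not Mashic's own code: a listener in the gadget frame answering GET_GLOBAL_REF, GET_PROPERTY and CALL_METHOD requests through opaque handles, a proxy in the integrator dispatching replies to continuations, and integrator code in the CPS shape the compiler produces. The simulated frames, origins, message layout and gadget state are assumptions.

```javascript
// Added example, not Mashic's code: proxy/listener pair over a simulated
// postMessage channel. Origins, "op" strings and message layout are assumed.
const INTEGRATOR_ORIGIN = "https://integrator.example";
const GADGET_ORIGIN = "https://gadget.example";
// Simulated frames: postMessage(data, targetOrigin) delivers synchronously here.
function makeFrame(origin) {
  const frame = { origin, onmessage: null };
  frame.send = (from, data, targetOrigin) => {
    if (targetOrigin !== frame.origin) return;        // confidentiality: wrong target, dropped
    frame.onmessage({ data, origin: from.origin });   // browser stamps the sender origin
  };
  return frame;
}
const integratorFrame = makeFrame(INTEGRATOR_ORIGIN);
const gadgetFrame = makeFrame(GADGET_ORIGIN);
// ---- gadget side: listener ---------------------------------------------
const gadgetGlobal = { price: 4, maps: { zoom: (n) => n * 2 } };  // constructed gadget state
const handles = new Map(); let nextId = 42;              // id -> real object, never leaves the frame
function toHandle(v) {                                   // objects cross only as opaque handles
  if (v === null || (typeof v !== "object" && typeof v !== "function")) return v;
  handles.set(nextId, v);
  return { is_handle: true, id: nextId++ };
}
const fromHandle = (h) => (h && h.is_handle ? handles.get(h.id) : h);
gadgetFrame.onmessage = (ev) => {
  if (ev.origin !== INTEGRATOR_ORIGIN) return;           // authentication: only the integrator
  const m = ev.data; let r;
  if (m.op === "get_global_ref") r = gadgetGlobal[m.name];
  else if (m.op === "get_property") r = fromHandle(m.handle)[m.prop];
  else if (m.op === "call_method") r = fromHandle(m.handle)[m.prop](...m.args.map(fromHandle));
  else return;                                           // unknown op: no reply
  integratorFrame.send(gadgetFrame, { id: m.id, result: toHandle(r) }, INTEGRATOR_ORIGIN);
};
// ---- integrator side: proxy --------------------------------------------
const pending = new Map(); let nextMsg = 0;              // message id -> continuation
function proxyCall(op, fields, cont) {
  pending.set(nextMsg, cont);
  gadgetFrame.send(integratorFrame, { id: nextMsg++, op, ...fields }, GADGET_ORIGIN);
}
integratorFrame.onmessage = (ev) => {
  if (ev.origin !== GADGET_ORIGIN) return;               // only replies from the gadget frame
  const cont = pending.get(ev.data.id); pending.delete(ev.data.id);
  if (cont) cont(ev.data.result);                        // apply the continuation to the answer
};
const GET_GLOBAL_REF = (name, cont) => proxyCall("get_global_ref", { name }, cont);
const GET_PROPERTY = (h, prop, cont) => proxyCall("get_property", { handle: h, prop }, cont);
const CALL_METHOD = (h, prop, args, cont) => proxyCall("call_method", { handle: h, prop, args }, cont);
// Integrator code after the CPS transform: `r = maps.zoom(price)` becomes nested continuations.
function runIntegrator(done) {
  GET_GLOBAL_REF("maps", (maps) =>                       // `maps` arrives as an opaque handle
    GET_GLOBAL_REF("price", (price) =>                   // `price` is a primitive, sent as is
      CALL_METHOD(maps, "zoom", [price], done)));
}
```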

Integrator transformation
– postMessage is asynchronous, and so is our proxy interface
– Automated CPS transformation of the old integrator code, with calls to the proxy interfaces
(Figure: an example transformation rule)

Realistic core JS subset
– Small-step core JS semantics adopted from Maffeis et al. [08]
– Extended with DOM semantics and message passing
– A decorated (colored heap) semantics

Decorated Semantics
– Programs run as a colored principal
– Heaps contain objects with properties that are colored

Formal Guarantees
Correctness guarantees:
– If the gadget is benign, then the compiled mashup behaves as the original one.
Security guarantees:
– If the gadget is not benign, nothing "bad" can happen in the compiled mashup.

Benign gadget
Intuitively:
– Integrity: a gadget does not try to write a property belonging to the integrator
– Confidentiality: a gadget does not try to read a property of the integrator
Formally defined:

Correctness Theorem
For a benign gadget, the compiled mashup reaches a final configuration indistinguishable from the one reachable from the original mashup.

Security Theorem
For any gadget, the compiled mashup provides integrity and confidentiality for the integrator.

Prototype Implementation
– A prototype compiler written in Bigloo (a dialect of Scheme): 3.3k LOC of Bigloo and 0.8k LOC of JavaScript
– Applied to various mashups:

Mashic: Summary
Correctness:
– Assumption: benign gadget (passive gadget)
– The compiled mashup preserves the original semantics
Security:
– Theorem: after Mashic compilation, the malicious gadget cannot read/write information belonging to the integrator
Plus: browser independence, gadget independence

Extending Mashic
Challenge: handle active gadgets
How? Gadgets must be allowed to access integrator objects
– Add an access control layer between gadgets and the integrator

Supporting Active Gadgets
Goal:
– Allow two-sided communication
– Add proxy and listener libraries to both the gadget iframe and the integrator code
– Control the communication from the gadget to the integrator
(Figure: current Mashic versus the goal: Page.html with Integrator.js and a Gadget A iframe, each side holding a Listener and a Proxy; the communication arrows are labelled Uncontrolled and Controlled)

Controlling Gadget – Integrator Communication
How?
1. Establish a lattice of security levels
2. Assign a security level to each integrator resource
3. Assign a security level to each gadget
4. Check all the gadget – integrator accesses at runtime
The lattice is the product Lc × LI of a confidentiality lattice Lc and an integrity lattice LI; each integrator value v is labelled v^l where l is in Lc × LI, and Σ : Gadgets → Lc × LI assigns each gadget its level.
(Figure: Page.html with Integrator.js and a Gadget A iframe, each with a Listener and a Proxy; the lattices Lc, LI and Lc × LI)
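Steps 1 to 4 carried through on a constructed policy, as an added example that is not the extended Mashic implementation: a two-point product lattice Lc × LI, a level for each integrator resource, the map Σ from gadgets to levels, and the runtime check applied to every gadget-to-integrator access. The level names, the ordering conventions (reads need the resource's confidentiality level at most the gadget's, writes need the gadget's integrity level at least the resource's) and the sample resources are assumptions.

```javascript
// Added example, not the extended-Mashic code: access control over Lc x LI.
// Step 1: the lattices. Confidentiality PUBLIC ⊑ SECRET, integrity UNTRUSTED ⊑ TRUSTED.
const Lc = { PUBLIC: 0, SECRET: 1 };
const LI = { UNTRUSTED: 0, TRUSTED: 1 };
const level = (c, i) => ({ c, i });                       // an element of Lc x LI
const leq = (a, b) => a.c <= b.c && a.i <= b.i;           // pointwise order on the product
const join = (a, b) => level(Math.max(a.c, b.c), Math.max(a.i, b.i));
// Step 2: a security level for each integrator resource (constructed sample).
const resourceLevel = {
  "housing.listings": level(Lc.PUBLIC, LI.TRUSTED),
  "housing.userSecret": level(Lc.SECRET, LI.TRUSTED),
  "ui.statusMessage": level(Lc.PUBLIC, LI.UNTRUSTED),
};
// Step 3: Σ : Gadgets -> Lc x LI (constructed sample).
const sigma = {
  "maps-gadget": level(Lc.PUBLIC, LI.UNTRUSTED),
  "audited-gadget": level(Lc.SECRET, LI.TRUSTED),
};
// Step 4: the runtime check. A gadget may read a resource when the resource's
// confidentiality level is at most the gadget's (no secret reaches a public
// gadget), and write it when the gadget's integrity level is at least the
// resource's (no untrusted gadget corrupts trusted integrator state).
function allowed(gadget, op, resource) {
  const g = sigma[gadget], r = resourceLevel[resource];
  if (!g || !r) return false;                              // unknown gadget or resource: deny
  if (op === "read") return r.c <= g.c;
  if (op === "write") return r.i <= g.i;
  return false;
}
// A gadget is benign when every access it attempts is compatible with its level.
function benign(gadget, accesses) {
  return accesses.every(([op, res]) => allowed(gadget, op, res));
}
// Integrator-side listener: every gadget -> integrator message passes the check first.
const integratorState = { "housing.listings": ["2BR flat"], "housing.userSecret": "constructed", "ui.statusMessage": "" };
function guardedListener(gadget, msg) {
  if (msg.op === "get_property") {
    return allowed(gadget, "read", msg.name) ? { ok: true, value: integratorState[msg.name] } : { ok: false };
  }
  if (msg.op === "assign_property") {
    if (!allowed(gadget, "write", msg.name)) return { ok: false };
    integratorState[msg.name] = msg.value;
    return { ok: true };
  }
  return { ok: false };                                    // anything else is refused
}
```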

Extended Mashic: Soundness and Security
Benign gadget: a gadget that only tries to access integrator information compatible with its security level
Correctness:
– Assumption: benign gadget
– The compiled mashup preserves the original semantics
Security:
– Theorem: after Mashic compilation, the malicious gadget can only read/write integrator information compatible with its security level

Information Flow control needed for the integrator code! (and only the integrator code)

Information Flow Control needed
– Separation of the gadget using an iframe: no need to analyze the gadget code
– Existing work on dynamic monitors (browser dependent): Hedin and Sabelfeld '12; Austin and Flanagan '09, '10, '12
– Inlining of dynamic security monitors (browser independent): Sabelfeld et al. '10; Chudnov and Naumann '10

Information Flow Control: Labeling in JavaScript
(Figure: the lattices Lc, LI and Lc × LI)
  var o = {}; o[f()] = 1
f() is a function that returns a dynamically computed string: in the final memory o has a new property unknown before execution! Static labeling is not always possible.

Labeling Values – Runtime Labeling
Original object: p1 : v1, p2 : v2, p3 : v3, …, pn : vn
Labeled object: p1 : (v1, l1), p2 : (v2, l2), p3 : (v3, l3), …, pn : (vn, ln); lo : l
– l is the security level of the object; l1 … ln are the security levels of the object's property values

Labeling Values and Instrumentation
Source integrator code:
  …
  if (x) {
    y = y + x;
  } else {
    alert("hello world")
  }
Instrumented integrator code:
  …
  if (x.value) {
    l_pc = x.level ∨ l_pc;
    y.value = y.value + x.value;
    y.level = x.level ∨ y.level ∨ l_pc;
  } else {
    alert("hello world")
  }
Code instrumentation: a new object for each value in the program!

Labeling Properties – Runtime Labeling
Original object: p1 : v1, p2 : v2, p3 : v3, …, pn : vn
Labeled object: (p1, l1) : v1, (p2, l2) : v2, …, (pn, ln) : vn; lo : l
Code instrumentation: one extra property per object, mapping the properties of the object to labels

Labeling Properties
– Inlining security monitors becomes more efficient (no need for an object per value in the program)
– Opens the path to combining dynamic and static JavaScript analysis
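The instrumentation of the "Labeling Values" slide carried over to the property-labelling scheme of the last three slides, as an added example that is not the authors' implementation: the instrumented if, the run-time labelling of a property whose name is only known once f() runs, and a release check that decides whether a property may be handed to the gadget frame (the check goes slightly beyond the slides). The two-point lattice, the names LOW, HIGH, LAB, OBJ and the helpers, and restoring the pc after the if, are assumptions.

```javascript
// Added example, not the authors' monitor: inlined information-flow monitor
// with labelled properties. Each monitored object carries one extra property,
// LAB, mapping property names to levels, plus the object's own level under OBJ.
const LOW = 0, HIGH = 1;                        // two-point lattice, LOW ⊑ HIGH
const join = (...ls) => Math.max(...ls);        // least upper bound
const LAB = "$lab", OBJ = "$obj";               // assumed names for the label map
const messages = [];                            // stands in for alert() outside a browser

function labeled(props, levels, objLevel = LOW) {
  return { ...props, [LAB]: { ...levels, [OBJ]: objLevel } };
}
function readProp(o, p, pc) {                   // level of a read = property label ⊔ pc
  const l = p in o[LAB] ? o[LAB][p] : o[LAB][OBJ];
  return { value: o[p], level: join(l, pc) };
}
function writeProp(o, p, v, level, pc) {        // p may be computed at run time, e.g. f()
  if (!(p in o)) o[LAB][OBJ] = join(o[LAB][OBJ], pc);  // creating a property reveals pc
  o[p] = v;
  o[LAB][p] = join(level, pc);                  // label fixed at run time, not statically
}
// Source integrator code:  if (x) { y = y + x; } else { alert("hello world") }
// with x and y stored as properties of the scope object s. Instrumented version:
function instrumentedIf(s, pc) {
  const x = readProp(s, "x", pc);
  const lpc = join(x.level, pc);                // l_pc = x.level ∨ l_pc
  if (x.value) {
    const y = readProp(s, "y", lpc);
    // y.level = x.level ∨ y.level ∨ l_pc
    writeProp(s, "y", y.value + x.value, join(x.level, y.level), lpc);
  } else {
    messages.push("hello world");
  }
  return s;                                     // pc falls back to its value before the if (assumed)
}
// var o = {}; o[f()] = 1 : the property name exists only at run time, so is its label.
function dynamicWrite(o, f, pc) { writeProp(o, f(), 1, LOW, pc); return o; }
// The gadget frame is a LOW sink: a property may cross to it only if its label is LOW.
function releasable(o, p) { return readProp(o, p, LOW).level === LOW; }
```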

Dynamic Semantics, extracting constraints
(Figure: the constraint-extraction rules of the dynamic semantics)

Conclusions
Mashic Compiler:
– assumption: gadgets used as libraries
– correctness under the assumption
– security guarantees based on the SOP, characterized as information flow where everything in the integrator is treated as top security level
– compilation: gadget and browser independent!

Conclusions
Mashic Compiler Extension:
– assumption: two-way communication with access control
– correctness under the assumption
– security guarantees based on information flow security
– compilation: IF analysis for the integrator using code instrumentation; gadget independence regarding the IF analysis; browser independence

Open Questions
IF analysis for the integrator using code instrumentation:
– Combining with static analysis? If part of the code is in a statically typable subset [Maffeis 2010], then type check it and instrument the rest.
Gadget independence regarding IF analysis:
– Still have to adapt to the asynchrony of postMessage … what's a good solution to this? Shadow pages? [Adjail 2010]
Making the web ad business model secure and practical?