Department of Electrical Engineering and Computer Science CONSCRIPT: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser.

Slides:



Advertisements
Similar presentations
Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Advertisements

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.
0 The Past, Present and Future of XSS Defense Jim Manico 2011 OWASP Brussels.
WEAVING CODE EXTENSIONS INTO JAVASCRIPT Benjamin Lerner, Herman Venter, and Dan Grossman University of Washington, Microsoft Research.
GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.
Aspect Oriented Programming. AOP Contents 1 Overview 2 Terminology 3 The Problem 4 The Solution 4 Join point models 5 Implementation 6 Terminology Review.
ASTA Aspect Software Testing Assistant Juha Gustafsson, Juha Taina, Jukka Viljamaa University of Helsinki.
Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.
ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo Meyerovich UC Berkeley Benjamin Livshits Microsoft.
An Evaluation of the Google Chrome Extension Security Architecture
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
1 Extensible Security Architectures for Java Authors: Dan S.Wallch, Dirk Balfanz Presented by Moonjoo Kim.
C++ fundamentals.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)
1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.
Subspace: Secure Cross-Domain Communication for Web Mashups Collin Jackson Stanford University Helen J. Wang Microsoft Research ACM WWW, May, 2007 Presenter:
UNIT-V The MVC architecture and Struts Framework.
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
FLOWFOX A WEB BROWSER WITH FLEXIBLE AND PRECISE INFORMATION CONTROL.
JavaScript & jQuery the missing manual Chapter 11
Copyright © cs-tutorial.com. Introduction to Web Development In 1990 and 1991,Tim Berners-Lee created the World Wide Web at the European Laboratory for.
Tutorial 10 Adding Spry Elements and Database Functionality Dreamweaver CS3 Tutorial 101.
Introduction to Aspect Oriented Programming Presented By: Kotaiah Choudary. Ravipati M.Tech IInd Year. School of Info. Tech.
JavaScript, Fourth Edition
Aspect Oriented Programming (AOP) in.NET Brent Krueger 12/20/13.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
3-Protecting Systems Dr. John P. Abraham Professor UTPA.
OMash: Enabling Secure Web Mashups via Object Abstractions Steven Crites, Francis Hsu, Hao Chen UC Davis.
ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo Meyerovich UC Berkeley Benjamin Livshits Microsoft.
Chapter 8 Cookies And Security JavaScript, Third Edition.
OMash: Enabling Secure Web Mashups via Object Abstractions Steven Crites, Francis Hsu, Hao Chen (UC Davis) ACM Conference on Computer and Communications.
INTRODUCTION TO JAVASCRIPT AND DOM Internet Engineering Spring 2012.
Cross Site Integration “mashups” cross site scripting.
Extending HTML CPSC 120 Principles of Computer Science April 9, 2012.
CSCE 201 Web Browser Security Fall CSCE Farkas2 Web Evolution Web Evolution Past: Human usage – HTTP – Static Web pages (HTML) Current: Human.
New & Improved Events List Relationships and Joins Large List Support Field & List Item Validation.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
AOP-1 Aspect Oriented Programming. AOP-2 Aspects of AOP and Related Tools Limitation of OO Separation of Concerns Aspect Oriented programming AspectJ.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Session: 1. © Aptech Ltd. 2Introduction to the Web / Session 1  Explain the evolution of HTML  Explain the page structure used by HTML  List the drawbacks.
C C Implementation  Prototype based on Firefox 3.0b2 codebase/ Spidermonkey VM  Uses SM contexts to manage multiple JavaScript execution contexts simultaneously.
Web Development 101 Presented by John Valance
Enhancing JavaScript with Transactions Mohan Dhawan †, Chung-chieh Shan ‡ and Vinod Ganapathy † † Department of Computer Science, Rutgers University ‡
M. Alexander Helen J. Wang Yunxin Liu Microsoft Research 1 Presented by Zhaoliang Duan.
University of Central Florida The Postman Always Rings Twice: Attacking & Defending postMessage in HTML5 Websites Ankur Verma University of Central Florida,
Vaibhav Rastogi and Yi Yang.  SOP is outdated  Netscape introduced this policy when most content on the Internet was static  Differences amongst different.
Chapter 8: Aspect Oriented Programming Omar Meqdadi SE 3860 Lecture 8 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.
Ch- 8. Class Diagrams Class diagrams are the most common diagram found in modeling object- oriented systems. Class diagrams are important not only for.
Protecting Browsers from Extension Vulnerabilities Paper by: Adam Barth, Adrienne Porter Felt, Prateek Saxena at University of California, Berkeley and.
© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 JSP Application Models.
1 Isolating Web Programs in Modern Browser Architectures CS6204: Cloud Environment Spring 2011.
 Web pages originally static  Page is delivered exactly as stored on server  Same information displayed for all users, from all contexts  Dynamic.
How to execute Program structure Variables name, keywords, binding, scope, lifetime Data types – type system – primitives, strings, arrays, hashes – pointers/references.
ASP-2-1 SERVER AND CLIENT SIDE SCRITPING Colorado Technical University IT420 Tim Peterson.
JavaScript Introduction and Background. 2 Web languages Three formal languages HTML JavaScript CSS Three different tasks Document description Client-side.
1 CSC160 Chapter 1: Introduction to JavaScript Chapter 2: Placing JavaScript in an HTML File.
Software Security. Bugs Most software has bugs Some bugs cause security vulnerabilities Incorrect processing of security related data Incorrect processing.
By Collin Donaldson. Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit,
The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5 Websites Paper by Sooel Son and Vitaly Shmatikov, The University of Texas.
Chapter 29: Program Security Dr. Wayne Summers Department of Computer Science Columbus State University
Aspect-Oriented Programming
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
Security mechanisms and vulnerabilities in .NET
Chapter 29: Program Security
Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems
Exploring DOM-Based Cross Site Attacks
Presentation transcript:

Department of Electrical Engineering and Computer Science CONSCRIPT: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo A. Meyerovich and Benjamin Livshits Presented by Josiah Matlack and Maciek Swiech

Department of Electrical Engineering and Computer Science Background and Motivation Webpages are a “mashup” of Javascript – on the page and in external files Inclusion of third party content is necessary, but untrusted Many policies and enforcement mechanisms Granularity, performance, and correctness CONSCRIPT is high performance, low complexity Example: eval Necessary evil (for JSON data) window.eval = function() { // safe code } Hiding is insufficient Use ConScript to advise the calls

Department of Electrical Engineering and Computer Science Background and Motivation Simple (shallow) aspect systems unable to detect all attacks Difficult (at best) to prove correctness Foiled by various prototyping attacks Not only JavaScript but native elements must be protected and validated Browser functionality provided by document and window

Department of Electrical Engineering and Computer Science Background and Motivation Aspect-oriented systems Breakdown logic into concerns Cohesive area of functionality Grouping and encapsulation of concerns Cross-cutting concerns Cut across multiple abstractions Alter behavior through advice and pointcuts Aspects: code (and included advice) Pointcut: specified moment of execution

Department of Electrical Engineering and Computer Science Aspect-Oriented Programming (AOP) Complementary to OOP model, allows for simplification of code Cross-cutting concerns: secondary functionality that may be replicated across various classes / primary functionalities Advice: additional code to be applied to the model Point-cut: a point of application execution at which cross- cutting needs to be applied Aspect: the combination of the point-cut and advice

Department of Electrical Engineering and Computer Science AOP Example void transfer(Account fromAcc, Account toAcc, int amount) throws Exception { if (fromAcc.getBalance() < amount) { throw new InsufficientFundsException(); } fromAcc.withdraw(amount); toAcc.deposit(amount); } Security??

Department of Electrical Engineering and Computer Science AOP Example (cont.) void transfer(Account fromAcc, Account toAcc, int amount, User user, Logger logger) throws Exception { logger.info("Transferring money..."); if (! checkUserPermission(user)){ logger.info("User has no permission."); throw new UnauthorizedUserException(); } if (fromAcc.getBalance() < amount) { logger.info("Insufficient funds."); throw new InsufficientFundsException(); } fromAcc.withdraw(amount); toAcc.deposit(amount); logger.info("Successful transaction."); } Now we have checks… What if security concerns change?

Department of Electrical Engineering and Computer Science AOP Example (cont.) External interests (security checks, logging) have become tangled with the main interest of the application Aspects can contain advice – code that is joined to specific parts of a program Contain cross-cutting code in a central and easy to manage / reason about place

Department of Electrical Engineering and Computer Science AOP Example (cont.) aspect Logger { void Bank.transfer(Account fromAcc, Account toAcc, int amount, User user, Logger logger) { logger.info("Transferring money..."); } void Bank.getMoneyBack(User user, int transactionId, Logger logger) { logger.info("User requested money back."); } // other crosscutting code... }

Department of Electrical Engineering and Computer Science Basic Problem Create a browser-based aspect system that constrains the JavaScript code that can run on a webpage by specifying security policies Allow policies to be set by the webpage

Department of Electrical Engineering and Computer Science Basic Problem (cont.) Browser aspects Protect benign users by giving control to hosting site ConScript: browser-supported aspects Correctness checking Policies are easy to get wrong Remedy: type system Expressiveness Wide catalog of policies Real-world evaluation Built into IE8 JS interpreter and well tested

Department of Electrical Engineering and Computer Science Related Work Static analysis: instituting policies as properties Context sensitivity in JS is prohibitively high Small widgets are more tractable, but large systems aren’t Inference is well studied Browser tags Obviated need Isolation languages Correctness is hard

Department of Electrical Engineering and Computer Science Related Work (cont.) Shallow wrapping Not appropriate for large APIs Susceptible to policy integrity attacks Weaving aspects into the source Server cost too high Type-based pointcuts are too imprecise DOM API can’t be rewritten Aspect interfaces for dynamic languages The around function is much simpler around could be modified (before, after, etc.)

Department of Electrical Engineering and Computer Science Related Work (cont.) Secure aspects Don’t allow for behavioral modification of code CONSCRIPT is the opposite model Aspects are protected from subsequent code Others don’t interact with non-policy code

Department of Electrical Engineering and Computer Science Main Ideas around function Deep advice: advice propagates to function root, rather than references Depends on the runtime and browser being uncompromised Avoids shallow advice (wrapping), as leaks occur C++ interpreter Adds advice pointer and enabled bit to functions

Department of Electrical Engineering and Computer Science heap function withBound Checks function paint function paint draw display

Department of Electrical Engineering and Computer Science Main Ideas (cont.) C++ interpreter Native functions are handled like user-defined (bit + pointer) External functions are checked for advice registration Hits have advice processed, misses continue normally Bounded lookup table Bless/curse: flip advice bit to enable/disable advice function Automatic flipping is most efficient and effective New scripts are sent to advice automatically The return string is passed to the parser Isolated reasoning and static analysis in the interpreter to prevent vulnerabilities through poisoning

Department of Electrical Engineering and Computer Science

Main Ideas (cont.) Some functionality removed with and eval No caller access Policies 17 handwritten, 2 automatic generators No kernel to user flow allowed Functions must be known at policy invocation Privilege levels: u, k and o

Department of Electrical Engineering and Computer Science Main Ideas (cont.) Script introduction policies No scripts after a certain point No string arguments in setInterval or setTimeout No inline scripts Tags checked for whitelisted sources noinlinescript tag for certain elements Communication restrictions Restrict XMLHttpRequest to secure connections No access to cookies (http access only) Limit postMessage (cross-frame messages) to whitelist Limit cross-domain requests to a whitelist

Department of Electrical Engineering and Computer Science Main Ideas (cont.) DOM Interactions Prevent links from accessing cookies Limit the number of popup windows (or window movement) Disable dynamic iframe generation Whitelist for URL redirections Disable abuse of resources (modal dialogs) API Programming Reliability Constraints Simple comparisons for $ operator in Jquery No null returns for $ operator Staged eval restrictions

Department of Electrical Engineering and Computer Science Policies: Easy to get Wrong var okOrigin={" around(window.postMessage, function (post, msg, target) { if (!okOrigin[target]) { throw ’err’; } else { return post.call(this, msg, target); } });

Department of Electrical Engineering and Computer Science Main Ideas (cont.) Static typing system Use ML-like typing system to annotate privilege level of objections K (‘kernel’), U (‘user’), O (protected ‘object’) Track how information can flow Automatic policy generation (Script#) Look for unused methods in training data, and blacklist errors as malicious Integrate with rules auto-generated from other libraries (private methods)

Department of Electrical Engineering and Computer Science

Evaluation and Results 969 lines of JavaScript at 60 locations Without boilerplate code, about 8 lines per location Some features disabled arguments.callee Performance cost is 2-3x better than others 10,000 invocations of each target function Advice mechanism + original function counted Tried on native, user-defined, and DOM functions 24 microsecond cost for environment creation

Department of Electrical Engineering and Computer Science Evaluation and Results (cont.) CPU bound Considerably faster than the DoCoMo system For private methods, at most 0.3% overhead Less than 3.5% range of error Intrusion detection policy very small 7% overhead with a 46% standard deviation No intrusion detection alarms while testing 0.7KB average file size increase Policy file size mostly constant, even with large source

Department of Electrical Engineering and Computer Science Micro Benchmarks

Department of Electrical Engineering and Computer Science Macro Benchmarks

Department of Electrical Engineering and Computer Science Code Size Increase

Department of Electrical Engineering and Computer Science Open Issues Library loading and static analysis If code is loaded before aspect registration Static analysis could be preferable with and eval are missing SetTimeout unsafe without policy enforcement Type inference incomplete Browser support is required

Department of Electrical Engineering and Computer Science Open Issues (cont.) Automatic policy generation Policies come with host page Attackers could use unsupported frameworks

Department of Electrical Engineering and Computer Science Questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.