GRADUAL TYPING EMBEDDED SECURELY IN JAVASCRIPT Aseem Rastogi University of Maryland, College Park Joint Work With: Nikhil Swamy, Cédric Fournet, Karthikeyan.

GRADUAL TYPING EMBEDDED SECURELY IN JAVASCRIPT
Aseem Rastogi, University of Maryland, College Park
Joint work with: Nikhil Swamy, Cédric Fournet, Karthikeyan Bhargavan, Juan Chen, Pierre-Yves Strub, Gavin Bierman
POPL'14, TS*

Architecture of JavaScript Applications
- Application
- Libraries (e.g. jQuery)
- Untrusted code (e.g. ads)
- Shared global state (e.g. Object.prototype, String.prototype, Array.prototype)
All scripts execute in the same environment.

At Least It's Dynamically Type Safe
    var x = 0;
    x(17);      ~>* TypeError /* cannot apply a non-function */
    var x = 0x…;
    x.f();      ~>* TypeError /* cannot forge an address */
Provides some useful security properties.

Or Is It?
Goal: protect the send message function to restrict malicious URLs.
    function send(url, msg) { /* e.g. XMLHttpRequest */ … }
    function protect(rawSend) {
      var whitelist = { "…" : true, "…" : true };   /* whitelisted URLs, elided in the transcript */
      return function(url, msg) { if (whitelist[url]) rawSend(url, msg); };
    }
    window.send = protect(send);
The attacker:
    Object.prototype["evil.com"] = true;
    send("evil.com", "gotcha");
Attacker succeeds! whitelist[url] also looks up in Object.prototype.

Type Errors ≈ Security Vulnerabilities
- Attacker can exploit missing property accesses
- Can execute arbitrary JavaScript
Need a stronger notion of type safety!
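The protect/send example from the previous slides, run under the prototype poisoning the slide describes, beside a hardened version. This is an added example, not code from the TS★ slides or paper; the whitelisted URL ("https://good.example") is constructed for it because the slide elides the real entries, and rawSend is a recorder rather than XMLHttpRequest.

```javascript
"use strict";
// Added example (not the TS* authors' code): the slide's whitelist beside a
// prototype-safe version, plus a harness that poisons Object.prototype the way
// the slide's attacker does and records what each version lets through.

// Vulnerable, as on the slide: `whitelist[url]` walks the prototype chain, so
// any key reachable through Object.prototype counts as whitelisted.
function protect(rawSend) {
  var whitelist = { "https://good.example": true };   // constructed entry
  return function (url, msg) {
    if (whitelist[url]) rawSend(url, msg);
  };
}

// Hardened: a prototype-less map and an own-property check, so inherited keys
// (a poisoned "evil.com", but also built-ins like "toString") are never consulted.
function protectSafe(rawSend) {
  var whitelist = Object.create(null);
  whitelist["https://good.example"] = true;
  return function (url, msg) {
    if (Object.prototype.hasOwnProperty.call(whitelist, url) && whitelist[url] === true) {
      rawSend(url, msg);
    }
  };
}

// Harness: a fake rawSend that only records calls (no network). The poisoning
// is applied for the duration of the scenario and then removed again.
function runWhitelistScenario() {
  var sent = [];
  function rawSend(url, msg) { sent.push(url + ":" + msg); }
  var send = protect(rawSend);
  var sendSafe = protectSafe(rawSend);

  Object.prototype["evil.com"] = true;          // the attacker's prototype poisoning
  try {
    send("https://good.example", "hello");       // legitimate: both versions allow it
    sendSafe("https://good.example", "hello");
    send("evil.com", "gotcha");                  // vulnerable version leaks
    sendSafe("evil.com", "gotcha");              // hardened version refuses
    send("toString", "x");                       // leaks even without poisoning
    sendSafe("toString", "x");
  } finally {
    delete Object.prototype["evil.com"];         // restore the shared global state
  }
  return sent;
}
```

The `toString` probe is the point worth remembering: the lookup `whitelist[url]` is wrong even on an unpoisoned page, because every plain object inherits enumerable and non-enumerable members from Object.prototype; poisoning only widens the set of keys that pass.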

Stronger Type Safety for JavaScript?
DJS (Chugh et al.), DJS (Maffeis et al.), JSVerify (Swamy et al.), JSVerify (Gardner et al.), ADsafety (Guha et al.), SES-light (Taly et al.), Møller et al., …
- Handle only subsets of JavaScript
- Cannot ignore the adversary; lots of crazy stuff:
  - eval
  - Proxies
  - Stack walking
  - Prototype poisoning
  - Global namespace corruption
  - …

Attempts to Handle Full JavaScript?
TypeScript, Closure
- Great for increasing programmer productivity
- But not type safe

We ask…
Can we provide stronger JS type safety
- while accounting for the full ECMAScript 5 language,
- against an unrestricted adversary,
- and still retaining an idiomatic JS programming interface?

TS★: Gradual Type System for All of JavaScript
- Statically typed core (S): number, bool, string; function types T1 → T2; records { f_i : T_i } (mutable, extensible); ADTs
- Dynamically typed fragment (D): any; JSON; runtime type tests
- Un-typed adversary (U): arbitrary JavaScript, unmodified, unverified, unrestricted
Runtime checks mediate interactions between the three fragments.

Key Invariants of TS★ (over the U, D and S fragments)
- Static Safety: statically typed code is safe without any runtime checks
- Dynamic Safety: runtime types are always refinements of static types
- Memory Isolation: no un-location is referenced directly in static/any code; no static/any reference is leaked to un-code

Key Idea: Gradual Security (ad.js, lib.js, app.js share one page)
1. Identify security critical code:
    function protect(rawSend) {
      var whitelist = { "…" : true, "…" : true };
      return function(url, msg) { if (whitelist[url]) rawSend(url, msg); };
    }
2. Port to TS★:
    function protect(rawSend:(string,string)=>any) {
      var whitelist = { "…" : true, "…" : true };
      return function(url:string, msg:string) { if (whitelist[url]) rawSend(url, msg); };
    }
3. Compile; the TS★ compiler emits JavaScript in which the ported function is wrapped before it is exposed:
    function protected() {
      function protect(rawSend) { … }
      return wrap(protect);
    }
    window.send = protected();
4. Drop-in in the app.

Gradual Security: Initial Experience
- OWASP CSRFGuard and Facebook API
  - Both widely used and security critical libraries
  - Reported many attacks
  - Ported critical fragments to TS★
  - Easy to argue correctness in the presence of memory isolation
- Secure, High Integrity, and Efficient HTML5 localStorage

TS★ Gradual Typing Overview
- Based on runtime type information (RTTI): for type Point = { x:number; y:number }, a tagged value is written Point { x = 2, y = 3 }
- S (statically typed code): compiled as is
- D (any-typed code): compiled with runtime checks to respect RTTI tags
- U (untrusted code): library provided wrappers ensure memory isolation

TS★ Tour with Example
TS★ (statically typed):
    type Point = { x:number; y:number }
    function diag(p:Point) : Point { bar(p); p.x = p.y; return p; }
JS (dynamically typed):
    var o = { x : true };
    o.x = 2; o.y = 3;
    diag(o);
    function bar(q) { q.x = true; }

Compilation of Statically Typed Code and RTTI Instrumentation
TS★:
    type Point = { x:number; y:number }
    function diag(p:Point) : Point { bar(p); p.x = p.y; return p; }
Compiled JS (statically typed code is safe as is, so diag is emitted unchanged; the compiler only attaches its RTTI):
    diag.rtti = [[Point → Point]]
    function diag(p) { bar(p); p.x = p.y; return p; }
The dynamically typed side is compiled with runtime type checks:
    var o = { x : true }; o.x = 2; o.y = 3; diag(o);
    function bar(q) { q.x = true; }

Runtime Checks on RTTI (Dynamic Safety)
    var o = { x : true };      o : any, { x = true }
    o.x = 2;                   Is o a record? Does o.x = 2 respect o's rtti? ✔   o : any, { x = 2 }
    o.y = 3;                   Is o a record? Does o.y = 3 respect o's rtti? ✔   o : any, { x = 2, y = 3 }

Dynamically Typed to Statically Typed
    diag(o);                   o : any, { x = 2, y = 3 }, passed where diag expects a Point

Attempt 1: Use Higher Order Casts for Mutable Records
Wrap o in a proxy object whose accessors check the underlying record on every access:
    var o' = { get x() { if hasOwnProperty(o, "x") … }, get y() { … },
               set x(v) { … }, set y(v) { … } };
    diag(o');
Problems with Higher Order Casts
1. Lazy failures in statically typed code: undesirable for security critical applications; performance penalty for reducing casts
2. Space inefficient: might recover with fancy coercion reductions
3. Breaks object identity: o === o'?

Gradual Typing with RTTI
    diag(o);      Does o look like a Point? If so, tag it (setTag). ✔   o, p : Point { x = 2, y = 3 }

Monotonic Evolution of RTTI
A value's RTTI over time: v0:t0, v1:t1, v2:t2, …, vn:tn
- RTTI is always a sound approximation of a runtime value
- RTTI evolves monotonically w.r.t. the subtyping relation: t0 :> t1 :> t2 :> … :> tn

Seamless Transition from Statically Typed to Dynamically Typed
    function diag(p:Point) : Point { bar(p); p.x = p.y; return p; }    o, p : Point { x = 2, y = 3 }
bar(p) passes a Point to the any-typed bar; seamless via subtyping: Point <: any.

RTTI Violations Cause Runtime Failures
    function bar(q) { q.x = true; }          o, p, q : Point { x = 2, y = 3 }
Is q a record? Does q.x = true respect q's rtti? ✗ Runtime failure

Runtime Checks on RTTI (Dynamic Safety)
    function bar(q) { q.color = "red"; }     o, p, q : Point { x = 2, y = 3 }
Is q a record? Does q.color = "red" respect q's rtti? ✔   o, p, q : Point { x = 2, y = 3, color = "red" }

Statically Typed Code Executes As Is
    p.x = p.y; return p;                     o, p, q : Point { x = 2, y = 3, color = "red" }
Executes as expected, without any checks.

Key Invariants of TS★ (recap): Static Safety, Dynamic Safety, Memory Isolation. The rest of the talk is about the third one.

Memory Isolation from Un
TS★:
    type Point = { x:number; y:number }
    function diag(p:Point) : Point { baz(p); p.x = p.y; return p; }
JS (Un: unmodified, unverified, unrestricted):
    function baz(q) { … }
What if baz is any of the following?
    function baz(q) { delete q.x; }
    function baz(q) { delete q.rtti; }
    function baz(q) { q.rtti = "junk"; }
How to protect the invariants?

Memory Isolation from Un: a second dynamic type, Un
- Abstract type: not related to any other type
- Point <: any, but any is not a subtype of Un (any <\: Un)
- { f : number; g : Un } <: { g : Un }, but { g : Un } is not a subtype of { } ({ g : Un } <\: { })
    type Point = { x:number; y:number }
    baz : Un
    function diag(p:Point) : Point { baz(p); p.x = p.y; return p; }

Memory Isolation from Un
    baz : Un
    function diag(p:Point) : Point { baz(p); p.x = p.y; return p; }
Compile error: cannot apply an Un-typed term.
    function diag(p:Point) : Point { wrap(baz)(p); p.x = p.y; return p; }
Library provided wrappers ensure memory isolation.

Wrappers Enforce Heap Shape Invariant
- The heap is partitioned into the Un fragment, the static and any-typed fragment, and a DMZ of stubs between them
- Non-Un values are completely independent of untrusted global state (prototypes etc.), thus the send/protect example is secure in TS★
- The TS★ runtime system needs "first starter privileges" on the page
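The mechanisms of slides 16 to 39 (tagging at the any-to-static boundary with setTag, checked writes in any-typed code, monotonic evolution of tags, and the wrapper that keeps Un code away from RTTI) modelled as one runnable illustration. This is an added example, not the TS★ compiler's runtime library: it assumes record types over primitive fields, stores RTTI in an `rtti` property as the slides do, and models the library's Un stub with an ES6 Proxy, which is this example's own choice rather than the paper's wrapper design.

```javascript
"use strict";
// Added illustration (not the TS* runtime). Types are field -> primitive maps;
// an untagged object is "any"; `rtti` carries a record's current tag.
const RTTI = "rtti";
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const isRecord = (v) => v !== null && typeof v === "object";
// Structural width subtyping: sub <: sup when sub has every field of sup at the same type.
const isSubtype = (sub, sup) => Object.keys(sup).every((f) => sub[f] === sup[f]);

const Point = { x: "number", y: "number" };
const ColoredPoint = { x: "number", y: "number", color: "string" };   // ColoredPoint <: Point

// Does the runtime value o currently satisfy type T?
const conformsTo = (o, T) => isRecord(o) && Object.keys(T).every((f) => typeof o[f] === T[f]);

// setTag: "does o look like a T? if so, tag it". Tags only ever get more
// precise (t0 :> t1 :> ...): a coarser request is a no-op, an unrelated one fails.
function setTag(o, T) {
  if (!conformsTo(o, T)) throw new TypeError("value does not look like the requested type");
  const old = o[RTTI];
  if (old !== undefined) {
    if (isSubtype(old, T)) return o;                      // already at least as precise
    if (!isSubtype(T, old)) throw new TypeError("RTTI may only be refined");
  }
  Object.defineProperty(o, RTTI, { value: T, writable: true, enumerable: false, configurable: true });
  return o;
}

// Checked write, as compiled into any-typed code: the write must respect the
// target's RTTI; fields outside the tag (e.g. color on a Point) are unconstrained.
function write(o, f, v) {
  if (!isRecord(o)) throw new TypeError("not a record");
  if (f === RTTI) throw new TypeError("rtti is managed by the runtime");
  const T = o[RTTI];
  if (T !== undefined && hasOwn(T, f) && typeof v !== T[f]) {
    throw new TypeError(`${String(f)} = ${String(v)} violates rtti`);
  }
  o[f] = v;
  return o;
}

// Statically typed diag, compiled as is (no checks), with its RTTI attached.
function diag(p) { p.x = p.y; return p; }
diag[RTTI] = { arg: Point, ret: Point };

// wrap(f): call an Un function with stubs in place of real references. The stub
// hides rtti, routes writes through `write`, and refuses to delete tagged fields.
function stub(v) {
  if (!isRecord(v)) return v;                              // primitives cross as is
  return new Proxy(v, {
    get: (t, k) => (k === RTTI ? undefined : stub(t[k])),
    has: (t, k) => k !== RTTI && k in t,
    ownKeys: (t) => Reflect.ownKeys(t).filter((k) => k !== RTTI),
    set: (t, k, val) => { write(t, k, val); return true; },
    deleteProperty: (t, k) => {
      if (k === RTTI || (t[RTTI] !== undefined && hasOwn(t[RTTI], k))) return false;
      delete t[k];
      return true;
    },
  });
}
const wrap = (f) => (...args) => f(...args.map(stub));

// Runs a thunk and reports "ok" or the name of the error it raised.
function attempt(thunk) {
  try { thunk(); return "ok"; } catch (e) { return e.constructor.name; }
}

// The slides' example step by step; each field records what one step did.
function runRttiScenario() {
  const out = {};
  const o = { x: true };                                   // o : any
  write(o, "x", 2); write(o, "y", 3);                      // checked writes on an untagged record
  setTag(o, Point);                                        // crossing into diag(p:Point)
  diag(o);                                                 // runs without checks
  out.afterDiag = { x: o.x, y: o.y };                      // { x: 3, y: 3 }
  out.badWrite = attempt(() => write(o, "x", true));       // bar(q) { q.x = true }   -> TypeError
  out.extraField = attempt(() => wrap((q) => { q.color = "red"; })(o));   // allowed
  out.color = o.color;                                     // "red", visible to static code
  out.unDelete = attempt(() => wrap((q) => { delete q.x; })(o));          // refused
  out.unRtti = attempt(() => wrap((q) => { q.rtti = "junk"; })(o));       // refused
  out.unReadsRtti = wrap((q) => q.rtti)(o);                // undefined: tag is hidden
  out.refine = attempt(() => setTag(o, ColoredPoint));     // refinement: allowed
  out.badColor = attempt(() => write(o, "color", 5));      // now color is constrained too
  out.widen = attempt(() => setTag(o, { x: "number" }));   // coarser: no-op, tag unchanged
  out.tagIsColored = o[RTTI] === ColoredPoint;
  return out;
}
```

Two details carry the security argument. The `rtti` property is hidden and unwritable through the stub, so the three hostile `baz` bodies from the slide (delete a field, delete the tag, overwrite the tag) all fail before touching the real record; and because the tag only ever refines, static code that once saw `p : Point` can keep running unchecked.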

Facebook API Example
- An untrusted web page wants to connect to Facebook on the current user's credentials
- The Facebook API iframe retrieves the user's access token and gives it to the untrusted page if the page is authorized by the user

Facebook API Sample Code
    function decode(s) {
      var res = { };
      if (s === "") return res;
      var p = String.split(s, "&");
      for (var k in p) {
        var kv = String.split(p[k], "=");
        res[kv["0"]] = kv["1"];
      }
      return res;
    }
    function checkOrigins(g, e) {
      for (var k in e) { if (g === e[k]) return true; }
      return false;
    }

Example Vulnerabilities in Facebook API
Attacks similar to protect/send (using Object.prototype) apply to both functions above: for-in visits enumerable properties inherited from Object.prototype, and lookups on the plain object res fall through to it as well.

Porting Facebook API to TS★
    function decode(s:string):any {
      var res = { };
      if (s === "") return res;
      var p = String.split(s, "&");
      for (var k in p) {
        var kv = String.split(p[k], "=");
        res[kv["0"]] = kv["1"];
      }
      return res;
    }
    function checkOrigins(g:string, e:array string):bool {
      for (var k in e) { if (g === e[k]) return true; }
      return false;
    }
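The decode/checkOrigins pair from the slides beside prototype-safe versions, exercised under the same Object.prototype poisoning; unlike the whitelist lookup of protect/send, the hazard here is for-in enumeration and the parser's output object. This is an added example, not the Facebook API's code or the slides' TS★ port; the origins and query strings are constructed, and `s.split` replaces the non-standard `String.split` generic so the code runs on any engine.

```javascript
"use strict";
// Added example (not the Facebook API's code): the slides' functions beside
// hardened versions, run while Object.prototype carries an attacker-controlled
// enumerable property.

// As on the slide. for-in over an array also visits enumerable properties
// inherited from Object.prototype, so e[k] can be a value nobody put in e.
function checkOrigins(g, e) {
  for (var k in e) { if (g === e[k]) return true; }
  return false;
}
function decode(s) {
  var res = {};
  if (s === "") return res;
  var p = s.split("&");
  for (var k in p) {
    var kv = p[k].split("=");
    res[kv["0"]] = kv["1"];
  }
  return res;
}

// Hardened: index-based iteration over a checked array with a type check on
// each element, and a parser whose result has no prototype, so a later
// res.someKey cannot resolve to an inherited value.
function checkOriginsSafe(g, e) {
  if (!Array.isArray(e)) return false;
  for (var i = 0; i < e.length; i++) {
    if (typeof e[i] === "string" && g === e[i]) return true;
  }
  return false;
}
function decodeSafe(s) {
  var res = Object.create(null);
  if (typeof s !== "string" || s === "") return res;
  var p = s.split("&");
  for (var i = 0; i < p.length; i++) {
    var eq = p[i].indexOf("=");
    var key = eq < 0 ? p[i] : p[i].slice(0, eq);
    var val = eq < 0 ? "" : p[i].slice(eq + 1);   // first "=" splits; later ones stay in the value
    res[key] = val;
  }
  return res;
}

// Scenario: the poisoned property's value equals the attacker's origin, so the
// vulnerable origin check matches it and the vulnerable parser "returns" it.
function runOriginScenario() {
  var trusted = ["https://app.example"];                   // constructed allow-list
  Object.prototype.leak = "https://attacker.example";      // the poisoning
  try {
    return {
      vulnerableAccepts: checkOrigins("https://attacker.example", trusted),   // true
      hardenedAccepts: checkOriginsSafe("https://attacker.example", trusted), // false
      vulnerableLeak: decode("a=1").leak,                  // inherited attacker value
      hardenedLeak: decodeSafe("a=1").leak,                // undefined
      parsed: decodeSafe("code=abc&state=x%3Dy").state     // "x%3Dy"
    };
  } finally {
    delete Object.prototype.leak;                          // restore shared state
  }
}
```

The two defects are independent: fixing the loop alone leaves `decode`'s result inheriting from a poisoned prototype, and a null-prototype result alone does nothing for `checkOrigins`, whose only data structure is the caller's array.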

Also in the paper…
- More details on the wrappers
- Formal translation from TS★ to JavaScript
- Formalization of TS★ in JSVerify (Swamy et al., PLDI'13)
- Type soundness theorem and proof sketch
- A standards based mechanism for first starter privileges
- More examples
See our paper!

TS★: the first JavaScript type system to provide strong type safety in a modular way while accounting for ALL of JavaScript.
…us/um/people/nswamy/Playground/TSSecure/index.html