An Information Flow Inlining Compiler for a Core of JavaScript José Fragoso Santos Tamara Rezk Equipe Project INDES

Combine data and/or code from multiple origins to create a new service Web Applications Are commonly implemented in JavaScript

Security Vulnerabilities dom Integrator.js Gadget AGadget BGadget C Confidentiality Integrity integrator.html External Code Internal script that combines the external content Solution: Information Flow Control

JavaScript Security Leaks Security Leaks due to: 1 Extensible Objects address_table = {}; … register_addr = function(name, addr) { if (!address_table[name]) { address_table[name] = addr; } } register_add(“Jose Santos”, POLICY: Addresses are SECRET (H) address_table[“Jose Santos”] leaks Information at level H

JavaScript Security Leaks Defining Features of JavaScript 1 Extensible Objects 2 Prototypical Inheritance o1 = {}; o1.p = h ; o2 = {}; o2.__proto__ = o1; o2.p o2.p leaks information at level H

JavaScript Security Leaks Defining Features of JavaScript 1 Extensible Objects 2 Prototypical Inheritance 3 Constructs for Checking the Existence of Properties o1 = {}; if (h()) { o1.p = 1 } o1.p o1.p leaks information at level H

JavaScript Security Leaks Defining Features of JavaScript 1 Extensible Objects 2 Prototypical Inheritance 3 Constructs for Checking the Existence of Properties 4 Binding of Global Variables x = h ; f = function (x) { return this.x; } l = f(0); l leaks information at level H

Information Flow Control Public Outputs Should NOT Depend on Secret Inputs 1 Establish a Lattice of Security Levels 2 Label Variables with Security Levels 3 Label Object Properties with Security Levels 4 Assign a Level to the Domain of Every Object Levels Γ : Variables → Levels Σ : References x Property Names → Levels Σ : References → Levels

Attacker Model What can an attacker see? 1 Values of variables labeled with L 2 Values of properties labeled with L 3 The domains of the objects labeled with L

Attacker Model What can an attacker see? Memory Low-Proj High-Proj

Attacker Model What can an attacker see? o1o1 p 1 H : v 1 p 2 L : v 2 p 3 L : v 3 Low-Projection Domain L : p 1, p 2, p 3 p 2 L : v 2 p 3 L : v 3 Domain L : p 1, p 2, p 3

Attacker Model What can an attacker see? o1o1 p 1 H : v 1 p 2 L : v 2 p 3 L : v 3 Low-Projection p 2 L : v 2 p 3 L : v 3 Domain H : p 1, p 2, p 3

Security Property When should a program P be allowed to execute? HP 0 LP 0 HP 0 ’ LP 0 ’ LP 0 = LP 0 ’ HP 1 LP 1 HP 1 ’ LP 1 ’ Initial Mems Final Mems Execution of P: LP 1 = LP 1 ’ Divergent Executions Are Assumed NOT To Leak Information

Security By Compilation Rewrite a program P as P’ so that: 1 P’ only executes if the execution of P is SECURE 2 The semantics of P’ is contained in the semantics of P

Security By Compilation A Recipe for Designing Inlining Transformations: 1 Specify a Monitored Semantics 2 Prove the Monitored Semantics Secure 3 Specify a Program Transformation that Inlines the Monitor 4 Prove the Inlining Transformation Correct

Monitored Semantics Execute the Program in the: 1 Real Memory 2 Security Labeling = Abstract Memory r, pc ├ → Current Scope Object Level of the Current Context Initial MemoryVariable Labeling Object LabelingExpression to Evaluate Final MemoryFinal Variable Labeling Final Object Labeling Final ValueLevel of the Expression

Monitored Semantics No-Sensitive Upgrades Idea: Visible Resources cannot be updated in invisible contexts High Executions do NOT change the low projection of the memory

Monitored Semantics No-Sensitive Upgrades o1 = {}; o1.p = l; if (h()) { o1.p = 0 } Low-Projections p L : l o1 dom L : {p} h() Є {false, 0, null, undefined} o1 dom L : {p} h() Є {false, 0, null, undefined}

Monitored Semantics Property Assignment: e 0 [e 1 ] = e 2 r, pc ├ → Evaluate sub-expressions:

Monitored Semantics Property Assignment r, pc ├ → Evaluate sub-expressions:

Monitored Semantics Property Assignment r, pc ├ → Evaluate sub-expressions:

Monitored Semantics Property Assignment r, pc ├ → e 0 → r 0, σ 0, e 1 → m 1, σ 1, e 2 → v 2, σ 2 No-sensitive upgrades: σ 0 ˅ σ 1 ˅ pc ≤ Σ(r 0, m 1 ) if m Є μ 2 (r 0, dom ) σ 0 ˅ σ 1 ˅ pc ≤ Σ(r 0, dom) if m Є μ 2 (r 0, dom )

Monitored Semantics Property Assignment r, pc ├ → e 0 → r 0, σ 0, e 1 → m 1, σ 1, e 2 → v 2, σ 2 Memory and Labeling Updates: μ’ = μ 2 [(r 0, m 1 ) → σ 0 ˅ σ 1 ˅ σ 2 ˅ pc ] Σ’ = Σ 2 [(r 0, m 1 ) → σ 0 ˅ σ 1 ˅ σ 2 ˅ pc ]

Instrumentation Encode the labelings in the memory Memory μ Labeling Γ, Σ Instrumented Memory μ' S Similarity Relation

Instrumentation Pair Up Each Variable with a Shadow Variable that holds its level Variable: x Value: μ(x) Level: Γ(x ) Labeled Memory μ, Γ, Σ Instrumented Memory μ inst Variable: x Shadow Variable: lev x Value: μ inst (x) Level: μ inst ( lev x )

Instrumentation Object: o (r o ) Property: p Value: μ( r o )(p) Level: Σ(r o )(p) Labeled Memory μ, Γ, Σ Instrumented Memory μ inst Object: o (r o ) Property: p Shadow Property: lev p Value: μ inst ( r o )(p) Level: μ inst ( r o ) ( lev p ) Pair Up Each Property with a Shadow Property that holds its level

Instrumenting Objects p: v p q: v q s: v s o Σ(o) p: σ p q: σ q s: σ s domain: σ dom S p: v p q: v q s: v s lev_p: σ p lev_q: σ q lev_dom: σ dom o’ lev_s: σ s

Instrumentation Encode the labelings in the memory μΓ, Σ μiμi S μ'μ' Γ’, Σ’ μi'μi' Monitored Execution of P Execution of P’ S Comp(P) = P’

Compiler Specification Comp(e) = 1 e’ simulates the execution of e in the monitored semantics 2 x bookkeeps the value to which e evaluates 3 l bookkeeps the level of e

Compiler Specification Property Assignment: e 0 [e 1 ] = e 2 Comp(e 0 ) = Compile SubExpressions: Comp(e 1 ) = Comp(e 2 ) =

Compiler Specification Property Assignment: e 0 [e 1 ] = e 2 Comp(e i ) = i = 0,1,2 Constraint: if (x 1 Є dom( x 0 )) { check( l 0 ˅ l 1 ˅ pc ≤ x 0 [shadow(x 1 )]) } else { check( l 0 ˅ l 1 ˅ pc ≤ x 0 [“lev_dom”]) }

Compiler Specification Property Assignment: e 0 [e 1 ] = e 2 Comp(e i ) = i = 0,1,2 Comp(e 0 [e 1 ] = e 2 ) = e 0 ’; e 1 ’; e 2 ’ Constraint x 0 [x 1 ] = x 2 ; x 0 [shadow(x 1 )] = l 0 ˅ l 1 ˅ l 2

Conclusions In Summary: 1 An information flow monitor for a a core of JavaScript 2 A program transformation that inlines the monitor 3 A prototype implementation

Thank you!