Extending the Mashic Compiler Enforcing Security Policies in the Presence of Malicious Advertisements José Fragoso Santos Equipe Project INDES INRIA Sophia.


Extending the Mashic Compiler Enforcing Security Policies in the Presence of Malicious Advertisements José Fragoso Santos Equipe Project INDES INRIA Sophia Antipolis Méditerranée

Mashups...
Combine data and/or code from multiple origins to create a new service. The pieces of external content that are combined are called gadgets.

Not all gadgets are equal
Two major types of gadgets:
Type I: gadgets that manipulate the integrator state directly (e.g. advertisements).
Type II: gadgets that provide an interface for the integrator (e.g. external services).

Not all gadgets are equal
There are two major types of gadgets (figure: Integrator.js together with Gadget C in each case):
Type I: communication happens from the gadget to the integrator.
Type II: communication happens from the integrator to the gadget.

Type I – A simple example

Integrator code (the page): a "Web Page with Simple Banner" with the heading "Page with Simple Banner", a textarea ("Write your remark here"), a "Submit Remark!" button and a div with id "bannerAd" in which the AD is displayed.

Gadget code:

    function updateBanner() {
      // Read every textarea of the hosting page: this is integrator data.
      var taArray = document.getElementsByTagName("textarea");
      var str = "";
      for (var i = 0; i < taArray.length; i++) str += taArray[i].value;
      // isAbout, removeChildNodes and anchors are the gadget's own helpers
      // (not shown on the slide): classify the text, empty the banner slot
      // and insert the matching ad anchor.
      var index = isAbout(str);
      var div = document.getElementById("bannerAd");
      removeChildNodes(div);
      div.appendChild(anchors[index]);
    }

The gadget is accessing integrator information that does not belong to it in order to select which ad to present.

Type II – A simple example

The page ("Google Maps Hello World") defines `var initialize = function() { … }` and a "My Map" div. The gadget code is the Google Maps API loaded by the page; the integrator code calls the interface the gadget provides:

    var latlng = new google.maps.LatLng(36, -76);
    var options = {
      zoom: 12,
      center: latlng,
      mapTypeId: google.maps.MapTypeId.ROADMAP
    };
    var mdiv = document.getElementById("map");
    var map = new google.maps.Map(mdiv, options);

Including External Gadgets…
integrator.html (dom): Integrator.js is the internal script that combines the external content; Gadget A and Gadget C are the external code.

Including External Gadgets…
integrator.html (dom): a gadget (Gadget A, Gadget C) can be included either with the script tag or with the iframe tag. An iframe is “a page within a page”.

Script tag versus iframe tag
integrator.html (dom): Integrator.js, Gadget A, Gadget C.
Gadgets included using the script tag can read/write page information directly.
Gadgets included within an iframe cannot access the external page directly.

Script tag: Security Vulnerabilities
integrator.html (dom): Integrator.js, Gadget A, Gadget B, Gadget C.
Gadgets included using the script tag can circumvent the integrator code!!!

Script tag: Security Vulnerabilities
integrator.html (dom): Integrator.js, Gadget A, Gadget B, Gadget C.
At stake: Confidentiality and Integrity of the integrator.

Script tag: Security Vulnerabilities
External gadgets represent real threats to existing mashups!!!
2009: “Readers of the New York Times were greeted by an animated image of a fake virus scan.”
2009: “Members of Facebook were presented with ads deceptively portraying private images of their family and friends.”
These threats are real! External gadgets cannot be trusted in security-sensitive mashups.

Iframes and PostMessage
integrator.html (dom): Integrator.js, Gadget A, Gadget C in iframes, communicating through PostMessage.
Only strings can be passed between frames.
Interframe communication is asynchronous.

Same Origin Policy
A script cannot read the content of a document from a different ORIGIN than the page that contains the script.
An origin is made of: Domain Name, Application-Layer Protocol, Port Number.
Figure: pageA.html (dom) contains the Integrator and embeds Gadget I (src: Gadget I); pageB.html (dom) is Gadget I's own document, which the integrator script cannot read because it comes from a different origin.

Mashup Security Problem
Gadgets with the script tag: communication with the integrator, but security issues.
Gadgets with the iframe tag: security, but no communication with the integrator.
Programmers resign security for the sake of functionality!!!

Mashup Isolation: a recipe
integrator.html (dom): Integrator.js plus a Proxy Interface; a part of the dom is reserved for gadget interaction. Gadget C lives in an iframe together with a Listener Interface. Messages travel via the PostMessage API.
Attacks on JavaScript Mashup Communication. Adam Barth, Collin Jackson and William Li. Web 2.0 Security and Privacy 2009.

Mashup Isolation: A Recipe
integrator.html (dom): Integrator.js with the Proxy Interface; Gadget C in an iframe with the Listener Interface.
The gadget exposes function f and the integrator wants to compute f(A) and store its value on N2 whenever N3 is clicked.
1. N3 is clicked (Click!).
2. The integrator reads the value A stored in N1 (N1: A).
3. The integrator proxy marshals A as a string m_A and invokes the respective function of the gadget listener library.
4. The gadget listener function demarshals m_A and invokes the appropriate gadget function. The integrator awaits, blocked.
5. f(A) = B. The gadget listener function marshals B as a string m_B and sends it to the integrator via PostMessage.
6. The integrator demarshals B from m_B and updates node N2 (N2: B).

Mashic: Automating Mashup Isolation
Goals: automatically secure mashups, with correctness and security guarantees!
How?
Apply a CPS transformation to the integrator code.
Use Opaque Object Handles (OOH): a unique number associated with an object in a frame, so that the integrator can refer to objects that are defined inside the gadget...
Mashic Compiler. Zhengqin Luo and Tamara Rezk. CSF 2012.
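The recipe of the previous slides and the two Mashic ingredients (CPS and opaque object handles) in one runnable model. This is an added example, not code from the Mashic compiler or from the talk: the frame boundary is a channel that, like window.postMessage, only carries strings; the integrator side is written in continuation-passing style because replies arrive asynchronously; and objects that live in the gadget frame are referred to only through handle numbers. The names makeChannel, makeGadgetListener, makeIntegratorProxy and the gadget functions f and makePoint are this example's own.

```javascript
// The frame boundary. Delivery is synchronous here to keep the example easy to
// follow; a real postMessage delivers later, which is exactly why the integrator
// side below is written in CPS instead of blocking on the reply.
function makeChannel() {
  const handlers = {};
  return {
    onMessage(side, handler) { handlers[side] = handler; },
    post(toSide, data) {
      if (typeof data !== "string") {
        throw new TypeError("only strings cross the frame boundary");
      }
      handlers[toSide](data);
    },
  };
}

// Gadget side: the listener library. It exposes a fixed set of functions and
// keeps gadget objects in a handle table; only handle numbers leave the frame.
function makeGadgetListener(channel, exported) {
  const objects = new Map(); // handle -> object living in the gadget frame
  let nextHandle = 1;
  const unwrap = (a) => (a.handle !== undefined ? objects.get(a.handle) : a.value);
  channel.onMessage("gadget", (raw) => {
    const req = JSON.parse(raw);
    let result;
    if (req.type === "call") {
      result = exported[req.fn](...req.args.map(unwrap));
    } else if (req.type === "get") {
      result = objects.get(req.handle)[req.prop];
    }
    // Objects never cross the boundary: hand out a fresh opaque handle instead.
    const reply = { id: req.id };
    if (result !== null && typeof result === "object") {
      objects.set(nextHandle, result);
      reply.handle = nextHandle++;
    } else {
      reply.value = result;
    }
    channel.post("integrator", JSON.stringify(reply));
  });
}

// Integrator side: the proxy library. Each request carries an id so the reply
// can be matched with the continuation k that is waiting for it.
function makeIntegratorProxy(channel) {
  const pending = new Map(); // request id -> continuation
  let nextId = 1;
  channel.onMessage("integrator", (raw) => {
    const reply = JSON.parse(raw);
    const k = pending.get(reply.id);
    pending.delete(reply.id);
    k(reply.handle !== undefined ? { handle: reply.handle } : reply.value);
  });
  function send(body, k) {
    const id = nextId++;
    pending.set(id, k);
    channel.post("gadget", JSON.stringify({ id, ...body }));
  }
  const marshal = (a) => (a && a.handle !== undefined ? { handle: a.handle } : { value: a });
  return {
    call(fn, args, k) { send({ type: "call", fn, args: args.map(marshal) }, k); },
    get(h, prop, k) { send({ type: "get", handle: h.handle, prop }, k); },
  };
}

// The scenario from the slides: node N1 holds A; clicking N3 stores f(A) on N2.
// The second call shows an OOH: makePoint returns an object, so the integrator
// only receives a handle and has to ask the gadget for the object's fields.
function runScenario() {
  const channel = makeChannel();
  makeGadgetListener(channel, {
    f: (a) => a.toUpperCase(),
    makePoint: (x, y) => ({ x, y }),
  });
  const proxy = makeIntegratorProxy(channel);
  const dom = { N1: "hello", N2: null }; // constructed stand-in for the DOM nodes
  let pointHandle = null;
  let pointX = null;

  const onN3Click = () => proxy.call("f", [dom.N1], (b) => { dom.N2 = b; });
  onN3Click();
  proxy.call("makePoint", [3, 4], (h) => {
    pointHandle = h;
    proxy.get(h, "x", (x) => { pointX = x; });
  });
  return { dom, pointHandle, pointX };
}
```

The handle the integrator receives carries no fields of the gadget object; every access goes back through the channel, which is what lets the compiled integrator "refer to" gadget objects without ever holding a reference across the origin boundary.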

Mashic: Soundness and Security
Assumption – Benign Gadget: a Type II gadget.
Correctness: the compiled mashup preserves the original semantics.
Security (Theorem): after Mashic compilation, the malicious gadget cannot read/write information belonging to the integrator.

Extending Mashic
Challenge: handle Type I gadgets.
How? Recalling… the same way the integrator is allowed to access the objects belonging to the gadget:
Apply a CPS transformation to the gadget code.
Use Opaque Object Handles (OOH) on the gadget side.
Almost!

Supporting Type I Gadgets
Figure: Page.html with Integrator.js, and Gadget A in an iframe; current Mashic has Listener and Proxy on one side only, the goal adds a Listener and a Proxy on both sides.
Goals:
Allow two-sided communication.
Add proxy and listener libraries both to the gadget iframe and to the integrator code.
Control the communication from the gadget to the integrator (uncontrolled in current Mashic, controlled in the extension).

Controlling Gadget – Integrator Communication
Figure: Page.html with Integrator.js and Gadget A in an iframe, each side with a Listener and a Proxy; the gadget → integrator direction goes from uncontrolled to controlled.
How?
1. Establish a lattice of security levels: a confidentiality lattice L_C and an integrity lattice L_I; a level is a pair in L_C × L_I.
2. Assign a security level to each integrator resource: v^l where l is in L_C × L_I.
3. Assign a security level to each gadget: ∑ : Gadgets → L_C × L_I.
4. Check all the gadget – integrator accesses at runtime.
5. Track information flow in the integrator.

Controlling Gadget – Integrator Communication
The gadget wants to access the property p of the object o.
1. The gadget proxy library sends a request {o_id, p} to the integrator listener library, with the id of the object and the name of the property.
2. The integrator listener checks whether gadget A has permission to read property p of object o: Γ(o[p])|C <= ∑(Gadget A)|C ?
3. If yes, the integrator listener builds a response holding the value, e.g. {4}, and sends it to the gadget proxy.

Tracking IF in the Integrator
Why? To keep track of the information that can be sent to each gadget!
How? Instrument the integrator code with IF tracking operations; label runtime values with security levels.
This is possible because the integrator is TRUSTED! A highly DYNAMIC approach!

Labeling Runtime Values
Information Flow Security for a Core of JavaScript. Daniel Hedin and Andrei Sabelfeld. CSF 2012.
Original object: properties p_1 : v_1, p_2 : v_2, p_3 : v_3, …, p_n : v_n.
Runtime labeling produces a labeled object made of:
the original properties of the object and their values (p_1 : v_1, …, p_n : v_n);
the security levels of the object properties (l_1 : l_1, …, l_n : l_n);
the security level of the object itself (l_o : l);
stubs to mediate the interaction with the labeled object.

Expressing Security Policies
AdJail: Practical Enforcement of Confidentiality… Mike Ter Louw et al. USENIX Security Symposium 2010.
The programmer has to specify the security level of each integrator resource:
1. Label the original dom in a separate configuration file.
2. Label values that occur directly in integrator code (object literals and primitive values). Before:

    var names = {P1: "vader", P2: "luke"};
    var secretPins = {P1: "father", P2: "force"};

After:

    var names = {P1: "vader", P2: "luke"};
    var secretPins = new ObjEnv(
      {P1: "father", P2: "force"},   // values
      {P1: "secret", P2: "secret"},  // level of each property
      "secret");                     // level of the object

3. Label other sources/sinks of information (XMLHttpRequest…).
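The lattice, the gadget level map ∑, labeled objects and the runtime check of the gadget → integrator slides, put together so they can be exercised on the names/secretPins data above. This is an added example, not code from the Mashic extension or the talk. Only the confidentiality check Γ(o[p])|C <= ∑(G)|C appears on the slides; the write check on the integrity component is this example's reading of the same scheme and is marked as such. The ObjEnv constructor follows the three-argument shape shown on the slide; RANK_C, RANK_I, heap, integratorListener and gadgetRequest are the example's own names, and the data is constructed.

```javascript
// L_C: public ⊑ secret.  L_I: trusted ⊑ untrusted (information from a trusted
// source may flow to an untrusted sink; the reverse is what the integrity
// check forbids). Both are two-point lattices, so ⊑ is a rank comparison.
const RANK_C = { public: 0, secret: 1 };
const RANK_I = { trusted: 0, untrusted: 1 };
function leqC(a, b) { return RANK_C[a] <= RANK_C[b]; }
function leqI(a, b) { return RANK_I[a] <= RANK_I[b]; }

// ObjEnv(values, propertyLevels, objectLevel): a labeled object. A level is a
// pair {c, i}. Properties without an explicit label inherit the object's level.
class ObjEnv {
  constructor(values, propertyLevels, objectLevel) {
    this.values = values;
    this.levels = propertyLevels;
    this.level = objectLevel;
  }
  levelOf(p) { return this.levels[p] || this.level; }
}

// ∑: the security level of each gadget. An advertisement is untrusted and may
// only see public data.
const Sigma = {
  "Gadget A": { c: "public", i: "untrusted" },
};

// The integrator heap as the listener sees it: object id -> labeled object.
// Constructed to mirror the slide's names/secretPins literals, plus a slot the
// integrator explicitly marks as writable by untrusted gadgets.
const PUB = { c: "public", i: "trusted" };
const SEC = { c: "secret", i: "trusted" };
const heap = {
  names: new ObjEnv({ P1: "vader", P2: "luke" }, { P1: PUB, P2: PUB }, PUB),
  secretPins: new ObjEnv({ P1: "father", P2: "force" }, { P1: SEC, P2: SEC }, SEC),
  adSlot: new ObjEnv({ text: "" }, {}, { c: "public", i: "untrusted" }),
};

// Integrator listener: takes one marshalled request from a gadget proxy and
// returns the marshalled response.
//   read  {type:"get", o_id, p}        allowed iff Γ(o[p])|C ⊑ ∑(G)|C   (slide)
//   write {type:"set", o_id, p, value} allowed iff ∑(G)|I ⊑ Γ(o[p])|I   (this example's reading)
function integratorListener(gadget, rawRequest) {
  const req = JSON.parse(rawRequest);
  const o = heap[req.o_id];
  const sigma = Sigma[gadget];
  if (!o || !sigma) return JSON.stringify({ error: "unknown object or gadget" });
  const gamma = o.levelOf(req.p);
  if (req.type === "get") {
    if (!leqC(gamma.c, sigma.c)) return JSON.stringify({ error: "denied" });
    return JSON.stringify({ value: o.values[req.p] });
  }
  if (req.type === "set") {
    if (!leqI(sigma.i, gamma.i)) return JSON.stringify({ error: "denied" });
    o.values[req.p] = req.value;
    return JSON.stringify({ ok: true });
  }
  return JSON.stringify({ error: "bad request" });
}

// The gadget proxy's side of one round trip, unmarshalled for convenience.
function gadgetRequest(gadget, type, o_id, p, value) {
  const raw = JSON.stringify({ type, o_id, p, value });
  return JSON.parse(integratorListener(gadget, raw));
}
```

With this policy the ad gadget can read names.P1 but is denied secretPins.P1, and it can write adSlot.text but not names.P1: the decision is taken entirely on the integrator side, from labels the programmer attached to integrator resources, never from anything the gadget claims about itself.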

Integrator Instrumentation
On-the-fly Inlining of Dynamic Security Monitors. Jonas Magazinius, Alejandro Russo, Andrei Sabelfeld. COSE 2011.
Source integrator code:

    …
    if (x) { y = y + x; } else { alert("hello world") }

Instrumented integrator code (after the IFlow Tracker):

    …
    if (x.value) {
      l_pc = x.level ∨ l_pc;                   // raise the pc label with the guard's level
      y.value = y.value + x.value;
      y.level = x.level ∨ y.level ∨ l_pc;      // the result joins both operands and the pc
    } else { alert("hello world") }

Tracking IFlow
Why track information flow dynamically instead of statically enforcing a pre-established policy? JavaScript is TOO dynamic!!!
Abstruse scoping rules:

    function f(x) { if (h) { eval("var l"); } l = 0 }
    var l = 1;
    f(3)

Higher-order functions:

    if (h) { g = function() { l = 1 }; } else { g = function() { l = 0 }; }

Dynamic properties:

    var x = f();
    if (h) { o[x] = 0 }

And MANY MANY more…

Ext Mashic: Soundness and Security
Assumption – Benign Gadget: a gadget that only tries to access integrator information compatible with its security level.
Correctness: the compiled mashup preserves the original semantics.
Security (Theorem): after Mashic compilation, the malicious gadget can only read/write integrator information compatible with its security level.

Controlling Integrator – Gadget Communication
Figure: Page.html with Integrator.js and Gadget A in an iframe, each side with a Listener and a Proxy; the gadget → integrator direction is controlled, the integrator → gadget direction uncontrolled.
Communication from the integrator to the gadget is not verified. Why? Because the integrator is trusted!
However… the programmer can make mistakes, and the integrator can declassify/endorse whatever it wants.
A Model for Delimited Information Release. Andrei Sabelfeld and Andrew Myers. ISSS 2003.

Controlling Integrator – Gadget Communication
The integrator wants to invoke gadget function f with argument o.p.
1. The integrator proxy library verifies whether the argument o.p can be seen by the gadget: Γ(o.p)|C <= ∑(Gadget A)|C ?
2. If it can, the integrator proxy constructs a message {o_id, f} with the identifier of the object and the name of the function to invoke, and sends it to the gadget iframe.
3. After computing f(o), the gadget sends the result value to the integrator: {v}.
4. Upon receiving v, the integrator encapsulates it in an envelope with the security level of gadget A: Γ(v) := ∑(Gadget A).
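How the labels tracked by the instrumented integrator (the "Integrator Instrumentation" slide) feed the integrator → gadget check just described, as an added example that is not code from the Mashic extension or the talk. The monitor keeps a program-counter label l_pc and labels values as {value, level} pairs, as in the instrumented snippet; it also restores l_pc after the branch, which the slide does not show. Only the confidentiality component is modelled (public < secret, so join is max). Monitor, runSlideProgram, implicitFlow, callGadget and the gadget function f are this example's own names; the data is constructed.

```javascript
const PUBLIC = 0, SECRET = 1;
const join = (a, b) => Math.max(a, b);
const labeled = (value, level) => ({ value, level });

// The monitor holds l_pc. The instrumented `if` raises l_pc with the guard's
// level for the duration of the branch and restores it afterwards.
class Monitor {
  constructor() { this.pc = PUBLIC; }
  // if (x) { thenFn() } else { elseFn() }
  branch(x, thenFn, elseFn) {
    const saved = this.pc;
    this.pc = join(this.pc, x.level);
    if (x.value) thenFn(); else elseFn();
    this.pc = saved;
  }
  // y = y + x : the result's label joins x, y and the pc (as on the slide).
  add(y, x) {
    y.value = y.value + x.value;
    y.level = join(join(x.level, y.level), this.pc);
  }
  // y = v : plain assignment still picks up the pc (implicit flows).
  assign(y, v) {
    y.value = v.value;
    y.level = join(v.level, this.pc);
  }
}

// The slide's program:  if (x) { y = y + x; } else { alert("hello world") }
// alert is replaced by appending to an output array so the example runs headless.
function runSlideProgram(xLevel) {
  const m = new Monitor();
  const x = labeled(2, xLevel);
  const y = labeled(40, PUBLIC);
  const output = [];
  m.branch(x, () => m.add(y, x), () => output.push("hello world"));
  return { y, output, pcAfter: m.pc };
}

// Implicit flow: a public y becomes secret simply by being assigned inside a
// branch on a secret guard, although no secret value is copied into it.
function implicitFlow() {
  const m = new Monitor();
  const h = labeled(true, SECRET);
  const y = labeled(0, PUBLIC);
  m.branch(h, () => m.assign(y, labeled(1, PUBLIC)), () => m.assign(y, labeled(0, PUBLIC)));
  return y;
}

// Integrator → gadget call mediated by the integrator proxy: the gadget
// function runs only if the argument's tracked label flows to ∑(gadget), and
// the reply is enveloped with ∑(gadget), so whatever the gadget computed is
// treated as gadget-level data inside the integrator from then on.
const Sigma = { "Gadget A": PUBLIC };          // an ad gadget: public only
const gadgetFunctions = { f: (a) => a * 2 };  // constructed gadget export

function callGadget(gadget, fn, arg) {
  const level = Sigma[gadget];
  if (level === undefined) return { error: "unknown gadget" };
  if (!(arg.level <= level)) return { error: "denied" }; // Γ(arg)|C ⊑ ∑(G)|C fails
  const v = gadgetFunctions[fn](arg.value);   // stands in for the postMessage round trip
  return { result: labeled(v, level) };       // Γ(v) := ∑(Gadget A)
}
```

Running the slide's program with a secret x leaves y labeled secret even though y started public, and callGadget then refuses to hand that y to the ad gadget; with a public x the same call goes through. This is the point of tracking flows inside the trusted integrator: the check at the boundary is only as good as the labels that reach it.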

Conclusions – Our Goals
Handle both kinds of gadget (Type II: Integrator.js → Gadget C; Type I: Gadget C → Integrator.js).
Provide a solution for Web Ads based on Mashic that is:
1. Browser independent.
2. Applicable to existing mashups.
3. Backed by correctness and security guarantees.

Related Work
IFlow in JS:
Information Flow Security for a Core of JavaScript. Hedin et al., CSF’12.
Staged Information Flow for JavaScript. Jhala et al., PLDI’09.
Efficient Purely-Dynamic Information Flow Analysis. Flanagan et al., PLAS’09.
An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications. Jang et al., CCS’10.
A Model for Delimited Information Release. Sabelfeld et al., ISSS’03.
On-the-fly Inlining of Dynamic Security Monitors. Magazinius et al., COSE’11.
IFlow / Secure Mashups:
AdJail – Practical Enforcement of Confidentiality and Integrity Policies. Louw et al., USENIX’10.
AdSafety – Type-Based Verification of JavaScript Sandboxing. Politz et al., USENIX’11.
Mashic: Automated Mashup Sandboxing. Luo et al., CSF’12.

Thank you!