Download presentation
Presentation is loading. Please wait.
Published byConstance Gibson Modified over 9 years ago
1
Mashup Security by Compilation Tamara Rezk These slides discuss joint work with Zhengqin Luo and Jose Santos February 22 nd, 2013
2
Web Client Mashup Client-side web application Integrating third- party gadgets Great way for code reuse! Google Maps Gadget Integrator’s Housing Data
3
Different kind of Mashups The integrator uses the gadget as a libraryThe gadget reads state from the integrator gadget
4
Programming model Mashups written in HTML + Javascript; Two ways to include external gadgets: – Using script tag – Using frame tag
5
Script tag - oversharing Gadget has integrator privileges Full exposure JS execution environment Google Maps GadgetIntegrator’s Housing Data
6
Script tag – security violations Confidentiality violation var steal = window[“integratorSecret”] Integrity violation window[“price”] = newPrice Google Maps GadgetIntegrator’s Housing Data
7
Script tag – integrity violation var fac= function(x) { if (x <= 1) { return 1; } return x*fac(x-1); } r = fac(3); s = "alert("+r+")“ setTimeout(s, 100)
8
Script tag - integrity violation Content of http://untrusted.com/untrustedAD.js setTimeout = function() { EVIL CODE HERE }
9
Embedded frame – undersharing Gadget has no privileges Isolation of JS execution environment between integrator and gadget Same Origin Policy Google Maps GadgetIntegrator’s Housing Data X
10
Embedded frame – undersharing Isolation of JS execution: Confidentiality violation var steal = window[“integratorSecret”] Integrity violation window[“price”] = newPrice Google Maps GadgetIntegrator’s Housing Data X X
11
Script versus Frame Tag Script tag: – exposes the integrator’s JS environment – unlimited communication – not secure Frame tag: – isolates the environment of gadget and integrator – communication is limited – more secure than script In practice: sacrifice security in the name of functionality!
12
HTML5 and Inter-frame communication Frame can communicate with integrator via PostMessage: – confidentiality – authentication GadgetIntegrator listener in gadget listener in integrator
13
HTML5 and Inter-frame communication The Postmash design was proposed by Barth, Jackson, and Li [09] Put untrusted code in embedded frame; Two stub libraries; Proxy e.g. method invocation by message- passing; No need to change untrusted code !! Google Maps GadgetIntegrator’s Housing Data Stub library in gadget Stub library in integrator
14
Postmash How to transform an insecure mashup to a mashup following the Postmash design? – Manually writing two stub libraries (gadget dependent); – Manually rewriting of integrators’ code; Our proposal : automate it and characterize the security property that it enforces: Mashic Compiler [CSF’ 12]
15
Our proposal: Mashic Compiler A generic proxy and listener library – Gadget independent! Integrator transform: – Adapt to asynchronous communication, – Use the proxy library Mashic compiler – Input: insecure mashup – Output: secured mashup Proofs: – Correctness benign gadget – Security JS small-step semantics of Maffeis et al. with rules to model the same origin policy
16
Mashic compiler - Overview P g : gadget code P i : integrator code Mashic compiler I Proxy Bootstrap-I C(I) where Web(u’ ) = Listener
17
Opaque Handle Opaque Handles – Integrator’s reference to gadget’s object – E.g.: { is_handle: true id : 42} Inside gadget – 42 maps to the real object. Gadget independent! Integrator Framed gadget
18
Proxy and listener Proxy provides interfaces using opaque handles: 1.Example: GET_PROPERTY(ohandle,prop,cont) 2.Send (“get property”, ohandle, prop) via Postmessage 3.Listener reacts to message: 1.E.g. if ohandle { is_handle: true, id : 42} -> { “prop”: 4}, then listener responds with 4. 4.Proxy receives the response, applies the continuation cont to 4. Integrator Framed gadget
19
A minimal set of Proxy Interfaces GET_GLOBAL_REF – Get global property CALL_METHOD – Call a method CALL_FUNCTION – Call a function ASSIGN_PROPERTY – Property assignment General enough to encode most real-world mashups!!
20
Integrator transformation PostMessage is asynchronous; So is our proxy interface; Automated CPS transformation and call to proxy interfaces of old integrator code An example of rule
21
Realistic core JS subset Small-step core JS semantics adopted from Maffeis et al. [08]; Extended with DOM semantics and message-passing; A decorated (colored heap) semantics;
22
Decorated Semantics programs run as colored principal heaps contain objects with properties that are colored
23
Formal Guarantees Correctness guarantees: – If the gadget is benign, then the compiled mashup behaves as the original one. Security guarantees: – If the gadget is not benign, nothing “bad” can happen in the compiled mashup.
24
Benign gadget Intuitively: Integrity: A gadget does not try to write a property belonging to the integrator; Confidentiality: A gadget does not try to read a property of the integrator; Formally defined:
25
Correctness Theorem For a benign gadget, the compiled mashup reaches a final configuration indistinguishable with the one reachable from the original mashup.
26
Security Theorem For any gadget, the compiled mashup provides integrity and confidentiality for the integrator.
27
Prototype Implementation A prototype compiler written in Bigloo (a dialect of scheme) – 3.3k loc of bigloo and 0.8k loc of Javascript Applied to various mashups:
28
Benign Gadget: Passive Gadget Assumption The compiled mashup preserves the original semantics Theorem After Mashic compilation, the malicious gadget cannot read/write information belonging to the integrator. CorrectenessSecurity Mashic: Summary Plus Browser Independence Gadget Independence
29
Extending Mashic Challenge Handle Active Gadgets How? Gadgets must be allowed to access integrator objects Add an Access Control layer between gadgets and the integrator
30
Supporting Active Gadgets Integrator.js Gadget A iframe Page.html Allow two-sided communication Current Mashic Goal Add proxy and listener libraries to both the gadget iframe and to the integrator code Listener Proxy Listener Proxy Control the communication from the gadget to the integrator Uncontrolled Controlled Integrator
31
Controlling Gadget – Integrator Com. Integrator.js Gadget A iframe Page.html How? Listener Proxy Listener Proxy Uncontrolled Controlled 1 Establish a lattice of security levels 2 Assign a security level to each integrator resource 4 Check all the gadget – integrator accesses at runtime 3 Assign a security level to each gadget Confidentiality Integrity LcLc LILI LcxLILcxLI v l where l is in L c x L I ∑ : Gadgets → L c x L I Integrator Gadget A
32
Ext Mashic: Soundness and Security Benign Gadget: A gadget that only tries to access integrator information compatible with its security level Assumption The compiled mashup preserves the original semantics Theorem After Mashic compilation, the malicious gadget can only read/write integrator information compatible with its security level. CorrectenessSecurity
33
Information Flow control needed for the integrator code! (and only the integrator code)
34
Information Flow Control needed Separation of the gadget using iframe : no need to analyze gadget code Existing work on dynamic monitors (browser dependent): Hedin and Sabelfeld, 12 Austin and Flanagan, 09,10,12 Inlining of dynamic security monitors (browser independent) : Sabelfeld et al ‘’10 Chudnov and Naumann’ 10
35
Information Flow Control Labeling in JavaScript Confidentiality Integrity LcLc LILI LcxLILcxLI var o = {}; o[f()] = 1 f() is a function that returns a dynamically computed string In the final memory o has a new property unknown before execution! Static labeling is not always possible.
36
Labeling Values Original Object Runtime Labeling p 1 : v 1 p 2 : v 2 p 3 : v 3 p n : v n … Labeled Object p 1 : (v 1,,l 1 ) p 2 : (v 2, l 2 ) p 3 : (v 3, l 3 ) p n : (v n, l n ) … l o : l Security Level of the object Security levels of the object property values
37
Labeling Values and Instrumentation Source Integrator Code … if(x) { y = y + x; } else { alert(“hello world”) } Source Integrator Code … if(x.value) { l pc = x.level ˅ l pc ; y.value = y.value + x.value; y.level = x.level ˅ y.level ˅ l pc ; } else { alert(“hello world”) }
38
Labeling Values and Instrumentation Source Integrator Code … if(x) { y = y + x; } else { alert(“hello world”) } Source Integrator Code … if(x.value) { l pc = x.level ˅ l pc ; y.value = y.value + x.value; y.level = x.level ˅ y.level ˅ l pc ; } else { alert(“hello world”) } code instrumentation: a new object for each value in the program!
39
Labeling Properties Original Object Runtime Labeling p 1 : v 1 p 2 : v 2 p 3 : v 3 p n : v n … Labeled Object (p 1,l 1 ) : v 1 (p 2,l 2 ): v 2 (p n,l n ) : v n … l o : l
40
Labeling Properties Original Object Runtime Labeling p 1 : v 1 p 2 : v 2 p 3 : v 3 p n : v n … Labeled Object (p 1,l 1 ) : v 1 (p 2,l 2 ): v 2 (p n,l n ) : v n … l o : l code instrumentation: a property for each object (mapping properties of the object to labels)
41
Labeling Properties Inlining security monitors becomes more efficient (no need for an object per value in the program) Opens the path to combining dynamic and static JavaScript analysis
42
Dynamic Semantics, extracting constrains constrains
43
Conclusions Mashic Compiler: – assumption: gadgets used as libraries – correctness under assumption – security guarantees based on SOP, characterized as IF where everything in the integrator is treated as top security level – compilation: gadget and browser independent!
44
Conclusions Mashic Compiler Extension: – assumption: two way communication with AC – correctness under assumption – security guarantees based on information flow security – compilation: IF analysis for the integrator using code instrumentation gadget independence regarding IF analysis browser independence
45
Open Questions IF analysis for the integrator using code instrumentation: – Combining with static analysis? If part of the code is in a static typable subset [Maffeis 2010] then type check and instrument the rest. Gadget independence regarding IF analysis: – Still have to adapt to asynchrony of PostMessage … what’s a good solution to this? shadow pages? [Adjail 2010] Making the web ad business model secure and practical?
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.