Presentation is loading. Please wait.

Presentation is loading. Please wait.

Sandboxing JavaScript via Libraries and Wrappers Phu H. Phung University of Gothenburg, Sweden, and University of Illinois at Chicago.

Published byStephen Blankenship Modified over 9 years ago

Similar presentations

Presentation on theme: "Sandboxing JavaScript via Libraries and Wrappers Phu H. Phung University of Gothenburg, Sweden, and University of Illinois at Chicago."— Presentation transcript:

1 Sandboxing JavaScript via Libraries and Wrappers Phu H. Phung University of Gothenburg, Sweden, and University of Illinois at Chicago

2 About Me Receipt of international postdoc grant (3 years) by Swedish Research Council (VR), employed by Univ. of Gothenburg. Research Associate at UIC. PhD in Computer Science in 2011 from Chalmers University, Sweden. Hosted by OWASP & the NYC Chapter

3 Selected research projects –European WebSand (complete) End-to-end secure web framework –Secure Web Advertisements, funded by NSF (on-going) –Defensive Optimizing Compiler, funded by DARPA (on-going) Hosted by OWASP & the NYC Chapter

4 This talk Based on the two published papers: – PH Phung, L Desmet. A two-tier sandbox architecture for untrusted JavaScript, invited paper, JSTools’12.A two-tier sandbox architecture for untrusted JavaScript – P Agten, S Van Acker, Y Brondsema, PH Phung, L Desmet, F Piessens. JSand: complete client-side sandboxing of third-party JavaScript without browser modifications, ACSAC’12.JSand: complete client-side sandboxing of third-party JavaScript without browser modifications

5 92% of all websites use JavaScript [w3techs.com] “88.45% of the Alexa top 10,000 web sites included at least one remote JavaScript library” CCS’12 “88.45% of the Alexa top 10,000 web sites included at least one remote JavaScript library” CCS’12 5

6 Third-party JavaScript is everywhere Advertisements – Adhese ad network Social web – Facebook Connect – Google+ – Twitter – Feedsburner Tracking – Scorecardresearch Web Analytics – Yahoo! Web Analytics – Google Analytics … 6

7 Two basic composition techniques Iframe integration 7 … … 3 rd party

8 Two basic composition techniques 8 … … 3 rd party Script inclusion

9 Third-party JavaScript issues Third-party script inclusion run with the same privilege of the hosting page. Security issues: – Malicious third-party code – Trusted third-party is compromised – Confidentiality, integrity, and other security risks 9

10 Difficult issues with JavaScript JavaScript is a powerful language, but the language design is bad for security, e.g.: – Dynamic scripts: document.write, eval,... – Encapsulation leakage –... document.write(‘<scr’); document.write(‘ipt> malic’); var i= 1; document.write(‘ious code; </sc’); document.write(‘ript>’); malicious code; A lot of attacks were launched in practice 10

11 Malicious third-party JavaScript example The most reliable, cost effective method to inject evil code is to buy an ad. Principles of Security. Douglas Crockford http://fromonesrc.com/blog/page/2/

12 An attack scenario Million Browser Botnet (July 2013) – Leverage Advertising Networks using JavaScript to launch Application-Level DDoS – Paid on 2 ad networks for displaying treacherous advertisements on pages visited by hundreds of thousands of people – One day, got 13.6 million views of the ads, just spent less than $100 Jeremiah Grossman & Matt Johansen WhiteHat SECURITY 12

13 State-of-the-art Limit third-party code to safe subset of JavaScript – Facebook JS, ADSafe, ADSafety,... Browser-based sandboxing solutions – ConScript, WebJail, Contego,... Server-side transformations of scripts to be included – Google Caja, BrowserShield,... 13 No compatibility with existing scripts Browser modifications imply short-term deployment issues No direct script delivery to browser Great runtime overhead

14 Our approach A sandbox model for third-party JavaScript – Using only JS libraries and wrappers – Whitelist (least-privilege) implementation approach Only properties and objects defined in policies are available to the untrusted code – No browser modification is required – The third-party code is keep in original – Easily dealing with dynamic features of JavaScript 14 “Lightweight Self-Protecting JavaScript”, ASIACCS’09

15 Two-tier sandbox architecture 15 Sandbox running untrusted code, defined in a separate file e.g. `untrusted.js’ Sandbox running policy code, defined in a separate JS e.g. `policy.js’ Base-line API implementation, in e.g. `api.js’ file JavaScript environment, e.g. the DOM The untrusted code can only access objects returned by the outer sandbox

16 Two-tier sandbox architecture 16 var api = loadAPI(…); var outerSandbox = cajaVM.compileModule(policyCode); var enforcedAPI = outerSandbox(api); var innerSandbox = cajaVM.compileModule(untrustedCode); innerSandbox(enforcedAPI);

17 The architecture in multiple- principal untrusted code 17 Policy 2 Policy 1 untrusted Policy 3 untrusted Base-line API implementation, in e.g. `api.js’ file

18 Sandboxing untrusted code Use Secure ECMAScript (SES) library developed by Google Caja team – Load a piece of code to execute within an isolated environment The code can only interact with the outside world via provided APIs 18 var api = {...}; //constructing var makeSandbox = cajaVM.compileModule(untrustedCodeSrc); var sandboxed = makeSandbox(api);

19 Isolation technique: The SES library Object-capability environment Scripts can access – Objects they create themselves – Objects explicitly handed to them API Global context untrustedCode sandbox untrustedCode sandbox 19

20 Isolation technique: The SES library 20

21 Base-line APIs implementation Create a Virtual DOM – Intercepting wrapper around real DOM – Use Harmony Proxies to generically intercept property accesses on objects Virtual DOM implementation uses the Membrane Pattern – Wrap any object passed from DOM to sandbox (return values) – Unwrap any object passed from sandbox to DOM (arguments) 21

22 Wrapper example 22

23 Policy definition Base-line APIs implementation – Can enforce coarse-grained, generic policies, e.g.: Sanitize HTML Ensure complete mediation Fine-grained policies for multiple untrusted JavaScript code – Modular, principal-specific, e.g.: script1 is allowed to read/write elemt_A, script2 is allowed to read elemt_A – Stafeful, e.g.: limit the number of popups to 3 – Cross-principal stateful policies, e.g: after script1 write to elemt_A, disallow access from script2 to elemt_A 23

24 Deployment model Untrusted code is loaded into a string variable – Using server-side proxy + XMLHttpRequest (to overcome same origin policy) – CORS (Cross-Origin Resource Sharing) /UMP(Uniform Messaging Policy) headers set by the script provider var script = get(“http://3rdparty.com/script.js”); ses.execute(script,policy0); before after 24

25 Secure dynamic script evaluation Special handlers to intercept all methods that allow script tags to be added – node.appendChild, node.insertBefore, node.replaceChild, node.insertAfter – document.write, … – Event handlers in HTML, e.g. 1.Parse partial DOM tree/HTML 2.Execute scripts in the sandbox environment 25

26 Dynamic script loading in JavaScript Example from Google Maps 26

27 Different parsing techniques Via a sandboxed iframe 1.Create sandbox iframe 2.Set content via srcdoc attribute – Better performance – Parsed exactly as will be interpreted by browser – Executed asynchronously (Alternative) Via a HTML parsing library in JavaScript 27

28 Loading additional code in the sandbox External code needs to be executed in a previously set up sandbox – Loading API + glue code – Dynamic script loading Two new operations: – innerEval(code) – innerLoadScript(url) 28

29 Case studies Single principal code Multiple-principal code – Context-aware ads 29

30 Implementation challenges Legacy scripts need additional pre- processing to be compatible with the framework – Secure ECMAScript restrictions A subset of ECMAScritp strict mode Global variables aliased as window properties No ‘this’ auto coercion 30

31 JS transformation examples 31

32 Summary – A client-side JavaScript architecture for untrusted JavaScript Only using libraries and wrappers – Complete mediation using Secure ECMAScript DOM node operations JavaScript APIs – Backward compatibility No browser modifications Direct script delivery to the browser Support for legacy scripts 32

33 33

Download ppt "Sandboxing JavaScript via Libraries and Wrappers Phu H. Phung University of Gothenburg, Sweden, and University of Illinois at Chicago."

Similar presentations

Secure ECMAScript Name Subject To Change

Secure ECMAScript Name Subject To Change
Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
Context-Sensitive Auto-Sanitization In Web Templating Languages Using Type Qualifiers Prateek Saxena UC Berkeley Mike Samuel Google Dawn Song UC Berkeley.

Context-Sensitive Auto-Sanitization In Web Templating Languages Using Type Qualifiers Prateek Saxena UC Berkeley Mike Samuel Google Dawn Song UC Berkeley.
The Case for JavaScript Transactions Mohan Dhawan, Chung-chieh Shan, Vinod Ganapathy Department of Computer Science Rutgers University PLAS 2010.

The Case for JavaScript Transactions Mohan Dhawan, Chung-chieh Shan, Vinod Ganapathy Department of Computer Science Rutgers University PLAS 2010.
0 The Past, Present and Future of XSS Defense Jim Manico 2011 OWASP Brussels.

0 The Past, Present and Future of XSS Defense Jim Manico 2011 OWASP Brussels.
GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.

GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.
HTML 5 and CSS 3, Illustrated Complete Unit L: Programming Web Pages with JavaScript.

HTML 5 and CSS 3, Illustrated Complete Unit L: Programming Web Pages with JavaScript.
I'll see your cross site scripting and raise you a Content Security Policy Lou Leone :: Rochester OWASP.

I'll see your cross site scripting and raise you a Content Security Policy Lou Leone :: Rochester OWASP.
1 Yinzhi Cao, Zhichun Li *, Vaibhav Rastogi, Yan Chen, and Xitao Wen Labs of Internet Security and Technology Northwestern University * NEC Labs America.

1 Yinzhi Cao, Zhichun Li *, Vaibhav Rastogi, Yan Chen, and Xitao Wen Labs of Internet Security and Technology Northwestern University * NEC Labs America.
The Web Warrior Guide to Web Design Technologies

The Web Warrior Guide to Web Design Technologies
Georgios Kontaxis, Michalis Polychronakis Angelos D. Keromytis, Evangelos P. Markatos Siddhant Ujjain (2009cs10219) Deepak Sharma (2009cs10185)

Georgios Kontaxis, Michalis Polychronakis Angelos D. Keromytis, Evangelos P. Markatos Siddhant Ujjain (2009cs10219) Deepak Sharma (2009cs10185)
Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.

Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
Site and user security concerns for real time content serving Chris Mejia, IAB Sean Snider, Yahoo! Prabhakar Goyal, Microsoft.

Site and user security concerns for real time content serving Chris Mejia, IAB Sean Snider, Yahoo! Prabhakar Goyal, Microsoft.
Frame isolation and the same origin policy Collin Jackson CS 142 Winter 2009.

Frame isolation and the same origin policy Collin Jackson CS 142 Winter 2009.
Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)

Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)
1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.

1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.
Subspace: Secure Cross-Domain Communication for Web Mashups Collin Jackson Stanford University Helen J. Wang Microsoft Research ACM WWW, May, 2007 Presenter:

Subspace: Secure Cross-Domain Communication for Web Mashups Collin Jackson Stanford University Helen J. Wang Microsoft Research ACM WWW, May, 2007 Presenter:
Subspace: Secure Cross-Domain Communication for Web Mashups In Proceedings of the 16th International World Wide Web Conference. (WWW), 2007 Collin Jackson,

Subspace: Secure Cross-Domain Communication for Web Mashups In Proceedings of the 16th International World Wide Web Conference. (WWW), 2007 Collin Jackson,
var site=s15gizmodo var site=s15gizmodo

var site="s15gizmodo" var site="s15gizmodo"

Similar presentations

Ads by Google