1. JavaScript Heap Analysis: From Browser Exploits to Safe JavaScript Subsets Adam Barth Joel Weinberger Matt Finifter Dawn Song University of California, Berkeley This presentation is copyright © 2009 Joel Weinberger

2. JavaScript Contexts JavaScript Context 1 JavaScript Context 2JavaScript Context 3

3. Overview Current JavaScript Security Model Cross-Origin JavaScript Capability Leaks Capability Leak Detection Browser Defense Mechanism Safe JavaScript Subsets

4. The DOM and Access Control DOM Reference Monitor Object JavaScript Context Granted Access?

5. The DOM and Access Control DOM Reference Monitor Object JavaScript Context Granted Access?

6. The DOM and Access Control DOM Reference Monitor Object JavaScript Context Denied Access?

7. The JS Engine and Capabilities Object 1Object 2 AccessibleInaccessible JavaScript Context

8. DOM vs JS Engine The DOM provides an access control layer

9. DOM vs JS Engine The DOM provides an access control layer The JavaScript engine treats objects as capabilities

10. Overview Current JavaScript Security Model Cross-Origin JavaScript Capability Leaks Capability Leak Detection Browser Defense Mechanism Safe JavaScript Subsets

11. Cross-Context References Window 1Window 2 Global Object document function foo () document function bar ()

12. Cross-Context References Window 1Window 2 Global Object document function foo () document function bar ()

13. Cross-Context References Window 1Window 2 Global Object document function foo () document function bar ()

14. Cross-Context References Window 1Window 2 Global Object document function foo () document function bar ()

15. DOM meets JS Engine JavaScript Context 1JavaScript Context 2 DOM Reference Monitor Object Access?

16. DOM meets JS Engine JavaScript Context 1JavaScript Context 2 DOM Reference Monitor Object Access Granted

17. DOM meets JS Engine JavaScript Context 1JavaScript Context 2 DOM Reference Monitor Object Granted Access?

18. DOM meets JS Engine JavaScript Context 1JavaScript Context 2 DOM Reference Monitor Object Granted Access?

19. DOM meets JS Engine JavaScript Context 1JavaScript Context 2 DOM Reference Monitor Object Granted Access? Cross-Origin JavaScript Capability Leak

20. Overview Current JavaScript Security Model Cross-Origin JavaScript Capability Leaks Capability Leak Detection Browser Defense Mechanism Safe JavaScript Subsets

21. JavaScript Heap Inspection ObjectGlobal ObjectObject ? Global Object

22. Instrumentation In the JavaScript Engine object system Object creation, destruction, and reference Calls into analysis library

23. Empty Page Heap Graph

24. google.com Heap Graph

25. Graph Stats empty page – 82 nodes – 170 edges google.com – 384 nodes – 733 edges store.apple.com/us – 5332 nodes – 11691 edges gmail.com – 55106 nodes – 133567 edges

26. Computing JavaScript Contexts Object Prototype Global Object Object

27. Computing JavaScript Contexts Object Prototype Object Global Object Object __proto__

28. Generated Coverage Total WebKit tests: – 9957 tests …but most of these tests are for drawing Security tests: – 143 tests

29. Example Vulnerability

30. 2 WebKit Vulnerabilities Major flaws in CrossSafe cross-domain JSON request library

31. Overview Current JavaScript Security Model Cross-Origin JavaScript Capability Leaks Capability Leak Detection Browser Defense Mechanism Safe JavaScript Subsets

32. Access Control Checks Window 1Window 2 Global Object document function foo () document function bar ()

33. Access Control Checks Window 1Window 2 Global Object document function foo () document function bar ()

34. General Benchmarks

35. Overview Current JavaScript Security Model Cross-Origin JavaScript Capability Leaks Capability Leak Detection Browser Defense Mechanism Safe JavaScript Subsets

36. Safe JavaScript Subets

38. Dynamically Enforced Containment readwrite Cajita21%20% Valija1493%1000% Microsoft Web Sandbox1217%634% Slowdown on the “read” and “write” micro-benchmarks, average of 10 runs

39. Statically Verified Containment ADsafe Dojo Secure Jacaranda

40. Statically Verified Containment ADsafe Dojo Secure Jacaranda

41. Statically Verified Containment

43. Potential Exploits in Alexa 100

45. ADsafe Guest Accessible Object Safe Object foo bar

46. ADsafe Guest Accessible Object Unsafe Object Safe Object foo bar Safe Object

47. Blancura Guest Accessible Object Safe Object BLANCURA_OBJ_foo BLANCURA_OBJ_bar Unsafe Object

48. Conclusion Heap Graph Analysis can be used to find vulnerabilities in web browsers – And these exploits can be eliminated Heap Graph Analysis can reveal properties of JavaScript code Static Containment for JavaScript subsets can be useful and safe

49. Conclusion Check out http://webblaze.cs.berkeley.edu http://webblaze.cs.berkeley.edu/2009/heapgraph – Heap Graph Tool and Access Control Prototype for WebKit – USENIX Security 2009 Paper

50. WebKit Unmodified vs. Access Control