Presentation is loading. Please wait.

Presentation is loading. Please wait.

GRADUAL TYPING EMBEDDED SECURELY IN JAVASCRIPT Aseem Rastogi University of Maryland, College Park Joint Work With: Nikhil Swamy, Cédric Fournet, Karthikeyan.

Published byCecil Adams Modified over 9 years ago

Similar presentations

Presentation on theme: "GRADUAL TYPING EMBEDDED SECURELY IN JAVASCRIPT Aseem Rastogi University of Maryland, College Park Joint Work With: Nikhil Swamy, Cédric Fournet, Karthikeyan."— Presentation transcript:

1 GRADUAL TYPING EMBEDDED SECURELY IN JAVASCRIPT Aseem Rastogi University of Maryland, College Park Joint Work With: Nikhil Swamy, Cédric Fournet, Karthikeyan Bhargavan, Juan Chen, Pierre-Yves Strub, Gavin Bierman POPL'14TS* 1

2 Architecture of JavaScript Applications POPL'14TS* 2 Application Libraries (e.g. JQuery) Libraries (e.g. JQuery) Untrusted (e.g. ads) Untrusted (e.g. ads) Shared Global State (e.g. Object.prototype, String.prototype, Array.prototype) Shared Global State (e.g. Object.prototype, String.prototype, Array.prototype) All scripts execute in the same environment

3 At Least It’s Dynamically Type Safe POPL'14TS* 3 var x = 0; x(17); ~>* TypeError /* cannot apply a non-function */ Provides some useful security properties var x = 0x1234567; x.f(); ~>* TypeError /* cannot forge an address */

4 function protect(rawSend) { var whitelist = { “www.microsoft.com/mail” : true, “www.microsoft.com/owa” : true }; return function(url, msg) { if(whitelist[url]) rawSend(msg); } Or Is It ? POPL'14TS* 4 function send(url, msg) { /* e.g. XMLHttpRequest */ … } Object.prototype[“evil.com”] = true; Goal : Protect the send message function to restrict malicious URLs send(“evil.com”, “gotcha”); Attacker Succeeds ! Also looks up in Object.prototype window.send = protect(send);

5 Type Errors ≈ Security Vulnerabilities POPL'14TS* 5 Attacker can exploit missing property accesses Can execute arbitrary JavaScript Need a stronger notion of type safety !

6 Stronger Type Safety for JavaScript ? DJS (Chugh et. al.), DJS(Maffeis et. al.), JSVerify(Swamy et. al.), JSVerify(Gardner et. al.), Adsafety(Guha et. al.), SES-light(Taly et. al.), Moller et. al., … POPL'14TS* 6 Handle only subsets of JavaScript Cannot ignore the adversary Lots of crazy stuff eval Proxies Stack walking Prototype poisoning Global namespace corruption …

7 Attempts to Handle Full JavaScript ? TypeScript, Closure Great in increasing programmer productivity But Not Type Safe POPL'14TS* 7

8 We ask … Can we provide stronger JS type safety While accounting for the full ECMAScript5 language Unrestricted adversary And still retaining idiomatic JS programming interface 8 TS*POPL'14

9 TS ★ : Gradual Type System for All of JavaScript Statically typed core number, bool, string T 1 T 2 { f i : T i } (mutable, extensible) ADTs Dynamically typed fragment any JSON Runtime type tests Un typed adversary arbitrary JavaScript unmodified unverified unrestricted Run time checks mediate interactions 9 TS*POPL'14 U U D D S S

10 Key Invariants of TS ★ 10 TS*POPL'14 U U D D S S Static Safety: Statically typed code is safe without any runtime checks Dynamic Safety: Runtime types are always refinements of static types Memory Isolation: No un-location referenced directly in static/any code No static/any reference leaked to un-code

11 Key Idea: Gradual Security ad.js lib.js app.js function protect(rawSend) { var whitelist = { “www.microsoft.com/mail” : true, “www.microsoft.com/owa” : true }; return function(url, msg) { if(whitelist[url]) rawSend(msg); } 11 TS*POPL'14 Identify security critical code

12 Key Idea: Gradual Security ad.js lib.js app.js 12 TS*POPL'14 function protect(rawSend) function protect(rawSend:(string,string)=>any) { var whitelist = { “www.microsoft.com/mail” : true, “www.microsoft.com/owa” : true }; return function(url:string, msg:string) { if(whitelist[url]) rawSend(msg); } Identify security critical code Port to TS ★

13 Key Idea: Gradual Security ad.js lib.js app.js 13 TS*POPL'14 function protect(rawSend) function protect(rawSend:(string,string)=>any) { var whitelist = { “www.microsoft.com/mail” : true, “www.microsoft.com/owa” : true }; return function(url:string, msg:string) { if(whitelist[url]) rawSend(msg); } Identify security critical code Port to TS ★ function protected() { function protect(rawSend) { … } return wrap (protect); } window.send = protected(); TS ★ Compile

14 Key Idea: Gradual Security ad.js lib.js app.js 14 TS*POPL'14 function protect(rawSend) Identify security critical code Port to TS ★ Compile function protected() { function protect(rawSend) { … } return wrap (protect); } window.send = protected(); Drop-in in the app function protect(rawSend:(string,string)=>any) { var whitelist = { “www.microsoft.com/mail” : true, “www.microsoft.com/owa” : true }; return function(url:string, msg:string) { if(whitelist[url]) rawSend(msg); } TS ★

15 Gradual Security – Initial Experience OWASP CSRFGuard and Facebook API Reported many attacks Both widely used and security critical libraries Ported critical fragments to TS ★ Easy to argue correctness in the presence of memory isolation Secure, High Integrity, and Efficient HTML5 localStorage POPL'14TS* 15 (http://rise4fun.com/FStar/tutorial/tsStar)http://rise4fun.com/FStar/tutorial/tsStar

16 TS ★ Gradual Typing Overview POPL'14TS* 16 U U D D S S Based on runtime type information (RTTI) Point { x = 2, y = 3 } type Point = { x:number; y:number } Compiled as is Compiled with runtime checks to respect RTTI tags Library provided wrappers ensure memory isolation

17 var o = { x : true }; o.x = 2; o.y = 3; diag(o); function bar(q) { q.x = true; } TS ★ Tour with Example type Point = { x:number; y:number } function diag(p:Point) : Point { bar(p); p.x = p.y; return p; } TS ★ JS 17 TS*POPL'14

18 var o = { x : true }; o.x = 2; o.y = 3; diag(o); function bar(q) { q.x = true; } Compilation of Statically Typed Code type Point = { x:number; y:number } function diag(p:Point) : Point { bar(p); p.x = p.y; return p; } TS ★ JS 18 TS*POPL'14 function diag(p) { bar(p); p.x = p.y; return p; } (Statically typed code is safe as is )

19 var o = { x : true }; o.x = 2; o.y = 3; diag(o); function bar(q) { q.x = true; } RTTI Instrumentation type Point = { x:number; y:number } function diag(p:Point) : Point { bar(p); p.x = p.y; return p; } TS ★ JS 19 TS*POPL'14 diag.rtti = [[Point Point]] function diag(p) { bar(p); p.x = p.y; return p; } (Statically typed code is safe as is )

20 var o = { x : true }; o.x = 2; o.y = 3; diag(o); function bar(q) { q.x = true; } RTTI Instrumentation type Point = { x:number; y:number } function diag(p:Point) : Point { bar(p); p.x = p.y; return p; } TS ★ JS 20 TS*POPL'14 diag.rtti = [[Point Point]] function diag(p) { bar(p); p.x = p.y; return p; } (Statically typed code is safe as is ) (Compiled with runtime type checks)

21 var o = { x : true }; o.x = 2; o.y = 3; diag(o); function bar(q) { q.x = true; } ◄ Runtime Checks on RTTI (Dynamic Safety) type Point = { x:number; y:number } function diag(p:Point) : Point { bar(p); p.x = p.y; return p; } TS ★ JS any { x = true } o:o: 21 TS*POPL'14

22 var o = { x : true }; o.x = 2; o.y = 3; diag(o); function bar(q) { q.x = true; } ◄ Runtime Checks on RTTI (Dynamic Safety) type Point = { x:number; y:number } function diag(p:Point) : Point { bar(p); p.x = p.y; return p; } TS ★ JS any { x = true } o:o: Is o a record ? Does o.x = 2 respect o ’s rtti ? ✔ any { x = 2 } o:o: 22 TS*POPL'14

23 var o = { x : true }; o.x = 2; o.y = 3; diag(o); function bar(q) { q.x = true; } ◄ Runtime Checks on RTTI (Dynamic Safety) type Point = { x:number; y:number } function diag(p:Point) : Point { bar(p); p.x = p.y; return p; } TS ★ JS any { x = true } o:o: Is o a record ? Does o.y = 3 respect o ’s rtti ? ✔ any { x = 2 } o:o: any { x = 2, y = 3 } o:o: 23 TS*POPL'14

24 var o = { x : true }; o.x = 2; o.y = 3; diag(o); function bar(q) { q.x = true; } ◄ Dynamically Typed to Statically Typed type Point = { x:number; y:number } function diag(p:Point) : Point { bar(p); p.x = p.y; return p; } TS ★ JS any { x = 2, y = 3 } o:o: 24 TS*POPL'14

25 var o = { x : true }; o.x = 2; o.y = 3; diag(o); function bar(q) { q.x = true; } ◄ Attempt 1 : Use Higher Order Casts for Mutable Records type Point = { x:number; y:number } function diag(p:Point) : Point { bar(p); p.x = p.y; return p; } TS ★ JS 25 TS*POPL'14 var o’ = { get x() { if hasOwnProperty(o, “x”) … }; get y() { … }; set x(v) { … }; set y(v) { … }; } diag(o’);

26 var o = { x : true }; o.x = 2; o.y = 3; diag(o); function bar(q) { q.x = true; } ◄ Problems with Higher Order Casts type Point = { x:number; y:number } function diag(p:Point) : Point { bar(p); p.x = p.y; return p; } TS ★ JS 26 TS*POPL'14 var o’ = { get x() { … }; get y() { … }; set x(v) { … }; set y(v) { … }; } diag(o’); 1.Lazy failures in statically typed code Undesirable for security critical applications Performance penalty for casts reduction 2.Space inefficient Might recover with fancy coercion reductions 3.Breaks object identity o === o’ ?

27 var o = { x : true }; o.x = 2; o.y = 3; diag(o); function bar(q) { q.x = true; } ◄ Gradual Typing with RTTI type Point = { x:number; y:number } function diag(p:Point) : Point { bar(p); p.x = p.y; return p; } TS ★ JS ✔ any { x = 2, y = 3 } o:o: Does o look like a Point ? If so, tag it. ( setTag ) Point { x = 2, y = 3 } o, p : 27 TS*POPL'14

28 Monotonic Evolution of RTTI POPL'14TS* 28 t0 v0 t2 v2 t1 v1 tn vn v0:t0 v1:t 1 v2:t2 vn:tn … RTTI is always a sound approximation of a runtime value RTTI evolves monotonically w.r.t the subtyping relation t0 :> t1 :> t2 :> … :> tn

29 type Point = { x:number; y:number } function diag(p:Point) : Point { bar(p); p.x = p.y; return p; } var o = { x : true }; o.x = 2; o.y = 3; diag(o); function bar(q) { q.x = true; } ◄ Seamless Transition from Statically Typed to Dynamically Typed TS ★ JS Seamless via subtyping – Point <: any. Point { x = 2, y = 3 } o, p : 29 TS*POPL'14

30 function bar(q) { q.x = true; } type Point = { x:number; y:number } function diag(p:Point) : Point { bar(p); p.x = p.y; return p; } var o = { x : true }; o.x = 2; o.y = 3; diag(o); ◄ RTTI Violations Cause Runtime Failures TS ★ JS Point { x = 2, y = 3 } o, p, q : Is q a record ? Does q.x = true respect q ’s rtti ? ✗ Runtime failure 30 TS*POPL'14

31 function bar(q) { q.color = “red”; } type Point = { x:number; y:number } function diag(p:Point) : Point { bar(p); p.x = p.y; return p; } var o = { x : true }; o.x = 2; o.y = 3; diag(o); ◄ Runtime Checks on RTTI (Dynamic Safety) TS ★ JS Point { x = 2, y = 3 } o, p, q : Is q a record ? Does q.color = “red” respect q ’s rtti ? ✔ Point { x = 2, y = 3, color = “red” } o, p, q : 31 TS*POPL'14

32 function bar(q) { q.color = “red”; } type Point = { x:number; y:number } function diag(p:Point) : Point { bar(p); p.x = p.y; return p; } var o = { x : true }; o.x = 2; o.y = 3; diag(o); ◄ Statically Typed Code Executes As Is TS ★ JS Point { x = 2, y = 3, color = “red” } o, p, q : Executes as expected, without any checks. 32 TS*POPL'14

33 Key Invariants of TS ★ 33 TS*POPL'14 U U D D S S Static Safety: Statically typed code is safe without any runtime checks Dynamic Safety: Runtime types are always refinements of static types Memory Isolation: No un-location referenced directly in static/any code No static/any reference leaked to un-code

34 type Point = { x:number; y:number } function diag(p:Point) : Point { baz(p); p.x = p.y; return p; } function baz(q) { … } Memory Isolation from Un TS ★ JS Unmodified, unverified, unrestricted. 34 TS*POPL'14

35 type Point = { x:number; y:number } function diag(p:Point) : Point { baz(p); p.x = p.y; return p; } function baz(q) { delete q.x; } Memory Isolation from Un TS ★ JS Unmodified, unverified, unrestricted. 35 TS*POPL'14 function baz(q) { delete q.rtti; } function baz(q) { q.rtti = “junk”; } How to protect invariants ?

36 type Point = { x:number; y:number } baz : Un function diag(p:Point) : Point { baz(p); p.x = p.y; return p; } function baz(q) { … } Memory Isolation from Un TS ★ A second dynamic type Un Abstract type: not related to any other type Point <: any <\: Un { f : number; g : Un } <: { g : Un } <\: { } 36 TS*POPL'14

37 type Point = { x:number; y:number } baz : Un function diag(p:Point) : Point { baz(p); p.x = p.y; return p; } function baz(q) { … } Memory Isolation from Un TS ★ Compile error : Cannot apply an Un typed term 37 TS*POPL'14

38 type Point = { x:number; y:number } baz : Un function diag(p:Point) : Point { wrap (baz)(p); p.x = p.y; return p; } function baz(q) { … } Memory Isolation from Un TS ★ Library provided wrappers, ensure memory isolation 38 TS*POPL'14

39 Wrappers Enforce Heap Shape Invariant POPL'14TS* 39 un fragmentStatic and any-typed DMZ (stubs) Non-Un values completely independent of untrusted global state (prototypes etc.) – thus send/protect example is secure in TS ★ TS ★ runtime system needs “first starter privileges” on the page

40 Facebook API Example POPL'14TS* 40 Untrusted web page Facebook API Iframe Retrieves user’s access token Gives access token to the untrusted page if it’s authorized by user Wants to connect to Facebook on current user’s credentials

41 Facebook API Sample Code POPL'14TS* 41 function decode(s) { var res = { }; if(s === “”) return res; var p = String.split(s,“&”); for(var k in p) { var kv = String.split(p[k],“=“); res[kv[“0”]] = kv[“1”]; } return res; } function checkOrigins(g, e) { for(var k in e) { if(g === e[k]) return true; } return false; }

42 Example Vulnerabilities in Facebook API POPL'14TS* 42 function checkOrigins(g, e) { for(var k in e) { if(g === e[k]) return true; } return false; } Attacks similar to protect/send (Using Object.prototype) function decode(s) { var res = { }; if(s === “”) return res; var p = String.split(s,“&”); for(var k in p) { var kv = String.split(p[k],“=“); res[kv[“0”]] = kv[“1”]; } return res; }

43 function decode(s:string):any { var res = { }; if(s === “”) return res; var p = String.split(s,“&”); for(var k in p) { var kv = String.split(p[k],“=“); res[kv[“0”]] = kv[“1”]; } return res; } Porting Facebook API to TS ★ POPL'14TS* 43 function checkOrigins(g:string, e:array string):bool { for(var k in e) { if(g === e[k]) return true; } return false; }

44 Also in the paper … More details on the wrappers Formal translation from TS ★ to JavaScript Formalization of TS ★ in JSVerify † Type soundness theorem and proof sketch A standards based mechanism for first starter privileges More examples † Swamy et. al. PLDI’ 13 See our paper ! 44 TS*POPL'14

45 TS ★ :The First JavaScript Type System To Provide strong type safety in a modular way While accounting for ALL of JavaScript http://research.microsoft.com/en- us/um/people/nswamy/Playground/TSSecure/index. html POPL'14TS* 45

Download ppt "GRADUAL TYPING EMBEDDED SECURELY IN JAVASCRIPT Aseem Rastogi University of Maryland, College Park Joint Work With: Nikhil Swamy, Cédric Fournet, Karthikeyan."

Similar presentations

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
Safe TypeScript Aseem Rastogi University of Maryland, College Park

Safe TypeScript Aseem Rastogi University of Maryland, College Park
Taming JavaScript with F* Nikhil Swamy Microsoft Research.

Taming JavaScript with F* Nikhil Swamy Microsoft Research.
0 The Past, Present and Future of XSS Defense Jim Manico 2011 OWASP Brussels.

0 The Past, Present and Future of XSS Defense Jim Manico 2011 OWASP Brussels.
WEAVING CODE EXTENSIONS INTO JAVASCRIPT Benjamin Lerner, Herman Venter, and Dan Grossman University of Washington, Microsoft Research.

WEAVING CODE EXTENSIONS INTO JAVASCRIPT Benjamin Lerner, Herman Venter, and Dan Grossman University of Washington, Microsoft Research.
GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.

GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee 2007. 04. 23.

Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee
Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.

Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
Mashup Security by Compilation Tamara Rezk These slides discuss joint work with Zhengqin Luo and Jose Santos February 22 nd, 2013.

Mashup Security by Compilation Tamara Rezk These slides discuss joint work with Zhengqin Luo and Jose Santos February 22 nd, 2013.
Extensibility, Safety and Performance in the SPIN Operating System Brian Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, David Becker, Marc.

Extensibility, Safety and Performance in the SPIN Operating System Brian Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, David Becker, Marc.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Safe & Efficient Gradual Typing for TypeScript Aseem Rastogi University of Maryland, College Park Nikhil Swamy Cédric Fournet Gavin Bierman Panagiotis.

Safe & Efficient Gradual Typing for TypeScript Aseem Rastogi University of Maryland, College Park Nikhil Swamy Cédric Fournet Gavin Bierman Panagiotis.
Active Messages: a Mechanism for Integrated Communication and Computation von Eicken et. al. Brian Kazian CS258 Spring 2008.

Active Messages: a Mechanism for Integrated Communication and Computation von Eicken et. al. Brian Kazian CS258 Spring 2008.
A Type System for Expressive Security Policies David Walker Cornell University.

A Type System for Expressive Security Policies David Walker Cornell University.

Similar presentations

Ads by Google