Presentation is loading. Please wait.

Presentation is loading. Please wait.

ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo Meyerovich UC Berkeley Benjamin Livshits Microsoft.

Published byColeen McKinney Modified over 9 years ago

Similar presentations

Presentation on theme: "ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo Meyerovich UC Berkeley Benjamin Livshits Microsoft."— Presentation transcript:

1 ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo Meyerovich UC Berkeley Benjamin Livshits Microsoft Research

2 2

3 Complications 3 Benign but buggy: who is to blame? Benign but buggy: who is to blame? Code constantly evolving How do we maintain quality? Code constantly evolving How do we maintain quality? Downright malicious Prototype hijacking Downright malicious Prototype hijacking

4 Developer’s Dilemma 4 Other people’s code can’t be trusted Mashups mean including code

5 Only Allow eval of JSON 5 eval(“([{‘hello’: ‘Oakland’}, 2010])”)eval(“(xhr.open(‘evil.com’);)”) Idea for a policy: – Parse input strings instead of running them – Use ConScript to advise eval calls AspectJ advice for Java How to do advice in JavaScript? – No classes to speak of void around call Window::eval (String s) { … }

6 heap Advising Calls is Tricky window.eval = function allowJSON() { … } window object window object function allowJSON function allowJSON eval frame object frame object eval function eval function eval ConScript approach – Deep advice for complete mediation – Implemented within the browser for efficiency and reliability ConScript approach – Deep advice for complete mediation – Implemented within the browser for efficiency and reliability 6

7 Example of Applying Advice in ConScript 7 1. <SCRIPT SRC=”facebook.js" POLICY=" 2. var substr = String.prototype.substring; 3. var parse = JSON.parse; 4. around(window.eval, 5. function(oldEval, str) { 6. var str2 = uCall(str, substr, 1, 7. str.length - 1); 8. var res = parse(str2); 9. if (res) return res; 10. else throw "eval only for JSON"; 11. } );">

8 Contributions of ConScript 8 Protect benign users by giving control to hosting site ConScript approach: browser-supported aspects A case for aspects in browser Policies are easy to get wrong Type system to ensure policy correctness Correctness checking Wide catalog of policies from literature and practice 17 concise hand-written policies Implemented 2 policy generators Expressiveness Built into IE8 JavaScript interpreter Tested on real apps: Google Maps, Live Desktop, etc. Runtime and space overheads under 1% (vs. 30-550%) Real-world Evaluation

9 9 Implementation A case for aspects in browser Correctness checking Expressiveness Real-world Evaluation

10 heap Advising JavaScript Functions in IE8 10 function withBound Checks function paint function paint around(paint, withBoundChecks); dog.draw(); fish.display(); draw display

11 This is Just the Beginning… Not just JavaScript functions – native JavaScript calls: Math.round, … – DOM calls: document.getElementById, … Not just functions… – script introduction –…–… Optimizations – Blessing – Auto-blessing 11

12 12 A case for aspects in browser Type system Correctness checking Expressiveness Real-world Evaluation

13 Policies are Easy to Get Wrong var okOrigin={"http://www.google.com":true}; around(window.postMessage, function (post, msg, target) { if (!okOrigin[target]) { throw ’err’; } else { return post.call(this, msg, target); } }); 13 1. 2. 3. 4. 5. 6. 7. 8. 9. toString redefinition! Function.prototype poisoning! Object.prototype poisoning!

14 Policies are Easy to Get Wrong var okOrigin={"http://www.google.com":true}; around(window.postMessage, function (post, msg, target) { var t = toPrimitive(target); if (!hasProp(okOrigin,target)) { throw ’err’; } else { return uCall(this,post, msg, t); } }); 14 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. Reference isolation the whitelist is only referenced by policy code use hasProp instead of okOrigin[target] Reference isolation the whitelist is only referenced by policy code use hasProp instead of okOrigin[target] Access path integrity for function calls prevent prototype poisoning use uCall of post.call Access path integrity for function calls prevent prototype poisoning use uCall of post.call

15 How Do We Enforce Policy Correctness? Application code Unperturbed usage of legacy code Disallow arguments.caller to avoid stack inspection (disallowed by ES5’s strict mode) Policy code Modify the JavaScript interpreter – introduce uCall, hasProp, and toPrimitive – disable eval Propose a type system to enforce correct use of these primitives – disable with, … 15

16 Policy Type System ML-like type system Uses security labels to denote privilege levels Enforces access path integrity and reference isolation 16 Reference isolation o does not leak through poisoning if f is a field Reference isolation o does not leak through poisoning if f is a field Access path integrity for function calls o.f remains unpoisoned if T in v : T is not poisoned Access path integrity for function calls o.f remains unpoisoned if T in v : T is not poisoned

17 17 A case for aspects in browser Correctness checking Policies Expressiveness Real-world Evaluation

18 ConScript Policies 17 hand-written policies – Diverse: based on literature, bugs, and anti-patterns – Short: wrote new HTML tags with only a few lines of code 2 automatic policy generators – Using runtime analysis – Using static analysis 18

19 manifest of script URLs HTTP-only cookies resource blacklists limit evalno foreign links no dynamic IFRAME creation script whitelist no URL redirection no pop-ups enforce public vs. private Paper presents 17 ConScript Policies 19 around(document.createElement, function (c : K, tag : U) { var elt : U = uCall(document, c, tag); if (elt.nodeName == "IFRAME") throw ’err’; else return elt; }); around(document.createElement, function (c : K, tag : U) { var elt : U = uCall(document, c, tag); if (elt.nodeName == "IFRAME") throw ’err’; else return elt; });

20 Generating Intrusion Detection Policies 20 ConScript instrumentation ConScript enforcement eval new Function(“string”) postMessage XDomainRequest xmlHttpRequest … eval new Function(“string”) postMessage XDomainRequest xmlHttpRequest … Observed method calls

21 Enforcing C# Access Modifiers 21 class File { public File () { … } private open () { … } … C# JavaScript function File () { … } File.construct = … File.open = … … Script# compiler Script# compiler policy generator policy generator around(File, pubEntryPoint); around(File.construct, pubEntryPoint); around(File.open, privCall); ConScript

22 22 A case for aspects in browser Correctness checking Expressiveness Evaluation Real-world Evaluation

23 Experimental Evaluation Implemented on top of the IE 8 JavaScript interpreter TCB increase: under 1,000 lines added to IE8’s JavaScript engine Changed a few language constructs to disallow arguments.caller Low adoption barrier Function, DOM call, eval overhead 2.5x faster than previously published source-level wrapping Advice optimizations make it faster still Micro-benchmarks Google Maps, MSN, Gmail, Live Desktop, Google Calendar Hundreds of KB of JavaScript code Runtime overhead due to ConScript advice: mostly under 1% File size increase due to ConScript advice: under 1% Macro-benchmarks 23

24 DoCoMo Policy Enforcement Overhead 24 H. Kikuchi, D. Yu, A. Chander, H. Inamura, and I. Serikov, “JavaScript instrumentation in practice,” 2008

25 File Size Increase for Blacklisting Policy 25

26 Conclusions 26 To provide reliable enforcement, browser changes are required and can be minimal A case for aspects in browser Previous attempts illustrate that hand-written policies are buggy. ConScript addresses this with a type system without affecting legacy code Correctness checking Provide a catalog of 17 hand-written policies for other researchers to use and show how polices can be generated by translators like Script# Expressiveness Implementing policy enforcement in the browser and not at the source level has tremendous performance advantages Real-world Evaluation

27 QUESTIONS? 27

28 28 Access Modifier Enforcement Intrusion Detection System Runtime Overhead

29 Mediating DOM Functions 29 window.postMessage frame2.postMessage JavaScript interpreter IE8 libraries (HTML, Networking, …) postMessage 0xff34e5 arguments: “hello”, “evil.com” calladvice around(window.postMessage, off 0xff34e5 off ); advice dispatch [not found] 0xff34e5 deep aspects

30 function advice1 (foo2) { if (ok()) { foo2(); } else throw ‘exn’; } function advice1 (foo2) { if (ok()) { foo2(); } else throw ‘exn’; } function foo () { } Resuming Calls 30 1.function (eval, str) { if (ok(str)) { bless(); return eval(str); } else throw ‘exn’; } 3. function (eval, str) { if (ok(str)) return eval(str); else { curse(); throw ‘exn’; }} function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw ‘exn’; } function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw ‘exn’; } function foo () { } advice on advice off bless() temporarily disables advice for next call

31 Optimizing the Critical Path 31 function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw ‘exn’; } function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw ‘exn’; } function foo () { } advice on function advice3 (foo2) { if (ok()) foo2(); else { curse(); throw ‘exn’; } } function advice3 (foo2) { if (ok()) foo2(); else { curse(); throw ‘exn’; } } function foo () { } advice off advice on calling advice turns advice off for next call curse() enables advice for next call

Download ppt "ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo Meyerovich UC Berkeley Benjamin Livshits Microsoft."

Similar presentations

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
Microsoft Research March 20, 2000 A Programming Language for Developing Interactive Web Services Claus Brabrand BRICS, University of Aarhus, Denmark.

Microsoft Research March 20, 2000 A Programming Language for Developing Interactive Web Services Claus Brabrand BRICS, University of Aarhus, Denmark.
JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.

JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.
0 The Past, Present and Future of XSS Defense Jim Manico 2011 OWASP Brussels.

0 The Past, Present and Future of XSS Defense Jim Manico 2011 OWASP Brussels.
1 CSC 551: Web Programming Spring 2004 client-side programming with JavaScript  scripts vs. programs  JavaScript vs. JScript vs. VBScript  common tasks.

1 CSC 551: Web Programming Spring 2004 client-side programming with JavaScript  scripts vs. programs  JavaScript vs. JScript vs. VBScript  common tasks.
WEAVING CODE EXTENSIONS INTO JAVASCRIPT Benjamin Lerner, Herman Venter, and Dan Grossman University of Washington, Microsoft Research.

WEAVING CODE EXTENSIONS INTO JAVASCRIPT Benjamin Lerner, Herman Venter, and Dan Grossman University of Washington, Microsoft Research.
GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.

GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.
1 Yinzhi Cao, Zhichun Li *, Vaibhav Rastogi, Yan Chen, and Xitao Wen Labs of Internet Security and Technology Northwestern University * NEC Labs America.

1 Yinzhi Cao, Zhichun Li *, Vaibhav Rastogi, Yan Chen, and Xitao Wen Labs of Internet Security and Technology Northwestern University * NEC Labs America.
Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.

Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.
ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo Meyerovich UC Berkeley Benjamin Livshits Microsoft.

ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo Meyerovich UC Berkeley Benjamin Livshits Microsoft.
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
1 14th ACM Conference on Computer and Communications Security, Alexandria, VA Shuo Chen †, David Ross ‡, Yi-Min Wang † † Internet Services Research Center.

1 14th ACM Conference on Computer and Communications Security, Alexandria, VA Shuo Chen †, David Ross ‡, Yi-Min Wang † † Internet Services Research Center.
InkTag: Secure Applications on an Untrusted Operating system

InkTag: Secure Applications on an Untrusted Operating system
The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.

The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
Gatekeeper : Mostly Static Enforcement of Security & Reliability Policies for JavaScript Code Ben Livshits Salvatore Guarnieri.

Gatekeeper : Mostly Static Enforcement of Security & Reliability Policies for JavaScript Code Ben Livshits Salvatore Guarnieri.
A Type System for Expressive Security Policies David Walker Cornell University.

A Type System for Expressive Security Policies David Walker Cornell University.
Bending Binary Programs to your Will Rajeev Barua.

Bending Binary Programs to your Will Rajeev Barua.
Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.

Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.

Similar presentations

Ads by Google