Presentation transcript:

Presented by Vaibhav Rastogi

 Advent of Web 2.0 and mashups
 Inclusion of untrusted third-party content is a necessity
 Need to restrict the functionality available to untrusted content, i.e. content that does not need that functionality

 A browser-based, security-oriented aspect system
 Allows the hosting page to specify policies
 Restricts code execution in the context of the hosting page
 Examples
  ▪ Limiting eval to JSON parsing
  ▪ Allowing only white-listed strings or scripts

 Security aspects in the browser
 Deep aspects with native support
 Static and runtime validation strategies for aspects
 17 example security and reliability policies for JavaScript
 Automatic policy generation
 Evaluation

 eval considered unsafe
 But a necessity for JSON parsing
 Approach 1: redefine eval
  ▪ Shallow redefinition
  ▪ Other access paths to eval may exist

 Aspects
  ▪ Specify code to execute: advice
  ▪ At particular moments of execution: pointcut
 Approach 2
  ▪ Requires browser support
  ▪ Uses aspects: advice and pointcuts

 Advice registration
  ▪ Binds the original advised function to a new function
  ▪ Uses type-safe calls

 The around advice
  ▪ Calls the function parameter instead of the function specified as the first parameter
  ▪ The advice designer decides what to do in the new function:
    ▪ Throw an exception
    ▪ Do some safe execution
    ▪ Invoke the original function

 Several access paths can designate an object/function, e.g.:
    var ge = document.getElementById;

 Current state of the art: wrapping of an access path
  ▪ Shallow advice
  ▪ Protects only one access path
 ConScript's approach
  ▪ Deep advice
  ▪ Registering advice on one access path suffices

 Browser is trusted
 Host web site specifies the policies (advice)
 Advice is trusted: kernel-level code
 Untrusted scripts (user-level code) are loaded after advice specification
 Libraries are allowed to load before the advice
  ▪ They should declare new code only
  ▪ They should not change the environment in undesirable ways

 User-defined functions
  ▪ Represented as closures
  ▪ Point the closure to the advice function
  ▪ A bit indicates whether the advice is enabled

 Native functions
  ▪ Analogous to user-defined functions

 Foreign functions
  ▪ Like frame[0].postMessage
  ▪ Use a translation table

 Problem of infinite recursion
 Solution
  ▪ Define two functions
    ▪ bless: enable the advice
    ▪ curse: disable the advice
  ▪ Rewrite

 Autobless
  ▪ Avoids verbosity
  ▪ More efficient
 What if the raw function is not called?
  ▪ Be explicit: curse
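As an added example (not code from the talk or the ConScript paper), the around advice, the advice bit that bless/curse toggle, and the shallow-versus-deep difference modelled at user level in JavaScript; `page` stands in for the browser's global object and `around` for ConScript's native advice registration, both assumptions:

```javascript
// Added example, not code from the talk or the ConScript paper. It models
// around advice plus the bless/curse bit at user level, on a constructed
// stand-in for the browser's global object; ConScript itself attaches the
// advice to the closure inside the engine (deep advice) and needs browser support.
const page = { eval: globalThis.eval };

// A second access path to eval, taken before any advice exists.
const aliasTakenEarly = page.eval;

// Registers around advice on obj[name]. The advice receives the raw function
// as its first parameter and decides: throw, do something safe, or call raw.
// rec.enabled is the advice bit: cleared (curse) while the advice body runs,
// so a nested call to the advised name reaches the raw function instead of
// recursing into the advice; set again (bless) when the body returns.
function around(obj, name, advice) {
  const raw = obj[name];
  const rec = { enabled: true, adviceRuns: 0 };
  obj[name] = function (...args) {
    if (!rec.enabled) return raw.apply(this, args);   // cursed: raw call
    rec.enabled = false;
    rec.adviceRuns += 1;
    try { return advice.call(this, raw, ...args); }
    finally { rec.enabled = true; }                    // bless
  };
  return rec;
}

// Policy: eval may only be used to parse JSON. JSON.parse rejects anything that
// is not JSON; the validated text is then evaluated through the advised name,
// which the cleared advice bit routes to the raw eval rather than back here.
const evalRec = around(page, 'eval', function (raw, src) {
  if (typeof src !== 'string') throw new Error('policy: eval argument must be a string');
  try { JSON.parse(src); } catch (e) { throw new Error('policy: eval restricted to JSON'); }
  return page.eval('(' + src + ')');
});

// Untrusted code loaded after the policy goes through the advised access path.
function guardedEval(src) { return page.eval(src); }

// The alias still reaches the raw function: a user-level (shallow) wrapper only
// protects the one access path it replaced, which is why ConScript's advice is deep.
function aliasStillRunsCode() { return aliasTakenEarly('1 + 1') === 2; }
```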

 Important pointcut: aroundScript

 Advice should not be tampered with
 Should be written in a secure manner
 A vulnerable advice definition: a whitelist policy for frame messaging

 Attack 1: toString redefinition
 Attack 2: Function.prototype poisoning

 Attack 3: Object.prototype poisoning
 Attack 4: Malicious getters

 Eliminate with and eval
 Disallow caller access
 Introduce a new primitive, ucall
 Circumvent prototype poisoning
  ▪ Introduce a poisoning-safe primitive, hasProp

 Secure version of the whitelist policy
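As an added example (not the talk's or the paper's code), a frame-messaging whitelist policy in its vulnerable and secure forms, exercised under attacks 1 and 3 from the slides above; the `ucall`/`hasProp` stand-ins, the sample whitelist and the sender model are assumptions, since ConScript provides those primitives natively in the browser:

```javascript
// Added example, not code from the talk or the ConScript paper. It models the
// frame-messaging whitelist policy at user level; ConScript provides ucall and
// hasProp natively, here they are approximated with references captured before
// any untrusted script could have poisoned the prototypes.

const WHITELIST = { 'https://partner.example': true };   // constructed sample

// Vulnerable policy: stringifies whatever it is handed and lets the lookup
// walk the prototype chain.
function vulnerableAllowed(target) {
  const key = '' + target;          // attack 1: runs target.toString()
  return !!WHITELIST[key];          // attack 3: inherited properties count
}

// Stand-ins for ucall/hasProp, captured before untrusted code loads.
// Reflect.apply does not go through Function.prototype.call (attack 2).
const ucall = Reflect.apply;
const hasOwn = Object.prototype.hasOwnProperty;
function hasProp(obj, name) { return ucall(hasOwn, obj, [name]); }

// Secure policy: primitive strings only (no toString, no getters, attack 4),
// own properties only, no calls into objects the sender controls.
function secureAllowed(target) {
  return typeof target === 'string' && hasProp(WHITELIST, target);
}

// Sender model: the policy check, then the string the message really goes to.
function send(policy, target) {
  if (!policy(target)) return 'blocked';
  return 'sent to ' + target;      // second stringification
}

// Attack 3: a property added to Object.prototype is visible through WHITELIST.
function underPrototypePoisoning(policy) {
  Object.prototype['https://evil.example'] = true;
  try { return send(policy, 'https://evil.example'); }
  finally { delete Object.prototype['https://evil.example']; }
}

// Attack 1: toString answers differently on the check and on the send.
function underToStringRedefinition(policy) {
  let n = 0;
  const shifty = { toString() { return n++ === 0 ? 'https://partner.example' : 'https://evil.example'; } };
  return send(policy, shifty);
}
```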

 Static validation
  ▪ ML-like type system
  ▪ Types are annotated with security labels
 Two properties
  ▪ Reference isolation: kernel objects should not flow to user code
  ▪ Access path integrity of explicitly invoked functions

 Lattice with an "is substitutable for" relation
 Substitution represented with a flow relation

 Primitive type: *
 Other types similar to ML
 Types annotated with security labels
 Sample inference rule: calling trusted foreign functions

 No dynamic scripts
 No string arguments to setInterval, setTimeout

 Static: instrument Script#
  ▪ Script# converts C# to JS
  ▪ JS does not have access qualifiers like private
  ▪ Generate policies that enforce private and protected accesses
 Runtime
  ▪ Test in a sandboxed environment which capabilities are used
  ▪ Strip off all other capabilities

 Neat idea
 Impressive performance
 No with and eval
 Needs browser support
 Automatic policy generation
  ▪ Policies come with the host page
  ▪ Third-party developer (attacker) may choose not to use any ConScript-supported frameworks

 setTimeout also unsafe without policy enforcement
 Most policies described can be checked statically
 Rule set for type inference may not be complete

Presented by Vaibhav Rastogi

 Enable fine-grained sharing of JavaScript objects between principals
 Let different principals have different views of the objects
 Views may differ in
  ▪ Access rights
  ▪ Overriding methods to hide some information
 Aspect-oriented approach

 Two settings
  ▪ Server-side script rewriters
  ▪ Browsers
 View sharer creates object views according to policies
 Attacker is the view recipient
  ▪ Tries to steal information that should not be accessible to it
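As an added example (not the Object Views paper's code), one way to give two principals different views of the same object in the browser setting: `makeView`, the Proxy-based mechanism, the sample `account` object and the policies are all assumptions made here, not the paper's implementation:

```javascript
// Added example, not the Object Views paper's code. A view is modelled with a
// Proxy (assumed browser setting, where the sharer's code runs first); the
// sharer keeps the real object and hands each principal a view whose access
// rights and overridden methods follow that principal's policy.
function makeView(target, policy) {
  const readable = new Set(policy.read);
  const writable = new Set(policy.write || []);
  const overrides = policy.override || {};
  return new Proxy(target, {
    get(t, name) {
      if (Object.prototype.hasOwnProperty.call(overrides, name)) return overrides[name];
      if (!readable.has(name)) return undefined;       // hidden from this principal
      const v = t[name];
      return typeof v === 'function' ? v.bind(t) : v;  // methods run on the real object
    },
    set(t, name, value) {
      if (!writable.has(name)) throw new TypeError('view: no write access to ' + String(name));
      t[name] = value;
      return true;
    },
    has(t, name) { return readable.has(name); }
  });
}

// Constructed sample object shared by the host page.
const account = {
  name: 'Alice', email: 'alice@example.test', balance: 120,
  summary() { return this.name + ' <' + this.email + '> balance ' + this.balance; }
};

// The host page's own view: full access, may update the email.
const ownerView = makeView(account, { read: ['name', 'email', 'balance', 'summary'], write: ['email'] });

// A third-party gadget's view: name only, and summary is overridden to hide the
// contact and balance fields rather than merely denying access to them.
const gadgetView = makeView(account, {
  read: ['name', 'summary'],
  override: { summary() { return account.name + ' (details hidden)'; } }
});

function whatGadgetSees() {
  return { name: gadgetView.name, email: gadgetView.email, summary: gadgetView.summary() };
}
function gadgetTriesToWrite() {
  try { gadgetView.balance = 0; return 'allowed'; } catch (e) { return 'denied'; }
}
```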

 Both are very similar aspect-oriented approaches
 ConScript is for applying JavaScript policies
 Object Views is for creating multiple views for sharing