ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo Meyerovich UC Berkeley Benjamin Livshits Microsoft.

Slides:



Advertisements
Similar presentations
Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
Advertisements

JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.
The Case for JavaScript Transactions Mohan Dhawan, Chung-chieh Shan, Vinod Ganapathy Department of Computer Science Rutgers University PLAS 2010.
0 The Past, Present and Future of XSS Defense Jim Manico 2011 OWASP Brussels.
1 CSC 551: Web Programming Spring 2004 client-side programming with JavaScript  scripts vs. programs  JavaScript vs. JScript vs. VBScript  common tasks.
WEAVING CODE EXTENSIONS INTO JAVASCRIPT Benjamin Lerner, Herman Venter, and Dan Grossman University of Washington, Microsoft Research.
GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
1 Yinzhi Cao, Zhichun Li *, Vaibhav Rastogi, Yan Chen, and Xitao Wen Labs of Internet Security and Technology Northwestern University * NEC Labs America.
Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.
An Evaluation of the Google Chrome Extension Security Architecture
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
1 14th ACM Conference on Computer and Communications Security, Alexandria, VA Shuo Chen †, David Ross ‡, Yi-Min Wang † † Internet Services Research Center.
Mashup Security by Compilation Tamara Rezk These slides discuss joint work with Zhengqin Luo and Jose Santos February 22 nd, 2013.
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
An Empirical Study on the Rewritability of the with Statement in JavaScript Changhee Park (Joint work with Hongki Lee and Sukyoung Ryu) KAIST October.
1 Extensible Security Architectures for Java Authors: Dan S.Wallch, Dirk Balfanz Presented by Moonjoo Kim.
Aaron Blankstein and Michael J. Freedman Princeton University Tuan Tran.
Best and Worst Practices Building RIA from Adobe and Microsoft.
Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)
1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.
Subspace: Secure Cross-Domain Communication for Web Mashups Collin Jackson Stanford University Helen J. Wang Microsoft Research ACM WWW, May, 2007 Presenter:
Subspace: Secure Cross-Domain Communication for Web Mashups In Proceedings of the 16th International World Wide Web Conference. (WWW), 2007 Collin Jackson,
Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.
Department of Electrical Engineering and Computer Science CONSCRIPT: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser.
4.1 JavaScript Introduction
FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 4 Web technologies: HTTP, CGI, PHP,Java applets)
JavaScript & jQuery the missing manual Chapter 11
JavaScript Heap Analysis: From Browser Exploits to Safe JavaScript Subsets Adam Barth Joel Weinberger Matt Finifter Dawn Song University of California,
BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers Mike Ter Louw, V.N. Venkatakrishnan University of Illinois at Chicago.
Securing Web Applications. IE 7 significantly reduced attack surface against the browser and local machine…
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Krishna Mohan Koyya Glarimy Technology Services
OMash: Enabling Secure Web Mashups via Object Abstractions Steven Crites, Francis Hsu, Hao Chen UC Davis.
ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo Meyerovich UC Berkeley Benjamin Livshits Microsoft.
OMash: Enabling Secure Web Mashups via Object Abstractions Steven Crites, Francis Hsu, Hao Chen (UC Davis) ACM Conference on Computer and Communications.
Cross Site Integration “mashups” cross site scripting.
Java 2 security model Valentina Casola. Components of Java the development environment –development lifecycle –Java language features –class files and.
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 1 RubyJax Brent Morris/
CSCE 201 Web Browser Security Fall CSCE Farkas2 Web Evolution Web Evolution Past: Human usage – HTTP – Static Web pages (HTML) Current: Human.
AjaxScope & Doloto: Towards Optimizing Client-side Web 2.0 App Performance Ben Livshits Microsoft Research (joint work with Emre.
Module 5: Configuring Internet Explorer and Supporting Applications.
Introducing ASP.NET 2.0. Internet Technologies WWW Architecture Web Server Client Server Request Response Network HTTP TCP/IP PC/Mac/Unix + Browser (IE,
SECURE WEB APPLICATIONS VIA AUTOMATIC PARTITIONING S. Chong, J. Liu, A. C. Myers, X. Qi, K. Vikram, L. Zheng, X. Zheng Cornell University.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © cs-tutorial.com. Overview Introduction Architecture Implementation Evaluation.
Enhancing JavaScript with Transactions Mohan Dhawan †, Chung-chieh Shan ‡ and Vinod Ganapathy † † Department of Computer Science, Rutgers University ‡
ASP. What is ASP? ASP stands for Active Server Pages ASP is a Microsoft Technology ASP is a program that runs inside IIS IIS stands for Internet Information.
M. Alexander Helen J. Wang Yunxin Liu Microsoft Research 1 Presented by Zhaoliang Duan.
University of Central Florida The Postman Always Rings Twice: Attacking & Defending postMessage in HTML5 Websites Ankur Verma University of Central Florida,
Vaibhav Rastogi and Yi Yang.  SOP is outdated  Netscape introduced this policy when most content on the Internet was static  Differences amongst different.
Protecting Browsers from Extension Vulnerabilities Paper by: Adam Barth, Adrienne Porter Felt, Prateek Saxena at University of California, Berkeley and.
Implementing and Using the SIRWEB Interface Setup of the CGI script and web procfile Connecting to your database using HTML Retrieving data using the CGI.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
What is a Servlet? Java Program that runs in a Java web server and conforms to the servlet api. A program that uses class library that decodes and encodes.
Trevor Jim Nikhil Swamy Michael Hicks Defeating Script Injection Attacks with Browser-Enforced Embedded Policies Jason FroehlichSeptember 24, 2008.
Web Login, Cookies Web Login | Old way HTML
Open Solutions for a Changing World™ Eddy Kleinjan Copyright 2005, Data Access WordwideNew Techniques for Building Web Applications June 6-9, 2005 Key.
Chapter 6 CS 3370 – C++ Functions.
Chapter 1 Introduction to Computers, Programs, and Java
Michael Robertson Yuta Takayama Google Closure Tools.
Security mechanisms and vulnerabilities in .NET
Web Caching? Web Caching:.
14 A Brief Look at JavaScript and jQuery.
The Application Lifecycle
Lesson 9: GUI HTML Editors and Mobile Web Sites
Introduction to JavaScript
Protecting Browsers from Extension Vulnerabilities
Presentation transcript:

ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo Meyerovich UC Berkeley Benjamin Livshits Microsoft Research

Web Programmability Platform 2 yelp.com openid.net adsense.com Google maps

Rich Internet Applications are Dynamic Yelp.com: main.js … jQuery.js … adSense.js … GoogleMaps.js … OpenID_API.js 3 flexible runtime composition … but little control.

Towards Safe Programmability for the Web 4 Can’t trust other people’s code Mash-ups

Goals and Contributions 5 protect benign users by giving control to hosting site ConScript approach: aspects for security control loading and use of scripts 17 hand-written policies correct policies are hard to write proposed type system to catch common attacks implemented 2 policy generators express many policies safely built into IE 8 JavaScript interpreter runtime and space overheads under 1% (vs %) smaller trusted computing base (TCB) browser support

approach protect benign users by giving control to the hosting site : aspects for security 6

ConScript Approach – protect benign Web users – give control to the hosting site How – Browser-supported aspects for security 7

Contributions of ConScript 8 protect benign users by giving control to hosting site ConScript approach: aspects for security built into IE 8 JavaScript interpreter A case for aspects in browser Policies are easy to get wrong Type system to ensure policy correctness Correctness checking 17 hand-written policies Comprehensive catalog of policies from literature and practice implemented 2 policy generators Expressiveness Tested on real apps: Google Maps, Live Desktop, etc. runtime and space overheads under 1% (vs %) smaller trusted computing base (TCB) Evaluation

manifest of script URLs HTTP-only cookies resource blacklists limit eval no foreign links no hidden frames script whitelist no URL redirection no pop-ups enforce public vs. private Policies 9

C ON S CRIPT aspects implementing aspects in IE8 checking C ON S CRIPT policies generating C ON S CRIPT policies performance 10

heap eval is evil window.eval = 11 function () { throw ‘Disallowed’ }; function eval function eval heap object eval foo bar

No postMessage : A Simple Policy? Wrapping: [[Caja, DoCoMo, AOJS, lightweightjs, Web Sandbox, …]] window.postMessage = function () {}; frame1.postMessage(“msg”, “evil.com”) Aspects: [[AspectJ]] void around(String msg, String uri) : call DOM.postMessage(String m, String u) { /* do nothing instead of call */ } … no classes in JavaScript / DOM … 12

function () { [native code] } function () { [native code] } function () { throw ‘exn’; } function () { throw ‘exn’; } Specifying Calls using References around(window.postMessage, function () { throw ‘exn’; }); [Object window] [Object frame] postMessage 13

1.Functions DOM: aroundExt(postMessage, function (pm2, m, uri) { … }); JS: aroundNat(eval, function (eval, str) { … }); User-defined: aroundFnc(foo, function (foo2, arg1) { … }); 2. Script introduction : aroundScr(function (src) { return src + ‘;’ + pol;}); inline: aroundInl(function (src) { return src + ‘;’ + pol;}); ConScript Interface 14

C ON S CRIPT aspects implementing aspects in IE8 checking C ON S CRIPT policies generating C ON S CRIPT policies performance 15

function f () { … } Problem: Implementation? Source Rewriting [[aojs, docomo, caja, sandbox, fbjs]]  50%-450% more to transfer, 30-70% slowdown  limited: native (DOM) functions, dynamic code?  big assumptions: adds parser to TCB, … 16

Mediating DOM Functions 17 window.postMessage frame2.postMessage JavaScript interpreter IE8 libraries (HTML, Networking, …) postMessage 0xff34e5 arguments: “hello”, “evil.com” calladvice aroundExt(window.postMessage, off 0xff34e5 off ); advice dispatch [not found] 0xff34e5

function advice1 (foo2) { if (ok()) { foo2(); } else throw ‘exn’; } function advice1 (foo2) { if (ok()) { foo2(); } else throw ‘exn’; } function foo () { } Resuming Calls 18 1.function (eval, str) { if (ok(str)) { bless(); return eval(str); } else throw ‘exn’; } 3. function (eval, str) { if (ok(str)) return eval(str); else { curse(); throw ‘exn’; }} function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw ‘exn’; } function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw ‘exn’; } function foo () { } advice on advice off bless() temporarily disables advice for next call

Optimizing the Critical Path 19 function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw ‘exn’; } function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw ‘exn’; } function foo () { } advice on function advice3 (foo2) { if (ok()) foo2(); else { curse(); throw ‘exn’; } } function advice3 (foo2) { if (ok()) foo2(); else { curse(); throw ‘exn’; } } function foo () { } advice off advice on calling advice turns advice off for next call curse() enables advice for next call

C ON S CRIPT aspects implementing aspects in IE8 checking C ON S CRIPT policies generating C ON S CRIPT policies performance 20

Basic Usage Yelp.com: main.js, index.html … jQuery.js … adSense.js … GoogleMaps.js … OpenID_API.js 21 script whitelist no eval no innerHTML no hidden frames only HTTP cookies no inline scripts SURGEON GENERAL’S WARNING Policies are written in a small JavaScript subset. Applications only lose a few dangerous features. SURGEON GENERAL’S WARNING Policies are written in a small JavaScript subset. Applications only lose a few dangerous features.

Policy Integrity Objects defined with policy constructors do not flow out Old Policy around(postMessage, function (m, url) { w = {“msn.com”: true}; … 22

Policy Integrity Objects defined with policy constructors do not flow out Old Policy around(postMessage, function (m, url) { w = {“msn.com”: true}; … policy object: must protect unknown: do not pass privileged objects! 23

Policy Integrity Objects defined with policy constructors do not flow out Old Policy around(postMessage, function (m, url) { w = {“msn.com”: true}; … User Exploit postMessage(“”, “msn.com”); w[“evil.com”] = 1; postMessage(“”, “evil.com”); 24

Policy Integrity Objects defined with policy constructors do not flow out New Policy around(postMessage, function (m, url) { window.w = {“msn.com”: true}; … User Exploit postMessage(“”, “msn.com”); w[“evil.com”] = 1; postMessage(“”, “evil.com”); var w 25

Policy Integrity Objects defined with policy constructors do not flow out New Policy around(postMessage, function (m, url) { window.w = {“msn.com”: true}; … policy object: must protect unknown: do not pass privileged objects! var w 26

Maintaining Integrity 1.Policy objects do not leak out of policies 2.Access path integrity of calls (no prototype hijacking) ML-style type inference –  basic – program unmodified –  only manually tested on policies JavaScript interpreter support – call(ctx, fnc, arg1, …), hasOwnProperty(obj, “fld”) – caller 27

Transparency If running with policies throws no errors – … for same input, running without should be safe – empty advice should not be functionally detectable Difficult with wrapping or rewriting – Function.prototype.apply, exn.stacktrace, myFunction.callee, arguments.caller, myFunction.toString, Function.prototype.call – correctness vs. compatibility vs. performance … Simpler at interpreter level – rest up to developer – no proof 28

C ON S CRIPT aspects implementing aspects in IE8 checking C ON S CRIPT policies generating C ON S CRIPT policies performance 29

Automatically Generating Policies Intrusion detection – can we infer and disable unneeded DOM functions? C# access modifiers – can we enforce access modifiers like private? ASP policies – can we guarantee no scripts get run in ? 30

Intrusion Detection 1: Learn Blacklist 31 eval new Function(“string”) postMessage XDomainRequest xmlHttpRequest … eval new Function(“string”) postMessage XDomainRequest xmlHttpRequest … log audit

Intrusion Detection 2: Enforce Blacklist 32

Enforcing C# Access Modifiers 33 class File { public File () { … } private open () { … } … C# JavaScript function File () { … } File.construct = … File.open = … … Script# compiler Script# compiler policy generator policy generator around(File, pubEntryPoint); around(File.construct, pubEntryPoint); around(File.open, privCall); ConScript

C ON S CRIPT aspects implementing aspects in IE8 checking C ON S CRIPT policies generating C ON S CRIPT policies performance 34

Performance Microbenchmarks: 1.2x (vs. 3.4x) Initialization time: 0-1% Runtime: 0-7% (vs. 30+%) File size blowup: < 1% (vs. 50+%) 35

Microbenchmark: Mediation Overhead 36 function advice2 (foo2) { bless(); foo2(); } function advice2 (foo2) { bless(); foo2(); } function advice3 (foo2) { foo2(); } function advice3 (foo2) { foo2(); } var raw = obj.f; obj.f = function () { raw();} var raw = obj.f; obj.f = function () { raw();} 3.42x 1.44x 1.24x

File Size Increase (IDS) 37

38 Access Modifier Enforcement Intrusion Detection System Runtime Overhead

Goals and Contributions 39 protect benign users by giving control to hosting site ConScript approach: aspects for security control loading and use of scripts 16 hand-written policies correct policies are hard to write proposed type system to catch common attacks implemented 2 policy generators express many policies safely built into IE 8 JavaScript interpreter runtime and space overheads under 1% (vs %) smaller trusted computing base (TCB) browser support

manifest of URLs limit evalno foreign links resource blacklists no hidden frames script whitelist no URL redirection HTTP-only cookies no pop-ups enforce public vs. private Questions? 40

END. 41

Conclusion Security mechanisms should be deep & in browser –around –aroundScr, aroundInl – optimized around Expressing policies is hard – 16 handwritten policies [[TODO average size]] – designed static analysis – blacklist generator prototype – private function policy generator Policy enforcement must be cheap – file size increase: < 1% (vs %) – initialization: could not detect! – runtime: could not detect! 42

Integrity 2/2: No Hijacked Calls objects defined with policy constructors do not flow out Old Policy around(window.eval, function (oldEval, str) { var hash = str.reverse(); … User Exploit String.prototype.reverse = function () { return “forged”; }; eval(“alert()”); 43

Integrity 2/2: No Hijacked Calls objects defined with policy constructors do not flow out Old Policy around(window.eval, function (oldEval, str) { var hash = str.reverse(); … policy object: privileged, callable object environment object: untrusted, unhijacked ( directly callable ) unknown: untrusted, uncallable object 44

Integrity 2/2: No Hijacked Calls objects defined with policy constructors do not flow out New Policy around(window.eval, function (oldEval, str) { var hash = str.reverse(); … User Exploit String.prototype.reverse = function () { return “forged”; }; eval(“alert()”); var r = “”.reverse; call(str, r) 45

Integrity 2/2: No Hijacked Calls objects defined with policy constructors do not flow out New Policy around(window.eval, function (oldEval, str) { var hash = str.reverse(); … policy object: privileged, callable object environment object: untrusted, unhijacked ( directly callable) unknown: untrusted, uncallable object var r = “”.reverse; call(str, r) 46

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.