Secure ECMAScript Name Subject To Change

Slides:

Advertisements

Similar presentations

Ajax Security Douglas Crockford Yahoo! javascript.crockford.com/security.ppt.

Advertisements

JavaScript: A Language of Many Contrasts

IPP Notification and Notification Services White Paper Hugo Parra; Novell, Inc. October 6, 1999 The intent of this paper is to supplement the discussions.

Ch:8 Design Concepts S.W Design should have following quality attribute: Functionality Usability Reliability Performance Supportability (extensibility,

Douglas Crockford Principles Security of. White hats vs. black hats. Security is not hats.

DATA STRUCTURES Lecture: Interfaces Slides adapted from Prof. Steven Roehrig.

GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.

1 Yinzhi Cao, Zhichun Li *, Vaibhav Rastogi, Yan Chen, and Xitao Wen Labs of Internet Security and Technology Northwestern University * NEC Labs America.

Operating System Security : David Phillips A Study of Windows Rootkits.

Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.

An Evaluation of the Google Chrome Extension Security Architecture

Vaibhav Rastogi and Yi Yang.  Web 2.0 – rich applications  A website hosts content it may not be responsible for  Third party gadgets  Third party.

DESIGN PATTERNS OZGUR RAHMI DONMEZ.

JSON, ADsafe, and Misty Douglas Crockford Yahoo!.

Component Patterns – Architecture and Applications with EJB copyright © 2001, MATHEMA AG Component Patterns Architecture and Applications with EJB JavaForum.

George Blank University Lecturer. CS 602 Java and the Web Object Oriented Software Development Using Java Chapter 4.

CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.

Design Patterns Part IV (TIC++V2:C10) Yingcai Xiao 10/01/08.

Chapter 11 ASP.NET JavaScript, Third Edition. 2 Objectives Learn about client/server architecture Study server-side scripting Create ASP.NET applications.

Happy Hacking HTML5! Group members: Dongyang Zhang Wei Liu Weizhou He Yutong Wei Yuxin Zhu.

OBJECT ORIENTED PROGRAMMING IN C++ LECTURE

Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)

Proxy Design Pattern Source: Design Patterns – Elements of Reusable Object- Oriented Software; Gamma, et. al.

Starting Chapter 4 Starting. 1 Course Outline* Covered in first half until Dr. Li takes over. JAVA and OO: Review what is Object Oriented Programming.

● Problem statement ● Proposed solution ● Proposed product ● Product Features ● Web Service ● Delegation ● Revocation ● Report Generation ● XACML 3.0.

DAAD project “Joint Course on OOP using Java” Design Patterns in the course ‘OOP in Java’ - first experiences Ana Madevska Bogdanova Institute of informatics.

Lecture Roger Sutton CO530 Automation Tools 5: Class Libraries and Assemblies 1.

REFACTORING Lecture 4. Definition Refactoring is a process of changing the internal structure of the program, not affecting its external behavior and.

Design Patterns.

Overview of Previous Lesson(s) Over View  OOP  A class is a data type that you define to suit customized application requirements.  A class can be.

Ajax Runtime Toolkits IBM Emerging Technologies. What is an AJAX Toolkit/Framework? An AJAX Toolkit/Runtime is more than just XMLHTTPRequest Should includes:

Chapter 7: WORKING WITH GROUPS

Firewall and Internet Access Mechanism that control (1)Internet access, (2)Handle the problem of screening a particular network or an organization from.

Chapter 3.5 Memory and I/O Systems. 2 Memory Management Memory problems are one of the leading causes of bugs in programs (60-80%) MUCH worse in languages.

CSCI-383 Object-Oriented Programming & Design Lecture 13.

Chapter 6 Object-Oriented Java Script JavaScript, Third Edition.

Chapter 14 Part II: Architectural Adaptation BY: AARON MCKAY.

Guided Notes Ch. 9 ADT and Modules Ch. 10 Object-Oriented Programming PHP support for OOP and Assignment 4 Term project proposal C++ and Java Designer.

ProgrammingLanguages Programming Languages The Extended Design Principles This lecture introduces a list of more specific principles that can be an aid.

PVSSProxy The first piece of the MACS procedure framework (ProShell) Angela Brett.

Object-Oriented Design Simple Program Design Third Edition A Step-by-Step Approach 11.

Privilege separation in Condor Bruce Beckles University of Cambridge Computing Service.

Section 11: Implementing Software Restriction Policies and AppLocker What Is a Software Restriction Policy? Creating a Software Restriction Policy Using.

Software Design Patterns (1) Introduction. patterns do … & do not … Patterns do... provide common vocabulary provide “shorthand” for effectively communicating.

SECURE WEB APPLICATIONS VIA AUTOMATIC PARTITIONING S. Chong, J. Liu, A. C. Myers, X. Qi, K. Vikram, L. Zheng, X. Zheng Cornell University.

ECE450 - Software Engineering II1 ECE450 – Software Engineering II Today: Design Patterns IV Structural Patterns.

CSE 332: Design Patterns Review: Design Pattern Structure A design pattern has a name –So when someone says “Adapter” you know what they mean –So you can.

Legion - A Grid OS. Object Model Everything is object Core objects - processing resource– host object - stable storage - vault object - definition of.

Secure ECMAScript Name Subject To Change Douglas Crockford Yahoo!

Behavioral Patterns CSE301 University of Sunderland Harry R Erwin, PhD.

Software Design Patterns Curtsy: Fahad Hassan (TxLabs)

Protecting Browsers from Extension Vulnerabilities Paper by: Adam Barth, Adrienne Porter Felt, Prateek Saxena at University of California, Berkeley and.

Introduction to Object-Oriented Programming Lesson 2.

C++ 程序语言设计 Chapter 12: Dynamic Object Creation. Outline  Object creation process  Overloading new & delete.

Development of a Web-Based Groupwork Assessment Tool Groupwork and Assessment Methods Demonstration of Software Discussion Hannah Whaley David Walker

EECS 354: Network Security Group Members: Patrick Wong Eric Chan Shira Schneidman Web Attacks Project: Detecting XSS and SQL Injection Vulnerabilities.

Inheritance and Class Hierarchies Chapter 3. Chapter 3: Inheritance and Class Hierarchies2 Chapter Objectives To understand inheritance and how it facilitates.

Rich Internet Applications 2. Core JavaScript. The importance of JavaScript Many choices open to the developer for server-side Can choose server technology.

From Use Cases to Implementation 1. Structural and Behavioral Aspects of Collaborations  Two aspects of Collaborations Structural – specifies the static.

Basic Concepts of Software Architecture. What is Software Architecture? Definition: – A software system’s architecture is the set of principal design.

From Use Cases to Implementation 1. Mapping Requirements Directly to Design and Code  For many, if not most, of our requirements it is relatively easy.

GROUPROCKET - Choose Collaboration Software for Your Company.

Prof. Bhushan Trivedi Director GLS Institute of Computer Technology

Design Patterns Spring 2017.

Static Detection of Cross-Site Scripting Vulnerabilities

Introduction to Design Patterns

Data Abstraction: The Walls

Introduction To Networking

PRINCIPALES OF OBJECT ORIENTED PROGRAMMING

CPS120: Introduction to Computer Science

Presentation transcript:

Secure ECMAScript Name Subject To Change Douglas Crockford Yahoo! http://javascript.crockford.com/ses.ppt

JavaScript's Security Model Is Intolerable The global object-based design subjects all applications to XSS attacks. Third party scripts get first party privileges. Unintentional injection of third party scripts is called XSS. New mashup-based application patterns call for intentional injection of third party scripts. This is dangerous.

Vats Adapting Google's Gears or Adobe's AIR to provide communicating containment vessels is a partial solution. Provides cooperation under mutual suspicion. Heavyweight. Deployment is difficult. Still subject to XSS attacks.

JavaScript Is the Problem We need to replace JavaScript with a similar language that has the same expressive power, but that provides cooperation under mutual suspicion at the language level. The new language must break compatibility with ES3. The ES4 proposal is attempting to solve a different problem.

Safe JavaScript Subsets Interim Solution Safe JavaScript Subsets

ADsafe ADsafe is a JavaScript subset that adds capability discipline by deleting features that cause capability leakage. JSLint understands ADsafe. No global variables or functions may be defined. No global variables or functions can be accessed except the ADSAFE object. The [] subscript operator may not be used. These words cannot be used: apply call callee caller clone constructor eval new prototype source this toSource toString watch Words ending in __ cannot be used.

ADSAFE The ADSAFE object provides all the capabilities to the guest program. The guest program must not be allowed direct access to the global object or any form of eval. The guest program must not be allowed direct access any DOM element. The guest program's access to the DOM must be restricted to its assigned subtree.

Dangers There may still be undiscovered weaknesses in ECMAScript and its many implementations. Those implementations are changing, introducing new weaknesses. The wrappers must be flawless. We are still subject to XSS attacks.

Proposed Design a new language, beginning with the ADsafe dialect as the seed, growing new features to enhance expressiveness and productivity without compromising security. The new language is designed for capability containment.

Object A has state and behavior. A is an Object. Object A has state and behavior.

has-a Object A has a reference to Object B. An object can have references to other objects.

Object A can communicate with Object B... ...because it has a reference to Object B.

Object A does not get access to Object B's innards. Object B provides an interface that constrains access to its own state and references. Object A does not get access to Object B's innards.

Object A does not have a reference to Object C, so Object A cannot communicate with Object C. In an Object Capability System, an object can only communicate with objects that it has references to.

An Object Capability System is produced by constraining the ways that references are obtained. A reference cannot be obtained simply by knowing the name of a global variable or a public class.

There are exactly three ways to obtain a reference. By Creation. By Construction. By Introduction.

If a function creates an object, it gets a reference to that object. 1. By Creation If a function creates an object, it gets a reference to that object.

An object may be endowed by its constructor with references. 2. By Construction An object may be endowed by its constructor with references. This can include references in the constructor's context and inherited references.

3. By Introduction A has a references to B and C. B has no references, so it cannot communicate with A or C. C has no references, so it cannot communicate with A or B.

A calls B, passing a reference to C. 3. By Introduction A calls B, passing a reference to C.

B is now able to communicate with C. 3. By Introduction B is now able to communicate with C. It has the capability.

If references can only be obtained by Creation, Construction, or Introduction, then you may have a safe system.

If references can be obtained in any other way, you do not have a safe system.

Potential weaknesses include Arrogation. Corruption. Confusion. Collusion.

1. Arrogation To take or claim for oneself without right. Global variables. public static variables. Standard libraries that grant powerful capabilities like access to the file system or the network or the operating system to all programs. Address generation.

2. Corruption It should not be possible to tamper with or circumvent the system or other objects.

3. Confusion It should be possible to create objects that are not subject to confusion. A confused object can be tricked into misusing its capabilities.

4. Collusion It must not be possible for two objects to communicate until they are introduced. If two independent objects can collude, they might be able to pool their capabilities to cause harm. For example, I can give gasoline to one object, and matches to another. I need to be confident that they cannot collude.

Stepping down the power Some objects are too dangerous to give to guest code. We can give those capabilities to intermediate objects that will constrain the capability. For example, an intermediate object for a file system might limit access to a particular device or directory, or limit the size of files, or the number of files, or the longevity of files, or the types of files.

Ultimately, every object should be given exactly the capabilities it needs to do its work. Capabilities should be granted on a need-to-do basis. Information Hiding - Capability Hiding.

Intermediate objects, or facets, can be very light weight. Class-free languages can be especially effective.

The Facet object limits the Guest object's access to the Dangerous object. The Guest object cannot tamper with the Facet to get a direct reference to the Dangerous object.

References are not revocable. Once you introduce an object, you can't ask it to forget it. You can ask, but you should not depend on your request being honored.

The Guest object has a reference to an Agency object The Guest object has a reference to an Agency object. The Guest asks for an introduction to the Dangerous object.

The Agency object makes a Facet, and gives it to the Guest. The Facet might be a simple pass through.

The Facet is now useless to the Guest. When the Agency wants to revoke the capability, it tells the Facet to forget its capability. The Facet is now useless to the Guest.

A Facet can mark requests so that the Dangerous object can know where the request came from.

Facets Very expressive. Easy to construct. Lightweight. Power Reduction. Revocation. Notification. Delegation. The best OO patterns are also capability patterns

Good Object Capability Design is Good Object Oriented Design

Secure ECMAScript Must Be Incompatible With ES3 If it were compatible, it would share the weaknesses of ES3. Incompatibility gives us license to correct many of the blunders that ES4 must preserve. Lacking compatibility in the design process could lead to a lack of feature discipline.

Minimal An elegant, minimal language is easier to reason about than an over-featured, maximal language. Committees are generally unable to produce minimal designs. Design-by-committee.

Competition We invite members to submit designs. The TC drafts the rules for the competition, and selects the winner based on the criteria of security, expressiveness, and minimalism.

The web needs a secure programming language.