Presentation is loading. Please wait.

Presentation is loading. Please wait.

ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo Meyerovich UC Berkeley Benjamin Livshits Microsoft.

Published byAdele Bond Modified over 9 years ago

Similar presentations

Presentation on theme: "ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo Meyerovich UC Berkeley Benjamin Livshits Microsoft."— Presentation transcript:

1 ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo Meyerovich UC Berkeley Benjamin Livshits Microsoft Research

2 Web Programmability Platform 2 yelp.com openid.net adsense.com Google maps

3 Rich Internet Applications are Dynamic Yelp.com: main.js … jQuery.js … adSense.js … GoogleMaps.js … OpenID_API.js 3 flexible runtime composition … but little control.

4 Towards Safe Programmability for the Web 4 Can’t trust other people’s code Mash-ups

5 Goals and Contributions 5 protect benign users by giving control to hosting site ConScript approach: aspects for security control loading and use of scripts 17 hand-written policies correct policies are hard to write proposed type system to catch common attacks implemented 2 policy generators express many policies safely built into IE 8 JavaScript interpreter runtime and space overheads under 1% (vs. 30-550%) smaller trusted computing base (TCB) browser support

6 approach protect benign users by giving control to the hosting site : aspects for security 6

7 ConScript Approach – protect benign Web users – give control to the hosting site How – Browser-supported aspects for security 7

8 Contributions of ConScript 8 protect benign users by giving control to hosting site ConScript approach: aspects for security built into IE 8 JavaScript interpreter A case for aspects in browser Policies are easy to get wrong Type system to ensure policy correctness Correctness checking 17 hand-written policies Comprehensive catalog of policies from literature and practice implemented 2 policy generators Expressiveness Tested on real apps: Google Maps, Live Desktop, etc. runtime and space overheads under 1% (vs. 30-550%) smaller trusted computing base (TCB) Evaluation

9 manifest of script URLs HTTP-only cookies resource blacklists limit eval no foreign links no hidden frames script whitelist no URL redirection no pop-ups enforce public vs. private Policies 9

10 C ON S CRIPT aspects implementing aspects in IE8 checking C ON S CRIPT policies generating C ON S CRIPT policies performance 10

11 heap eval is evil window.eval = 11 function () { throw ‘Disallowed’ }; function eval function eval heap object eval foo bar

12 No postMessage : A Simple Policy? Wrapping: [[Caja, DoCoMo, AOJS, lightweightjs, Web Sandbox, …]] window.postMessage = function () {}; frame1.postMessage(“msg”, “evil.com”) Aspects: [[AspectJ]] void around(String msg, String uri) : call DOM.postMessage(String m, String u) { /* do nothing instead of call */ } … no classes in JavaScript / DOM … 12

13 function () { [native code] } function () { [native code] } function () { throw ‘exn’; } function () { throw ‘exn’; } Specifying Calls using References around(window.postMessage, function () { throw ‘exn’; }); [Object window] [Object frame] postMessage 13

14 1.Functions DOM: aroundExt(postMessage, function (pm2, m, uri) { … }); JS: aroundNat(eval, function (eval, str) { … }); User-defined: aroundFnc(foo, function (foo2, arg1) { … }); 2. Script introduction : aroundScr(function (src) { return src + ‘;’ + pol;}); inline: aroundInl(function (src) { return src + ‘;’ + pol;}); ConScript Interface 14

15 C ON S CRIPT aspects implementing aspects in IE8 checking C ON S CRIPT policies generating C ON S CRIPT policies performance 15

16 function f () { … } Problem: Implementation? Source Rewriting [[aojs, docomo, caja, sandbox, fbjs]]  50%-450% more to transfer, 30-70% slowdown  limited: native (DOM) functions, dynamic code?  big assumptions: adds parser to TCB, … 16

17 Mediating DOM Functions 17 window.postMessage frame2.postMessage JavaScript interpreter IE8 libraries (HTML, Networking, …) postMessage 0xff34e5 arguments: “hello”, “evil.com” calladvice aroundExt(window.postMessage, off 0xff34e5 off ); advice dispatch [not found] 0xff34e5

18 function advice1 (foo2) { if (ok()) { foo2(); } else throw ‘exn’; } function advice1 (foo2) { if (ok()) { foo2(); } else throw ‘exn’; } function foo () { } Resuming Calls 18 1.function (eval, str) { if (ok(str)) { bless(); return eval(str); } else throw ‘exn’; } 3. function (eval, str) { if (ok(str)) return eval(str); else { curse(); throw ‘exn’; }} function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw ‘exn’; } function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw ‘exn’; } function foo () { } advice on advice off bless() temporarily disables advice for next call

19 Optimizing the Critical Path 19 function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw ‘exn’; } function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw ‘exn’; } function foo () { } advice on function advice3 (foo2) { if (ok()) foo2(); else { curse(); throw ‘exn’; } } function advice3 (foo2) { if (ok()) foo2(); else { curse(); throw ‘exn’; } } function foo () { } advice off advice on calling advice turns advice off for next call curse() enables advice for next call

20 C ON S CRIPT aspects implementing aspects in IE8 checking C ON S CRIPT policies generating C ON S CRIPT policies performance 20

21 Basic Usage Yelp.com: main.js, index.html … jQuery.js … adSense.js … GoogleMaps.js … OpenID_API.js 21 script whitelist no eval no innerHTML no hidden frames only HTTP cookies no inline scripts SURGEON GENERAL’S WARNING Policies are written in a small JavaScript subset. Applications only lose a few dangerous features. SURGEON GENERAL’S WARNING Policies are written in a small JavaScript subset. Applications only lose a few dangerous features.

22 Policy Integrity Objects defined with policy constructors do not flow out Old Policy around(postMessage, function (m, url) { w = {“msn.com”: true}; … 22

23 Policy Integrity Objects defined with policy constructors do not flow out Old Policy around(postMessage, function (m, url) { w = {“msn.com”: true}; … policy object: must protect unknown: do not pass privileged objects! 23

24 Policy Integrity Objects defined with policy constructors do not flow out Old Policy around(postMessage, function (m, url) { w = {“msn.com”: true}; … User Exploit postMessage(“”, “msn.com”); w[“evil.com”] = 1; postMessage(“”, “evil.com”); 24

25 Policy Integrity Objects defined with policy constructors do not flow out New Policy around(postMessage, function (m, url) { window.w = {“msn.com”: true}; … User Exploit postMessage(“”, “msn.com”); w[“evil.com”] = 1; postMessage(“”, “evil.com”); var w 25

26 Policy Integrity Objects defined with policy constructors do not flow out New Policy around(postMessage, function (m, url) { window.w = {“msn.com”: true}; … policy object: must protect unknown: do not pass privileged objects! var w 26

27 Maintaining Integrity 1.Policy objects do not leak out of policies 2.Access path integrity of calls (no prototype hijacking) ML-style type inference –  basic – program unmodified –  only manually tested on policies JavaScript interpreter support – call(ctx, fnc, arg1, …), hasOwnProperty(obj, “fld”) – caller 27

28 Transparency If running with policies throws no errors – … for same input, running without should be safe – empty advice should not be functionally detectable Difficult with wrapping or rewriting – Function.prototype.apply, exn.stacktrace, myFunction.callee, arguments.caller, myFunction.toString, Function.prototype.call – correctness vs. compatibility vs. performance … Simpler at interpreter level – rest up to developer – no proof 28

29 C ON S CRIPT aspects implementing aspects in IE8 checking C ON S CRIPT policies generating C ON S CRIPT policies performance 29

30 Automatically Generating Policies Intrusion detection – can we infer and disable unneeded DOM functions? C# access modifiers – can we enforce access modifiers like private? ASP policies – can we guarantee no scripts get run in ? 30

31 Intrusion Detection 1: Learn Blacklist 31 eval new Function(“string”) postMessage XDomainRequest xmlHttpRequest … eval new Function(“string”) postMessage XDomainRequest xmlHttpRequest … log audit

32 Intrusion Detection 2: Enforce Blacklist 32

33 Enforcing C# Access Modifiers 33 class File { public File () { … } private open () { … } … C# JavaScript function File () { … } File.construct = … File.open = … … Script# compiler Script# compiler policy generator policy generator around(File, pubEntryPoint); around(File.construct, pubEntryPoint); around(File.open, privCall); ConScript

34 C ON S CRIPT aspects implementing aspects in IE8 checking C ON S CRIPT policies generating C ON S CRIPT policies performance 34

35 Performance Microbenchmarks: 1.2x (vs. 3.4x) Initialization time: 0-1% Runtime: 0-7% (vs. 30+%) File size blowup: < 1% (vs. 50+%) 35

36 Microbenchmark: Mediation Overhead 36 function advice2 (foo2) { bless(); foo2(); } function advice2 (foo2) { bless(); foo2(); } function advice3 (foo2) { foo2(); } function advice3 (foo2) { foo2(); } var raw = obj.f; obj.f = function () { raw();} var raw = obj.f; obj.f = function () { raw();} 3.42x 1.44x 1.24x

37 File Size Increase (IDS) 37

38 38 Access Modifier Enforcement Intrusion Detection System Runtime Overhead

39 Goals and Contributions 39 protect benign users by giving control to hosting site ConScript approach: aspects for security control loading and use of scripts 16 hand-written policies correct policies are hard to write proposed type system to catch common attacks implemented 2 policy generators express many policies safely built into IE 8 JavaScript interpreter runtime and space overheads under 1% (vs. 30-550%) smaller trusted computing base (TCB) browser support

40 manifest of URLs limit evalno foreign links resource blacklists no hidden frames script whitelist no URL redirection HTTP-only cookies no pop-ups enforce public vs. private Questions? 40

41 END. 41

42 Conclusion Security mechanisms should be deep & in browser –around –aroundScr, aroundInl – optimized around Expressing policies is hard – 16 handwritten policies [[TODO average size]] – designed static analysis – blacklist generator prototype – private function policy generator Policy enforcement must be cheap – file size increase: < 1% (vs. 50-104%) – initialization: could not detect! – runtime: could not detect! 42

43 Integrity 2/2: No Hijacked Calls objects defined with policy constructors do not flow out Old Policy around(window.eval, function (oldEval, str) { var hash = str.reverse(); … User Exploit String.prototype.reverse = function () { return “forged”; }; eval(“alert()”); 43

44 Integrity 2/2: No Hijacked Calls objects defined with policy constructors do not flow out Old Policy around(window.eval, function (oldEval, str) { var hash = str.reverse(); … policy object: privileged, callable object environment object: untrusted, unhijacked ( directly callable ) unknown: untrusted, uncallable object 44

45 Integrity 2/2: No Hijacked Calls objects defined with policy constructors do not flow out New Policy around(window.eval, function (oldEval, str) { var hash = str.reverse(); … User Exploit String.prototype.reverse = function () { return “forged”; }; eval(“alert()”); var r = “”.reverse; call(str, r) 45

46 Integrity 2/2: No Hijacked Calls objects defined with policy constructors do not flow out New Policy around(window.eval, function (oldEval, str) { var hash = str.reverse(); … policy object: privileged, callable object environment object: untrusted, unhijacked ( directly callable) unknown: untrusted, uncallable object var r = “”.reverse; call(str, r) 46

Download ppt "ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo Meyerovich UC Berkeley Benjamin Livshits Microsoft."

Similar presentations

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.

JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.
The Case for JavaScript Transactions Mohan Dhawan, Chung-chieh Shan, Vinod Ganapathy Department of Computer Science Rutgers University PLAS 2010.

The Case for JavaScript Transactions Mohan Dhawan, Chung-chieh Shan, Vinod Ganapathy Department of Computer Science Rutgers University PLAS 2010.
0 The Past, Present and Future of XSS Defense Jim Manico 2011 OWASP Brussels.

0 The Past, Present and Future of XSS Defense Jim Manico 2011 OWASP Brussels.
1 CSC 551: Web Programming Spring 2004 client-side programming with JavaScript  scripts vs. programs  JavaScript vs. JScript vs. VBScript  common tasks.

1 CSC 551: Web Programming Spring 2004 client-side programming with JavaScript  scripts vs. programs  JavaScript vs. JScript vs. VBScript  common tasks.
WEAVING CODE EXTENSIONS INTO JAVASCRIPT Benjamin Lerner, Herman Venter, and Dan Grossman University of Washington, Microsoft Research.

WEAVING CODE EXTENSIONS INTO JAVASCRIPT Benjamin Lerner, Herman Venter, and Dan Grossman University of Washington, Microsoft Research.
GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.

GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
1 Yinzhi Cao, Zhichun Li *, Vaibhav Rastogi, Yan Chen, and Xitao Wen Labs of Internet Security and Technology Northwestern University * NEC Labs America.

1 Yinzhi Cao, Zhichun Li *, Vaibhav Rastogi, Yan Chen, and Xitao Wen Labs of Internet Security and Technology Northwestern University * NEC Labs America.
Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.

Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
1 14th ACM Conference on Computer and Communications Security, Alexandria, VA Shuo Chen †, David Ross ‡, Yi-Min Wang † † Internet Services Research Center.

1 14th ACM Conference on Computer and Communications Security, Alexandria, VA Shuo Chen †, David Ross ‡, Yi-Min Wang † † Internet Services Research Center.
Mashup Security by Compilation Tamara Rezk These slides discuss joint work with Zhengqin Luo and Jose Santos February 22 nd, 2013.

Mashup Security by Compilation Tamara Rezk These slides discuss joint work with Zhengqin Luo and Jose Santos February 22 nd, 2013.
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.

Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
An Empirical Study on the Rewritability of the with Statement in JavaScript Changhee Park (Joint work with Hongki Lee and Sukyoung Ryu) KAIST October.

An Empirical Study on the Rewritability of the with Statement in JavaScript Changhee Park (Joint work with Hongki Lee and Sukyoung Ryu) KAIST October.
1 Extensible Security Architectures for Java Authors: Dan S.Wallch, Dirk Balfanz Presented by Moonjoo Kim.

1 Extensible Security Architectures for Java Authors: Dan S.Wallch, Dirk Balfanz Presented by Moonjoo Kim.
Aaron Blankstein and Michael J. Freedman Princeton University Tuan Tran.

Aaron Blankstein and Michael J. Freedman Princeton University Tuan Tran.
Best and Worst Practices Building RIA from Adobe and Microsoft.

Best and Worst Practices Building RIA from Adobe and Microsoft.
Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)

Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)

Similar presentations

Ads by Google