Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mashup Security by Compilation Tamara Rezk These slides discuss joint work with Zhengqin Luo and Jose Santos February 22 nd, 2013.

Published byConstance Gibson Modified over 9 years ago

Similar presentations

Presentation on theme: "Mashup Security by Compilation Tamara Rezk These slides discuss joint work with Zhengqin Luo and Jose Santos February 22 nd, 2013."— Presentation transcript:

1 Mashup Security by Compilation Tamara Rezk These slides discuss joint work with Zhengqin Luo and Jose Santos February 22 nd, 2013

2 Web Client Mashup Client-side web application Integrating third- party gadgets Great way for code reuse! Google Maps Gadget Integrator’s Housing Data

3 Different kind of Mashups The integrator uses the gadget as a libraryThe gadget reads state from the integrator gadget

4 Programming model Mashups written in HTML + Javascript; Two ways to include external gadgets: – Using script tag – Using frame tag

5 Script tag - oversharing Gadget has integrator privileges Full exposure JS execution environment Google Maps GadgetIntegrator’s Housing Data

6 Script tag – security violations Confidentiality violation var steal = window[“integratorSecret”] Integrity violation window[“price”] = newPrice Google Maps GadgetIntegrator’s Housing Data

7 Script tag – integrity violation var fac= function(x) { if (x <= 1) { return 1; } return x*fac(x-1); } r = fac(3); s = "alert("+r+")“ setTimeout(s, 100)

8 Script tag - integrity violation Content of http://untrusted.com/untrustedAD.js setTimeout = function() { EVIL CODE HERE }

9 Embedded frame – undersharing Gadget has no privileges Isolation of JS execution environment between integrator and gadget Same Origin Policy Google Maps GadgetIntegrator’s Housing Data X

10 Embedded frame – undersharing Isolation of JS execution: Confidentiality violation var steal = window[“integratorSecret”] Integrity violation window[“price”] = newPrice Google Maps GadgetIntegrator’s Housing Data X X

11 Script versus Frame Tag Script tag: – exposes the integrator’s JS environment – unlimited communication – not secure Frame tag: – isolates the environment of gadget and integrator – communication is limited – more secure than script In practice: sacrifice security in the name of functionality!

12 HTML5 and Inter-frame communication Frame can communicate with integrator via PostMessage: – confidentiality – authentication GadgetIntegrator listener in gadget listener in integrator

13 HTML5 and Inter-frame communication The Postmash design was proposed by Barth, Jackson, and Li [09] Put untrusted code in embedded frame; Two stub libraries; Proxy e.g. method invocation by message- passing; No need to change untrusted code !! Google Maps GadgetIntegrator’s Housing Data Stub library in gadget Stub library in integrator

14 Postmash How to transform an insecure mashup to a mashup following the Postmash design? – Manually writing two stub libraries (gadget dependent); – Manually rewriting of integrators’ code; Our proposal : automate it and characterize the security property that it enforces: Mashic Compiler [CSF’ 12]

15 Our proposal: Mashic Compiler A generic proxy and listener library – Gadget independent! Integrator transform: – Adapt to asynchronous communication, – Use the proxy library Mashic compiler – Input: insecure mashup – Output: secured mashup Proofs: – Correctness benign gadget – Security JS small-step semantics of Maffeis et al. with rules to model the same origin policy

16 Mashic compiler - Overview P g : gadget code P i : integrator code Mashic compiler I Proxy Bootstrap-I C(I) where Web(u’ ) = Listener

17 Opaque Handle Opaque Handles – Integrator’s reference to gadget’s object – E.g.: { is_handle: true id : 42} Inside gadget – 42 maps to the real object. Gadget independent! Integrator Framed gadget

18 Proxy and listener Proxy provides interfaces using opaque handles: 1.Example: GET_PROPERTY(ohandle,prop,cont) 2.Send (“get property”, ohandle, prop) via Postmessage 3.Listener reacts to message: 1.E.g. if ohandle { is_handle: true, id : 42} -> { “prop”: 4}, then listener responds with 4. 4.Proxy receives the response, applies the continuation cont to 4. Integrator Framed gadget

19 A minimal set of Proxy Interfaces GET_GLOBAL_REF – Get global property CALL_METHOD – Call a method CALL_FUNCTION – Call a function ASSIGN_PROPERTY – Property assignment General enough to encode most real-world mashups!!

20 Integrator transformation PostMessage is asynchronous; So is our proxy interface; Automated CPS transformation and call to proxy interfaces of old integrator code An example of rule

21 Realistic core JS subset Small-step core JS semantics adopted from Maffeis et al. [08]; Extended with DOM semantics and message-passing; A decorated (colored heap) semantics;

22 Decorated Semantics programs run as colored principal heaps contain objects with properties that are colored

23 Formal Guarantees Correctness guarantees: – If the gadget is benign, then the compiled mashup behaves as the original one. Security guarantees: – If the gadget is not benign, nothing “bad” can happen in the compiled mashup.

24 Benign gadget Intuitively: Integrity: A gadget does not try to write a property belonging to the integrator; Confidentiality: A gadget does not try to read a property of the integrator; Formally defined:

25 Correctness Theorem For a benign gadget, the compiled mashup reaches a final configuration indistinguishable with the one reachable from the original mashup.

26 Security Theorem For any gadget, the compiled mashup provides integrity and confidentiality for the integrator.

27 Prototype Implementation A prototype compiler written in Bigloo (a dialect of scheme) – 3.3k loc of bigloo and 0.8k loc of Javascript Applied to various mashups:

28 Benign Gadget: Passive Gadget Assumption The compiled mashup preserves the original semantics Theorem After Mashic compilation, the malicious gadget cannot read/write information belonging to the integrator. CorrectenessSecurity Mashic: Summary Plus Browser Independence Gadget Independence

29 Extending Mashic Challenge Handle Active Gadgets How? Gadgets must be allowed to access integrator objects Add an Access Control layer between gadgets and the integrator

30 Supporting Active Gadgets Integrator.js Gadget A iframe Page.html Allow two-sided communication Current Mashic Goal Add proxy and listener libraries to both the gadget iframe and to the integrator code Listener Proxy Listener Proxy Control the communication from the gadget to the integrator Uncontrolled Controlled Integrator

31 Controlling Gadget – Integrator Com. Integrator.js Gadget A iframe Page.html How? Listener Proxy Listener Proxy Uncontrolled Controlled 1 Establish a lattice of security levels 2 Assign a security level to each integrator resource 4 Check all the gadget – integrator accesses at runtime 3 Assign a security level to each gadget Confidentiality Integrity LcLc LILI LcxLILcxLI v l where l is in L c x L I ∑ : Gadgets → L c x L I Integrator Gadget A

32 Ext Mashic: Soundness and Security Benign Gadget: A gadget that only tries to access integrator information compatible with its security level Assumption The compiled mashup preserves the original semantics Theorem After Mashic compilation, the malicious gadget can only read/write integrator information compatible with its security level. CorrectenessSecurity

33 Information Flow control needed for the integrator code! (and only the integrator code)

34 Information Flow Control needed Separation of the gadget using iframe : no need to analyze gadget code Existing work on dynamic monitors (browser dependent): Hedin and Sabelfeld, 12 Austin and Flanagan, 09,10,12 Inlining of dynamic security monitors (browser independent) : Sabelfeld et al ‘’10 Chudnov and Naumann’ 10

35 Information Flow Control Labeling in JavaScript Confidentiality Integrity LcLc LILI LcxLILcxLI var o = {}; o[f()] = 1 f() is a function that returns a dynamically computed string In the final memory o has a new property unknown before execution! Static labeling is not always possible.

36 Labeling Values Original Object Runtime Labeling p 1 : v 1 p 2 : v 2 p 3 : v 3 p n : v n … Labeled Object p 1 : (v 1,,l 1 ) p 2 : (v 2, l 2 ) p 3 : (v 3, l 3 ) p n : (v n, l n ) … l o : l Security Level of the object Security levels of the object property values

37 Labeling Values and Instrumentation Source Integrator Code … if(x) { y = y + x; } else { alert(“hello world”) } Source Integrator Code … if(x.value) { l pc = x.level ˅ l pc ; y.value = y.value + x.value; y.level = x.level ˅ y.level ˅ l pc ; } else { alert(“hello world”) }

38 Labeling Values and Instrumentation Source Integrator Code … if(x) { y = y + x; } else { alert(“hello world”) } Source Integrator Code … if(x.value) { l pc = x.level ˅ l pc ; y.value = y.value + x.value; y.level = x.level ˅ y.level ˅ l pc ; } else { alert(“hello world”) } code instrumentation: a new object for each value in the program!

39 Labeling Properties Original Object Runtime Labeling p 1 : v 1 p 2 : v 2 p 3 : v 3 p n : v n … Labeled Object (p 1,l 1 ) : v 1 (p 2,l 2 ): v 2 (p n,l n ) : v n … l o : l

40 Labeling Properties Original Object Runtime Labeling p 1 : v 1 p 2 : v 2 p 3 : v 3 p n : v n … Labeled Object (p 1,l 1 ) : v 1 (p 2,l 2 ): v 2 (p n,l n ) : v n … l o : l code instrumentation: a property for each object (mapping properties of the object to labels)

41 Labeling Properties Inlining security monitors becomes more efficient (no need for an object per value in the program) Opens the path to combining dynamic and static JavaScript analysis

42 Dynamic Semantics, extracting constrains constrains

43 Conclusions Mashic Compiler: – assumption: gadgets used as libraries – correctness under assumption – security guarantees based on SOP, characterized as IF where everything in the integrator is treated as top security level – compilation: gadget and browser independent!

44 Conclusions Mashic Compiler Extension: – assumption: two way communication with AC – correctness under assumption – security guarantees based on information flow security – compilation: IF analysis for the integrator using code instrumentation gadget independence regarding IF analysis browser independence

45 Open Questions IF analysis for the integrator using code instrumentation: – Combining with static analysis? If part of the code is in a static typable subset [Maffeis 2010] then type check and instrument the rest. Gadget independence regarding IF analysis: – Still have to adapt to asynchrony of PostMessage … what’s a good solution to this? shadow pages? [Adjail 2010] Making the web ad business model secure and practical?

Download ppt "Mashup Security by Compilation Tamara Rezk These slides discuss joint work with Zhengqin Luo and Jose Santos February 22 nd, 2013."

Similar presentations

Bringing Procedural Knowledge to XLIFF Prof. Dr. Klemens Waldhör TAUS Labs & FOM University of Applied Science FEISGILTT 16 October 2012 Seattle, USA.

Bringing Procedural Knowledge to XLIFF Prof. Dr. Klemens Waldhör TAUS Labs & FOM University of Applied Science FEISGILTT 16 October 2012 Seattle, USA.
Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
Security of Multithreaded Programs by Compilation Tamara Rezk INDES Project, INRIA Sophia Antipolis Mediterranee Joint work with Gilles Barthe, Alejandro.

Security of Multithreaded Programs by Compilation Tamara Rezk INDES Project, INRIA Sophia Antipolis Mediterranee Joint work with Gilles Barthe, Alejandro.
Compiling Web Scripts for Apache Jacob Matthews Luke Hoban Robby Findler Rice University.

Compiling Web Scripts for Apache Jacob Matthews Luke Hoban Robby Findler Rice University.
JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.

JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.
The Case for JavaScript Transactions Mohan Dhawan, Chung-chieh Shan, Vinod Ganapathy Department of Computer Science Rutgers University PLAS 2010.

The Case for JavaScript Transactions Mohan Dhawan, Chung-chieh Shan, Vinod Ganapathy Department of Computer Science Rutgers University PLAS 2010.
SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.

SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.
Java Script Session1 INTRODUCTION.

Java Script Session1 INTRODUCTION.
1 CSC 551: Web Programming Spring 2004 client-side programming with JavaScript  scripts vs. programs  JavaScript vs. JScript vs. VBScript  common tasks.

1 CSC 551: Web Programming Spring 2004 client-side programming with JavaScript  scripts vs. programs  JavaScript vs. JScript vs. VBScript  common tasks.
GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.

GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
1 Yinzhi Cao, Zhichun Li *, Vaibhav Rastogi, Yan Chen, and Xitao Wen Labs of Internet Security and Technology Northwestern University * NEC Labs America.

1 Yinzhi Cao, Zhichun Li *, Vaibhav Rastogi, Yan Chen, and Xitao Wen Labs of Internet Security and Technology Northwestern University * NEC Labs America.
Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.

Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu

Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.

Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
On the Incoherencies in Web Browser Access Control Policies Authors: Kapil Singh, et al Presented by Yi Yang.

On the Incoherencies in Web Browser Access Control Policies Authors: Kapil Singh, et al Presented by Yi Yang.
IFC Inside: Retrofitting Languages with Dynamic Information Flow Control Stefan Heule, Deian Stefan, Edward Z. Yang, John C. Mitchell, Alejandro Russo.

IFC Inside: Retrofitting Languages with Dynamic Information Flow Control Stefan Heule, Deian Stefan, Edward Z. Yang, John C. Mitchell, Alejandro Russo.
Languages for Dynamic Web Documents

Languages for Dynamic Web Documents
Privacy-Preserving Browser-Side Scripting With BFlow Alexander Yip, Neha Narula, Maxwell Krohn, Robert Morris Massachusetts Institute of Technology.

Privacy-Preserving Browser-Side Scripting With BFlow Alexander Yip, Neha Narula, Maxwell Krohn, Robert Morris Massachusetts Institute of Technology.

Similar presentations

Ads by Google