Gatekeeper: Mostly Static Enforcement of Security & Reliability Policies for JavaScript Code. Ben Livshits, Salvatore Guarnieri.


1 Gatekeeper: Mostly Static Enforcement of Security & Reliability Policies for JavaScript Code
Ben Livshits, Salvatore Guarnieri

2 Widgets are everywhere
Widget sources (web and desktop):
  - Live web widgets
  - Google/IG web widgets
  - Vista Sidebar desktop widgets
  - …
Lots of widget producers
Various levels of quality and trust
A web widget is a portable chunk of code that can be installed and executed within any separate HTML-based web page by an end user without requiring additional compilation. They are derived from the idea of code reuse. Other terms used to describe web widgets include: gadget, badge, module, webjit, capsule, snippet, mini and flake. Web widgets usually but not always use DHTML, JavaScript, or Adobe Flash.

3 Motivation & Project Goals

4 Widget host is interested in ensuring widget security and quality
Bad widgets: host is blamed
Widget checking eliminates issues for users
Static analysis advantage: all paths, no overhead, detect early

5 Gatekeeper: Protecting the Widget Host

6 Gatekeeper Contributions
Propose a statically analyzable subset, JavaScript SAFE
Propose the first points-to analysis for JavaScript
Formulate 9 security and reliability policies using Datalog:
  – restricting widget capabilities
  – making sure built-in objects are not modified
  – preventing code injection attempts, etc.
Evaluation on 8,000+ publicly available JavaScript widgets:
  – Live.com
  – Vista Sidebar, and
  – Google
We flag a total of 1,341 policy violations spanning 684 widgets, with 113 false positives affecting only two widgets.

7 Techniques

8 Basic Approach
Represent the program as a database of facts
  – Normalize the JavaScript program AST
  – Introduce temporaries as necessary
  – Store facts in a compressed form
Query this database using Datalog
  – This is how all analyses are implemented
  – Implement a points-to analysis to reason about the program heap
  – A very declarative, extensible approach
  – Propose 9 different analyses/policies

9 Gatekeeper Architecture

10 Enemies of Static Analysis
  var x = new Object();
  x[a+b] =...;

11 Start with Entire JavaScript…
EcmaScript-262

12 Remove eval & Friends…
EcmaScript 262
  - eval
  - setTimeout
  - setInterval
  - Function
  - with
  - arguments array
  - [innerHtml]
  -----------------------
  = JavaScript GK

13 Remove Unresolved Array Accesses…
EcmaScript 262
JavaScript GK
  - non-const array access a[x+y]
  --------------------------------
  = JavaScript SAFE

14 Now, this is Amenable to Analysis!
EcmaScript 262, JavaScript GK, JavaScript SAFE
JavaScript SAFE
  s ::=
    // assignments
    v1=v2
    v = bot
    return v
    // calls
    v = new v0(v1,…,vn)
    v=v0(vthis,v1,…,vn)
    // heap
    v1=v2.f
    v1.f=v2
    // declarations
    v=function(v1,…,vn){s}
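The basic approach from slide 8 applied to the JavaScript SAFE statement forms above, as an added example (not Gatekeeper's own rules or code): assignment, heap store/load and call facts are solved to a fixpoint the way a Datalog engine would, then queried for call sites that may reach `alert` through an alias. The relation names, abstract object labels and the sample widget are constructed for illustration; it assumes a flow- and context-insensitive analysis that models call targets only.

```javascript
// Constructed facts for this normalized widget (not from the talk):
//   a = alert; o = new Object(); p = o; p.f = a; g = o.f; g(this, msg); show(this, msg);
const FACTS = {
  alloc:  [["alert", "h_alert"], ["o", "h_obj"], ["show", "h_show"]], // v -> abstract object
  assign: [["a", "alert"], ["p", "o"]],        // v1 = v2
  store:  [["p", "f", "a"]],                   // v1.f = v2
  load:   [["g", "o", "f"]],                   // v1 = v2.f
  call:   [["site1", "g"], ["site2", "show"]], // call site -> callee variable
};

const setOf = (map, key) => {
  if (!map.has(key)) map.set(key, new Set());
  return map.get(key);
};
// Copy src into dst; report whether dst grew (drives the fixpoint loop).
const addAll = (dst, src) => {
  const before = dst.size;
  for (const h of src) dst.add(h);
  return dst.size > before;
};

// Flow- and context-insensitive points-to: apply the rules until nothing changes.
function pointsTo(facts) {
  const pts = new Map();  // variable -> abstract objects it may reference
  const heap = new Map(); // "object.field" -> abstract objects stored there
  for (const [v, h] of facts.alloc) setOf(pts, v).add(h);
  let changed = true;
  while (changed) {
    changed = false;
    for (const [dst, src] of facts.assign)
      changed = addAll(setOf(pts, dst), setOf(pts, src)) || changed;
    for (const [base, f, src] of facts.store)
      for (const h of setOf(pts, base))
        changed = addAll(setOf(heap, `${h}.${f}`), setOf(pts, src)) || changed;
    for (const [dst, base, f] of facts.load)
      for (const h of [...setOf(pts, base)])
        changed = addAll(setOf(pts, dst), setOf(heap, `${h}.${f}`)) || changed;
  }
  return pts;
}

// Policy query: call sites whose callee may reference a forbidden object.
function violations(facts, forbidden) {
  const pts = pointsTo(facts);
  return facts.call
    .filter(([, callee]) => [...setOf(pts, callee)].some((h) => forbidden.has(h)))
    .map(([site]) => site);
}

console.log(violations(FACTS, new Set(["h_alert"]))); // [ 'site1' ]
```

A check that only looks for the identifier `alert` at call sites would miss `site1`, since the callee there is `g`; the points-to sets are what connect `g` back to the built-in.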

15 Two language subsets: JavaScript SAFE and JavaScript GK
JavaScript SAFE – can analyze fully statically without resorting to runtime checks
JavaScript GK – need basic instrumentation to prevent runtime code introduction

16 JavaScript Language Features

17 TODO: discussion of 1) prototypes and 2) safe reflection

18 Analysis Process
[Diagram labels: JavaScript AST, IR, Normalizer, Output to Datalog, BDDBDDB solver, Datalog analysis rules, Analysis Results]

19 Converting JavaScript Statements to Facts

20 Pointer Analysis Inference Rules

21 Experimental Results

22 Widget Corpus
Collected by scraping widget galleries

23 Language Subsets in Practice

24 Policies for Widget Security & Reliability

25 Query Results
1,210 violations total

Query              Live [2,714]   Sidebar [4,501]   Google [1,171]
Alert                    87             287               81
Frozen Violation          3             114               19
document.write            5             175              158
Location change          59             192               30
Totals                  154             768              288

26 Conclusions
Static analysis for JavaScript
Technique: points-to analysis
Focus: analyzing widgets
We feel that static analysis of JavaScript is a key building block for enabling an environment in which code from different parties can safely co-exist and interact

