View
30
Download
5
Category
Preview:
DESCRIPTION
ConScript. Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser. Leo Meyerovich UC Berkeley. Benjamin Livshits Microsoft Research. Complications. Benign but buggy: who is to blame?. Code constantly evolving How do we maintain quality?. - PowerPoint PPT Presentation
Citation preview
ConScriptSpecifying and Enforcing Fine-Grained Security Policies
for JavaScript in the Browser
Leo MeyerovichUC Berkeley
Benjamin LivshitsMicrosoft Research
2
Complications
3
Benign but buggy:
who is to blame?
Benign but buggy:
who is to blame? Code constantly evolving
How do we maintain quality?
Code constantly evolving
How do we maintain quality?
Downright malicious
Prototype hijacking
Downright malicious
Prototype hijacking
Developer’s Dilemma
4
Only Allow eval of JSON
5
eval(“([{‘hello’: ‘Oakland’}, 2010])”)
eval(“(xhr.open(‘evil.com’);)”)
• Idea for a policy: – Parse input strings instead of running them– Use ConScript to advise eval calls
• AspectJ advice for Java
• How to do advice in JavaScript?– No classes to speak of
void around call Window::eval (String s) { … }void around call Window::eval (String s) { … }
heap
Advising Calls is Tricky
window.eval = function allowJSON() { … }
windowobjectwindow
object
stack
function allowJSON
function allowJSON
eval
frameobjectframeobject
eval
eval
function eval
function eval
ConScript approach– Deep advice for complete mediation– Implemented within the browser for
efficiency and reliability
ConScript approach– Deep advice for complete mediation– Implemented within the browser for
efficiency and reliability
6
Example of Applying Advice in ConScript
7
1. <SCRIPT SRC=”facebook.js" POLICY="
2. var substr = String.prototype.substring;
3. var parse = JSON.parse;
4. around(window.eval,
5. function(oldEval, str) {
6. var str2 = uCall(str, substr, 1,
7. str.length - 1);
8. var res = parse(str2);
9. if (res) return res;
10. else throw "eval only for JSON";
11. } );">
Contributions of ConScript
8
9
ImplementationA case for aspects in browserA case for aspects in browser
Correctness checkingCorrectness checking
ExpressivenessExpressiveness
Real-world EvaluationReal-world Evaluation
heap
Advising JavaScript Functions in IE8
10
stack
function withBoundChecks
function withBoundChecks
function paint
function paint
around(paint, withBoundChecks);
dog.draw();
fish.display();
draw
display
This is Just the Beginning…• Not just JavaScript functions
– native JavaScript calls: Math.round, …– DOM calls: document.getElementById, …
• Not just functions…– script introduction– …
• Optimizations– Blessing – Auto-blessing
11
12
A case for aspects in browserA case for aspects in browser
Type systemCorrectness checkingCorrectness checking
ExpressivenessExpressiveness
Real-world EvaluationReal-world Evaluation
Policies are Easy to Get Wrong
var okOrigin={"http://www.google.com":true};
around(window.postMessage,
function (post, msg, target) {
if (!okOrigin[target]) {
throw ’err’;
} else {
return post.call(this, msg, target);
}
});
13
1.
2.
3.
4.
5.
6.
7.
8.
9.
toString redefinition!toString redefinition!
Function.prototype poisoning!
Function.prototype poisoning!
Object.prototype poisoning!
Object.prototype poisoning!
How Do We Enforce Policy Correctness?
Application code
• Unperturbed usage of legacy code
• Disallow arguments.caller to avoid stack inspection
(disallowed by ES5’s strict mode)
Policy code
• Modify the JavaScript interpreter– introduce uCall, hasProp,
and toPrimitive– disable eval
• Propose a type system to enforce correct use of these primitives– disable with, …
15
Policy Type System
• ML-like type system• Uses security labels to denote privilege levels• Enforces access path integrity and reference isolation
16
Reference isolation•o does not leak through poisoning if f is a fieldReference isolation•o does not leak through poisoning if f is a field
Access path integrity for function calls•o.f remains unpoisoned if T in v : T is not poisonedAccess path integrity for function calls•o.f remains unpoisoned if T in v : T is not poisoned
17
A case for aspects in browserA case for aspects in browser
Correctness checkingCorrectness checking
PoliciesExpressivenessExpressiveness
Real-world EvaluationReal-world Evaluation
ConScript Policies
• 17 hand-written policies
– Diverse: based on literature, bugs, and anti-patterns
– Short: wrote new HTML tags with only a few lines of code
• 2 automatic policy generators
– Using runtime analysis
– Using static analysis
18
Paper presents
17 ConScript
Policies
19
around(document.createElement, function (c : K, tag : U) { var elt : U = uCall(document, c, tag); if (elt.nodeName == "IFRAME") throw ’err’; else return elt; });
around(document.createElement, function (c : K, tag : U) { var elt : U = uCall(document, c, tag); if (elt.nodeName == "IFRAME") throw ’err’; else return elt; });
Generating Intrusion Detection Policies
20
ConScript instrumentationConScript instrumentation
ConScript enforcementConScript enforcement
evalnew Function(“string”)postMessageXDomainRequestxmlHttpRequest…
evalnew Function(“string”)postMessageXDomainRequestxmlHttpRequest…
Observed method calls
Observed method calls
Enforcing C# Access Modifiers
21
class File { public File () { … } private open () { … } …
C#C# JavaScriptJavaScript
function File () { … }File.construct = …File.open = ……
Script#compilerScript#
compiler
policygenerator
policygenerator
around(File, pubEntryPoint);around(File.construct, pubEntryPoint);around(File.open, privCall);
ConScriptConScript
22
A case for aspects in browserA case for aspects in browser
Correctness checkingCorrectness checking
ExpressivenessExpressiveness
EvaluationReal-world EvaluationReal-world Evaluation
Experimental Evaluation
23
DoCoMo Policy Enforcement Overhead
24
H. Kikuchi, D. Yu, A. Chander, H. Inamura, and I. Serikov, “JavaScript instrumentation in practice,” 2008
File Size Increase for Blacklisting Policy
25
Conclusions
26
QUESTIONS?
27
Mediating DOM Functions
28
window.postMessage
frame2.postMessage
JavaScript interpreterJavaScript interpreter
IE8 libraries(HTML, Networking, …)
IE8 libraries(HTML, Networking, …)
postMessagepostMessage
0xff34e5arguments: “hello”, “evil.com”
call advice
around(window.postMessage,
offoff
0xff34e5 offoff
);
advice dispatch
[not found]
0xff34e5
deep aspects
function advice1 (foo2) { if (ok()) { foo2(); } else throw ‘exn’; }
function advice1 (foo2) { if (ok()) { foo2(); } else throw ‘exn’; }
function foo () { }function foo () { }
Resuming Calls
29
function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw ‘exn’; }
function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw ‘exn’; }
function foo () { }function foo () { }
advice onadvice off
bless() temporarily disables advice for next call
Optimizing the Critical Path
30
function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw ‘exn’; }
function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw ‘exn’; }
function foo () { }function foo () { }
advice on
function advice3 (foo2) { if (ok()) foo2(); else { curse(); throw ‘exn’; } }
function advice3 (foo2) { if (ok()) foo2(); else { curse(); throw ‘exn’; } }
function foo () { }function foo () { }
advice offadvice on
• calling advice turns advice off for next call• curse() enables advice for next call
Recommended