ConScript

ConScriptSpecifying and Enforcing Fine-Grained Security Policies

for JavaScript in the Browser

Leo MeyerovichUC Berkeley

Benjamin LivshitsMicrosoft Research

Complications

Benign but buggy:

who is to blame?

Benign but buggy:

who is to blame? Code constantly evolving

How do we maintain quality?

Code constantly evolving

How do we maintain quality?

Downright malicious

Prototype hijacking

Downright malicious

Prototype hijacking

Developer’s Dilemma

Only Allow eval of JSON

eval(“([{‘hello’: ‘Oakland’}, 2010])”)

eval(“(xhr.open(‘evil.com’);)”)

• Idea for a policy: – Parse input strings instead of running them– Use ConScript to advise eval calls

• AspectJ advice for Java

• How to do advice in JavaScript?– No classes to speak of

void around call Window::eval (String s) { … }void around call Window::eval (String s) { … }

Advising Calls is Tricky

window.eval = function allowJSON() { … }

windowobjectwindow

object

function allowJSON

frameobjectframeobject

function eval

ConScript approach– Deep advice for complete mediation– Implemented within the browser for

efficiency and reliability

ConScript approach– Deep advice for complete mediation– Implemented within the browser for

efficiency and reliability

Example of Applying Advice in ConScript

1. <SCRIPT SRC=”facebook.js" POLICY="

2. var substr = String.prototype.substring;

3. var parse = JSON.parse;

4. around(window.eval,

5. function(oldEval, str) {

6. var str2 = uCall(str, substr, 1,

7. str.length - 1);

8. var res = parse(str2);

9. if (res) return res;

10. else throw "eval only for JSON";

11. } );">

Contributions of ConScript

ImplementationA case for aspects in browserA case for aspects in browser

Correctness checkingCorrectness checking

ExpressivenessExpressiveness

Real-world EvaluationReal-world Evaluation

Advising JavaScript Functions in IE8

function withBoundChecks

function paint

around(paint, withBoundChecks);

dog.draw();

fish.display();

display

This is Just the Beginning…• Not just JavaScript functions

– native JavaScript calls: Math.round, …– DOM calls: document.getElementById, …

• Not just functions…– script introduction– …

• Optimizations– Blessing – Auto-blessing

A case for aspects in browserA case for aspects in browser

Type systemCorrectness checkingCorrectness checking

Policies are Easy to Get Wrong

var okOrigin={"http://www.google.com":true};

around(window.postMessage,

function (post, msg, target) {

if (!okOrigin[target]) {

throw ’err’;

} else {

return post.call(this, msg, target);

toString redefinition!toString redefinition!

Function.prototype poisoning!

Object.prototype poisoning!

How Do We Enforce Policy Correctness?

Application code

• Unperturbed usage of legacy code

• Disallow arguments.caller to avoid stack inspection

(disallowed by ES5’s strict mode)

Policy code

• Modify the JavaScript interpreter– introduce uCall, hasProp,

and toPrimitive– disable eval

• Propose a type system to enforce correct use of these primitives– disable with, …

Policy Type System

• ML-like type system• Uses security labels to denote privilege levels• Enforces access path integrity and reference isolation

Reference isolation•o does not leak through poisoning if f is a fieldReference isolation•o does not leak through poisoning if f is a field

Access path integrity for function calls•o.f remains unpoisoned if T in v : T is not poisonedAccess path integrity for function calls•o.f remains unpoisoned if T in v : T is not poisoned

PoliciesExpressivenessExpressiveness

ConScript Policies

• 17 hand-written policies

– Diverse: based on literature, bugs, and anti-patterns

– Short: wrote new HTML tags with only a few lines of code

• 2 automatic policy generators

– Using runtime analysis

– Using static analysis

Paper presents

17 ConScript

Policies

around(document.createElement, function (c : K, tag : U) { var elt : U = uCall(document, c, tag); if (elt.nodeName == "IFRAME") throw ’err’; else return elt; });

Generating Intrusion Detection Policies

ConScript instrumentationConScript instrumentation

ConScript enforcementConScript enforcement

evalnew Function(“string”)postMessageXDomainRequestxmlHttpRequest…

Observed method calls

Enforcing C# Access Modifiers

class File { public File () { … } private open () { … } …

C#C# JavaScriptJavaScript

function File () { … }File.construct = …File.open = ……

Script#compilerScript#

compiler

policygenerator

around(File, pubEntryPoint);around(File.construct, pubEntryPoint);around(File.open, privCall);

ConScriptConScript

EvaluationReal-world EvaluationReal-world Evaluation

Experimental Evaluation

DoCoMo Policy Enforcement Overhead

H. Kikuchi, D. Yu, A. Chander, H. Inamura, and I. Serikov, “JavaScript instrumentation in practice,” 2008

File Size Increase for Blacklisting Policy

Conclusions

QUESTIONS?

Mediating DOM Functions

window.postMessage

frame2.postMessage

JavaScript interpreterJavaScript interpreter

IE8 libraries(HTML, Networking, …)

postMessagepostMessage

0xff34e5arguments: “hello”, “evil.com”

call advice

around(window.postMessage,

offoff

0xff34e5 offoff

advice dispatch

[not found]

0xff34e5

deep aspects

function advice1 (foo2) { if (ok()) { foo2(); } else throw ‘exn’; }

function foo () { }function foo () { }

Resuming Calls

function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw ‘exn’; }

advice onadvice off

bless() temporarily disables advice for next call

Optimizing the Critical Path

function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw ‘exn’; }

advice on

function advice3 (foo2) { if (ok()) foo2(); else { curse(); throw ‘exn’; } }

advice offadvice on

• calling advice turns advice off for next call• curse() enables advice for next call

ConScript

Documents

The Quality of the Finnish Defence University s Student ... · PDF fileCompetence and Knowledge Management ... conscript training and ... Besides, in general the good performance of

Annual Report 2009 - Henkilöasiakkaat - kela.fi · PDF fileAnnual Report 2009. 5 ... that perfect performance would have been a sheer miracle. ... conscript allowance and special

Conscript Your Friends into Larger Anonymity Sets with JavaScript

Sunday - USNLP Index.docx · Web viewAttempted Desertion from the Conscript Camp:One Man Shot Dead05.07.64. ... Battle of Rich Mountain, The07.21.61. Battle of Richmond, The06.29.62

SIMSAM MEB nodesimsam.nu/wp-content/uploads/2013/11/MEB-131104-Ye.pdf · IT support, data management . ... WP 7 – To tackle performance, legal, and ethical challenges on ... Conscript

R C Confident Veteran. (i C - Flames of War...Rifle Company Reluctant confident feaRless conscRipt tRained VeteRan motivation and Skill A Panzer division had just two battalions of

The Enlivened - jeffdegraff.com · An unwilling conscript in the Great Angling Crusade, I learned early that our world is as alive as we are, animated by the dynamic signs of energy

Early vascular aging syndrome: background and proposed ......from the national military conscript register [20]. Lithell also found that impaired fetal growth was especially detrimental

CONSCRIPT: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser

Wanted: Leaders and Diagnosticians - BCG · PDF fileWanted: Leaders and Diagnosticians ... and improved performance. It is time to ... honed the skills required to conscript, feed,

VICTOR R. MC JR - Texas Tech · PDF fileVictor R. McCrary, ... NIST’s Office of the Deputy Chief Counsel and Technology Partnerships to negotiate and conscript ... High Performance

Reassessing the Fighting Performance of Conscript Soldiers ... · Reassessing the Fighting Performance of Conscript ... The reasons for such differences in behavior beg for analysis,

Conscript 2020 - PuolustusvoimatGuide+2018/0… · Conscript 2020 A guide for you who are preparing to carry out your military service. ISBN 978-951-25-3099-1 ISBN 978-951-25-3100-4

pol.illinoisstate.edu · Web viewFor example, WWI demonstrated that a well-trained conscript Germany Army could sufficiently defeat a volunteer British Army. Thus, history has shown

In reSealedDocketSheets Associated No.1 LPMf reSealedDocketSheets Associated ... debate regarding whether the government can use the Act to conscript ... and there isnopublicly available

NBER Olin Fellowship. I am indebted to (Iris Paxson for ... · PDF fileSloan School of Management ... (predominantly conscript) armies, ... productivity performance of the East Asian

Department of Electrical Engineering and Computer Science CONSCRIPT: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser

Wehrmacht Conscript

ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo Meyerovich UC Berkeley Benjamin Livshits Microsoft

Armoured SquAdron Reluctant conscRipt ompAny - Flames of · PDF fileArmoured Squadron HQ Major Major Company HQ Armoured Platoon Subaltern Subaltern HQ Tank ... Hell’s Highway, the