Cross-Origin JavaScript Capability Leaks: Detection, Exploitation and Defense

1. Cross-Origin JavaScript Capability Leaks: Detection, Exploitation and Defense By Adam Barth, Joel Weinberger and Dawn Song

2. Overview • Current JavaScript Security Model • Cross-Origin JavaScript Capability Leaks • Capability Leak Detection • Browser Defense Mechanism

3. The DOM and Access Control

4. The DOM and Access Control

5. The JS Engine and Capabilities

6. DOM vs JS Engine • The DOM provides an access control layer • The JavaScript engine treats objects as capabilities

7. Overview • Current JavaScript Security Model • Cross-Origin JavaScript Capability Leaks • Capability Leak Detection • Browser Defense Mechanism

8. Cross-Context References

9. Cross-Context References

10. DOM meets JS Engine

11. DOM meets JS Engine

12. Overview • Current JavaScript Security Model • Cross-Origin JavaScript Capability Leaks • Capability Leak Detection • Browser Defense Mechanism

13. JavaScript Heap Inspection

14. Instrumentation • In the JavaScript Engine object system • Object creation, destruction and reference • Calls into analysis library

15. Computing JavaScript Contexts

16. Overview • Current JavaScript Security Model • Cross-Origin JavaScript Capability Leaks • Capability Leak Detection • Browser Defense Mechanism

17. Access Control Checks

18. Conclusion • Heap Graph Analysis can be used to find vulnerabilities in web browser • Web Browser can provide mechanism to eliminate these vulnerabilities • Heap Graph Tool and Access Control Prototype for WebKit: