1 / 29

ConScript

ConScript. Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser. Leo Meyerovich UC Berkeley. Benjamin Livshits Microsoft Research. Complications. Benign but buggy: who is to blame?. Code constantly evolving How do we maintain quality?.

preston-kline
Download Presentation

ConScript

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo Meyerovich UC Berkeley Benjamin Livshits Microsoft Research

  2. Complications Benign but buggy: who is to blame? Code constantly evolving How do we maintain quality? Downright malicious Prototype hijacking

  3. Developer’s Dilemma

  4. Only Allow eval of JSON • Idea for a policy: • Parse input strings instead of running them • Use ConScript to adviseeval calls • AspectJ advice for Java • How to do advice in JavaScript? • No classes to speak of eval(“([{‘hello’: ‘Oakland’}, 2010])”) void aroundcallWindow::eval (String s) { … } eval(“(xhr.open(‘evil.com’);)”)

  5. Advising Calls is Tricky ConScript approach • Deep advice for complete mediation • Implemented within the browser for efficiency and reliability = function allowJSON() { … } window.eval heap stack function allowJSON window object eval document window eval x function eval y z … frames[0] frame object eval

  6. Example of Applying Advice in ConScript 1. <SCRIPTSRC=”facebook.js"POLICY=" 2. var substr = String.prototype.substring; 3. var parse = JSON.parse; 4. around(window.eval, 5. function(oldEval, str) { 6. var str2 = uCall(str, substr, 1, 7. str.length - 1); 8. var res = parse(str2); 9. if (res) return res; 10. else throw "eval only for JSON"; 11. } );">

  7. Contributions of ConScript

  8. A case for aspects in browser • Implementation Correctnesschecking Expressiveness Real-world Evaluation

  9. Advising JavaScript Functions in IE8 around(paint, withBoundChecks); dog.draw(); fish.display(); heap stack function withBoundChecks fish ... ... display ... dog function paint draw

  10. This is Just the Beginning… • Not just JavaScript functions • native JavaScript calls: Math.round, … • DOM calls: document.getElementById, … • Not just functions… • script introduction • … • Optimizations • Blessing • Auto-blessing

  11. A case for aspects in browser Correctnesschecking • Type system Expressiveness Real-world Evaluation

  12. Policies are Easy to Get Wrong toString redefinition! 1. 2. 3. 4. 5. 6. 7. 8. 9. var okOrigin={"http://www.google.com":true}; around(window.postMessage, function (post, msg, target) { if (!okOrigin[target]) { throw’err’; } else { return post.call(this, msg, target); } }); Function.prototype poisoning! Object.prototype poisoning!

  13. How Do We Enforce Policy Correctness? Application code Policy code Modify the JavaScript interpreter introduce uCall, hasProp, and toPrimitive disable eval Propose a type system to enforce correct use of these primitives disable with, … • Unperturbed usage of legacy code • Disallow arguments.caller to avoid stack inspection (disallowed by ES5’s strict mode)

  14. Policy Type System Reference isolation • o does not leak through poisoning if f is a field • ML-like type system • Uses security labels to denote privilege levels • Enforces access path integrity and reference isolation Access path integrity for function calls • o.f remains unpoisoned if T in v : T is not poisoned

  15. A case for aspects in browser Correctnesschecking Expressiveness • Policies Real-world Evaluation

  16. ConScript Policies • 17 hand-written policies • Diverse: based on literature, bugs, and anti-patterns • Short: wrote new HTML tags with only a few lines of code • 2 automatic policy generators • Using runtime analysis • Using static analysis

  17. Paper presents 17 ConScript Policies around(document.createElement, function (c : K, tag : U) { var elt : U = uCall(document, c, tag); if (elt.nodeName == "IFRAME") throw ’err’; else return elt; });

  18. Generating Intrusion Detection Policies ConScript instrumentation Observed method calls eval new Function(“string”) postMessage XDomainRequest xmlHttpRequest … ConScript enforcement

  19. Enforcing C# Access Modifiers function File () { … } File.construct = … File.open = … … class File { public File () { … } private open () { … } … Script# compiler C# JavaScript policy generator around(File, pubEntryPoint); around(File.construct, pubEntryPoint); around(File.open, privCall); ConScript

  20. A case for aspects in browser Correctnesschecking Expressiveness Real-world Evaluation • Evaluation

  21. Experimental Evaluation

  22. DoCoMo Policy Enforcement Overhead H. Kikuchi, D. Yu, A. Chander, H. Inamura, and I. Serikov, “JavaScript instrumentation in practice,” 2008

  23. File Size Increase for Blacklisting Policy

  24. Conclusions

  25. QUESTIONS?

  26. Mediating DOM Functions window.postMessage IE8 libraries(HTML, Networking, …) JavaScript interpreter postMessage deep aspects advice dispatch 0xff34e5 0xff34e5 arguments: “hello”, “evil.com” off 0xff34e5 around(window.postMessage, off ); [not found] frame2.postMessage

  27. Resuming Calls • function (eval, str) { if (ok(str)) { • bless(); • return eval(str); • } else throw ‘exn’; } • 3. function (eval, str) { if (ok(str)) return eval(str); • else { curse(); throw ‘exn’; }} function foo () { } function foo () { } advice on advice off function advice1 (foo2) { if (ok()) { foo2(); } else throw ‘exn’; } function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw ‘exn’; } bless() temporarily disables advice for next call

  28. Optimizing the Critical Path function foo () { } function foo () { } advice off advice on advice on function advice3 (foo2) { if (ok()) foo2(); else { curse(); throw ‘exn’; } } function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw ‘exn’; } • calling advice turns advice off for next call • curse()enables advice for next call

More Related