Access Control in JavaScript

Uploaded by mallika-mewar, posted on 02-Aug-2015

TRANSCRIPT

A SEMINAR ON ACCESS CONTROL IN JAVASCRIPT

PRESENTED BY MALLIKA MEWAR

INTRODUCTION TO JAVASCRIPT:

History:

Created by Netscape programmer Brendan Eich.

First known as LiveScript.

Renamed JavaScript on 4th December 1995.

What is JavaScript???

Prototype-based scripting language (a style of OOP wherein classes are not present and inheritance is performed via cloning).

Dynamic.

Where is it used???

Primarily used as client-side JavaScript, which lets the user interact with the page.

Provides a rich effect to personalized start pages such as those on iGoogle & My Yahoo!

C, Java & JavaScript …

Has a syntax influenced by that of C.

Copies many naming conventions and names from Java.

Otherwise, the two languages (Java and JavaScript) are totally unrelated.

NEED FOR SECURITY IN JAVASCRIPT:

Third-party JavaScript code.

Such code modifies the page layout and functionality.

Thus, a third party may be a THREAT!!!

• However, JavaScript includes only basic access control features, which are not enough.

• Help must be taken from tools such as runtime libraries.

• One such library is EASY ACCESS CONTROL, i.e. ZAC.

PREVIOUS & CURRENT SOLUTIONS…

Name            Enforcement        Based On              Extensible   Specification   Granularity
ADSafe          Static             Static Analysis       No           None            Script
FBJS            Static + Dynamic   Object Wrappers       No           None            Page
Browsershield   Dynamic            Program Monitoring    Yes          Blacklisting    Page
Caja            Static + Dynamic   Object Capabilities   Yes          Whitelisting    Script

Then Why ZAC???

PRINCIPLE OF ZAC:

Foreign code can access ANY feature of JavaScript, including "the EVIL eval()" (which evaluates or executes its argument), and can access every reference to any object in the system.

However, the access control policy assigned to the foreign code DURING LOAD forbids dangerous actions before they happen at runtime.

FEATURES OF ZAC:

Dynamic Enforcement of Policies:

Enables execution of safe programs that use unsafe constructs.

This feature is present in ADSafe.

Dynamic Aspect Oriented Programming:

Policies in ZAC are based on dynamic AOP (a programming paradigm that aims to improve modularity).

Enables the policies to reason about the program execution in its entirety.

Extensible Access Control Specifications:

Employed by ZAC because:

Different usage scenarios => different usage requirements.

This feature is present in Browsershield as well as Caja.

Object Level Granularity … THIS IS WHY ZAC!!!

This feature is unique to ZAC.

Different policies can co-exist for different scripts in a web page.

Secure interaction among scripts is enabled.

Objects from one script can use objects from another script.

THUS … ZAC IS:

OLD + NEW

HOW IT WORKS??? ZAC is based on two major approaches:

1. Blacklisting

2. Aspect Oriented Programming (AOP)

Blacklisting:

Specifies which system resources entities CANNOT access (whitelisting, by contrast, specifies which system resources entities CAN access).

Although whitelisting is a better architecture, blacklisting has been far more successfully used in practice.

Aspect Oriented Programming:

Is a programming paradigm (a fundamental style of computer programming).

Aims to increase modularity (breaking down program functions into modules) by allowing the separation of cross-cutting concerns (parts of a program which rely on or must affect other parts of a system).

WHAT IS DONE … & WHAT CAN BE DONE???

DEFAULT ACCESS CONTROL POLICY:

• ZAC comes with a predefined set of restrictions, i.e. the Default Access Control Policy.

DEFINING NEW POLICIES:

• Each restriction in a policy is targeted to restrict access to common sensitive resources.

• It is possible to define a whole new set of policies, i.e. restrictions, in ZAC.

• This gives control to the developer.
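The load-time policy and runtime enforcement described in the slides above, as an added example (not ZAC's or AspectScript's own code): a Proxy turns every property read and method call on a shared object into a join point, and a per-script blacklist is consulted before the access proceeds. The host object, script names and policies are constructed for illustration.

```javascript
// Added example (not ZAC's or AspectScript's own code): each foreign script gets a
// blacklist policy at load time, and every property read or method call on a shared
// object is a join point at which that script's policy is checked first.

// Constructed host object standing in for page state third-party scripts may touch.
function makeHost() {
  return {
    cookie: "session=abc123",             // sensitive
    title: "Start page",
    setTitle(t) { this.title = t; },
    eval(src) { return (0, eval)(src); }, // the "EVIL eval()" of the slides
  };
}

// One blacklist per script (object level granularity): member names it must not use.
const policies = { "ads.js": ["cookie", "eval", "setTitle"], "widget.js": ["eval"] };

// Wrap `target` for `script`; `audit` collects denied accesses for the page owner.
function restrict(target, script, audit) {
  const deny = new Set(policies[script] || []);
  const check = (prop) => {
    if (!deny.has(prop)) return;
    audit.push(`${script} denied ${prop}`);
    throw new Error(`${script}: access to '${prop}' forbidden by policy`);
  };
  return new Proxy(target, {
    get(obj, prop) {
      check(prop);
      const v = Reflect.get(obj, prop);
      return typeof v === "function" ? v.bind(obj) : v; // methods run on the real host
    },
    set(obj, prop, value) { check(prop); return Reflect.set(obj, prop, value); },
  });
}

// Run a foreign script body under its policy and report what it managed to do.
function runForeign(script, body, host, audit) {
  try { return { ok: true, value: body(restrict(host, script, audit)) }; }
  catch (e) { return { ok: false, error: e.message }; }
}

function demo() {
  const host = makeHost(), audit = [];
  const adsCookie = runForeign("ads.js", (h) => h.cookie, host, audit);       // denied
  const widgetCookie = runForeign("widget.js", (h) => h.cookie, host, audit); // allowed
  const widgetTitle = runForeign("widget.js", (h) => { h.setTitle("Hi"); return h.title; }, host, audit);
  const widgetEval = runForeign("widget.js", (h) => h.eval("1 + 1"), host, audit); // denied
  return { adsCookie, widgetCookie, widgetTitle, widgetEval, audit, title: host.title };
}
```

Two scripts on the same page run under different policies against the same object, and the denial is raised before the sensitive action happens rather than after.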

ADVANTAGES:

• Combines useful features from various approaches.

• Allows object level granularity.

• Thus, allows powerful access control.

DISADVANTAGES:

• The approach of AspectScript (AOP), on which ZAC is based, is still in its development phase.

FUTURE SCOPE & CONCLUSION:

• There is still scope for improvement in the per-object restrictions that ZAC provides.

• Yet, ZAC provides a first step towards a solution for powerful security in JavaScript.

THANK YOU

QUESTIONS???