access control in javascript
Post on 02-Aug-2015
INTRODUCTION TO JAVASCRIPT:
History:
• Created by Netscape programmer Brendan Eich.
• First known as LiveScript.
• Renamed JavaScript on 4th December 1995.
What is JavaScript???
• Prototype based scripting language: a style of OOP in which classes are not present and inheritance is performed via cloning.
• Dynamic.
Where is it used???
• Primarily used as client-side JavaScript.
• Provides rich effects for personalized start pages such as those on iGoogle & My Yahoo!
• Lets the user interact with the page.
C, Java & JavaScript …
• Has a syntax influenced by that of C.
• Copies many naming conventions and names from Java.
• Otherwise, Java and JavaScript are totally unrelated.
NEED FOR SECURITY IN JAVASCRIPT:
• Web pages include third-party JavaScript code.
• That code modifies the page layout and functionality.
• Thus, third-party code may be a THREAT!!!
• However, JavaScript includes only basic access control features, which are not enough.
• Help must be taken from tools such as runtime libraries.
• One such library is EASY ACCESS CONTROL, i.e. ZAC.
Name           Enforcement       Based On             Extensible   Specification   Granularity
ADSafe         Static            Static Analysis      No           None            Script
FBJS           Static + Dynamic  Object Wrappers      No           None            Page
Browsershield  Dynamic           Program Monitoring   Yes          Blacklisting    Page
Caja           Static + Dynamic  Object Capabilities  Yes          Whitelisting    Script
PRINCIPLE OF ZAC:
Foreign code can access ANY feature of JavaScript, including "the EVIL eval()" (which evaluates or executes its argument), and can access every reference to any object in the system.
However, the access control policy assigned to the foreign code DURING LOAD forbids dangerous actions before they happen at runtime.
FEATURES OF ZAC:
Dynamic Enforcement of Policies:
• Enables execution of safe programs that use unsafe constructs.
• This feature is present in ADSafe.
Dynamic Aspect Oriented Programming:
• Policies in ZAC are based on Dynamic AOP, a programming paradigm that aims to improve modularity.
• Enables the policies to reason about the program execution in its entirety.
Extensible Access Control Specifications:
• Employed by ZAC because different usage scenarios => different usage requirements.
• This feature is present in Browsershield as well as Caja.
Object Level Granularity … THIS IS WHY ZAC!!!
• This feature is unique to ZAC.
• Different policies can co-exist for different scripts in a web page.
• Secure interaction among scripts is enabled: objects from one script can use objects from another script.
HOW IT WORKS??? ZAC is based on two major approaches:
1. Blacklisting
2. Aspect Oriented Programming (AOP)
Blacklisting:
• Specifies which system resources entities CANNOT access (whereas whitelisting specifies which system resources entities CAN access).
• Although whitelisting is a better architecture, blacklisting has been far more successfully used in practice.
Aspect Oriented Programming:
• Is a programming paradigm, i.e. a fundamental style of computer programming.
• Aims to increase modularity (breaking down program functions into modules) by allowing the separation of cross-cutting concerns, i.e. parts of a program which rely on or must affect other parts of a system.
DEFAULT ACCESS CONTROL POLICY:
• ZAC comes with a predefined set of restrictions, i.e. the Default Access Control Policy.
DEFINING NEW POLICIES:
• Each restriction in a policy is targeted at restricting access to a common sensitive resource.
• It is possible to define a whole new set of policies, i.e. restrictions, in ZAC.
• Thus, control is given to the developer.
ADVANTAGES:
• Combines useful features from various approaches.
• Allows Object Level Granularity.
• Thus, allows powerful access control.
DISADVANTAGES:
• The approach of AspectScript (AOP), on which ZAC is based, is still in its development phase.
FUTURE SCOPE & CONCLUSION:
• There is still scope for improvement in the per-object restrictions that ZAC provides.
• Yet, ZAC provides a first step towards a solution for powerful security in JavaScript.