Slide 1: ConScript
Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser
Leo Meyerovich, UC Berkeley
Benjamin Livshits, Microsoft Research
Slide 2: Web Programmability Platform
yelp.com, openid.net, adsense.com, Google Maps
Slide 3: Rich Internet Applications are Dynamic
Yelp.com: main.js … jQuery.js … adSense.js … GoogleMaps.js … OpenID_API.js
flexible runtime composition … but little control.
Slide 4: Towards Safe Programmability for the Web
Mash-ups: can't trust other people's code
Slide 5: Goals and Contributions
Control loading and use of scripts:
• protect benign users
• by giving control to hosting site
• ConScript approach: aspects for security
Express many policies safely:
• 17 hand-written policies
• correct policies are hard to write
• proposed type system to catch common attacks
• implemented 2 policy generators
Browser support:
• built into IE 8 JavaScript interpreter
• runtime and space overheads under 1% (vs. 30-550%)
• smaller trusted computing base (TCB)
Slide 6: Approach
Protect benign users by giving control to the hosting site: aspects for security
Slide 7: ConScript
• Approach
– protect benign Web users
– give control to the hosting site
• How
– Browser-supported aspects for security
Slide 8: Contributions of ConScript
A case for aspects in the browser:
• protect benign users by giving control to hosting site
• ConScript approach: aspects for security
• built into IE 8 JavaScript interpreter
Correctness checking:
• Policies are easy to get wrong
• Type system to ensure policy correctness
Expressiveness:
• 17 hand-written policies
• Comprehensive catalog of policies from literature and practice
• implemented 2 policy generators
Evaluation:
• Tested on real apps: Google Maps, Live Desktop, etc.
• runtime and space overheads under 1% (vs. 30-550%)
• smaller trusted computing base (TCB)
Slide 9: Policies
• manifest of script URLs
• HTTP-only cookies
• resource blacklists
• limit eval
• no foreign links
• no hidden frames
• script whitelist
• <noscript>
• no URL redirection
• no pop-ups
• enforce public vs. private
Slide 10: Outline
• ConScript aspects
• implementing aspects in IE8
• checking ConScript policies
• generating ConScript policies
• performance
Slide 11: eval is evil
window.eval = function () { throw 'Disallowed' };
[diagram: heap holding the window and document objects, a div, further objects (xyz…) and the eval function object, next to a stack with frames for eval, eval, foo and bar]
Slide 12: No postMessage: A Simple Policy?
Wrapping [Caja, DoCoMo, AOJS, lightweightjs, Web Sandbox, …]:
window.postMessage = function () {};
frame1.postMessage("msg", "evil.com")
Aspects [AspectJ]:
void around(String msg, String uri) : call DOM.postMessage(String m, String u) { /* do nothing instead of call */ }
… no classes in JavaScript / DOM …
Slide 13: Specifying Calls using References
around(window.postMessage, function () { throw 'exn'; });
[diagram: [Object window] and [Object frame] each have a postMessage property pointing at the native function object function () { [native code] }; the advice function () { throw 'exn'; } is attached to that function object]
Slide 14: ConScript Interface
1. Functions
– DOM: aroundExt(postMessage, function (pm2, m, uri) { … });
– JS: aroundNat(eval, function (eval, str) { … });
– User-defined: aroundFnc(foo, function (foo2, arg1) { … });
2. Script introduction
– <script>: aroundScr(function (src) { return src + ';' + pol; });
– inline: aroundInl(function (src) { return src + ';' + pol; });
Slide 15: Outline (section: implementing aspects in IE8)
Slide 16: Problem: Implementation?
function f () { … } becomes function f () { <before> … <after> }
Source Rewriting [aojs, docomo, caja, sandbox, fbjs]:
• 50%-450% more to transfer, 30-70% slowdown
• limited: native (DOM) functions, dynamic code?
• big assumptions: adds parser to TCB, …
Slide 17: Mediating DOM Functions
[diagram: window.postMessage and frame2.postMessage both resolve to the same native function, at address 0xff34e5, in the IE8 libraries (HTML, Networking, …); a call with arguments "hello", "evil.com" passes through the JavaScript interpreter's advice dispatch, which looks the address up in the advice table (initially [not found]); aroundExt(window.postMessage, …) registers advice for 0xff34e5, with the advice state starting off]
Slide 18: Resuming Calls
function advice1 (foo2) { if (ok()) { foo2(); } else throw 'exn'; }
function foo () { }
(advice on: with advice still on, the call to foo2() dispatches to the advice again)
function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw 'exn'; }
function foo () { }
(advice on, then advice off)
bless() temporarily disables advice for next call
Slide 19: Optimizing the Critical Path
function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw 'exn'; }
function foo () { }
(advice on)
function advice3 (foo2) { if (ok()) foo2(); else { curse(); throw 'exn'; } }
function foo () { }
(advice off, then advice on)
• calling advice turns advice off for next call
• curse() enables advice for next call
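The on/off advice states of slides 18 and 19 can be modelled in plain JavaScript. The following is an added example, not code from the paper or from the IE8 implementation: a real ConScript aspect attaches to the function object inside the interpreter, whereas this model returns a wrapper (`aroundFnc`) that has to replace the original reference, and `bless`/`curse` act on whichever advised function is currently executing. The `ok()` predicate, `foo`, and the "forgetful" advice are constructed for the demonstration; the forgetful variant shows why advice3 must call `curse()` before refusing.

```javascript
// Model of ConScript advice states (added example; not the interpreter implementation).
// Each advised function carries an on/off flag. Calling it with the flag on dispatches
// to the advice and turns the flag off ("autobless"), so the advice's own call to foo2
// resumes the original. Calling it with the flag off runs the original and turns the
// flag back on. bless() turns the flag off explicitly (advice2 on slide 18); curse()
// turns it back on when the advice decides not to resume (advice3 on slide 19).
let currentState = null; // state of the advised function whose advice is executing

function aroundFnc(original, advice) {
  const state = { on: true };
  function advised(...args) {
    if (!state.on) {          // advice is off for this call: resume the original
      state.on = true;
      return original.apply(this, args);
    }
    state.on = false;         // autobless: advice is off for the next call
    const saved = currentState;
    currentState = state;
    try {
      return advice.call(this, advised, ...args); // `advised` plays the role of foo2
    } finally {
      currentState = saved;
    }
  }
  return advised;
}

function bless() { if (currentState) currentState.on = false; } // disable advice for next call
function curse() { if (currentState) currentState.on = true; }  // re-enable advice for next call

// Constructed policy predicate and target function.
let allowed = true;
function ok() { return allowed; }
let fooRuns = 0;
function foo() { fooRuns++; return 'foo ran'; }

// advice3 from slide 19: resume when ok(), otherwise curse() and refuse.
const fooGuarded = aroundFnc(foo, function advice3(foo2) {
  if (ok()) return foo2();
  curse();
  throw new Error('exn');
});

// The same advice without curse(): after one refusal the flag stays off,
// so the following call bypasses the policy entirely.
const fooForgetful = aroundFnc(foo, function noCurse(foo2) {
  if (ok()) return foo2();
  throw new Error('exn');
});

function attempt(fn) { try { return fn(); } catch (e) { return e.message; } }

function demoAdviceStates() {
  fooRuns = 0;
  const trace = {};
  allowed = true;
  trace.allowed = attempt(fooGuarded);                            // 'foo ran'
  allowed = false;
  trace.denied = [attempt(fooGuarded), attempt(fooGuarded)];      // ['exn', 'exn']
  trace.forgetful = [attempt(fooForgetful), attempt(fooForgetful)]; // ['exn', 'foo ran']
  allowed = true;
  trace.runs = fooRuns;                                           // 2: one allowed, one bypass
  return trace;
}

if (typeof require !== 'undefined' && require.main === module) console.log(demoAdviceStates());
```

The `forgetful` trace is the failure mode the `curse()` call exists for: once the autobless has turned advice off, a refusing advice that does not turn it back on leaves the next call unmediated.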
Slide 20: Outline (section: checking ConScript policies)
Slide 21: Basic Usage
Yelp.com: main.js, index.html … jQuery.js … adSense.js … GoogleMaps.js … OpenID_API.js
Policies: script whitelist, no eval, no innerHTML, no hidden frames, only HTTP cookies, no inline scripts
<script src="main.js" policy="noEval()"/>
SURGEON GENERAL'S WARNING: Policies are written in a small JavaScript subset. Applications only lose a few dangerous features.
Slides 22-26: Policy Integrity
Objects defined with policy constructors do not flow out.
Old Policy:
around(postMessage, function (m, url) { w = {"msn.com": true}; …
policy object: must protect; unknown: do not pass privileged objects!
User Exploit:
postMessage("", "msn.com");
w["evil.com"] = 1;
postMessage("", "evil.com");
New Policy:
around(postMessage, function (m, url) { window.w = {"msn.com": true}; …
var w
(The slide shows the old policy's assignment as window.w, i.e. a global that page script can reach and extend, and annotates the fix with var w, keeping the whitelist local to the policy.)
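The whitelist leak of slides 22-26, as an added example that is not the paper's code: a frame object with a recording `postMessage` stands in for a real frame, advice is modelled as a plain wrapper, and the policy installs its whitelist once. The old policy's `w = {...}` with the `var` missing creates a global; this model writes `globalThis.w` explicitly so the leak is visible and the code also runs under strict mode. All names here (`makeFrame`, `installOldPolicy`, `installNewPolicy`, `runPageScript`) are constructed for the example.

```javascript
// Constructed stand-in for a frame: records the target origin of every delivered message.
function makeFrame() {
  const delivered = [];
  return { delivered, postMessage(msg, targetOrigin) { delivered.push(targetOrigin); } };
}

// Old Policy: the whitelist is a global that page script can reach and rewrite.
function installOldPolicy(frame) {
  globalThis.w = { 'msn.com': true };            // models `w = {...}` without var
  return function guardedPostMessage(m, url) {
    if (!globalThis.w[url]) throw new Error('blocked: ' + url);
    return frame.postMessage(m, url);
  };
}

// New Policy: the whitelist is a local of the policy closure and never flows out.
function installNewPolicy(frame) {
  var w = { 'msn.com': true };                   // policy object stays inside the policy
  return function guardedPostMessage(m, url) {
    if (!w[url]) throw new Error('blocked: ' + url);
    return frame.postMessage(m, url);
  };
}

// The page script from slide 24, run against a given policy; returns what the policy
// reported and which origins actually reached the frame.
function runPageScript(install) {
  delete globalThis.w;                           // fresh global state for each run
  const frame = makeFrame();
  const postMessage = install(frame);
  const results = [];
  const attempt = (m, url) => {
    try { postMessage(m, url); results.push('sent: ' + url); }
    catch (e) { results.push(e.message); }
  };
  attempt('', 'msn.com');                        // allowed by both policies
  if (globalThis.w) globalThis.w['evil.com'] = 1; // page script widens a leaked whitelist
  attempt('', 'evil.com');                       // old policy: delivered; new policy: blocked
  return { results, delivered: frame.delivered };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runPageScript(installOldPolicy));
  console.log(runPageScript(installNewPolicy));
}
```

This is exactly the property the type check of slide 27 ("policy objects do not leak out of policies") is meant to catch statically, so that a policy author does not have to find the leak by testing.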
Slide 27: Maintaining Integrity
1. Policy objects do not leak out of policies
2. Access path integrity of calls (no prototype hijacking)
• ML-style type inference
– basic
– program unmodified
– only manually tested on policies
• JavaScript interpreter support
– call(ctx, fnc, arg1, …), hasOwnProperty(obj, "fld")
– caller
Slide 28: Transparency
• If running with policies throws no errors
– … for same input, running without should be safe
– empty advice should not be functionally detectable
• Difficult with wrapping or rewriting
– Function.prototype.apply, exn.stacktrace, myFunction.callee, arguments.caller, myFunction.toString, Function.prototype.call
– correctness vs. compatibility vs. performance …
• Simpler at interpreter level
– rest up to developer
– no proof
Slide 29: Outline (section: generating ConScript policies)
Slide 30: Automatically Generating Policies
• Intrusion detection
– can we infer and disable unneeded DOM functions?
• C# access modifiers
– can we enforce access modifiers like private?
• ASP policies
– can we guarantee no scripts get run in <% echo %>?
Slide 31: Intrusion Detection 1: Learn Blacklist
eval, new Function("string"), postMessage, XDomainRequest, xmlHttpRequest, … → log → audit
Slide 32: Intrusion Detection 2: Enforce Blacklist
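The two-phase intrusion-detection generator of slides 31 and 32, as an added example that is not the paper's generator: a learning run advises each sensitive function so that every use is logged, the generator blacklists whatever the application never used, and the enforcing policy turns those functions into errors. The fake window object, the `SENSITIVE` list and the `benignApp` workload are constructed for the example, and interception is modelled by property replacement (the wrapping approach the talk contrasts with interpreter-level aspects).

```javascript
// Names the policy may decide to disable (constructed from the list on slide 31).
const SENSITIVE = ['eval', 'Function', 'postMessage', 'XDomainRequest', 'xmlHttpRequest'];

// Constructed stand-in for the DOM/global object.
function makeFakeWindow() {
  return {
    eval: (s) => 'evaluated:' + s,
    Function: (body) => () => 'fn:' + body,
    postMessage: (m, origin) => 'posted to ' + origin,
    XDomainRequest: () => 'xdr',
    xmlHttpRequest: () => 'xhr',
  };
}

// Learn mode: wrap each sensitive function so its name is appended to the audit log.
function installLearnMode(win) {
  const log = [];
  for (const name of SENSITIVE) {
    const original = win[name];
    win[name] = function (...args) { log.push(name); return original.apply(this, args); };
  }
  return log;
}

// Policy generator: anything the application never used during learning is blacklisted.
function generateBlacklist(log) {
  const used = new Set(log);
  return SENSITIVE.filter((name) => !used.has(name));
}

// Enforce mode: the generated policy replaces blacklisted functions with advice that throws.
function installEnforceMode(win, blacklist) {
  for (const name of blacklist) {
    win[name] = function () { throw new Error('policy: ' + name + ' disallowed'); };
  }
}

// Constructed benign workload: posts a message and issues an XHR, nothing else.
function benignApp(win) {
  win.postMessage('hello', 'https://example.invalid');
  win.xmlHttpRequest();
}

function demoIntrusionDetection() {
  // Phase 1: learn on an instrumented window and generate the blacklist.
  const learnWin = makeFakeWindow();
  const log = installLearnMode(learnWin);
  benignApp(learnWin);
  const blacklist = generateBlacklist(log);        // ['eval', 'Function', 'XDomainRequest']
  // Phase 2: enforce on a fresh window; learned behaviour keeps working, the rest is blocked.
  const prodWin = makeFakeWindow();
  installEnforceMode(prodWin, blacklist);
  const outcome = {};
  benignApp(prodWin);
  outcome.benign = 'ok';
  try { prodWin.eval('1'); outcome.eval = 'allowed'; } catch (e) { outcome.eval = 'blocked'; }
  return { blacklist, outcome };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demoIntrusionDetection());
```

The quality of the generated policy is bounded by the coverage of the learning runs: a code path the audit never exercised will be blocked in production, which is the usual trade-off of learned allow-lists and the reason the audit step sits between logging and enforcement on the slides.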
Slide 33: Enforcing C# Access Modifiers
C#: class File { public File () { … } private open () { … } …
→ Script# compiler →
JavaScript: function File () { … } File.construct = … File.open = … …
→ policy generator →
ConScript: around(File, pubEntryPoint); around(File.construct, pubEntryPoint); around(File.open, privCall);
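The generated access-modifier policy of slide 33, as an added example that is not the paper's generator or its Script# output. In place of the interpreter's `caller` support (slide 27), this model assumes a depth counter: `pubEntryPoint` advice counts public entry points of the class currently on the stack, and `privCall` advice refuses when that count is zero. The `makeFileClass` stand-in, the `modifiers` table and `applyAccessPolicy` are constructed for the example; only the member advice is shown, not the advice on the constructor itself.

```javascript
// Constructed stand-in for the Script#-style output of the C# File class.
function makeFileClass() {
  const File = function () { return 'constructed'; };
  File.open = function () { return 'opened'; };          // private in C#
  File.construct = function () { return File.open(); };  // public in C#; calls the private member
  return File;
}

// What the C# compiler knows about each member; the generator reads this table.
const modifiers = { construct: 'public', open: 'private' };

// Policy generator + enforcement: public members become entry points, private members
// may only run while some public entry point of the same class is on the stack.
function applyAccessPolicy(cls, modifiers) {
  let depth = 0; // public entry points of cls currently executing (model of `caller`)
  const pubEntryPoint = (original) => function (...args) {
    depth++;
    try { return original.apply(this, args); } finally { depth--; }
  };
  const privCall = (name, original) => function (...args) {
    if (depth === 0) throw new Error('private ' + name + ' called from outside File');
    return original.apply(this, args);
  };
  for (const [name, mod] of Object.entries(modifiers)) {
    cls[name] = mod === 'public' ? pubEntryPoint(cls[name]) : privCall(name, cls[name]);
  }
}

function demoAccessModifiers() {
  const File = makeFileClass();
  applyAccessPolicy(File, modifiers);
  const viaPublic = File.construct();   // 'opened': private call made from a public entry point
  let direct;
  try { direct = File.open(); } catch (e) { direct = e.message; } // refused from outside
  return { viaPublic, direct };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demoAccessModifiers());
```

The counter is a coarse approximation of a real caller check: a callback invoked by untrusted code while a public method is still on the stack would also be treated as "inside" the class, which is why the interpreter-level `caller` support listed on slide 27 matters for this policy.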
Slide 34: Outline (section: performance)
Slide 35: Performance
Microbenchmarks: 1.2x (vs. 3.4x)
Initialization time: 0-1%
Runtime: 0-7% (vs. 30+%)
File size blowup: < 1% (vs. 50+%)
Slide 36: Microbenchmark: Mediation Overhead
wrap:
var raw = obj.f; obj.f = function () { raw(); }
bless:
function advice2 (foo2) { bless(); foo2(); }
autobless:
function advice3 (foo2) { foo2(); }
[bar chart, y-axis 0 to 4: slowdown factor wrap 3.42x, bless 1.44x, autobless 1.24x]
Slide 37: File Size Increase (IDS)
[bar chart, y-axis 0.0 to 11.0, grouped by MSN, GMail and Google Maps for ConScript, Docomo, Caja and Sandbox; values as plotted: 1.0, 1.7, 4.8, 1.2, 1.0, 1.5, 3.9, 10.4, 1.0, 1.5, 4.4, 1.5]
Slide 38: Runtime Overhead
Intrusion Detection System, ConScript vs. DoCoMo (JavaScript rewriting), y-axis 0% to 80%:
[bar chart: Google Maps (183ms), MSN (439ms), GMail (736ms); values as plotted: ConScript 7%, 1%, 0%; DoCoMo 30%, 73%, 63%]
Access Modifier Enforcement, runtime (ms), y-axis 0 to 400:
[bar chart: Application Loading: Uninstrumented 291.05, Secured Private Methods 297.45; Opening a Folder: Uninstrumented 155.5, Secured Private Methods 156.9]
Slide 39: Goals and Contributions
Control loading and use of scripts:
• protect benign users
• by giving control to hosting site
• ConScript approach: aspects for security
Express many policies safely:
• 16 hand-written policies
• correct policies are hard to write
• proposed type system to catch common attacks
• implemented 2 policy generators
Browser support:
• built into IE 8 JavaScript interpreter
• runtime and space overheads under 1% (vs. 30-550%)
• smaller trusted computing base (TCB)
Slide 40: Questions?
Policies: manifest of URLs, limit eval, no foreign links, resource blacklists, no hidden frames, script whitelist, <noscript>, no URL redirection, HTTP-only cookies, no pop-ups, enforce public vs. private
[collage of the evaluation charts from slides 36-38, plus the microbenchmark workloads: Math.tan(5), eval("1"), eval("if (true) true; false"), document.getElementsByTagName..., document.createElement("div"), function () {} (10x more iterations), add1(1) (10x more iterations)]
Slide 41: END.