conscript - ieee symposium on security and privacy...
TRANSCRIPT
![Page 1: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/1.jpg)
ConScript
Specifying and Enforcing Fine-‐Grained Security Policies
for JavaScript in the Browser
Leo Meyerovich UC Berkeley
Benjamin Livshits MicrosoD Research
![Page 2: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/2.jpg)
2
![Page 3: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/3.jpg)
ComplicaFons
3
Benign but buggy:
who is to blame? Code constantly
evolving
How do we maintain quality?
Downright malicious
Prototype hijacking
![Page 4: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/4.jpg)
Developer’s Dilemma
4
Other people’s code can’t be
trusted
Mashups mean including code
![Page 5: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/5.jpg)
Only Allow eval of JSON
5
eval(“([{‘hello’: ‘Oakland’}, 2010])”)
eval(“(xhr.open(‘evil.com’);)”)
• Idea for a policy: – Parse input strings instead of running them – Use ConScript to advise eval calls
• AspectJ advice for Java
• How to do advice in JavaScript? – No classes to speak of
void around call Window::eval (String s) { … }
![Page 6: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/6.jpg)
Only Allow eval of JSON
6
eval(“([{‘hello’: ‘Oakland’}, 2010])”)
eval(“(xhr.open(‘evil.com’);)”)
![Page 7: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/7.jpg)
heap
Advising Calls is Tricky
window.eval = function allowJSON() { … }
window object
document window
x y z …
frames[0]
stack
eval
funcZon eval
7
![Page 8: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/8.jpg)
heap
Advising Calls is Tricky
window.eval = function allowJSON() { … }
window object
document window
x y z …
frames[0]
stack
funcZon allowJSON
eval
funcZon eval
8
![Page 9: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/9.jpg)
heap
Advising Calls is Tricky
window.eval = function allowJSON() { … }
window object
document window
x y z …
frames[0]
stack
funcZon allowJSON
eval
frame object
eval funcZon eval
9
![Page 10: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/10.jpg)
heap
Advising Calls is Tricky
window.eval = function allowJSON() { … }
window object
document window
x y z …
frames[0]
stack
funcZon allowJSON
eval
frame object
eval
eval
funcZon eval
ConScript approach – Deep advice for complete mediaZon
– Implemented within the browser for efficiency and reliability
10
![Page 11: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/11.jpg)
Example of Applying Advice in ConScript
11
1. <SCRIPT SRC=”facebook.js" POLICY=" 2. var substr = String.prototype.substring; 3. var parse = JSON.parse; 4. around(window.eval, 5. function(oldEval, str) { 6. var str2 = uCall(str, substr, 1, 7. str.length - 1); 8. var res = parse(str2); 9. if (res) return res; 10. else throw "eval only for JSON"; 11. } );">
![Page 12: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/12.jpg)
ContribuFons of ConScript
12
• Protect benign users by giving control to hosZng site • ConScript approach: browser-‐supported aspects
A case for aspects in browser
• Policies are easy to get wrong • Type system to ensure policy correctness
Correctness checking
• Wide catalog of policies from literature and pracZce • 17 concise hand-‐wriden policies • Implemented 2 policy generators
Expressiveness
• Built into IE8 JavaScript interpreter • Tested on real apps: Google Maps, Live Desktop, etc. • RunZme and space overheads under 1% (vs. 30-‐550%)
Real-‐world EvaluaFon
![Page 13: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/13.jpg)
13
ImplementaZon A case for aspects in browser
Correctness checking
Expressiveness
Real-‐world EvaluaFon
![Page 14: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/14.jpg)
heap
Advising JavaScript FuncFons in IE8
14
fish
...
...
...
dog
stack
funcZon withBoundChecks
funcZon paint
around(paint, withBoundChecks); dog.draw(); fish.display();
draw
display
![Page 15: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/15.jpg)
This is Just the Beginning…
• Not just JavaScript funcZons – naZve JavaScript calls: Math.round, … – DOM calls: document.getElementById, …
• Not just funcZons… – script introducZon – …
• OpZmizaZons – Blessing – Auto-‐blessing
15
![Page 16: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/16.jpg)
16
A case for aspects in browser
Type system Correctness checking
Expressiveness
Real-‐world EvaluaFon
![Page 17: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/17.jpg)
Policies are Easy to Get Wrong
var okOrigin={"http://www.google.com":true}; around(window.postMessage, function (post, msg, target) { if (!okOrigin[target]) { throw ’err’; } else { return post.call(this, msg, target); } });
17
1. 2. 3. 4. 5. 6. 7. 8. 9.
![Page 18: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/18.jpg)
Policies are Easy to Get Wrong
var okOrigin={"http://www.google.com":true}; around(window.postMessage, function (post, msg, target) { if (!okOrigin[target]) { throw ’err’; } else { return post.call(this, msg, target); } });
18
1. 2. 3. 4. 5. 6. 7. 8. 9.
toString redefiniFon!
Function.prototype poisoning!
Object.prototype poisoning!
![Page 19: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/19.jpg)
How Do We Enforce Policy Correctness?
ApplicaFon code
• Unperturbed usage of legacy code
• Disallow arguments.caller to avoid stack inspecZon
(disallowed by ES5’s strict mode)
Policy code
• Modify the JavaScript interpreter – introduce uCall, hasProp,
and toPrimitive – disable eval
• Propose a type system to enforce correct use of these primiZves – disable with, …
19
![Page 20: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/20.jpg)
Policy Type System
• ML-‐like type system
• Uses security labels to denote privilege levels • Enforces access path integrity and reference isola3on
20
![Page 21: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/21.jpg)
Policy Type System
• ML-‐like type system
• Uses security labels to denote privilege levels • Enforces access path integrity and reference isola3on
21
Reference isolaFon
• o does not leak through poisoning if f is a field
Access path integrity for funcFon calls
• o.f remains unpoisoned if T in v : T is not poisoned
![Page 22: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/22.jpg)
22
A case for aspects in browser
Correctness checking
Policies Expressiveness
Real-‐world EvaluaFon
![Page 23: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/23.jpg)
ConScript Policies
• 17 hand-‐wri[en policies
– Diverse: based on literature, bugs, and anZ-‐paderns
– Short: wrote new HTML tags with only a few lines of code
• 2 automaFc policy generators
– Using runZme analysis
– Using staZc analysis
23
![Page 24: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/24.jpg)
manifest of script URLs
HTTP-‐only cookies
resource blacklists
limit eval
no foreign links
no dynamic IFRAME creaZon script whitelist
<noscript>
no URL redirecZon
no pop-‐ups
enforce public vs. private
Paper presents
17 ConScript Policies
24
![Page 25: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/25.jpg)
manifest of script URLs
HTTP-‐only cookies
resource blacklists
limit eval
no foreign links
no dynamic IFRAME creaZon script whitelist
<noscript>
no URL redirecZon
no pop-‐ups
enforce public vs. private
Paper presents
17 ConScript Policies
25
around(document.createElement, function (c : K, tag : U) { var elt : U = uCall(document, c, tag); if (elt.nodeName == "IFRAME") throw ’err’; else return elt; });
![Page 26: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/26.jpg)
GeneraFng Intrusion DetecFon Policies
26
ConScript instrumentaZon
ConScript enforcement
eval new Function(“string”) postMessage XDomainRequest xmlHttpRequest …
Observed method calls
![Page 27: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/27.jpg)
Enforcing C# Access Modifiers
27
class File { public File () { … } private open () { … } …
C# JavaScript
funcZon File () { … } File.construct = … File.open = … …
Script# compiler
![Page 28: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/28.jpg)
Enforcing C# Access Modifiers
28
class File { public File () { … } private open () { … } …
C# JavaScript
funcZon File () { … } File.construct = … File.open = … …
Script# compiler
![Page 29: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/29.jpg)
Enforcing C# Access Modifiers
29
class File { public File () { … } private open () { … } …
C# JavaScript
funcZon File () { … } File.construct = … File.open = … …
Script# compiler
around(File, pubEntryPoint); around(File.construct, pubEntryPoint); around(File.open, privCall);
ConScript
![Page 30: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/30.jpg)
30
A case for aspects in browser
Correctness checking
Expressiveness
EvaluaZon Real-‐world EvaluaFon
![Page 31: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/31.jpg)
Experimental EvaluaFon
• Implemented on top of the IE 8 JavaScript interpreter • TCB increase: under 1,000 lines added to IE8’s JavaScript engine • Changed a few language constructs to disallow arguments.caller
Low adopFon barrier
• FuncZon, DOM call, eval overhead • 2.5x faster than previously published source-‐level wrapping • Advice opZmizaZons make it faster sZll
Micro-‐benchmarks
• Google Maps, MSN, Gmail, Live Desktop, Google Calendar • Hundreds of KB of JavaScript code • RunZme overhead due to ConScript advice: mostly under 1% • File size increase due to ConScript advice: under 1%
Macro-‐benchmarks
31
![Page 32: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/32.jpg)
DoCoMo Policy Enforcement Overhead
32
7% 1%
30%
73% 63%
0%
10%
20%
30%
40%
50%
60%
70%
80%
Google Maps (183ms) MSN (439ms) GMail (736ms)
RunF
me overhe
ad
ConScript DoCoMo (JavaScript rewriZng)
H. Kikuchi, D. Yu, A. Chander, H. Inamura, and I. Serikov, “JavaScript instrumentaZon in pracZce,” 2008
![Page 33: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/33.jpg)
File Size Increase for BlacklisFng Policy
33
1.0 1.7
4.8
1.2 1.0 1.5
3.9
10.4
1.0 1.5
4.4
1.5 1.0
4.0
7.0
10.0
13.0
ConScript Docomo Caja Sandbox
MSN GMail Google Maps
![Page 34: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/34.jpg)
Conclusions
34
• To provide reliable enforcement, browser changes are required and can be minimal
A case for aspects in browser
• Previous a[empts illustrate that hand-‐wri[en policies are buggy. ConScript addresses this with a type system without affecFng legacy code
Correctness checking
• Provide a catalog of 17 hand-‐wri[en policies for other researchers to use and show how polices can be generated by translators like Script#
Expressiveness
• ImplemenFng policy enforcement in the browser and not at the source level has tremendous performance advantages
Real-‐world EvaluaFon
![Page 35: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/35.jpg)
QUESTIONS?
35
![Page 36: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/36.jpg)
MediaFng DOM FuncFons
36
window.postMessage
frame2.postMessage
JavaScript interpreter
IE8 libraries (HTML, Networking, …)
postMessage
0xff34e5 arguments: “hello”, “evil.com”
call advice
around(window.postMessage,
off
0xff34e5 off
);
advice dispatch
[not found]
0xff34e5
deep aspects
![Page 37: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/37.jpg)
funcZon advice1 (foo2) { if (ok()) {
foo2(); } else throw ‘exn’; }
funcZon foo () { }
Resuming Calls
37
1. funcZon (eval, str) {
bless(); return eval(str); } else throw ‘exn’; } 3. funcZon (eval, str) { if (ok(str)) return eval(str); else {
funcZon advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw ‘exn’; }
funcZon foo () { }
advice on advice off
bless() temporarily disables advice for next call
![Page 38: ConScript - IEEE Symposium on Security and Privacy 2010oakland10.cs.virginia.edu/slides/conscript.pdf · Complicaons 3 Benignbutbuggy: whoistoblame? Codeconstantly. evolving. Howdowemaintain](https://reader033.vdocument.in/reader033/viewer/2022041420/5e1e4806686c9d6f844c04de/html5/thumbnails/38.jpg)
OpFmizing the CriFcal Path
38
funcZon advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw ‘exn’; }
funcZon foo () { }
advice on
funcZon advice3 (foo2) { if (ok()) foo2(); else { curse(); throw ‘exn’; } }
funcZon foo () { }
advice off advice on
• calling advice turns advice off for next call • curse() enables advice for next call