![Page 1: ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo Meyerovich UC Berkeley Benjamin Livshits Microsoft](https://reader030.vdocument.in/reader030/viewer/2022032709/56649eaa5503460f94baee33/html5/thumbnails/1.jpg)
ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser
Leo Meyerovich, UC Berkeley
Benjamin Livshits, Microsoft Research
Complications
• Benign but buggy: who is to blame? Code is constantly evolving; how do we maintain quality?
• Downright malicious: prototype hijacking
Developer’s Dilemma
Only Allow eval of JSON
eval('([{"hello": "Oakland"}, 2010])')    // data: should be allowed
eval("(xhr.open('evil.com'))")            // code: should be blocked
• Idea for a policy:
  – Parse input strings instead of running them
  – Use ConScript to advise eval calls
• AspectJ has advice for Java:
  void around call Window::eval (String s) { … }
• How to do advice in JavaScript? There are no classes to speak of.
Advising Calls is Tricky
window.eval = function allowJSON() { … }
[Diagram: heap holding the window object (document, window, x, y, z, …, frames[0]) and a stack frame; the property window.eval now points at allowJSON, but the original function eval is still reachable through other references, for instance frames[0] or a copy saved earlier, so replacing the property alone does not mediate every call]
• ConScript approach:
  – Deep advice for complete mediation
  – Implemented within the browser for efficiency and reliability
Example of Applying Advice in ConScript
```html
<SCRIPT SRC="facebook.js" POLICY="
  var substr = String.prototype.substring;
  var parse = JSON.parse;
  around(window.eval,
    function(oldEval, str) {
      var str2 = uCall(str, substr, 1, str.length - 1);  /* strip the wrapping parentheses */
      var res = parse(str2);
      if (res) return res;
      else throw 'eval only for JSON';
    });">
</SCRIPT>
```
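The policy above relies on ConScript's in-browser `around` and `uCall`. The following is an added example, not code from the paper or its authors: it imitates `around` with a plain property wrapper, installs the same JSON-only eval policy, and then shows why the slide calls this tricky. `makeWindow` is a constructed stand-in for the browser's window object (indirect `globalThis.eval` plays the role of `window.eval`), and `frames[0]` is assumed to hold a second reference to the same function. Note that strict JSON requires double-quoted strings, so the accepted input uses them.

```javascript
// Added example (not ConScript code): a user-level imitation of around() advice,
// applied to the slide's JSON-only eval policy, plus a demonstration of why a
// property wrapper is not complete mediation. `makeWindow` is a constructed
// stand-in for the browser's window object.
const JSON_ONLY = "eval only for JSON";

// Replace obj[name] with a wrapper; the advice gets the original function first,
// then the call's own arguments. Returns the original for the demo to keep.
function around(obj, name, advice) {
  const original = obj[name];
  obj[name] = function (...args) {
    return advice.call(this, original, ...args);
  };
  return original;
}

// The slide's policy: peel the wrapping parentheses, then parse rather than run.
// JSON.parse throws on anything that is not JSON; that becomes a policy error.
function allowJSON(oldEval, str) {
  if (typeof str !== "string") return oldEval(str); // eval(non-string) just returns it
  const inner = str.startsWith("(") && str.endsWith(")") ? str.slice(1, -1) : str;
  try {
    return JSON.parse(inner);
  } catch (e) {
    throw new Error(JSON_ONLY);
  }
}

function makeWindow() {
  // Indirect eval through globalThis stands in for the browser's window.eval.
  const win = { eval: (s) => globalThis.eval(s) };
  win.frames = [{ eval: win.eval }]; // a second path to the same function object
  return win;
}

function demo() {
  const win = makeWindow();
  const savedEval = win.eval; // reference taken before the policy was installed
  around(win, "eval", allowJSON);

  const r = {};
  r.json = win.eval('([{"hello": "Oakland"}, 2010])'); // data: parsed, not executed
  try {
    win.eval("(1 + 41)");
    r.code = "executed";
  } catch (e) {
    r.code = e.message; // code: refused
  }
  // Both of these bypass the wrapper: the policy only replaced one property.
  r.viaFrame = win.frames[0].eval("1 + 41");
  r.viaSaved = savedEval("1 + 41");
  return r;
}
```

The last two lines of `demo` are the gap that deep advice closes: ConScript attaches the advice to the function object inside the interpreter, so it does not matter which property or saved reference the caller used to reach `eval`.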
Contributions of ConScript
Outline
• Implementation: a case for aspects in the browser
• Correctness checking
• Expressiveness
• Real-world evaluation
Advising JavaScript Functions in IE8
around(paint, withBoundChecks);
dog.draw();
fish.display();
[Diagram: heap objects dog and fish whose draw and display methods both refer to the same function paint; the stack holds function paint and the advice function withBoundChecks. Because the advice is attached to the function object paint rather than to a property name, both dog.draw() and fish.display() are mediated]
This is Just the Beginning…
• Not just JavaScript functions
  – Native JavaScript calls: Math.round, …
  – DOM calls: document.getElementById, …
• Not just functions…
  – Script introduction
  – …
• Optimizations
  – Blessing
  – Auto-blessing
Outline
• A case for aspects in the browser
• Correctness checking: type system
• Expressiveness
• Real-world evaluation
Policies are Easy to Get Wrong
```javascript
var okOrigin = { "http://www.google.com": true };
around(window.postMessage, function (post, msg, target) {
  if (!okOrigin[target]) { throw 'err'; }
  else { return post.call(this, msg, target); }
});
```
Three ways this policy can be subverted by code running in the same page:
• toString redefinition: `target` need not be a string. An object whose toString() returns the allowed origin when the lookup coerces it, and the attacker's origin when postMessage coerces it again, passes the check.
• Function.prototype poisoning: `post.call` is resolved through Function.prototype, so an attacker who redefines Function.prototype.call decides what the policy actually invokes and with which arguments.
• Object.prototype poisoning: `okOrigin[target]` falls through to Object.prototype, so setting Object.prototype["http://evil.com"] = true makes the attacker's origin look whitelisted.
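To make the three attacks concrete, here is an added example (not code from the paper): the slide's policy as written, each attack run against it, and a hardened variant that captures the primitives it depends on before any attacker code can run, in the spirit of ConScript's uCall and hasProp. `makePost` is a constructed stand-in for the browser's postMessage that records the target origin after string coercion, and the origins are illustrative. Each attack undoes its change to the global prototypes before returning.

```javascript
// Added example (not ConScript code): the slide's postMessage policy, the three
// attacks the slide names, and a hardened version. `makePost` is a constructed
// stand-in for the browser's postMessage.
const ALLOWED = "http://www.google.com";
const EVIL = "http://evil.com";

// Naive policy, as on the slide.
const okOrigin = { [ALLOWED]: true };
function naivePolicy(post, msg, target) {
  if (!okOrigin[target]) throw new Error("err");
  return post.call(this, msg, target);
}

// Hardened policy: primitives are captured up front, the table has no prototype
// to poison, and only genuine strings are accepted (no toString games).
const apply = Reflect.apply;
const hasOwn = Object.prototype.hasOwnProperty;
const okOriginSafe = Object.create(null);
okOriginSafe[ALLOWED] = true;
function hardenedPolicy(post, msg, target) {
  if (typeof target !== "string") throw new Error("err");
  if (!apply(hasOwn, okOriginSafe, [target])) throw new Error("err");
  return apply(post, this, [msg, target]);
}

// Stand-in for postMessage: records the target origin as the browser would coerce it.
function makePost() {
  const seen = [];
  return { seen, post(msg, target) { seen.push(String(target)); return "sent"; } };
}

// Run one attack: `setup` installs the attacker's change and returns an undo function.
function attack(policy, setup, target) {
  const { post, seen } = makePost();
  const undo = setup();
  try {
    policy(post, "hello", target);
    return seen[0];          // the origin the message actually went to
  } catch (e) {
    return "blocked";
  } finally {
    undo();                  // never leave the global prototypes poisoned
  }
}

function runAttacks(policy) {
  const nothing = () => () => {};
  return {
    honest: attack(policy, nothing, ALLOWED),
    // toString redefinition: the first coercion (the table lookup) answers ALLOWED,
    // the second (inside postMessage) answers EVIL.
    toString: attack(policy, nothing, {
      n: 0,
      toString() { return this.n++ === 0 ? ALLOWED : EVIL; },
    }),
    // Function.prototype poisoning: post.call now silently swaps the target.
    functionProto: attack(policy, () => {
      const realCall = Function.prototype.call;
      Function.prototype.call = function (thisArg, msg) {
        return Reflect.apply(this, thisArg, [msg, EVIL]);
      };
      return () => { Function.prototype.call = realCall; };
    }, ALLOWED),
    // Object.prototype poisoning: okOrigin[EVIL] is found on the prototype chain.
    objectProto: attack(policy, () => {
      Object.prototype[EVIL] = true;
      return () => { delete Object.prototype[EVIL]; };
    }, EVIL),
  };
}
```

Against `naivePolicy` every attack delivers the message to the attacker's origin; against `hardenedPolicy` the toString and Object.prototype attacks are blocked and the Function.prototype attack has no effect, because the policy never looks anything up through a prototype after attacker code has had a chance to run. Capturing `Reflect.apply` and `hasOwnProperty` at definition time is only safe if the policy is installed before untrusted script executes, which is exactly the ordering ConScript's POLICY attribute guarantees.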
How Do We Enforce Policy Correctness?
Application code
• Unperturbed usage of legacy code
• Disallow arguments.caller to avoid stack inspection (also disallowed by ES5 strict mode)
Policy code
• Modify the JavaScript interpreter
  – Introduce uCall, hasProp, and toPrimitive
  – Disable eval
• Propose a type system to enforce correct use of these primitives
  – Disable with, …
Policy Type System
• ML-like type system
• Uses security labels to denote privilege levels
• Enforces access path integrity and reference isolation
Reference isolation
• o does not leak through poisoning if f is a field
Access path integrity for function calls
• o.f remains unpoisoned if T in v : T is not poisoned
Outline
• A case for aspects in the browser
• Correctness checking
• Expressiveness: policies
• Real-world evaluation
ConScript Policies
• 17 hand-written policies
– Diverse: based on literature, bugs, and anti-patterns
– Short: wrote new HTML tags with only a few lines of code
• 2 automatic policy generators
– Using runtime analysis
– Using static analysis
Paper presents 17 ConScript Policies
Example: forbid dynamically created IFRAMEs (K and U are security labels from the policy type system)
```javascript
around(document.createElement, function (c : K, tag : U) {
  var elt : U = uCall(document, c, tag);
  if (elt.nodeName == "IFRAME") throw 'err';
  else return elt;
});
```
Generating Intrusion Detection Policies
ConScript instrumentation → observed method calls (eval, new Function("string"), postMessage, XDomainRequest, XMLHttpRequest, …) → ConScript enforcement
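The two phases above, written out as an added example (not the paper's generator): a training run is instrumented to record which sensitive entry points the application uses, and the resulting whitelist becomes an enforcement policy that refuses any sensitive call the training run never made. `makeApis` is a constructed stand-in for the browser's eval, Function, postMessage and XMLHttpRequest.open; `benignApp` and the injected call are constructed inputs.

```javascript
// Added example (not ConScript code): generate an intrusion-detection policy from
// observed calls, then enforce it. `makeApis` is a constructed stand-in for the
// browser's sensitive entry points.
function makeApis() {
  const log = [];
  return {
    log,
    eval: (s) => { log.push(["eval", s]); return "evaluated"; },
    Function: (body) => { log.push(["Function", body]); return "compiled"; },
    postMessage: (msg, origin) => { log.push(["postMessage", origin]); return "sent"; },
    xhrOpen: (method, url) => { log.push(["xhrOpen", url]); return "opened"; },
  };
}

const SENSITIVE = ["eval", "Function", "postMessage", "xhrOpen"];

// Phase 1, instrumentation: wrap each sensitive API so a training run records
// which ones the application actually reaches.
function instrument(apis, names) {
  const observed = new Set();
  for (const name of names) {
    const original = apis[name];
    apis[name] = function (...args) {
      observed.add(name);
      return original.apply(this, args);
    };
  }
  return observed;
}

// Phase 2, enforcement: the generated policy allows only the observed APIs and
// raises on any call to one that never appeared during training.
function enforce(apis, names, observed) {
  for (const name of names) {
    const original = apis[name];
    apis[name] = function (...args) {
      if (!observed.has(name)) throw new Error("IDS: unexpected call to " + name);
      return original.apply(this, args);
    };
  }
}

// Constructed "application": a benign run only talks to its backend and one frame.
function benignApp(apis) {
  apis.xhrOpen("GET", "https://app.example/api/items");
  apis.postMessage("ready", "https://app.example");
}

function demo() {
  const training = makeApis();
  const observed = instrument(training, SENSITIVE);
  benignApp(training);                            // training run

  const production = makeApis();
  enforce(production, SENSITIVE, observed);
  benignApp(production);                          // still allowed
  let injected;
  try {
    production.eval("xhr.open('evil.com')");      // never seen in training
    injected = "executed";
  } catch (e) {
    injected = e.message;
  }
  return { observed: [...observed].sort().join(","), injected, calls: production.log.length };
}
```

A whitelist keyed only by API name is deliberately coarse: it catches an injected eval in an application that never evals, but says nothing about arguments. Recording argument shapes or call sites in the instrumentation phase tightens the policy at the cost of more false positives when the application changes, which is the usual intrusion-detection trade-off.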
Enforcing C# Access Modifiers
C# source:
```csharp
class File {
  public File () { … }
  private open () { … }
  …
```
JavaScript emitted by the Script# compiler:
```javascript
function File () { … }
File.construct = …
File.open = …
…
```
ConScript policy emitted by the policy generator:
```javascript
around(File, pubEntryPoint);
around(File.construct, pubEntryPoint);
around(File.open, privCall);
```
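The slide names the two pieces of advice but not their bodies. The following is an added example (not the paper's generator or Script# output) of one way to implement them: `pubEntryPoint` tracks how many public members are on the stack, and `privCall` refuses a private member unless at least one public member of the class is active. `File`, its members and the modifier table are constructed stand-ins for what Script# and the policy generator would emit; the constructor itself is left unadvised here, although the slide advises it too.

```javascript
// Added example (not ConScript code): around-advice that enforces C#-style access
// modifiers on compiled JavaScript. `File` and `modifiers` are constructed stand-ins
// for Script# output and the policy generator's output.
function around(obj, name, advice) {
  const original = obj[name];
  obj[name] = function (...args) {
    return advice.call(this, original, ...args);
  };
}

// Script#-style output: a constructor plus functions hung off it.
function File() { this.handle = null; this.path = null; }
File.construct = function (path) {
  const f = new File();
  f.path = path;
  File.open(f);            // a public member may call the private one
  return f;
};
File.open = function (f) { f.handle = "fd:" + f.path; return f.handle; };

// What the policy generator derives from the C# modifiers.
const modifiers = { construct: "public", open: "private" };

function makeAccessPolicy() {
  let publicDepth = 0;     // number of public entry points currently on the stack
  return {
    pubEntryPoint(original, ...args) {
      publicDepth++;
      try { return original.apply(this, args); } finally { publicDepth--; }
    },
    privCall(original, ...args) {
      if (publicDepth === 0) throw new Error("private member called from outside the class");
      return original.apply(this, args);
    },
  };
}

function applyAccessPolicy(cls, mods) {
  const { pubEntryPoint, privCall } = makeAccessPolicy();
  for (const [member, mod] of Object.entries(mods)) {
    around(cls, member, mod === "public" ? pubEntryPoint : privCall);
  }
}

function demo() {
  applyAccessPolicy(File, modifiers);
  const f = File.construct("/tmp/a.txt");   // public entry point; open() runs inside it
  let direct;
  try {
    File.open(f);                           // private member called from page code
    direct = "allowed";
  } catch (e) {
    direct = e.message;
  }
  return { handle: f.handle, direct };
}
```

The depth counter is a dynamic approximation of C#'s static rule: it admits a private call made from a callback that a public member handed to outside code, and it is per class rather than per instance. The `finally` matters, since an exception escaping a public member must not leave the class "open" for the next caller.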
Outline
• A case for aspects in the browser
• Correctness checking
• Expressiveness
• Real-world evaluation
Experimental Evaluation
DoCoMo Policy Enforcement Overhead
[Bar chart: runtime overhead of ConScript versus DoCoMo (JavaScript rewriting) on Google Maps (183 ms), MSN (439 ms) and GMail (736 ms); y-axis 0% to 80%. Bar labels as extracted: ConScript 7%, 1%, 0%; DoCoMo 30%, 73%, 63%. Which label belongs to which application is not recoverable from the extracted text]
H. Kikuchi, D. Yu, A. Chander, H. Inamura, and I. Serikov, "JavaScript instrumentation in practice," 2008
File Size Increase for Blacklisting Policy
[Bar chart: file size relative to the original (1.0) for ConScript, DoCoMo, Caja and Sandbox on MSN, GMail and Google Maps; y-axis 1.0 to 13.0. Reading the extracted labels in groups of four in the legend order (ConScript, DoCoMo, Caja, Sandbox): MSN 1.0 / 1.7 / 4.8 / 1.2; GMail 1.0 / 1.5 / 3.9 / 10.4; Google Maps 1.0 / 1.5 / 4.4 / 1.5. The grouping is inferred from extraction order]
Conclusions
QUESTIONS?
Mediating DOM Functions
[Diagram: window.postMessage and frame2.postMessage are two references that the JavaScript interpreter resolves to the same native postMessage in the IE8 libraries (HTML, networking, …), shown at address 0xff34e5 and called with arguments "hello", "evil.com". After around(window.postMessage, …) registers advice, advice dispatch looks the callee up by its identity (0xff34e5) and calls the advice before the native code; when the lookup finds nothing ([not found]) the call proceeds directly. Because the hook is keyed by the function's identity rather than by the property used to reach it, these are deep aspects]
Resuming Calls
```javascript
function advice1 (foo2) { if (ok()) { foo2(); } else throw 'exn'; }
function foo () { }
```
```javascript
function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw 'exn'; }
function foo () { }
```
• Advice on / advice off: with deep advice, the call foo2() inside advice1 is itself a call to foo and would be dispatched to the advice again.
• bless() temporarily disables advice for the next call, so advice2 can resume the original call.
Optimizing the Critical Path
```javascript
function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw 'exn'; }
function foo () { }
```
```javascript
function advice3 (foo2) { if (ok()) foo2(); else { curse(); throw 'exn'; } }
function foo () { }
```
• Calling advice turns advice off for the next call, so the common allow path no longer needs an explicit bless()
• curse() enables advice for the next call; the deny path must call it, because no call consumed the implicit blessing
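To see why the deny path needs curse(), here is an added example (not ConScript code) of a toy deep-advice dispatcher that follows the protocol on these two slides: every call to an advised function goes through `invoke`, keyed by the function object, entering advice implicitly blesses the next call, and `curse()` hands the blessing back. The function names and the flag are assumptions made for the illustration; the real mechanism lives inside the IE8 interpreter.

```javascript
// Added example (not ConScript code): a toy deep-advice dispatcher modelling the
// slides' bless()/curse() protocol. Holding a second reference to `foo` does not
// avoid the advice, because dispatch is keyed by the function object itself.
const adviceTable = new Map(); // function object -> advice
let adviceEnabled = true;

function around(fn, adv) { adviceTable.set(fn, adv); }
function bless() { adviceEnabled = false; } // skip advice for the next call only
function curse() { adviceEnabled = true; }  // re-enable it

function invoke(fn, ...args) {
  if (!adviceEnabled) {          // blessed: this one call runs unmediated
    adviceEnabled = true;
    return fn(...args);
  }
  const adv = adviceTable.get(fn);
  if (adv === undefined) return fn(...args);
  adviceEnabled = false;         // entering advice blesses the next call (advice3 scheme)
  return adv((...a) => invoke(fn, ...a), ...args);
}

// Run the advice3 pattern with and without curse() on the deny path.
function run(withCurse) {
  curse();                       // start each run with advice on
  let allowed = true;
  let fooCalls = 0;
  let adviceCalls = 0;
  function foo() { fooCalls++; return "ran"; }
  around(foo, function advice3(foo2) {
    adviceCalls++;
    if (allowed) return foo2();  // resume: already blessed, so foo runs once, unadvised
    if (withCurse) curse();      // deny path made no call: hand the blessing back
    throw new Error("exn");
  });
  const tryInvoke = () => {
    try { return invoke(foo); } catch (e) { return e.message; }
  };

  const out = { first: tryInvoke() };
  allowed = false;
  out.second = tryInvoke();
  out.third = tryInvoke();       // without curse(), this call slips past the advice
  out.fooCalls = fooCalls;
  out.adviceCalls = adviceCalls;
  return out;
}
```

With `run(true)` the third call is denied like the second. With `run(false)` the blessing left over from the denied call is consumed by the next call to `foo`, which then executes unmediated: forgetting curse() on a deny path is a one-call hole in the policy, which is why the optimization is paired with the explicit curse.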