![Page 1: On the (Same) Origin of Scripties - OWASP · 2020-01-17 · EcmaScript 5 Our transformer becomes a verifier. No runtime checks / code bloat. (except when code dynamically loaded)](https://reader036.vdocument.in/reader036/viewer/2022070917/5fb70a3656eed77ee10b0e85/html5/thumbnails/1.jpg)
On the (Same) Origin of Scripties
Evolving a new security policy for the web
Jasvir Nagra and Mike Samuel
Google, Inc.
{jasvir,msamuel}@google.com
23 June 2010
OWASP
Argument in a nutshell
Social Networks compose web applications from small apps
This breaks the same origin policy
A network that gives developers the most authority will grow.
The bigger networks can neither trust nor police developers.
And they can't predict all the threats they will face.
Virtualization lets you promiscuously grant authority to grow.
And dial it back later, after you understand threats.
Without breaking APIs.
What is Authority?
Authority: ability to influence or exercise power
In browsers, web applications can:
- initiate network requests
- display a user interface
- observe user activity
- ...
Most of this authority is available "ambiently".
Ambient Authority: authority available regardless of how a web application was loaded
Ambient Authority in Browsers

Irrespective of origin:

| API | Authority |
| --- | --- |
| `top.location = ...` | redirect any reachable frame |
| `Content-Disposition: attachment` | initiate a download |
| `window.open(...)` | create a window (modulo user interaction) |
| `window.getComputedStyle(...)` | sniff browser history |
| `<img src=http://... onerror=...>` | scan local network |
| `<form action=http://...>` | GET or POST to any domain with cookies |
| `<script src=http://...>` | load code from any source |
| `<html>...</html>` | impersonate another website |
| `xhr.open(..., ..., false)` | deny service |
| `<iframe><input type=file></iframe>` | present file upload controls |

In same origin:

| API | Authority |
| --- | --- |
| `document.cookie` | modify and read cookies |
| `document.body` | modify and inspect the entire UI |
| `xhr.open(...)` | read result of GET or POST to same origin |
| `body.onkeypress` | intercept user events |
| `Object.prototype.toString = ...` | change behavior of language intrinsics |
| `window.forms` | read forms before submission |
| `<input autocomplete=yes>` | present an input that might be autofilled |
| `window.createEventObject` | spoof user events |
What's a Social Network To Do?

| | Introduces New Tools | Improves Existing Tools |
| --- | --- | --- |
| Large Audience (All Web Devs) | Limited. Slow to take hold. E.g. window.toStaticHtml | Good, but doesn't address zero-days. E.g. PHP magic quotes. |
| Small Audience (Library Authors & Security folk) | Good, but targets very particular attacks. E.g. Uniform Messaging | The sweet spot. A small group can address emerging threats. E.g. native JSON |
Virtualization
Caja, browser virtualization. No plugins required.
A layer of software between the real authority and the invoker.
When a threat emerges, tame the APIs involved.
Preserve APIs, but bound authority.
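The interposition layer described on this slide, as an added example that is not code from the talk or from the Caja project: a hand-written "virtual browser authority" for XMLHttpRequest in the ES5 style. The guest keeps the `open()`/`send()` API it was written against, the real object stays in a closure the guest never sees, and a host-controlled `policy` object decides what each call may do, so the policy can be tightened later without changing the API. The names `makeVirtualXhr`, `FakeRealXhr`, `policy` and the origins `app.example` / `api.example` are invented for this illustration, and `FakeRealXhr` is a constructed stand-in that only records calls instead of touching the network.

```javascript
// Stand-in for the real, ambient XHR (constructed for this example): it
// records what it was asked to do instead of making a request.
function FakeRealXhr() { this.log = []; }
FakeRealXhr.prototype.open = function (method, url, async) {
  this.log.push({ method: method, url: url, async: async });
};
FakeRealXhr.prototype.send = function (body) { this.log.push('send'); };

// Hypothetical host policy. It is data the host controls, so it can be dialed
// back after a new threat is understood without touching the guest's code.
var policy = {
  hostOrigin: 'https://app.example',           // assumed origin of the host page
  allowedOrigins: ['https://app.example', 'https://api.example'],
  allowSynchronous: false                      // xhr.open(..., ..., false) can deny service
};

// Extracts scheme://host[:port] from an absolute URL, or null for relative ones.
function originOf(url) {
  var m = /^(https?:\/\/[^\/?#]+)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// The virtual authority: same method names as the real object, but every call
// is checked against `policy` before it reaches the real authority held in the
// closure. The returned object is frozen so the guest cannot swap methods out.
function makeVirtualXhr(realXhrFactory, policy) {
  var real = realXhrFactory();
  return Object.freeze({
    open: function (method, url, async) {
      var origin = originOf(url);
      if (origin === null) {
        origin = policy.hostOrigin;            // relative URLs resolve against the host page
      }
      if (policy.allowedOrigins.indexOf(origin) === -1) {
        throw new Error('virtual xhr: origin not allowed: ' + origin);
      }
      if (async === false && !policy.allowSynchronous) {
        throw new Error('virtual xhr: synchronous requests are disabled');
      }
      real.open(method, url, async !== false); // normalize: only async reaches the real object
      return true;
    },
    send: function (body) { real.send(body); return true; }
    // responseText is deliberately not exposed: same-origin reads stay with the host
  });
}

// Runs one guest call against the virtual object and reports whether the
// policy let it through (true) or rejected it (false).
function attempt(xhr, method, url, async) {
  try { return xhr.open(method, url, async); }
  catch (e) { return false; }
}
```

The guest only ever holds the frozen wrapper; the `real` reference lives in the closure, which is exactly the "layer of software between the real authority and the invoker" the slide describes. Removing an origin from `policy.allowedOrigins` later is the "dial it back" step: existing guest code keeps calling `open()` and simply starts getting rejections.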
Dealing with Ambient APIs
Real Browser Authority Virtual Browser Authority
What do we want to Protect?
Real Browser Authority Virtual Browser Authority
Architecture
Example App
Why Virtualize?
Problem: Implemented policy is not what you want
If you
- can't wait for new standards
- can't wait for browsers to roll out fixes to most of your users
- can't wait for third-party devs to rewrite their code
Solution: You need your security policy in code you control.
Why Virtualize?
Problem: Required security policy changes
If your threat model changes because
- cost of an exploit may decrease
- cost of weaponizing an exploit may decrease
- the value you are protecting may increase
- you may overlook an attack vector
Solution: You need your security policy in code you control.
Software Interposition for the Web
Google Caja
http://code.google.com/p/google-caja/
{jasvir,msamuel}@google.com
http://caja.appspot.com/
Appendix: What is an OCAP Language
Authority follows from Object references.
If you can reference an object then you have all the authority its public API exposes.
To grant authority to a piece of code, you pass it objects.
In an OCAP Language
- Objects are inviolable: only manipulable through their public API
- Objects are unforgeable. To create an object you must have authority to do so, granted via an object reference.
- Objects are not ambiently available. All authority flows from granted references.
Appendix: Language Support
EcmaScript version 5
- Backwards compatible strict mode
- Statically analyzable scopes
- Runtime message interception (no doesNotUnderstand)
- Object freezing

EcmaScript Harmony (version 6?)
- Proxies
- Ephemeron tables
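The three OCAP properties from the previous appendix slide, and the Proxies item above, as one added example that is not code from the talk or from Caja: object freezing (ES5) makes an object inviolable, a closure-held reference is the only way to reach it (unforgeable, not ambient), and `Proxy.revocable` (ES6) attenuates and later revokes a granted reference without changing the API the guest sees. The names `makeLogger`, `grant`, `runGuest` and `tryCall` are invented for this illustration.

```javascript
// 1. Inviolable: private state lives in the closure, the object is frozen, and
//    it can only be used through its public API. Writes to a frozen object are
//    ignored (or throw in strict mode); they never change it.
function makeLogger() {
  var lines = [];
  return Object.freeze({
    log: function (msg) { lines.push(String(msg)); },
    count: function () { return lines.length; }
  });
}

// 2. Unforgeable / not ambient: no global reaches a logger. A guest has exactly
//    the authority it was handed as an argument, nothing more.
function runGuest(guest, capability) {
  return guest(capability);
}

// 3. Attenuate and revoke: the guest gets a proxy that exposes only the listed
//    methods. The proxy target is a dummy object so the frozen real object never
//    violates Proxy invariants; the real object stays in this closure. One
//    generic handler replaces a hand-written wrapper per method, which is the
//    "proxies reduce virtualization overhead" point of the appendix.
function grant(target, allowedMethods) {
  var handle = Proxy.revocable({}, {
    get: function (_, name) {
      if (allowedMethods.indexOf(name) === -1) return undefined; // hide everything else
      return function () { return target[name].apply(target, arguments); };
    },
    set: function () { return false; },                          // no writes through the proxy
    has: function (_, name) { return allowedMethods.indexOf(name) !== -1; }
  });
  return { capability: handle.proxy, revoke: handle.revoke };
}

// Runs fn and reports 'denied' if the capability system rejected the action,
// which after revoke() is a TypeError from the proxy.
function tryCall(fn) {
  try { return fn(); } catch (e) { return 'denied'; }
}
```

After `revoke()` every use of the proxy throws, while the host's own reference to the logger keeps working; the guest's code did not have to change for its authority to be withdrawn, which is the "dial it back later, without breaking APIs" claim of the talk in miniature.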
Appendix: Efficiency

Overhead from
- Code bloat
- Runtime checks
- Virtualization

Strategies
- Speed: do as much analysis statically as possible.
- Latency: memoize work per module

EcmaScript 5
- Our transformer becomes a verifier. No runtime checks / code bloat (except when code is dynamically loaded).

EcmaScript 6
- Proxies reduce virtualization overhead