Transcript
Page 1: Sandboxing JavaScript via Libraries and Wrappers

Sandboxing JavaScript via Libraries and Wrappers

Phu H. PhungUniversity of Gothenburg, Sweden, andUniversity of Illinois at Chicago

Page 2: Sandboxing JavaScript via Libraries and Wrappers

About Me

• Receipt of international postdoc grant (3 years) by Swedish Research Council (VR), employed by Univ. of Gothenburg.

• Research Associate at UIC.• PhD in Computer Science in 2011 from

Chalmers University, Sweden.

Hosted by OWASP & the NYC Chapter

Page 3: Sandboxing JavaScript via Libraries and Wrappers

• Selected research projects– European WebSand (complete)

• End-to-end secure web framework– Secure Web Advertisements, funded by NSF

(on-going)– Defensive Optimizing Compiler, funded by

DARPA (on-going)

Hosted by OWASP & the NYC Chapter

Page 5: Sandboxing JavaScript via Libraries and Wrappers

92% of all websites use JavaScript[w3techs.com]

“88.45% of the Alexa top 10,000 web sites included at least one remote

JavaScript library”CCS’12

5

Page 6: Sandboxing JavaScript via Libraries and Wrappers

6

Third-party JavaScript is everywhere

• Advertisements– Adhese ad network

• Social web– Facebook Connect– Google+– Twitter– Feedsburner

• Tracking– Scorecardresearch

• Web Analytics– Yahoo! Web Analytics– Google Analytics

• …

Page 7: Sandboxing JavaScript via Libraries and Wrappers

Two basic composition techniques

Iframe integration

7

<html><body>…<iframe src=“http://3rdparty.com/frame.html”></iframe>…</body></html>

3rd party

Page 8: Sandboxing JavaScript via Libraries and Wrappers

8

Two basic composition techniques

<html><body>…<script src=“http://3rdparty.com/script.js”></script>…</body></html>

3rd party

Script inclusion

Page 9: Sandboxing JavaScript via Libraries and Wrappers

Third-party JavaScript issues

• Third-party script inclusion run with the same privilege of the hosting page.

• Security issues:– Malicious third-party code– Trusted third-party is compromised – Confidentiality, integrity, and other security risks

9

Page 10: Sandboxing JavaScript via Libraries and Wrappers

10

Difficult issues with JavaScript

• JavaScript is a powerful language, but the language design is bad for security, e.g.:– Dynamic scripts: document.write, eval, ...– Encapsulation leakage– ...

<script> document.write(‘<scr’);document.write(‘ipt> malic’);var i= 1;document.write(‘ious code; </sc’);document.write(‘ript>’);</script>

<script> malicious code; </script>

A lot of attacks were launched in

practice

Page 11: Sandboxing JavaScript via Libraries and Wrappers

Malicious third-party JavaScript example

The most reliable, cost effective method to inject evil code is to buy an ad.

Principles of Security. Douglas Crockfordhttp://fromonesrc.com/blog/page/2/

Page 12: Sandboxing JavaScript via Libraries and Wrappers

An attack scenario

Million Browser Botnet (July 2013)

– Leverage Advertising Networks using JavaScript to launch Application-Level DDoS

– Paid on 2 ad networks for displaying treacherous advertisements on pages visited by hundreds of thousands of people

– One day, got 13.6 million views of the ads, just spent less than $100

Jeremiah Grossman & Matt JohansenWhiteHat SECURITY

12

Page 13: Sandboxing JavaScript via Libraries and Wrappers

13

State-of-the-art

• Limit third-party code to safe subset of JavaScript– Facebook JS, ADSafe, ADSafety, ...

• Browser-based sandboxing solutions– ConScript, WebJail, Contego, ...

• Server-side transformations of scripts to be included– Google Caja, BrowserShield, ...

No compatibility with existing scripts

Browser modifications imply short-term deployment issues

No direct script delivery to browserGreat runtime overhead

Page 14: Sandboxing JavaScript via Libraries and Wrappers

Our approach

• A sandbox model for third-party JavaScript– Using only JS libraries and wrappers– Whitelist (least-privilege) implementation approach

• Only properties and objects defined in policies are available to the untrusted code

– No browser modification is required – The third-party code is keep in original– Easily dealing with dynamic features of JavaScript

14

“Lightweight Self-Protecting JavaScript”, ASIACCS’09

Page 15: Sandboxing JavaScript via Libraries and Wrappers

Two-tier sandbox architecture

15

Sandbox running untrusted code,

defined in a separate file e.g.

`untrusted.js’

Sandbox running policy code, defined in a separate JS e.g. `policy.js’

Base-line API implementation,in e.g. `api.js’ file

JavaScript environment, e.g. the DOM

The policy code can only access the base-line API and provided

wrapper functions (ensuring no leaks to global)

The untrusted code can only access objects returned by the outer sandbox

Page 16: Sandboxing JavaScript via Libraries and Wrappers

16

Two-tier sandbox architecture

var api = loadAPI(…);var outerSandbox = cajaVM.compileModule(policyCode);var enforcedAPI = outerSandbox(api);var innerSandbox = cajaVM.compileModule(untrustedCode);innerSandbox(enforcedAPI);

Page 17: Sandboxing JavaScript via Libraries and Wrappers

17

The architecture in multiple-principal untrusted code

Policy 2Policy 1

untrusted

Policy 3

untrusted

untrusted

Base-line API implementation,in e.g. `api.js’ file

Page 18: Sandboxing JavaScript via Libraries and Wrappers

18

Sandboxing untrusted code

• Use Secure ECMAScript (SES) library developed by Google Caja team– Load a piece of code to execute within an isolated

environment• The code can only interact with the outside world via provided

APIs

var api = {...}; //constructingvar makeSandbox = cajaVM.compileModule(untrustedCodeSrc);var sandboxed = makeSandbox(api);

Page 19: Sandboxing JavaScript via Libraries and Wrappers

Isolation technique: The SES library

Object-capability environment• Scripts can access

– Objects they create themselves– Objects explicitly handed to them

APIGlobal context

untrustedCodesandbox

19

Page 20: Sandboxing JavaScript via Libraries and Wrappers

Isolation technique: The SES library

20

Page 21: Sandboxing JavaScript via Libraries and Wrappers

Base-line APIs implementation

• Create a Virtual DOM– Intercepting wrapper around real DOM– Use Harmony Proxies to generically intercept property

accesses on objects

• Virtual DOM implementation uses the Membrane Pattern– Wrap any object passed from DOM to sandbox (return values)– Unwrap any object passed from sandbox to DOM (arguments)

21

Page 22: Sandboxing JavaScript via Libraries and Wrappers

Wrapper example

22

Page 23: Sandboxing JavaScript via Libraries and Wrappers

23

Policy definition

• Base-line APIs implementation– Can enforce coarse-grained, generic policies, e.g.:

• Sanitize HTML• Ensure complete mediation

• Fine-grained policies for multiple untrusted JavaScript code– Modular, principal-specific, e.g.: script1 is allowed to read/write

elemt_A, script2 is allowed to read elemt_A – Stafeful, e.g.: limit the number of popups to 3 – Cross-principal stateful policies, e.g: after script1 write to

elemt_A, disallow access from script2 to elemt_A

Page 24: Sandboxing JavaScript via Libraries and Wrappers

Deployment model

• Untrusted code is loaded into a string variable– Using server-side proxy + XMLHttpRequest (to

overcome same origin policy)– CORS (Cross-Origin Resource Sharing)

/UMP(Uniform Messaging Policy) headers set by the script provider

<script src=“http://3rdparty.com/script.js”></script>

<script src=“ses.js”></script><script src=“api.js”></script><script src=“policy0.js”></script><script>var script = get(“http://3rdparty.com/script.js”);ses.execute(script,policy0);</script>before

after 24

Page 25: Sandboxing JavaScript via Libraries and Wrappers

25

Secure dynamic script evaluation

• Special handlers to intercept all methods that allow script tags to be added– node.appendChild, node.insertBefore,

node.replaceChild, node.insertAfter– document.write, …– Event handlers in HTML, e.g. <…onclick=“javascript:xyz(…)”>

1. Parse partial DOM tree/HTML2. Execute scripts in the sandbox environment

Page 26: Sandboxing JavaScript via Libraries and Wrappers

26

Dynamic script loading in JavaScript

• Example from Google Maps

Page 27: Sandboxing JavaScript via Libraries and Wrappers

Different parsing techniques

• Via a sandboxed iframe1. Create sandbox iframe2. Set content via srcdoc attribute– Better performance– Parsed exactly as will be interpreted by browser– Executed asynchronously

• (Alternative) Via a HTML parsing library in JavaScript

27

Page 28: Sandboxing JavaScript via Libraries and Wrappers

28

Loading additional code in the sandbox

• External code needs to be executed in a previously set up sandbox– Loading API + glue code– Dynamic script loading

• Two new operations:– innerEval(code)– innerLoadScript(url)

Page 29: Sandboxing JavaScript via Libraries and Wrappers

Case studies

• Single principal code

• Multiple-principal code– Context-aware ads

29

Page 30: Sandboxing JavaScript via Libraries and Wrappers

Implementation challenges

• Legacy scripts need additional pre-processing to be compatible with the framework– Secure ECMAScript restrictions

• A subset of ECMAScritp strict mode• Global variables aliased as window

properties• No ‘this’ auto coercion

30

Page 31: Sandboxing JavaScript via Libraries and Wrappers

31

JS transformation examples

Page 32: Sandboxing JavaScript via Libraries and Wrappers

Summary

– A client-side JavaScript architecture for untrusted JavaScript• Only using libraries and wrappers

– Complete mediation using Secure ECMAScript• DOM node operations• JavaScript APIs

– Backward compatibility• No browser modifications• Direct script delivery to the browser• Support for legacy scripts

32

Page 33: Sandboxing JavaScript via Libraries and Wrappers

33

Thank you!


Top Related