mashup security by compilation tamara rezk these slides discuss joint work with zhengqin luo and...
TRANSCRIPT
Mashup Security by Compilation
Tamara RezkThese slides discuss joint work with
Zhengqin Luo and Jose Santos
February 22nd , 2013
Web Client Mashup
• Client-side web application
• Integrating third-party gadgets
• Great way for code reuse!
Google Maps Gadget Integrator’s Housing Data
Different kind of Mashups
The integrator uses the gadget as a library The gadget reads state from the integrator
gadget
Programming model
• Mashups written in HTML + Javascript;
• Two ways to include external gadgets:– Using script tag– Using frame tag
Script tag - oversharing
• Gadget has integrator privileges
• Full exposure JS execution environment
<script src="http://maps.google.com/maps/api/js?sensor=true"></script>
Google Maps Gadget Integrator’sHousing Data
Script tag – security violations
• Confidentiality violationvar steal =
window[“integratorSecret”]
• Integrity violationwindow[“price”] = newPrice
<script src="http://maps.google.com/maps/api/js?sensor=true"></script>
Google Maps Gadget Integrator’sHousing Data
Script tag – integrity violation<html><head> <script src=http://untrusted.com/untrustedAD.js></script> </head><body><script> var fac= function(x) { if (x <= 1) { return 1; } return x*fac(x-1); } r = fac(3); s = "alert("+r+")“ setTimeout(s, 100)</script></body></html>
Script tag - integrity violation
Content of http://untrusted.com/untrustedAD.js
setTimeout = function() { EVIL CODE HERE }
Embedded frame – undersharing
• Gadget has no privileges
• Isolation of JS execution environment between integrator and gadget
• Same Origin Policy
<iframe src="http://mapservice.com/maps.html"></iframe>
Google Maps Gadget Integrator’sHousing Data
X
Embedded frame – undersharing
Isolation of JS execution:
• Confidentiality violationvar steal =
window[“integratorSecret”]• Integrity violationwindow[“price”] = newPrice
<iframe src="http://mapservice.com/maps.html"></iframe>
Google Maps Gadget Integrator’sHousing Data
X
X
Script versus Frame Tag
• Script tag: – exposes the integrator’s JS environment– unlimited communication – not secure
• Frame tag: – isolates the environment of gadget and integrator– communication is limited– more secure than script
In practice: sacrifice security in the name of functionality!
HTML5 and Inter-frame communication
• Frame can communicate with integrator via PostMessage: – confidentiality – authentication
Gadget Integrator
listener in gadget
listener in integrator
HTML5 and Inter-frame communication
• The Postmash design was proposed by Barth, Jackson, and Li [09]
• Put untrusted code in embedded frame;
• Two stub libraries; • Proxy e.g. method invocation
by message-passing;
• No need to change untrusted code !!
Google Maps Gadget Integrator’sHousing Data
Stub library in gadget
Stub library in integrator
Postmash
• How to transform an insecure mashup to a mashup following the Postmash design? – Manually writing two stub libraries (gadget
dependent);– Manually rewriting of integrators’ code;
• Our proposal : automate it and characterize the security property that it enforces:
Mashic Compiler [CSF’ 12]
Our proposal: Mashic Compiler• A generic proxy and listener library
– Gadget independent!• Integrator transform:
– Adapt to asynchronous communication,
– Use the proxy library• Mashic compiler
– Input: insecure mashup– Output: secured mashup
• Proofs: – Correctness
• benign gadget
– Security• JS small-step semantics of Maffeis et
al. with rules to model the same origin policy
Mashic compiler - Overview
• Pg : gadget code• Pi : integrator code
Mashic compiler
<html> <script src = u> </script> <script> I </script></html>
<html> <iframe src = u’> </iframe> <script> Proxy </script> <script> Bootstrap-I </script> <script> C(I) </script></html>
where Web(u’ ) = <script> Listener </script> <script src = u> </script> <script>
Opaque Handle
• Opaque Handles– Integrator’s reference to gadget’s object– E.g.: { is_handle: true
id : 42}• Inside gadget – 42 maps to the real object.
• Gadget independent!
Integrator
Framed gadget
Proxy and listener
• Proxy provides interfaces using opaque handles:1. Example: GET_PROPERTY(ohandle,prop,cont)2. Send (“get property”, ohandle, prop) via
Postmessage3. Listener reacts to message:
1. E.g. if ohandle { is_handle: true, id : 42} -> { “prop”: 4}, then listener responds with 4.
4. Proxy receives the response, applies the continuation cont to 4.
Integrator
Framed gadget
A minimal set of Proxy Interfaces
• GET_GLOBAL_REF– Get global property
• CALL_METHOD– Call a method
• CALL_FUNCTION– Call a function
• ASSIGN_PROPERTY– Property assignment
• General enough to encode most real-world mashups!!
Integrator transformation
• PostMessage is asynchronous;
• So is our proxy interface;
• Automated CPS transformation and call to proxy interfaces of old integrator code
• An example of rule
Realistic core JS subset
• Small-step core JS semantics adopted from Maffeis et al. [08];
• Extended with DOM semantics and message-passing;
• A decorated (colored heap) semantics;
Decorated Semantics
programs run as colored principal
heaps contain objects with properties that are colored
Formal Guarantees
• Correctness guarantees:– If the gadget is benign, then the compiled mashup
behaves as the original one.
• Security guarantees:– If the gadget is not benign, nothing “bad” can
happen in the compiled mashup.
Benign gadget
Intuitively:• Integrity: A gadget does not try to write a
property belonging to the integrator;• Confidentiality: A gadget does not try to read
a property of the integrator;• Formally defined:
Correctness Theorem
For a benign gadget, the compiled mashup reaches a final configuration indistinguishable with the one reachable from the original mashup.
Security Theorem
For any gadget, the compiled mashup provides integrity and confidentiality for the integrator.
Prototype Implementation
• A prototype compiler written in Bigloo (a dialect of scheme)– 3.3k loc of bigloo and 0.8k loc of Javascript
• Applied to various mashups:
Benign Gadget: Passive Gadget
Assumption
The compiled mashup preserves the original semantics
Theorem
Theorem
After Mashic compilation, the malicious gadget cannot read/write information belonging to the integrator.
Correcteness
Security
Mashic: Summary
Plus
Browser IndependenceGadget Independence
Extending Mashic
Challenge
Handle Active Gadgets
How?
Gadgets must be allowed to access integrator objects
Add an Access Control layer between gadgets and the integrator
Supporting Active Gadgets
Integrator.js
Gadget A
ifra
me
Pag
e.h
tml
Allow two-sided communication
Current MashicGoal
Add proxy and listener libraries to both the gadget iframe and to the integrator code
Listener
Proxy
Listener
Proxy Control the communication from the gadget to the integrator
Uncontrolled
Controlled
Integrator
Controlling Gadget – Integrator Com.
Integrator.js
Gadget A
ifra
me
Pag
e.h
tml
How?
Listener
Proxy
Listener
Proxy
Uncontrolled
Controlled
1 Establish a lattice of security levels
2 Assign a security level to each integrator resource
4 Check all the gadget – integrator accesses at runtime
3 Assign a security level to each gadget
Confidentiality Integrity
Lc LI
LcxLI
vl where l is in LcxLI
∑ : Gadgets → LcxLI
Integrator
Gadget A
Ext Mashic: Soundness and Security
Benign Gadget: A gadget that only tries to access integrator information compatible with its security level
Assumption
The compiled mashup preserves the original semantics
Theorem
Theorem
After Mashic compilation, the malicious gadget can only read/write integrator information compatible with its security level.
Correcteness
Security
Information Flow Control needed
• Separation of the gadget using iframe : no need to analyze gadget code
• Existing work on dynamic monitors (browser dependent): • Hedin and Sabelfeld, 12• Austin and Flanagan, 09,10,12
• Inlining of dynamic security monitors (browser independent) :• Sabelfeld et al ‘’10• Chudnov and Naumann’ 10
Information Flow Control
Labeling in JavaScript
Confidentiality Integrity
Lc LI
LcxLI
var o = {};o[f()] = 1
f() is a function that returns a dynamically computed string
In the final memory o has a new property unknown before
execution! Static labeling is not always possible.
Labeling Values
Original Object
Runtime Labeling
p1: v1
p2: v2
p3: v3
pn: vn
…
Labeled Object
p1: (v1,,l1)
p2: (v2, l2)
p3: (v3, l3)
pn: (vn, ln)
…
lo: lSecurity Level of the object
Security levels of the object
property values
Labeling Values and Instrumentation
Source Integrator Code
…if(x) { y = y + x; } else { alert(“hello world”)}
Source Integrator Code
…if(x.value) { lpc = x.level ˅ lpc; y.value = y.value + x.value; y.level = x.level ˅ y.level ˅ lpc;} else { alert(“hello world”)}
Labeling Values and Instrumentation
Source Integrator Code
…if(x) { y = y + x; } else { alert(“hello world”)}
Source Integrator Code
…if(x.value) { lpc = x.level ˅ lpc; y.value = y.value + x.value; y.level = x.level ˅ y.level ˅ lpc;} else { alert(“hello world”)}
code in
strumentation:
a new object for e
ach va
lue in th
e progra
m!
Labeling Properties
Original Object
Runtime Labeling
p1: v1
p2: v2
p3: v3
pn: vn
…
Labeled Object
(p1,l1) : v1
(p2 ,l2): v2
(pn,ln) : vn
…
lo: l
Labeling Properties
Original Object
Runtime Labeling
p1: v1
p2: v2
p3: v3
pn: vn
…
Labeled Object
(p1,l1) : v1
(p2 ,l2): v2
(pn,ln) : vn
…
lo: l
code in
strumentation:
a property
for e
ach object
(mapping p
roperti
es of t
he object to
labels)
Labeling Properties
• Inlining security monitors becomes more efficient (no need for an object per value in the program)
• Opens the path to combining dynamic and static JavaScript analysis
Conclusions
Mashic Compiler: – assumption: gadgets used as libraries– correctness under assumption– security guarantees based on SOP, characterized
as IF where everything in the integrator is treated as top security level
– compilation: gadget and browser independent!
Conclusions
Mashic Compiler Extension: – assumption: two way communication with AC – correctness under assumption– security guarantees based on information flow
security– compilation: • IF analysis for the integrator using code
instrumentation• gadget independence regarding IF analysis• browser independence
Open Questions
• IF analysis for the integrator using code instrumentation: – Combining with static analysis? If part of the code is
in a static typable subset [Maffeis 2010] then type check and instrument the rest.
• Gadget independence regarding IF analysis: – Still have to adapt to asynchrony of PostMessage … what’s a
good solution to this? shadow pages? [Adjail 2010]
• Making the web ad business model secure and practical?