ConScript: Specifying and Enforcing Fine Grained Security Policies for JavaScript in the Browser
Presented by Vaibhav Rastogi
Introduction
Advent of Web 2.0 and mashups
Inclusion of untrusted third-party content is a necessity
Need to restrict the functionality available to untrusted content that does not need that functionality
ConScript
A browser-based, security-oriented aspect system
Allows the hosting page to specify policies
Restricts code execution in the context of the hosting page
Examples:
  Limiting eval to JSON parsing
  Allowing only white-listed strings and scripts
Looking Ahead
Security aspects in the browser
Deep aspects with native support
Static and runtime validation strategies for aspects
17 example security and reliability policies for JavaScript
Automatic policy generation
Evaluation
An example
eval is considered unsafe, but is a necessity for JSON parsing
Approach 1: Redefine eval
  A shallow redefinition: other access paths to eval may exist
An example
Aspects: specify code to execute (advice) at particular moments of execution (pointcuts)
Approach 2: Aspects
  Requires browser support
  Uses aspects: advice and pointcuts
Salient Points
Advice registration: binding the original (advised) function to a new function
Use type-safe calls
Aspects: Binding Pointcuts to Advice
The around advice: call the function passed as a parameter instead of the function specified as the first parameter
The advice designer decides what to do in the new function:
  Throw an exception
  Do some safe execution
  Invoke the original function
Deep Advice
Several access paths to designate an object/function
var ge = document.getElementById;
Deep Advice
Current state of the art: wrapping of an access path (shallow advice), which protects only one access path
ConScript's approach: deep advice; registering advice on one access path suffices
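To make the around advice and the shallow/deep distinction concrete, here is an added example written for this page; it is not ConScript's code. It emulates ConScript's around advice with an ordinary JavaScript wrapper and installs the "eval only for JSON parsing" policy on a constructed stand-in for the global object (the `host` object, the `around` helper and the `policedEval` function are this example's own names). Because the wrapper is shallow, a reference to eval captured before the policy was registered still reaches the raw function, which is exactly the gap the deep-advice slides describe.

```javascript
// Added example (not ConScript's own code): emulating ConScript's "around"
// advice in ordinary JavaScript. ConScript's real advice is deep and enforced
// natively by the browser; this emulation is shallow.

// Constructed stand-in for the browser's global object so the example does
// not rewire the real eval of the process it runs in.
const host = { eval: globalThis.eval };

// around(obj, name, advice): replace obj[name] with a function that hands the
// original function to the advice as its first parameter. The advice decides
// whether to throw, do something safe, or invoke the original.
function around(obj, name, advice) {
  const original = obj[name];
  obj[name] = function (...args) {
    return advice.call(this, original, ...args);
  };
  return original;
}

// Policy helper: accept only text that JSON.parse accepts.
function isJsonText(str) {
  if (typeof str !== 'string') return false;
  try { JSON.parse(str); return true; } catch (e) { return false; }
}

// A reference to eval captured by some script BEFORE the policy is installed.
const referenceTakenEarlier = host.eval;

around(host, 'eval', function (_originalEval, str) {
  if (!isJsonText(str)) {
    throw new Error('policy: eval is restricted to JSON literals');
  }
  // "Do some safe execution": parse the data instead of running it as code.
  return JSON.parse(str);
});

// Under the policy, JSON goes through and code does not.
function policedEval(str) {
  return host.eval(str);
}

// The shallow gap: the reference captured before registration still reaches
// the raw eval, because only the host.eval access path was wrapped.
function earlierReferenceStillEvaluatesCode() {
  return referenceTakenEarlier('1 + 1') === 2;
}
```

With deep advice as ConScript implements it, the wrapped closure itself is redirected, so `referenceTakenEarlier` would also hit the advice; the wrapper above cannot offer that guarantee, which is why the paper argues for native browser support.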
Attack Model and Boot Sequence
Browser is trusted
Host web site specifies the policies (advice)
Advice is trusted (kernel-level code)
Untrusted scripts (user-level code) are loaded after advice specification
Libraries may be loaded before advice:
  They should declare new code only
  They should not change the environment in undesirable ways
Advising functions: Implementation
User-defined functions: represented as closures; point the closure to the advice function; a bit indicates whether advice is enabled
Native functions: analogous to user-defined functions
Advising functions: Implementation
Foreign functions, like frame[0].postMessage
Use a translation table
Blessing and Advice Optimizations
Problem of infinite recursion
Solution: define two functions
  bless: enable the advice
  curse: disable the advice
Rewrite: autobless
  Avoids verbosity, more efficient
  What if the raw function is not called? Be explicit: curse
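The recursion problem and the bless/curse fix, as an added example written for this page (not ConScript's code). An "advice enabled" bit lives on a handle returned by the `around` helper; `curse()` clears it and `bless()` sets it. The autobless variant here is this example's assumption about the optimization: the wrapper curses on entry to the advice and blesses again when the advice returns, so a call back through the advised access path reaches the original function instead of re-entering the advice. The `host.write` API, `makeHost` and the depth guard are constructed for the demonstration.

```javascript
// Added example (not ConScript's own code): bless/curse and autobless
// emulated with an "advice enabled" bit on a wrapped function.

// Constructed stand-in for a host API such as document.write.
function makeHost() {
  return { written: [], write(text) { this.written.push(text); } };
}

// around() returns a handle whose bless()/curse() flip the advice bit.
// With autobless (assumed semantics), the wrapper curses before running the
// advice and blesses again afterwards.
function around(obj, name, advice, { autobless = false } = {}) {
  const original = obj[name];
  const handle = {
    enabled: true,
    bless() { this.enabled = true; },
    curse() { this.enabled = false; },
  };
  obj[name] = function (...args) {
    if (!handle.enabled) return original.apply(this, args);
    if (!autobless) return advice.call(this, original, ...args);
    handle.curse();
    try { return advice.call(this, original, ...args); } finally { handle.bless(); }
  };
  return handle;
}

const MAX_DEPTH = 50; // guard so the demonstration fails fast instead of overflowing the stack

// Advice that re-enters the advised access path (host.write) rather than the
// original passed as a parameter: the pattern that recurses without bless/curse.
function stampingAdvice(depth) {
  return function (_original, text) {
    if (depth.n++ > MAX_DEPTH) throw new RangeError('runaway recursion');
    this.write('[policy] ' + text); // goes back through host.write
  };
}

// No blessing at all: the advice keeps re-entering itself.
function runWithoutBlessing() {
  const host = makeHost(), depth = { n: 0 };
  around(host, 'write', stampingAdvice(depth));
  try { host.write('hello'); return 'completed'; } catch (e) { return e.name; }
}

// Explicit curse/bless around the re-entrant call.
function runWithExplicitCurse() {
  const host = makeHost();
  const handle = around(host, 'write', function (_original, text) {
    handle.curse(); // disable advice while re-entering the access path
    try { this.write('[policy] ' + text); } finally { handle.bless(); }
  });
  host.write('hello');
  return host.written;
}

// Autobless: the same stamping advice, with no explicit bless/curse calls.
function runWithAutobless() {
  const host = makeHost(), depth = { n: 0 };
  around(host, 'write', stampingAdvice(depth), { autobless: true });
  host.write('hello');
  host.write('world');
  return host.written;
}
```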
Advising Script Introduction
Important pointcut: aroundScript
Securing Advice
Advice should not be tampered with, and should be written in a secure manner
A vulnerable advice definition: a whitelist policy for frame messaging
Attack 1: toString redefinition
Attack 2: Function.prototype poisoning
Securing Advice
Attack 3: Object.prototype poisoning
Attack 4: Malicious getters
Securing Advice
Eliminate with and eval
Disallow caller access
Introduce a new primitive, ucall
Circumvent prototype poisoning: introduce a poisoning-safe primitive, hasProp
Securing Advice: Improvements
Securing Advice
Secure version of the whitelist policy
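The vulnerable and secured whitelist policies side by side, as an added example written for this page (not the paper's code). The hardened advice pins `Object.prototype.hasOwnProperty` and `Reflect.apply` at policy-definition time, before any untrusted script loads, which stands in for the paper's `hasProp` and `ucall` primitives; it also requires the target origin to already be a primitive string so its value cannot change between the check and the send. The `makeFrame` stand-in for a frame's postMessage, the `.example` origins and the two check functions are constructed for the demonstration.

```javascript
// Added example (not the paper's code): a frame-messaging whitelist policy,
// first written the vulnerable way and then hardened.

// Builtins captured at policy-definition time (advice loads before untrusted code).
const pinnedHasOwn = Object.prototype.hasOwnProperty;
const pinnedApply = Reflect.apply;
function hasProp(obj, key) { return pinnedApply(pinnedHasOwn, obj, [key]); }

// Constructed whitelist of origins the host page is willing to message.
const whitelist = { 'https://partner.example': true };

// Constructed stand-in for a frame; a real postMessage also stringifies targetOrigin.
function makeFrame() {
  return { postMessage(msg, targetOrigin) { return 'delivered to ' + String(targetOrigin); } };
}

function around(obj, name, advice) {
  const original = obj[name];
  obj[name] = function (...args) { return advice.call(this, original, ...args); };
}

// Vulnerable: the lookup walks the prototype chain, targetOrigin is converted
// to a string once for the check and again inside postMessage, and the call
// goes through Function.prototype.call, which untrusted code can replace.
function vulnerableAdvice(original, msg, targetOrigin) {
  if (whitelist[targetOrigin]) return original.call(this, msg, targetOrigin);
  throw new Error('blocked');
}

// Hardened: only own properties count, the origin must already be a primitive
// string, and the original is invoked through the pinned apply.
function secureAdvice(original, msg, targetOrigin) {
  if (typeof targetOrigin !== 'string' || !hasProp(whitelist, targetOrigin)) {
    throw new Error('blocked');
  }
  return pinnedApply(original, this, [msg, targetOrigin]);
}

function installBoth() {
  const v = makeFrame(), s = makeFrame();
  around(v, 'postMessage', vulnerableAdvice);
  around(s, 'postMessage', secureAdvice);
  return { v, s };
}

function outcome(fn) { try { return fn(); } catch (e) { return 'blocked'; } }

// Attack 1 from the slides, toString redefinition: an object whose string form
// differs between the policy check and the actual send.
function checkToStringRedefinition() {
  const { v, s } = installBoth();
  let calls = 0;
  const shifty = { toString() { return calls++ === 0 ? 'https://partner.example' : 'https://other.example'; } };
  const vulnerable = outcome(() => v.postMessage('m', shifty));
  calls = 0;
  const secure = outcome(() => s.postMessage('m', shifty));
  return { vulnerable, secure };
}

// Attack 3, Object.prototype poisoning: a key that is not in the whitelist but
// is found on the prototype chain. The poison is removed again afterwards.
function checkPrototypePoisoning() {
  const { v, s } = installBoth();
  Object.prototype['https://other.example'] = true;
  try {
    return {
      vulnerable: outcome(() => v.postMessage('m', 'https://other.example')),
      secure: outcome(() => s.postMessage('m', 'https://other.example')),
    };
  } finally {
    delete Object.prototype['https://other.example'];
  }
}
```

Creating the whitelist with `Object.create(null)` would remove the prototype chain altogether and is a reasonable complement to `hasProp`; pinning the builtins is still needed for the call itself, since Attack 2 targets `Function.prototype` rather than the whitelist.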
Policy Validation
Static validation: ML-like type system; types are annotated with security labels
Two properties:
  Reference isolation: kernel objects should not flow to user code
  Access path integrity of explicitly invoked functions
Security Labels
Lattice with “is substitutable for” relation
Substitution represented with flow relation
Type system
Primitive type: *
Other types similar to ML
Types annotated with security labels
Sample inference rule
Calling trusted foreign functions
Policy examples
No dynamic scripts
No string arguments to setInterval, setTimeout
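Two of the listed policies written as around advice, as an added example for this page (not one of the paper's 17 policies as published). The timer and DOM APIs are a constructed stand-in host (`makeHost`), so only the policy logic is exercised; in ConScript the same advice would be registered as deep advice on the real browser functions. The `exercise` function and its labels are this example's own.

```javascript
// Added example (not from the paper): "No string arguments to setInterval,
// setTimeout" and "No dynamic scripts" as around advice on a simulated host.

function makeHost() {
  return {
    timers: [],
    elements: [],
    setTimeout(cb, ms) { this.timers.push({ cb, ms }); return this.timers.length; },
    setInterval(cb, ms) { this.timers.push({ cb, ms, repeat: true }); return this.timers.length; },
    createElement(tag) { const el = { tag }; this.elements.push(el); return el; },
  };
}

function around(obj, name, advice) {
  const original = obj[name];
  obj[name] = function (...args) { return advice.call(this, original, ...args); };
}

// Policy: a string callback would be evaluated as code, so only real
// functions are accepted as timer callbacks.
function noStringTimers(original, cb, ...rest) {
  if (typeof cb !== 'function') {
    throw new Error('policy: timer callbacks must be functions, not strings');
  }
  return original.call(this, cb, ...rest);
}

// Policy: creating a <script> element at runtime is refused. The tag must be
// a primitive string so its value cannot change between check and use.
function noDynamicScripts(original, tag) {
  if (typeof tag !== 'string' || tag.toLowerCase() === 'script') {
    throw new Error('policy: dynamic script elements are not allowed');
  }
  return original.call(this, tag);
}

function installPolicies(host) {
  around(host, 'setTimeout', noStringTimers);
  around(host, 'setInterval', noStringTimers);
  around(host, 'createElement', noDynamicScripts);
  return host;
}

// Run a few constructed calls and report which were allowed.
function exercise() {
  const host = installPolicies(makeHost());
  const result = {};
  const attempt = (label, fn) => {
    try { fn(); result[label] = 'allowed'; } catch (e) { result[label] = 'blocked'; }
  };
  attempt('functionTimeout', () => host.setTimeout(() => {}, 10));
  attempt('stringTimeout', () => host.setTimeout('doSomething()', 10));
  attempt('stringInterval', () => host.setInterval('poll()', 1000));
  attempt('divElement', () => host.createElement('div'));
  attempt('scriptElement', () => host.createElement('SCRIPT'));
  return result;
}
```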
Automatic Policy Generation
Static: instrument Script# (Script# converts C# to JS)
  JS does not have access qualifiers like private
  Generate policies that enforce private and protected accesses
Runtime:
  Test in a sandboxed environment which capabilities are used
  Strip off all other capabilities
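The runtime generation procedure in miniature, as an added example for this page (not the paper's tooling). A constructed third-party script is run against a recording sandbox that notes every host capability it calls; the generated policy allows exactly that set, and applying it strips every other capability. The capability list, `makeHost`, `widgetScript` and the helper names are all this example's own.

```javascript
// Added example (not from the paper): record the capabilities a script uses
// during a sandboxed test run, then generate a policy that allows only those.

const HOST_CAPABILITIES = ['getElementById', 'setTimeout', 'postMessage', 'eval'];

// Constructed stand-in host whose functions just report their own name.
function makeHost() {
  const host = {};
  for (const name of HOST_CAPABILITIES) host[name] = () => name;
  return host;
}

// Step 1: wrap each capability so that a test run records what is used.
function recordCapabilities(host, scriptUnderTest) {
  const used = new Set();
  const sandbox = {};
  for (const name of HOST_CAPABILITIES) {
    sandbox[name] = (...args) => { used.add(name); return host[name](...args); };
  }
  scriptUnderTest(sandbox);
  return [...used].sort();
}

// Step 2: the generated policy is an allowlist of the recorded capabilities.
function generatePolicy(used) {
  return { allow: new Set(used) };
}

// Step 3: apply the policy; every capability outside the allowlist is stripped.
function applyPolicy(host, policy) {
  const restricted = {};
  for (const name of HOST_CAPABILITIES) {
    restricted[name] = policy.allow.has(name)
      ? (...args) => host[name](...args)
      : () => { throw new Error('capability stripped by policy: ' + name); };
  }
  return restricted;
}

// Constructed third-party script: it only ever needs two capabilities.
function widgetScript(env) {
  env.getElementById('widget');
  env.setTimeout(() => {}, 100);
}

function generatedPolicyFor(script) {
  return generatePolicy(recordCapabilities(makeHost(), script));
}

// Run the script under the generated policy, then try one more capability.
function runUnderPolicy(script, policy, extraCall) {
  const env = applyPolicy(makeHost(), policy);
  script(env);
  try { env[extraCall](); return 'allowed'; } catch (e) { return 'stripped'; }
}
```

The recorded set is only as complete as the test run: a code path the sandbox never exercised will have its capability stripped in production, which is the usual trade-off of coverage-based policy generation.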
Evaluation: Micro Benchmarks
Evaluation: Macro Benchmarks
Evaluation: Code Size Increase
Impressions
Neat idea
Impressive performance
No with and eval
Needs browser support
Automatic policy generation
Policies come with host page
Third party developer (attacker) may choose to not use any ConScript supported frameworks
Impressions
setTimeout also unsafe without policy enforcement
Most policies described can be checked statically
Rule set for type inference may not be complete
Object Views: Fine Grained Sharing in Browsers
Presented by Vaibhav Rastogi
Key Idea
Enable fine-grained sharing of JavaScript objects between principals
Let different principals have different views of the objects
Views may differ in access rights, or override methods to hide some information
Aspect-oriented approach
Threat model
Two settings: server-side script rewriters, browsers
View sharer creates an object view according to policies
Attacker is the view recipient, and tries to steal information that should not be accessible to it
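One way to build a restricted view for a recipient, as an added example for this page (not the Object Views paper's implementation): a `Proxy` whose policy lists the readable properties, hides everything else, and overrides one method so the recipient learns only what the sharer permits. The profile record, the widget policy and the `makeView` API are constructed for the example; the paper's browser and server-side rewriting mechanisms are not reproduced here.

```javascript
// Added example (not the paper's code): a read-only, policy-restricted view
// of a shared object, built with a Proxy.

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function makeView(target, policy) {
  const readable = new Set(policy.readable);
  const overrides = policy.overrides || {};

  // What the recipient sees for a given key, or undefined if hidden.
  function lookup(obj, key) {
    if (hasOwn(overrides, key)) {
      // Overridden methods run against the real object but return only
      // what the policy's replacement chooses to expose.
      return (...args) => overrides[key](obj, ...args);
    }
    return readable.has(key) ? obj[key] : undefined;
  }

  return new Proxy(target, {
    get(obj, key) { return lookup(obj, key); },
    has(obj, key) { return readable.has(key) || hasOwn(overrides, key); },
    ownKeys() { return [...readable, ...Object.keys(overrides)]; },
    getOwnPropertyDescriptor(obj, key) {
      if (!readable.has(key) && !hasOwn(overrides, key)) return undefined;
      return { value: lookup(obj, key), enumerable: true, configurable: true, writable: false };
    },
    // The view is read-only for the recipient; the sharer keeps the real object.
    set() { throw new TypeError('view is read-only'); },
    deleteProperty() { throw new TypeError('view is read-only'); },
    defineProperty() { throw new TypeError('view is read-only'); },
  });
}

// Constructed shared object owned by the view sharer.
const profile = {
  name: 'Alice',
  email: 'alice@example.com',
  contacts: ['bob@example.com', 'carol@example.com'],
  listContacts() { return this.contacts.slice(); },
};

// Policy for a third-party widget: it may read the name and learn how many
// contacts exist, never who they are or what the e-mail address is.
const widgetPolicy = {
  readable: ['name'],
  overrides: {
    listContacts: (obj) => obj.listContacts().length,
  },
};

function whatTheRecipientSees() {
  const view = makeView(profile, widgetPolicy);
  let writeRejected = false;
  try { view.name = 'Mallory'; } catch (e) { writeRejected = true; }
  return {
    name: view.name,
    email: view.email,
    contacts: view.contacts,
    contactCount: view.listContacts(),
    keys: Object.keys(view).sort(),
    hasEmail: 'email' in view,
    writeRejected,
    originalUnchanged: profile.name === 'Alice',
  };
}
```

The override returns a number rather than the array itself; handing out the real `contacts` array through an override would give the recipient a reference into the sharer's object, which is the kind of leak the threat model is about.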
View designs: Example
Comparison with ConScript
Both are very similar aspect-oriented approaches
ConScript is for applying JavaScript policies
Object Views is for creating multiple views for sharing