Secure Cooperative Sharing of JavaScript, Browser, and Physical Resources

Tags:

Preview:

Click to see full reader

DESCRIPTION

Secure Cooperative Sharing of JavaScript, Browser, and Physical Resources. Leo Meyerovich , David Zhu. Benjamin Livshits. UC Berkeley. Web Application Security. l ipstick on a pig?. Not Your Mother’s Browser. browser kernels. JIT compilers. p artitioned hardware. Mashup Manifesto. - PowerPoint PPT Presentation

Citation preview

Secure Cooperative Sharing of JavaScript, Browser, and Physical Resources

Benjamin Livshits

UC Berkeley

Leo Meyerovich, David Zhu

Web Application Security

lipstick on a pig?

JIT compilers

partitioned hardware

Not Your Mother’s Browserbrowser kernels

Mashup Manifesto1. sharing requires control

2. sharing must be natural

3. sharing must be cheap

What to Share?

diskHardware

JavaScript

Browser APIs parser, DOM, network, ...

1. <CoFrame src=http://gadget.com/page id=gadget 2. passthroughBrowser="html css js" 3. delegatePhysical=".1 cpu"/> ...4. var toggle = true; 5. delegateBrowser(“network”, gadget, "http://gadget.com", 6. function () { if (toggle) return true; }); 7. function getData() { 8. toggle = false; 9. return "profile data"; } 10. aroundJS(gadget, getData, 11. function proceed (continue) { return continue(); });

JS Sharing with Cross-Principal Advice

function getData

Function.prototype

Alice Bob

__proto__

JS Sharing with Cross-Principal Advice

function getData

Function.prototype

__proto__

Alice Bob

JS Sharing with Cross-Principal Advice

function getData

Function.prototype

__proto__

function proceed

execute

function defaultDeny

Messagesexecuteset fld val get fldaddField fld valremoveField fld

Alice Bob

set, get, …function proceed (continue) { return continue(); }

function defaultDeny (continue) { throw ‘err’ }

JS Sharing with Cross-Principal Advice

function getData

Function.prototype

__proto__

function proceed

execute

function defaultDeny

Messagesexecuteset fld val get fldaddField fld valremoveField fld

Alice Bob

set, …, get

JS Sharing with Cross-Principal Advice

function getData

Function.prototype

__proto__

function proceed

execute

function defaultDeny

Messagesexecuteset fld val get fldaddField fld valremoveField fld

Alice Bob

execute, set, get, addField, removeField

set, …, get

Cornelia

set, …

browser

Browser API Sharing with Non-Tampering Advice

facebook.com

gadget.com

gadget.com

delegateBrowser(“network”, gadget, "http://gadget.com", function () { if (toggle) return true; });

delegation: non-tampering advicefacebook.com

parser, DOM, CSS, ...

Physical Resource Sharing with TessellationOS

disk

layout

render

layout

render

layout

render

… … …

Mashup Manifesto1. sharing requires control

2. sharing must be natural

3. control must be cheap

Related Work

Physical Resource Sharing Resource Containers E Gazelle TessellationOS Chrome

JavaScript Sharing Caja MashupOS Object Views ConScript

Browser API Sharing OP Browser ConScript ServiceOS

backup slides.

Sharing Browser APIs: Today

Facebook.comadvice

DOM (FFI)

Sharing Browser APIs: Tomorrow

Facebook.com

DOM (FFI)

advice

browser

kernel

container.com

gadget.com

BROWSER

container.com

gadget.com

gadget.com

BROWSER

gadgetfork

bomb!!!

YouTubepolicy?

container.com

gadget.com

gadget.com

BROWSER

A New Hope

Recommended

JavaScript - introducere - seap.usv.rodtiliute/webtech/JavaScript-introducere.pdf · JavaScript - introducer. e. 4. Primul script - ascunderea codului . 1. Browser-ele moderne recunosc
Documents
WEB MASTERY WITH JAVASCRIPT - NEUGC - … Mastery with JavaScript 17 Features of JavaScript (cont’d.) •Runs on client, in browser • Code is downloaded from server
Documents
Enhancing JavaScript with Transactionshomes.soic.indiana.edu/ccshan/browser/ecoop2012b.pdf · Enhancing JavaScript with Transactions Mohan Dhawan 1Chung-chieh Shan2 Vinod Ganapathy
Documents
JavaScript - Valdosta State University JavaScript Homework Follow the links below for w3schools tutorials on JavaScript, JavaScript HTML DOM, and JavaScript Browser BOM.. Each tutorial
Documents
DOM, Javascript, and jQueryaryo.lecture.ub.ac.id/files/2014/11/DesainWeb-08-DOM-Javascript-and-jQuery.pdf · Java ! Cannot interact with Browser or control content ! JavaScript is
Documents
Browser Objects Navigator, Windows and Frames. Browser Object Model JavaScript programs are associated with a browser window and the document displayed
Documents
Javascript in practice Davide Morelli. one language to rule them all Browser: JavaScript Server: JavaScript NoSQL: JSON
Documents
Your browser doesn't seem to support Javascript!
Documents
Javascript Browser – Client Side Processing Activity page/examples: rosely/js/ Browser – Client Side Processing Activity page/examples:
Documents
Prime+Probe 1, JavaScript 0: Overcoming Browser ... - BGUPrime+Probe 1, JavaScript 0: Overcoming Browser-based Side-Channel Defenses (Extended Version) Anatoly Shusterman Ben-Gurion
Documents
Efficient Browser Identification with 0.5cm JavaScript ...JavaScript Engine Fingerprinting Philipp Reschl, Martin Mulazzani, Markus Huber, Edgar Weippl SBA Research, Vienna Browser
Documents
Dalek.js - Automated cross browser testing with JavaScript
Software
Javascript / Browser Integration Testing with Ruby
Documents
JavaScript, Fourth Edition Chapter 4 Manipulating the Browser Object Model
Documents
Apostila de JavaScript - LRodrigolrodrigo.sgs.lncc.br/.../2016/04/apostila-javascript.2005.03.22.pdf · Se o browser não suportar JavaScript e não inserirmos o comentário HTML,
Documents
Javascript and browser games
Technology
Chapter 4 The Browser Object Model JavaScript, Third Edition
Documents
VisibleV8: In-browser Monitoringof JavaScript in the Wild
Documents
cross-platform browser instrumentation using JavaScript
Documents
WebGL and the Visual Web Ecosystem - Khronos Group · 2014-04-08 · JavaScript, HTML, CSS, ... WebGL Implementation Anatomy JavaScript Middleware WebGL HTML5 JavaScript CSS Browser
Documents