Embed Size (px)
Citation preview
ConScriptSpecifying and Enforcing Fine-Grained Security Policies
for JavaScript in the Browser
Leo MeyerovichUC Berkeley
Benjamin LivshitsMicrosoft Research
2
3
Complications
Benign but buggy:
who is to blame? Code constantly evolving
How do we maintain quality?
Downright malicious
Prototype hijacking
Developer’s Dilemma
4
5
Only Allow eval of JSON
eval(“([{‘hello’: ‘Oakland’}, 2010])”)
eval(“(xhr.open(‘evil.com’);)”)
• Idea for a policy: – Parse input strings instead of running them– Use ConScript to advise eval calls
• AspectJ advice for Java
• How to do advice in JavaScript?– No classes to speak of
void around call Window::eval (String s) { … }
heap
Advising Calls is Tricky
window.eval = function allowJSON() { … }
windowobject
document
window
x
y
z
…
frames[0]
stackfunction
allowJSONeval
frameobject
eval
eval
function eval
ConScript approach– Deep advice for complete mediation– Implemented within the browser for
efficiency and reliability
6
7
Example of Applying Advice in ConScript
1. <SCRIPT SRC=”facebook.js" POLICY="2. var substr = String.prototype.substring;3. var parse = JSON.parse;4. around(window.eval,5. function(oldEval, str) {6. var str2 = uCall(str, substr, 1,7. str.length - 1);8. var res = parse(str2);9. if (res) return res;10. else throw "eval only for JSON";11. } );">
8
Contributions of ConScript
9
ImplementationA case for aspects in browser
Correctness checking
Expressiveness
Real-world Evaluation
10
heap
Advising JavaScript Functions in IE8
fish
...
...
...
dog
stack
function withBoundChecks
function paint
around(paint, withBoundChecks);dog.draw();fish.display();
draw
display
11
This is Just the Beginning…
• Not just JavaScript functions– native JavaScript calls: Math.round, …– DOM calls: document.getElementById, …
• Not just functions…– script introduction– …
• Optimizations– Blessing – Auto-blessing
12
A case for aspects in browser
Type systemCorrectness checking
Expressiveness
Real-world Evaluation
13
Policies are Easy to Get Wrong
var okOrigin={"http://www.google.com":true};around(window.postMessage, function (post, msg, target) { if (!okOrigin[target]) { throw ’err’; } else { return post.call(this, msg, target); }});
1.2.3.4.5.6.7.8.9.
toString redefinition!
Function.prototype poisoning!
Object.prototype poisoning!
15
How Do We Enforce Policy Correctness?
Application code
• Unperturbed usage of legacy code
• Disallow arguments.caller to avoid stack inspection
(disallowed by ES5’s strict mode)
Policy code
• Modify the JavaScript interpreter– introduce uCall, hasProp,
and toPrimitive– disable eval
• Propose a type system to enforce correct use of these primitives– disable with, …
16
Policy Type System
• ML-like type system• Uses security labels to denote privilege levels• Enforces access path integrity and reference isolation
Reference isolation• o does not leak through poisoning if f is a field
Access path integrity for function calls• o.f remains unpoisoned if T in v : T is not poisoned
17
A case for aspects in browser
Correctness checking
PoliciesExpressiveness
Real-world Evaluation
18
ConScript Policies
• 17 hand-written policies
– Diverse: based on literature, bugs, and anti-patterns
– Short: wrote new HTML tags with only a few lines of code
• 2 automatic policy generators
– Using runtime analysis
– Using static analysis
19
Paper presents
17 ConScript
Policies
around(document.createElement, function (c : K, tag : U) { var elt : U = uCall(document, c, tag); if (elt.nodeName == "IFRAME") throw ’err’; else return elt; });
20
Generating Intrusion Detection Policies
ConScript instrumentation
ConScript enforcement
evalnew Function(“string”)postMessageXDomainRequestxmlHttpRequest…
Observed method calls
21
Enforcing C# Access Modifiers
class File { public File () { … } private open () { … } …
C# JavaScript
function File () { … }File.construct = …File.open = ……
Script#compiler
policygenerator
around(File, pubEntryPoint);around(File.construct, pubEntryPoint);around(File.open, privCall);
ConScript
22
A case for aspects in browser
Correctness checking
Expressiveness
EvaluationReal-world Evaluation
Experimental Evaluation
23
24
DoCoMo Policy Enforcement Overhead
Google Maps (183ms) MSN (439ms) GMail (736ms)0%
10%
20%
30%
40%
50%
60%
70%
80%
7%1% 0%
30%
73%63%
ConScript DoCoMo (JavaScript rewriting)
Runti
me
over
head
H. Kikuchi, D. Yu, A. Chander, H. Inamura, and I. Serikov, “JavaScript instrumentation in practice,” 2008
25
File Size Increase for Blacklisting Policy
ConScript Docomo Caja Sandbox1.0
4.0
7.0
10.0
13.0
1.01.7
4.8
1.21.0 1.5
3.9
10.4
1.0 1.5
4.4
1.5
MSN GMail Google Maps
26
Conclusions
27
QUESTIONS?
29
Mediating DOM Functionswindow.postMessage
frame2.postMessage
JavaScript interpreter
IE8 libraries(HTML, Networking, …)
postMessage
0xff34e5arguments: “hello”, “evil.com”
call advice
around(window.postMessage,
off
0xff34e5 off
);
advice dispatch
[not found]
0xff34e5
deep aspects
function advice1 (foo2) { if (ok()) { foo2(); } else throw ‘exn’; }
function foo () { }
Resuming Calls
30
function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw ‘exn’; }
function foo () { }
advice onadvice off
bless() temporarily disables advice for next call
Optimizing the Critical Path
31
function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw ‘exn’; }
function foo () { }
advice on
function advice3 (foo2) { if (ok()) foo2(); else { curse(); throw ‘exn’; } }
function foo () { }
advice offadvice on
• calling advice turns advice off for next call• curse() enables advice for next call
