ConScript

Added: 2017-04-02

Slide1

ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser

Leo Meyerovich, UC Berkeley
Benjamin Livshits, Microsoft Research


Slide3

Complications

- Benign but buggy: who is to blame?
- Code constantly evolving: how do we maintain quality?
- Downright malicious: prototype hijacking

Slide4

Developer’s Dilemma


Slide5

Only Allow eval of JSON

    eval("([{'hello': 'Oakland'}, 2010])")

    eval("(xhr.open('evil.com');)")

Idea for a policy:
- Parse input strings instead of running them
- Use ConScript to advise eval calls
- AspectJ advice for Java looks like:

    void around call Window::eval(String s) { … }

- How to do advice in JavaScript? No classes to speak of

Slide6

Advising Calls is Tricky

    window.eval = function allowJSON() { … }

[diagram: the heap holds the window object (with document, x, y, z, frames[0]) and the eval function object; the stack shows the allowJSON frame above an eval frame. The assignment above rebinds only the window.eval property; the original eval function object stays reachable through other references, such as frames[0], so wrapping a property is not complete mediation.]

ConScript approach:
- Deep advice for complete mediation
- Implemented within the browser for efficiency and reliability

Slide7

Example of Applying Advice in ConScript

    <SCRIPT SRC="facebook.js" POLICY="
      var substr = String.prototype.substring;
      var parse = JSON.parse;
      around(window.eval, function (oldEval, str) {
        var str2 = uCall(str, substr, 1, str.length - 1);
        var res = parse(str2);
        if (res) return res;
        else throw 'eval only for JSON';
      });
    ">
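An added example (not from the slides or from the ConScript implementation) that puts slides 6 and 7 side by side: the JSON-only eval policy is easy to state, but when it is installed by plain property replacement, any reference to eval saved before installation bypasses it. `window`, `aroundShallow`, `uCall` and `xhrOpen` are userland stand-ins written for this example; in ConScript, `around` is implemented inside the IE8 interpreter so that every reference to the advised function is mediated, which is exactly what the shallow version here fails to do.

```javascript
// Userland stand-in for the browser's global object (constructed for this
// example; no real browser is involved).
const window = { eval: (src) => globalThis.eval(src) };

// A reference to the original eval taken before any policy is installed: the
// situation slide 6's heap diagram shows, where frames[0] (or any saved
// variable) still points at the unwrapped function.
const savedEval = window.eval;

// Primitives captured in the policy prologue, as in slide 7: a page that later
// tampers with String.prototype or JSON cannot change what the policy uses.
const substr = String.prototype.substring;
const parse = JSON.parse;
// uCall(thisObj, fn, ...args): invoke fn with the given receiver without
// touching fn.call / fn.apply, which live on the (poisonable) Function.prototype.
const uCall = (thisObj, fn, ...args) => Reflect.apply(fn, thisObj, args);

// Shallow around(): swaps the property for a wrapper that hands the previous
// function to the advice as its first argument. This is deliberately the
// weak, property-level form that slide 6 warns about.
function aroundShallow(obj, name, advice) {
  const old = obj[name];
  obj[name] = function (...args) { return Reflect.apply(advice, this, [old, ...args]); };
}

// Slide 7's policy: accept only a parenthesised JSON literal, and parse it
// instead of executing it. JSON.parse throws on anything that is not JSON, and
// a JSON value that parses to something falsy (null, 0, "") is rejected too.
function installJsonOnlyEval() {
  aroundShallow(window, 'eval', function (oldEval, str) {
    const str2 = uCall(str, substr, 1, str.length - 1); // strip the outer "(" and ")"
    const res = parse(str2);
    if (res) return res;
    throw 'eval only for JSON';
  });
}

// Run fn(src) and report the outcome instead of throwing.
function attempt(fn, src) {
  try { return { ok: true, value: fn(src) }; }
  catch (e) { return { ok: false, error: typeof e === 'string' ? e : e.name }; }
}

// Stand-in for an attacker-reachable side effect (constructed): counts how
// often code that should have been blocked actually ran.
let sideEffects = 0;
globalThis.xhrOpen = (url) => { sideEffects++; return url; };

function demo() {
  installJsonOnlyEval();
  const json = attempt(window.eval, '([{"hello": "Oakland"}, 2010])');
  const code = attempt(window.eval, "(xhrOpen('evil.com'))");
  const falsy = attempt(window.eval, '(null)');
  // The alias saved before installation never sees the advice: this is the
  // bypass that deep advice (slide 6) exists to close.
  const bypass = attempt(savedEval, "(xhrOpen('evil.com'))");
  return { json, code, falsy, bypass, sideEffects };
}
```

Running `demo()` shows the policy accepting the JSON literal, rejecting the `xhrOpen` call and the falsy `null` literal, and then the saved alias executing the same `xhrOpen` call unhindered, with `sideEffects` ending at 1.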

Slide8

Contributions of ConScript


Slide9

Implementation

Outline:
- A case for aspects in browser
- Correctness checking
- Expressiveness
- Real-world Evaluation

Slide10

Advising JavaScript Functions in IE8

    around(paint, withBoundChecks);
    dog.draw();
    fish.display();

[diagram: the heap holds the objects fish and dog, whose display and draw properties resolve to the same paint function; the stack shows the withBoundChecks advice frame above the paint frame. Because the advice is attached to the paint function object itself, both dog.draw() and fish.display() pass through withBoundChecks.]

Slide11

This is Just the Beginning…

Not just JavaScript functions:
- native JavaScript calls: Math.round, …
- DOM calls: document.getElementById, …
Not just functions…
- script introduction…
Optimizations:
- Blessing
- Auto-blessing

Slide12

Type system

Outline:
- A case for aspects in browser
- Correctness checking
- Expressiveness
- Real-world Evaluation

Slide13

Policies are Easy to Get Wrong

    var okOrigin = {"http://www.google.com": true};
    around(window.postMessage, function (post, msg, target) {
      if (!okOrigin[target]) { throw 'err'; }
      else { return post.call(this, msg, target); }
    });

Three holes in this policy:
- toString redefinition! (okOrigin[target] converts target to a string with target's own toString, which the page controls)
- Function.prototype poisoning! (post.call is looked up on Function.prototype, which the page can overwrite)
- Object.prototype poisoning! (okOrigin[target] walks the prototype chain, so a property added to Object.prototype counts as whitelisted)

Slide14

Policies are Easy to Get Wrong

    var okOrigin = {"http://www.google.com": true};
    around(window.postMessage, function (post, msg, target) {
      var t = toPrimitive(target);
      if (!hasProp(okOrigin, t)) { throw 'err'; }
      else { return uCall(this, post, msg, t); }
    });

toPrimitive converts target exactly once, so the value that is checked is the value that is sent.

Reference isolation:
- the whitelist is only referenced by policy code
- use hasProp instead of okOrigin[target]

Access path integrity for function calls:
- prevent prototype poisoning
- use uCall instead of post.call
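An added example, not from the slides or from ConScript itself, that runs the three attacks named on slide 13 against both versions of the postMessage policy. `window.postMessage` here is a recording stand-in, and `uCall`, `hasProp` and `toPrimitive` are userland approximations of the interpreter primitives slide 15 introduces (in ConScript they are built into the engine, which is what makes them unpoisonable). The wrapper that binds a policy to postMessage is also a stand-in; everything else is the two policies as written on the slides.

```javascript
// Stand-in for the browser's postMessage (constructed for this example): it
// records the message and the target origin after converting the target to a
// string the way the real DOM entry point would. No messaging happens.
const sent = [];
const window = {
  postMessage(msg, target) { sent.push({ msg, target: `${target}` }); }
};

// Userland stand-ins for the interpreter primitives of slide 15, captured
// before any page code runs so later prototype tampering cannot reach them.
const apply = Reflect.apply;
const hasOwn = Object.prototype.hasOwnProperty;
const uCall = (thisObj, fn, ...args) => apply(fn, thisObj, args);   // never touches fn.call
const hasProp = (obj, key) => apply(hasOwn, obj, [key]);           // own properties only
const toPrimitive = (v) => `${v}`;                                  // convert exactly once

const okOrigin = { 'http://www.google.com': true };

// Slide 13's policy, kept as written there; each line is a hole.
function naivePolicy(post, msg, target) {
  if (!okOrigin[target]) { throw 'err'; }        // runs target.toString(); walks the prototype chain
  else { return post.call(this, msg, target); }  // post.call is Function.prototype.call
}

// Slide 14's policy: one conversion, own-property lookup, captured call path.
function hardenedPolicy(post, msg, target) {
  const t = toPrimitive(target);
  if (!hasProp(okOrigin, t)) { throw 'err'; }
  else { return uCall(this, post, msg, t); }
}

// Minimal around(): binds a policy to the current window.postMessage. The
// wrapper avoids .call itself so the experiments below exercise only the policy.
function advised(policy) {
  const original = window.postMessage;
  return (msg, target) => apply(policy, window, [original, msg, target]);
}

// Reports where a message ended up: the origin recorded by the stand-in,
// 'blocked' if the policy threw, or 'no message sent' if neither happened.
function outcome(fn) {
  const before = sent.length;
  try { fn(); } catch (e) { return 'blocked'; }
  return sent.length > before ? sent[sent.length - 1].target : 'no message sent';
}

// Attack 1: a target whose toString answers the whitelist check with the good
// origin and the actual send with the bad one.
function twoFacedTarget() {
  let calls = 0;
  return { toString() { return calls++ === 0 ? 'http://www.google.com' : 'http://evil.com'; } };
}

function runAttacks() {
  const results = {};
  for (const [name, policy] of [['naive', naivePolicy], ['hardened', hardenedPolicy]]) {
    const postMessage = advised(policy);
    const r = {};
    r.toStringRedefinition = outcome(() => postMessage('hi', twoFacedTarget()));

    // Attack 2: Object.prototype poisoning makes okOrigin[...] true for any key.
    Object.prototype['http://evil.com'] = true;
    try { r.objectProtoPoisoning = outcome(() => postMessage('hi', 'http://evil.com')); }
    finally { delete Object.prototype['http://evil.com']; }

    // Attack 3: Function.prototype poisoning hijacks post.call.
    const realCall = Function.prototype.call;
    let hijacked = false;
    Function.prototype.call = function () { hijacked = true; };
    try { r.functionProtoPoisoning = outcome(() => postMessage('hi', 'http://www.google.com')); }
    finally { Function.prototype.call = realCall; }
    r.attackerCodeRan = hijacked;
    results[name] = r;
  }
  return results;
}
```

`runAttacks()` reports the naive policy sending to http://evil.com under the first two attacks and handing control to the attacker's replacement of `call` under the third, while the hardened policy sends only to http://www.google.com, blocks the poisoned-prototype key outright, and never touches the poisoned `call`.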

Slide15

How Do We Enforce Policy Correctness?

Application code:
- Unperturbed usage of legacy code
- Disallow arguments.caller to avoid stack inspection (disallowed by ES5's strict mode)

Policy code:
- Modify the JavaScript interpreter: introduce uCall, hasProp, and toPrimitive; disable eval
- Propose a type system to enforce correct use of these primitives; disable with, …

Slide16

Policy Type System

- ML-like type system
- Uses security labels to denote privilege levels
- Enforces access path integrity and reference isolation

Reference isolation: o does not leak through poisoning if f is a field

Access path integrity for function calls: o.f remains unpoisoned if T in v : T is not poisoned

Slide17

Policies

Outline:
- A case for aspects in browser
- Correctness checking
- Expressiveness
- Real-world Evaluation

Slide18

ConScript Policies

17 hand-written policies:
- Diverse: based on literature, bugs, and anti-patterns
- Short: wrote new HTML tags with only a few lines of code

2 automatic policy generators:
- Using runtime analysis
- Using static analysis

Slide19

Paper presents 17 ConScript Policies

    around(document.createElement, function (c : K, tag : U) {
      var elt : U = uCall(document, c, tag);
      if (elt.nodeName == "IFRAME") throw 'err';
      else return elt;
    });

Slide20

Generating Intrusion Detection Policies

[diagram: ConScript instrumentation records the observed method calls (eval, new Function("string"), postMessage, XDomainRequest, XMLHttpRequest, …), and the recorded set becomes the policy that ConScript enforcement applies]

Slide21

Enforcing C# Access Modifiers

C#:

    class File {
      public File () { … }
      private open () { … }
      …
    }

JavaScript emitted by the Script# compiler:

    function File () { … }
    File.construct = …
    File.open = …
    …

ConScript policy emitted by the policy generator:

    around(File, pubEntryPoint);
    around(File.construct, pubEntryPoint);
    around(File.open, privCall);

Slide22

Evaluation

Outline:
- A case for aspects in browser
- Correctness checking
- Expressiveness
- Real-world Evaluation

Slide23

Experimental Evaluation


Slide24

DoCoMo Policy Enforcement Overhead

[chart not included in the extracted text]

Reference: H. Kikuchi, D. Yu, A. Chander, H. Inamura, and I. Serikov, "JavaScript instrumentation in practice," 2008.

Slide25

File Size Increase for Blacklisting Policy


Slide26

Conclusions


Slide27

Questions?


Slide28

Backup slides:
- Access Modifier Enforcement
- Intrusion Detection System
- Runtime Overhead

Slide29

Mediating DOM Functions

[diagram, "deep aspects": window.postMessage and frame2.postMessage both enter the JavaScript interpreter and reach the same native postMessage implementation in the IE8 libraries (HTML, Networking, …), shown at address 0xff34e5, with arguments "hello", "evil.com". around(window.postMessage, …) registers the advice against that native function identity (0xff34e5) together with an on/off flag. On each call the interpreter performs advice dispatch: a callee with registered advice is routed to the advice, a callee with no entry ([not found]) is called directly. Because the advice is keyed on the callee rather than on the window.postMessage property, the frame2.postMessage path is mediated as well.]

Slide30

Resuming Calls

    function foo () { }

1. Resuming without blessing:

    function advice1 (foo2) { if (ok()) { foo2(); } else throw 'exn'; }

2. Resuming with an explicit bless():

    function advice2 (foo2) {
      if (ok()) {
        bless();
        foo2();
      } else throw 'exn';
    }

With deep advice the resumed call foo2() is itself advised, so advice1 would re-enter itself. bless() temporarily disables advice for the next call (advice on, then advice off for that one call), which lets advice2 hand control to the original function.

The same two shapes for an eval policy:

2. function (eval, str) { if (ok(str)) { bless(); return eval(str); } else throw 'exn'; }

3. function (eval, str) { if (ok(str)) return eval(str); else { curse(); throw 'exn'; } }

Slide31

Optimizing the Critical Path

    function foo () { }

advice2 (explicit blessing, advice on):

    function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw 'exn'; }

advice3 (auto-blessing):

    function advice3 (foo2) {
      if (ok()) foo2();
      else {
        curse();
        throw 'exn';
      }
    }

Calling advice turns advice off for the next call, so the common allow path needs no bless(); curse() enables advice again for the next call when the advice does not resume the original.
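An added example, not from the slides or from ConScript, that models deep-advice dispatch with bless() and curse() as a small userland state machine so the three advice shapes of slides 30 and 31 can be run side by side. The dispatcher, the depth guard and the `foo`/`ok` stand-ins are constructed for this example; in ConScript the on/off flag lives in the interpreter's advice dispatch, not in a Map. The last scenario goes one step beyond the slides and shows what an auto-blessing advice that forgets to curse() on its deny path lets through.

```javascript
// Deep-advice dispatch modelled in userland (constructed for this example).
// Every call to an advised function goes through call(), whichever reference
// the caller holds; a resumed call from inside the advice would therefore be
// advised again unless something switches the advice off for that one call.
function makeDispatcher(autoBless) {
  const table = new Map();   // function -> advice
  let off = false;           // "advice off for the next call" flag
  let depth = 0;             // guard that turns runaway re-entry into an error
  const d = {
    around: (fn, advice) => { table.set(fn, advice); },
    bless: () => { off = true; },    // slide 30: skip advice on the next call
    curse: () => { off = false; },   // slide 31: re-enable advice
    call(fn, ...args) {
      const advice = table.get(fn);
      if (!advice || off) { off = false; return fn(...args); }
      if (depth >= 20) throw new Error('advice re-entered itself');
      depth++;
      try {
        if (autoBless) off = true;   // slide 31: entering advice auto-blesses the next call
        return advice((...a) => d.call(fn, ...a), ...args);
      } finally { depth--; }
    },
  };
  return d;
}

// Stand-ins for foo and ok() on the slides: double the input, allow non-negatives.
const foo = (x) => x * 2;
const ok = (x) => x >= 0;

function scenarios() {
  const out = {};

  // advice1: resumes without bless(); under deep advice it re-enters itself.
  const d1 = makeDispatcher(false);
  d1.around(foo, (foo2, x) => { if (ok(x)) return foo2(x); throw 'exn'; });
  try { out.advice1 = d1.call(foo, 1); } catch (e) { out.advice1 = e.message; }

  // advice2: explicit bless() before resuming, so the inner call is not advised.
  const d2 = makeDispatcher(false);
  d2.around(foo, (foo2, x) => { if (ok(x)) { d2.bless(); return foo2(x); } throw 'exn'; });
  out.advice2 = [d2.call(foo, 1), d2.call(foo, 2)];

  // advice3 on an auto-blessing dispatcher: the allow path needs no bless(),
  // and the deny path curse()s so that the next call is advised again.
  const d3 = makeDispatcher(true);
  d3.around(foo, (foo2, x) => { if (ok(x)) return foo2(x); d3.curse(); throw 'exn'; });
  out.advice3Allow = d3.call(foo, 3);
  try { d3.call(foo, -1); } catch (e) { out.advice3Deny = e; }
  try { d3.call(foo, -2); out.advice3Next = 'slipped'; } catch (e) { out.advice3Next = 'blocked'; }

  // The same advice without curse(): the deny path leaves advice switched off,
  // and the following disallowed call runs unmediated.
  const d4 = makeDispatcher(true);
  d4.around(foo, (foo2, x) => { if (ok(x)) return foo2(x); throw 'exn'; });
  try { d4.call(foo, -1); } catch (e) { /* 'exn', as intended */ }
  try { out.noCurseNext = d4.call(foo, -2); } catch (e) { out.noCurseNext = 'blocked'; }
  return out;
}
```

`scenarios()` returns the re-entry error for advice1, the doubled values for advice2 and the allow path of advice3, 'exn' and then 'blocked' for advice3's deny path, and the unmediated result -4 for the advice that omitted curse().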

