ConScript - PowerPoint Presentation

Uploaded On 2016-07-17

Presentation Transcript

Slide1
ConScript: Specifying and Enforcing Fine Grained Security Policies for JavaScript in the Browser
Presented by Vaibhav Rastogi

Slide2
Introduction
- Advent of Web 2.0 and Mashups
- Inclusion of untrusted third party content a necessity
- Need to restrict the functionality of untrusted content, content that does not need that functionality

Slide3
ConScript
- A browser based, security oriented aspect system
- Allow hosting page to specify policies
- Restrict code execution in the context of the hosting page
- Examples
  - Limiting eval to JSON parsing
  - Allowing only white-listed strings, scripts

Slide4
Looking Ahead
- Security aspects in the browser
- Deep aspects with native support
- Static and runtime validation strategies for aspects
- 17 example security and reliability policies for JavaScript
- Automatic policy generation
- Evaluation

Slide5
An example
- eval considered unsafe
- But a necessity for JSON parsing
- Approach 1: Redefine eval
  - Shallow redefinition
  - Other access paths to eval may exist

Slide6
An example
- Aspects:
  - Specify code to execute – advice
  - At particular moments of execution – pointcut
- Approach 2
  - Require browser support
  - Uses aspects – advice and pointcuts

Slide7
An example

Slide8
Salient Points
- Advice registration
- Binding original advised function to new function
- Use type safe calls

Slide9
Aspects: Binding Pointcuts to Advice
- The around advice
- Call the function parameter instead of the function specified as the first parameter
- The advice designer decides what to do in the new function
  - Throw exception
  - Do some safe execution
  - Invoke the original function

Slide10
Deep Advice
- Several access paths to designate an object/function
  var ge = document.getElementById;

Slide11
Deep Advice
- Current state of the art – wrapping of an access path
- Shallow advice
  - Protects only one access path
- ConScript's approach
  - Deep advice
  - Registering advice on one access path suffices

Slide12
Attack Model and Boot Sequence
- Browser is trusted
- Host web site specifies the policies – advice
- Advice is trusted – kernel level code
- Untrusted scripts (user level code) are loaded after advice specification
- Allow libraries to be loaded before advice
  - They should declare new code only
  - They should not change the environment in undesirable ways

Slide13
Advising functions: Implementation
- User defined functions
  - Represented as closures
  - Point closure to advice function
  - A bit indicates if advice is enabled

Slide14
Advising functions: Implementation
- Native functions: Analogous to user defined functions

Slide15
Advising functions: Implementation
- Foreign functions
  - Like frame[0].postMessage
  - Use translation table

Slide16
Blessing and Advice Optimizations
- Problem of infinite recursion
- Solution
  - Define two functions
    - bless: enable the advice
    - curse: disable the advice
  - Rewrite

Slide17
Blessing and Advice Optimizations
- Autobless
  - Avoid verbosity
  - More efficient
- What if the raw function is not called
  - Be explicit: curse
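As an added example (not code from the slides or the ConScript paper), the following JavaScript is a userland model of the around advice from slides 5 to 9 together with the bless/curse enable bit of slides 16 and 17, applied to the slides' policy of limiting eval to JSON parsing. The `around` helper, its `autobless` option and the `demo` function are this example's own; real ConScript advises the function object inside the browser (deep advice), whereas this model only covers the one reference it returns.

```javascript
// Added example, not code from the ConScript slides or paper: a userland model
// of "around" advice with the advice-enabled bit, bless and curse, applied to
// the slides' policy of limiting eval to JSON parsing. Real ConScript hooks the
// function object inside the browser (deep advice); this model only covers the
// single reference it returns.
function around(raw, advice, { autobless = true } = {}) {
  const aspect = { enabled: true };                  // the advice-enabled bit
  function advised(...args) {
    if (!aspect.enabled) return raw.apply(this, args); // cursed: run raw function
    if (autobless) aspect.enabled = false;           // curse while the advice runs
    try {
      // As in ConScript, the advice receives the advised function as "the
      // original"; calling it re-enters here, so without a curse the advice
      // would recurse forever.
      return advice.call(this, advised, ...args);
    } finally {
      if (autobless) aspect.enabled = true;          // bless on the way out
    }
  }
  advised.bless = () => { aspect.enabled = true; };
  advised.curse = () => { aspect.enabled = false; };
  return advised;
}

// Policy from the slides: eval may only be used for JSON parsing.
function jsonOnlyAdvice(original, src) {
  if (typeof src !== 'string') throw new TypeError('eval: non-string argument');
  try { JSON.parse(src); } catch (e) { throw new Error('eval: input is not JSON'); }
  return original('(' + src + ')');                  // parenthesised so {...} is an expression
}

// Autobless variant: the advice calls the original without any bookkeeping.
const safeEval = around(globalThis.eval, jsonOnlyAdvice);

// Explicit variant: the advice designer curses before and blesses after the
// call into the raw function.
const safeEvalManual = around(globalThis.eval, function (original, src) {
  try { JSON.parse(src); } catch (e) { throw new Error('eval: input is not JSON'); }
  original.curse();
  try { return original('(' + src + ')'); } finally { original.bless(); }
}, { autobless: false });

function demo() {
  const ok = safeEval('{"user":"alice","id":7}');    // JSON: allowed
  let blocked = false;
  try { safeEval('1 + 1'); } catch (e) { blocked = true; } // not JSON: refused
  return { ok, blocked, manual: safeEvalManual('[1,2,3]') };
}
```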

Slide18
Advising Script Introduction
- Important pointcut: aroundScript

Slide19
Securing Advice
- Advice should not be tampered with
- Should be written in a secure manner
- A vulnerable advice definition
  - A whitelist policy for frame messaging

Slide20
Securing Advice
- Attack 1: toString redefinition
- Attack 2: Function.prototype poisoning

Slide21
Securing Advice
- Attack 3: Object.prototype poisoning
- Attack 4: Malicious getters

Slide22
Securing Advice: Improvements
- Eliminate with and eval
- Disallow caller access
- Introduce a new primitive ucall
- Circumvent prototype poisoning
  - Introduce a poisoning safe primitive hasProp

Slide23
Securing Advice
- Secure version of the whitelist policy
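As an added example (not the slides' or the paper's code), the JavaScript below is a userland model of the whitelist policy for frame messaging in a vulnerable form and a hardened form. ConScript's `ucall` is stood in for by `Reflect.apply`, `hasProp` by a captured `Object.prototype.hasOwnProperty`, and the frame, whitelist and untrusted script are constructed for the example; only two of the four attacks named on the slides are exercised.

```javascript
// Added example, not code from the ConScript slides or paper. The advice is
// "kernel" code that runs before any untrusted script, so it captures primitives now.
const ucall = Reflect.apply;                          // stand-in for ConScript's ucall
const ownHasProp = Object.prototype.hasOwnProperty;   // captured before user code runs
const hasProp = (obj, key) => ucall(ownHasProp, obj, [key]); // poisoning-safe check
const whitelist = { hello: true, ping: true };

// A simulated frame that records what it was actually sent.
function makeFrame() {
  const sent = [];
  return { sent, postMessage(msg) { sent.push(String(msg)); } };
}

// Vulnerable advice: whitelist[msg] consults the prototype chain, stringifies
// msg once per use, and looks up .call through Function.prototype.
function vulnerableAdvice(orig, msg) {
  if (!whitelist[msg]) throw new Error('message not in whitelist');
  return orig.call(this, msg);
}

// Hardened advice: only primitive strings (no toString to redefine), own-property
// check through the captured primitive, and ucall instead of orig.call.
function hardenedAdvice(orig, msg) {
  if (typeof msg !== 'string' || !hasProp(whitelist, msg)) throw new Error('message not in whitelist');
  return ucall(orig, this, [msg]);
}

// Shallow wrapping of one access path; ConScript's deep advice would cover all.
function advise(frame, advice) {
  const orig = frame.postMessage;
  frame.postMessage = function (msg) { return advice.call(this, orig, msg); };
}

// Constructed "untrusted script": two of the attacks named on the slides, each
// undone afterwards so the global prototypes are left as they were found.
function runUntrusted(frame) {
  const r = {};
  Object.prototype.leak = true;                       // Attack 3: Object.prototype poisoning
  try { frame.postMessage('leak'); r.poison = 'sent'; } catch (e) { r.poison = 'blocked'; }
  finally { delete Object.prototype.leak; }
  let n = 0;                                          // Attack 1: toString redefinition
  const shifty = { toString() { return n++ === 0 ? 'hello' : 'leak'; } };
  try { frame.postMessage(shifty); r.shifty = 'sent'; } catch (e) { r.shifty = 'blocked'; }
  return r;
}

function demo() {
  const v = makeFrame(); advise(v, vulnerableAdvice);
  const h = makeFrame(); advise(h, hardenedAdvice);
  h.postMessage('hello');                             // a legitimate message still gets through
  return { vulnerable: runUntrusted(v), hardened: runUntrusted(h), vSent: v.sent, hSent: h.sent };
}
```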

Slide24
Policy Validation
- Static validation
  - ML-like type system
  - Types are annotated with security labels
- Two properties
  - Reference isolation – kernel objects should not flow to user code
  - Access path integrity of explicitly invoked function

Slide25
Security Labels
- Lattice with “is substitutable for” relation
- Substitution represented with flow relation

Slide26
Type system
- Primitive type: *
- Other types similar to ML
- Types annotated with security labels
- Sample inference rule
  - Calling trusted foreign functions

Slide27
Policy examples
- No dynamic scripts
- No string arguments to setInterval, setTimeout

Slide28
Automatic Policy Generation
- Static: Instrument Script#
  - Script# converts C# to JS
  - JS does not have access qualifiers like private
  - Generate policies to enforce private, protected accesses
- Runtime
  - Test in a sandboxed environment what capabilities are used
  - Strip off all other capabilities

Slide29
Evaluation: Micro Benchmarks

Slide30
Evaluation: Macro Benchmarks

Slide31
Evaluation: Code Size Increase

Slide32
Impressions
- Neat idea
- Impressive performance
- No with and eval
- Needs browser support
- Automatic policy generation
- Policies come with host page
- Third party developer (attacker) may choose to not use any ConScript supported frameworks

Slide33
Impressions
- setTimeout also unsafe without policy enforcement
- Most policies described can be checked statically
- Rule set for type inference may not be complete

Slide34
Object Views: Fine Grained Sharing in Browsers
Presented by Vaibhav Rastogi

Slide35
Key Idea
- Enable fine grained sharing of JavaScript objects between principals
- Let different principals have different views of the objects
- Views may be different in
  - Access rights
  - Overriding methods to hide some information
- Aspect-oriented approach

Slide36
Threat model
- Two settings
  - Server side script rewriters
  - Browsers
- View sharer creates object view according to policies
- Attacker is the view recipient
  - Tries to steal information that should not be accessible to it

Slide37
View designs: Example

Slide38
Comparison with ConScript
- Both are very similar aspect-oriented approaches
- ConScript is for applying JavaScript policies
- Object Views is for creating multiple views for sharing
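As an added illustration (not code from the Object Views slides or paper, whose implementation is aspect-oriented), the JavaScript below builds a view with a Proxy so that a second principal gets different access rights and an overridden method that hides information. The `makeView` helper, its policy shape and the sample user record are assumptions of this example.

```javascript
// Added example, not code from the Object Views slides or paper: one underlying
// object, two views. The sharer keeps the full object; the recipient gets a view
// whose read and write rights and overridden methods are set by a policy.
function makeView(target, policy) {
  // policy: { read: Set of readable props, write: Set of writable props,
  //           override: map of method name -> replacement function }
  return new Proxy(target, {
    get(obj, prop) {
      if (policy.override && prop in policy.override) return policy.override[prop];
      if (!policy.read.has(prop)) throw new Error(`view: read of "${String(prop)}" denied`);
      const v = obj[prop];
      return typeof v === 'function' ? v.bind(obj) : v;
    },
    set(obj, prop, value) {
      if (!policy.write.has(prop)) throw new Error(`view: write of "${String(prop)}" denied`);
      obj[prop] = value;
      return true;
    },
    has(obj, prop) { return policy.read.has(prop) && prop in obj; },
    ownKeys(obj) { return Reflect.ownKeys(obj).filter(k => policy.read.has(k)); },
    getOwnPropertyDescriptor(obj, prop) {
      return policy.read.has(prop) ? Reflect.getOwnPropertyDescriptor(obj, prop) : undefined;
    },
  });
}

// Constructed sample: a user record the view sharer exposes to an advertising
// widget that may see a coarse location but not the e-mail or the zip code.
const user = {
  name: 'alice', email: 'alice@example.com', city: 'Zurich', zip: '8001',
  location() { return `${this.city} ${this.zip}`; },
};
const adsView = makeView(user, {
  read: new Set(['name', 'city', 'location']),
  write: new Set(),
  override: { location() { return user.city; } },   // hides the zip code
});

function demo() {
  const r = { name: adsView.name, location: adsView.location(), keys: Object.keys(adsView) };
  try { r.email = adsView.email; } catch (e) { r.email = 'denied'; }
  try { adsView.city = 'Bern'; r.write = 'allowed'; } catch (e) { r.write = 'denied'; }
  r.cityUnchanged = user.city;                        // the underlying object is untouched
  return r;
}
```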