Slide 1
ConScript: Specifying and Enforcing Fine Grained Security Policies for JavaScript in the Browser
Presented by Vaibhav Rastogi

Slide 2
Introduction
Advent of Web 2.0 and mashups
Inclusion of untrusted third party content is a necessity
Need to restrict the functionality available to untrusted content that does not need that functionality

Slide 3
ConScript
A browser based, security oriented aspect system
Allows the hosting page to specify policies
Restricts code execution in the context of the hosting page
Examples
  Limiting eval to JSON parsing
  Allowing only white-listed strings and scripts

Slide 4
Looking Ahead
Security aspects in the browser
Deep aspects with native support
Static and runtime validation strategies for aspects
17 example security and reliability policies for JavaScript
Automatic policy generation
Evaluation

Slide 5
An example
eval considered unsafe
But a necessity for JSON parsing
Approach 1: Redefine eval
  Shallow redefinition
  Other access paths to eval may exist

Slide 6
An example
Aspects:
  Specify code to execute – advice
  At particular moments of execution – pointcut
Approach 2
  Requires browser support
  Uses aspects – advice and pointcuts

Slide 7
An example

Slide 8
Salient Points
Advice registration
Binding the original advised function to the new function
Use type safe calls

Slide 9
Aspects: Binding Pointcuts to Advice
The around advice
  Calls the advice function parameter instead of the function specified as the first parameter
  The advice designer decides what to do in the new function
    Throw an exception
    Do some safe execution
    Invoke the original function

Slide 10
Deep Advice
Several access paths can designate an object/function
  var ge = document.getElementById;

Slide 11
Deep Advice
Current state of the art – wrapping of an access path
  Shallow advice
  Protects only one access path
ConScript’s approach
  Deep advice
  Registering advice on one access path suffices

Slide 12
Attack Model and Boot Sequence
Browser is trusted
Host web site specifies the policies – advice
Advice is trusted – kernel level code
Untrusted scripts (user level code) are loaded after advice specification
Allow libraries to be loaded before advice
  They should declare new code only
  They should not change the environment in undesirable ways

Slide 13
Advising functions: Implementation
User defined functions
  Represented as closures
  Point closure to advice function
  A bit indicates if advice is enabled

Slide 14
Advising functions: Implementation
Native functions: analogous to user defined functions

Slide 15
Advising functions: Implementation
Foreign functions
  Like frame[0].postMessage
  Use a translation table

Slide 16
Blessing and Advice Optimizations
Problem of infinite recursion
Solution
  Define two functions
    bless: enable the advice
    curse: disable the advice
  Rewrite

Slide 17
Blessing and Advice Optimizations
Autobless
  Avoids verbosity
  More efficient
What if the raw function is not called?
  Be explicit: curse
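The around advice, the bless/curse bit and the eval policy from the slides above, as an added example that is not code from the ConScript paper or this presentation: a userland JavaScript simulation (ConScript itself needs browser support to make the advice deep). The names advise, jsonOnlyEval, env, aliasTakenEarlier and demo are mine, and JSON.parse standing in as the JSON validator is an assumption.

```javascript
'use strict';

// advise(obj, name, advice) replaces obj[name] with an advised closure; the
// advice receives the advised function first, as ConScript's around advice
// does. One bit records whether the advice is blessed. While the advice body
// runs the bit is cursed, so a call back into the advised function reaches the
// raw function instead of re-entering the advice (the infinite-recursion
// problem on the slides); the bit is blessed again on return (autobless).
function advise(obj, name, advice) {
  const raw = obj[name];
  let blessed = true;
  function advised(...args) {
    if (!blessed) return raw.apply(this, args);   // cursed: raw call
    blessed = false;                               // curse
    try {
      return advice.call(this, advised, ...args);
    } finally {
      blessed = true;                              // bless
    }
  }
  obj[name] = advised;
  return advised;
}

// Policy from the slides: eval may only be used for JSON parsing. JSON.parse
// is the validator here (an assumption; the original used a regex check).
function jsonOnlyEval(orig, text) {
  try {
    JSON.parse(text);
  } catch (e) {
    throw new Error('policy violation: eval is restricted to JSON');
  }
  return orig('(' + text + ')');   // cursed call: reaches the raw eval
}

// Constructed stand-in for the hosting page's global object.
const env = { eval: globalThis.eval };
const aliasTakenEarlier = env.eval;   // a second access path to the same eval
advise(env, 'eval', jsonOnlyEval);

function demo() {
  const parsed = env.eval('{"answer": 42}');             // allowed
  let blocked = false;
  try { env.eval('1 + 1'); } catch (e) { blocked = true; } // refused
  // Shallow advice guards only the rewritten path; the alias bypasses it.
  // Deep advice, which needs browser support, closes that gap.
  const viaAlias = aliasTakenEarlier('1 + 1');
  return { answer: parsed.answer, blocked, viaAlias };
}
```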
Slide 18
Advising Script Introduction
Important pointcut
  aroundScript

Slide 19
Securing Advice
Advice should not be tampered with
Should be written in a secure manner
A vulnerable advice definition
  A whitelist policy for frame messaging

Slide 20
Securing Advice
Attack 1: toString redefinition
Attack 2: Function.prototype poisoning

Slide 21
Securing Advice
Attack 3: Object.prototype poisoning
Attack 4: Malicious getters

Slide 22
Securing Advice: Improvements
Eliminate with and eval
Disallow caller access
Introduce a new primitive ucall
Circumvent prototype poisoning
  Introduce a poisoning safe primitive hasProp

Slide 23
Securing Advice
Secure version of the whitelist policy
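The vulnerable and the secured whitelist policy from slides 19 to 23, as an added example that is not the paper's or the presenter's code. ConScript's hasProp and ucall primitives are modelled by references captured before untrusted code runs (the real ones are browser-supported); whiteList, fakePostMessage, flipFlopTarget and demo are constructed names, and the two poisoned inputs are the constructed test cases the hardened advice must reject.

```javascript
'use strict';

// A frame-messaging whitelist policy as around advice: first in the vulnerable
// shape the slides criticise, then hardened. ConScript's ucall and hasProp are
// modelled by references captured before any untrusted script runs.
const whiteList = { 'https://trusted.example': true };   // constructed list

// Vulnerable: whiteList[target] walks the prototype chain (Attack 3), and an
// object target is converted with its own toString here and then again inside
// the real postMessage, so the two conversions can disagree (Attack 1).
function vulnerableAdvice(orig, msg, target) {
  if (whiteList[target]) return orig(msg, target);
  throw new Error('blocked');
}

// Captured at advice-definition (kernel) time: later poisoning of
// Object.prototype or Function.prototype does not reach these values.
const hasProp = Function.prototype.call.bind(Object.prototype.hasOwnProperty);
const ucall = Reflect.apply;

// Hardened: primitive strings only, own-property check, captured call.
function secureAdvice(orig, msg, target) {
  if (typeof target !== 'string') throw new Error('blocked: non-string target');
  if (!hasProp(whiteList, target)) throw new Error('blocked: not whitelisted');
  return ucall(orig, undefined, [msg, target]);
}

// Stand-in for the browser's postMessage: reports the target actually used.
function fakePostMessage(msg, target) { return String(target); }
function deliver(advice, target) {
  try { return advice(fakePostMessage, 'hello', target); }
  catch (e) { return 'blocked'; }
}

// Attack 1 input: toString satisfies the whitelist lookup, then changes.
function flipFlopTarget() {
  let calls = 0;
  return { toString() { return calls++ === 0 ? 'https://trusted.example' : 'https://other.example'; } };
}

function demo() {
  const out = {};
  out.vulnFlip = deliver(vulnerableAdvice, flipFlopTarget());   // message leaks
  out.safeFlip = deliver(secureAdvice, flipFlopTarget());       // 'blocked'
  Object.prototype['https://other.example'] = true;             // Attack 3 input
  out.vulnProto = deliver(vulnerableAdvice, 'https://other.example');
  out.safeProto = deliver(secureAdvice, 'https://other.example');
  delete Object.prototype['https://other.example'];
  return out;
}
```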
Slide 24
Policy Validation
Static validation
  ML like type system
  Types are annotated with security labels
Two properties
  Reference isolation – kernel objects should not flow to user code
  Access path integrity of explicitly invoked functions

Slide 25
Security Labels
Lattice with an “is substitutable for” relation
Substitution represented with a flow relation

Slide 26
Type system
Primitive type: *
Other types similar to ML
Types annotated with security labels
Sample inference rule
  Calling trusted foreign functions

Slide 27
Policy examples
No dynamic scripts
No string arguments to setInterval, setTimeout

Slide 28
Automatic Policy Generation
Static: Instrument Script#
  Script# converts C# to JS
  JS does not have access qualifiers like private
  Generate policies that enforce private and protected access
Runtime
  Test in a sandboxed environment which capabilities are used
  Strip off all other capabilities

Slide 29
Evaluation: Micro Benchmarks

Slide 30
Evaluation: Macro Benchmarks

Slide 31
Evaluation: Code Size Increase

Slide 32
Impressions
Neat idea
Impressive performance
No with and eval
Needs browser support
Automatic policy generation
  Policies come with the host page
  Third party developer (attacker) may choose to not use any ConScript supported frameworks

Slide 33
Impressions
setTimeout also unsafe without policy enforcement
Most policies described can be checked statically
Rule set for type inference may not be complete

Slide 34
Object Views: Fine Grained Sharing in Browsers
Presented by Vaibhav Rastogi

Slide 35
Key Idea
Enable fine grained sharing of JavaScript objects between principals
Let different principals have different views of the objects
Views may differ in
  Access rights
  Overriding methods to hide some information
Aspect oriented approach

Slide 36
Threat model
Two settings
  Server side script rewriters
  Browsers
View sharer creates an object view according to policies
Attacker is the view recipient
  Tries to steal information that should not be accessible to it

Slide 37
View designs: Example

Slide 38
Comparison with ConScript
Both are very similar aspect oriented approaches
ConScript is for applying JavaScript policies
Object Views is for creating multiple views for sharing