SLIDE 1
ADsafety
Type-based Verification of JavaScript Sandboxing
Joe Gibbs Politz Spiridon Aristides Eliopoulos Arjun Guha Shriram Krishnamurthi
1
2
ADsafety Type-based Verification of JavaScript Sandboxing Joe - - PowerPoint PPT Presentation
ADsafety Type-based Verification of JavaScript Sandboxing Joe - - PowerPoint PPT Presentation
ADsafety Type-based Verification of JavaScript Sandboxing Joe Gibbs Politz Spiridon Aristides Eliopoulos Arjun Guha Shriram Krishnamurthi 1 2 3 third-party ad third-party ad 4 Who is running code in your browser? 5 Who is running
SLIDE 2
SLIDE 3
3
SLIDE 4
4
third-party ad third-party ad
SLIDE 5
5
Who is running code in your browser?
SLIDE 6
5
Who is running code in your browser?
SLIDE 7
5
Who is running code in your browser?
SLIDE 8
the host you visit
6
SLIDE 9
the host you visit
6
SLIDE 10
the host you visit the ad server
6
SLIDE 11
the host you visit the ad server
6
same JavaScript context
SLIDE 12
the host you visit the ad server
6
<iframe>
SLIDE 13
the host you visit the ad server
6
<iframe>
top.location.href
SLIDE 14
Facebook JavaScript (FBJS) Google Caja Yahoo! ADsafe
All are defining safe sub-languages
7
Microsoft Web Sandbox
SLIDE 15
8
SLIDE 16
eval
8
SLIDE 17
eval
8
SLIDE 18
eval e
8
SLIDE 19
eval e wrap(e)
8
SLIDE 20
wrap eval e wrap(e)
8
SLIDE 21
wrap eval e wrap(e)
“ fi l t e r s ” “wrappers” — Maffeis, Mitchell, and Taly, ESORICS 2009 “ r e w r i t e r s ”
8
SLIDE 22
9
SLIDE 23
eval
9
SLIDE 24
eval
ADSAFE.get(obj, x)
9
untrusted widget
SLIDE 25
ADSAFE.get
eval
ADSAFE.get(obj, x)
9
untrusted widget
SLIDE 26
- 1, 800 LOC adsafe.js library
- 50 calls to three kinds of assertions
- 40 type-tests
- 5 regular-expression based checks
- 60 privileged DOM method calls
10
SLIDE 27
- 1, 800 LOC adsafe.js library
- 50 calls to three kinds of assertions
- 40 type-tests
- 5 regular-expression based checks
- 60 privileged DOM method calls
10
?
SLIDE 28
Type-based Verification of
11
SLIDE 29
Definition 1 (ADsafety): If all embedded widgets pass JSLint, then:
12
SLIDE 30
Definition 1 (ADsafety): If all embedded widgets pass JSLint, then:
eval() document.write() document.createElement("script") ...
1.Widgets cannot load new code at runtime, or cause ADsafe to load new code on their behalf;
12
SLIDE 31
Definition 1 (ADsafety): If all embedded widgets pass JSLint, then:
eval() document.write() document.createElement("script") ...
1.Widgets cannot load new code at runtime, or cause ADsafe to load new code on their behalf;
12
SLIDE 32
Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.Widgets cannot load new code at runtime, or cause ADsafe to load new code on their behalf; 2.Widgets cannot obtain direct references to DOM nodes;
<div> <p> <div> <b>
ADsafe Untrusted Widget
12
SLIDE 33
Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.Widgets cannot load new code at runtime, or cause ADsafe to load new code on their behalf; 2.Widgets cannot obtain direct references to DOM nodes;
<div> <p> <div> <b>
ADsafe Untrusted Widget
12
SLIDE 34
Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.Widgets cannot load new code at runtime, or cause ADsafe to load new code on their behalf; 2.Widgets cannot obtain direct references to DOM nodes; 3.Widgets cannot affect the DOM outside of their subtree; and
<div id="WIDGET"> <p> <div> <b>
ADsafe Untrusted Widget
<div>
12
SLIDE 35
Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.Widgets cannot load new code at runtime, or cause ADsafe to load new code on their behalf; 2.Widgets cannot obtain direct references to DOM nodes; 3.Widgets cannot affect the DOM outside of their subtree; and
<div id="WIDGET"> <p> <div> <b>
ADsafe Untrusted Widget
<div>
12
SLIDE 36
Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.Widgets cannot load new code at runtime, or cause ADsafe to load new code on their behalf; 2.Widgets cannot obtain direct references to DOM nodes; 3.Widgets cannot affect the DOM outside of their subtree; and 4.Multiple widgets on the same page cannot communicate.
ADsafe Widget A Widget B
12
SLIDE 37
13
ADSAFE.get
eval
ADSAFE.get(obj, x)
Goal: Verify ADsafe
SLIDE 38
13
ADSAFE.get
eval
ADSAFE.get(obj, x)
Goal: Verify ADsafe untrusted, but passes JSLint
SLIDE 39
13
ADSAFE.get
eval
ADSAFE.get(obj, x)
Goal: Verify ADsafe untrusted, but passes JSLint Goal: model JSLint
SLIDE 40
14
JSLint ensures: no DOM references
node “Widgets cannot obtain direct references to DOM nodes.”
<div> <p> <div> <b>
ADsafe Untrusted Widget
SLIDE 41
14
bunch = { __nodes__ : array of nodes, append: function ..., getText: function ..., ... 20 functions }
ADsafe ensures:
- nly “safe”
methods on bunches JSLint ensures: no DOM references
node “Widgets cannot obtain direct references to DOM nodes.”
<div> <p> <div> <b>
ADsafe Untrusted Widget
SLIDE 42
14
bunch = { __nodes__ : array of nodes, append: function ..., getText: function ..., ... 20 functions }
ADsafe ensures:
- nly “safe”
methods on bunches
bunch.__nodes__ No private fields in JavaScript!
JSLint ensures: no DOM references
node “Widgets cannot obtain direct references to DOM nodes.”
<div> <p> <div> <b>
ADsafe Untrusted Widget
SLIDE 43
14
bunch = { __nodes__ : array of nodes, append: function ..., getText: function ..., ... 20 functions }
ADsafe ensures:
- nly “safe”
methods on bunches JSLint ensures:
__nodes__ is
“private”
bunch.__nodes__
JSLint ensures: no DOM references
node “Widgets cannot obtain direct references to DOM nodes.”
<div> <p> <div> <b>
ADsafe Untrusted Widget
SLIDE 44
14
bunch = { __nodes__ : array of nodes, append: function ..., getText: function ..., ... 20 functions }
ADsafe ensures:
- nly “safe”
methods on bunches JSLint ensures:
__nodes__ is
“private”
bunch.append(...) bunch.__nodes__
JSLint ensures: no DOM references
node “Widgets cannot obtain direct references to DOM nodes.”
<div> <p> <div> <b>
ADsafe Untrusted Widget
Exploit append to return nodes?
SLIDE 45
14
bunch = { __nodes__ : array of nodes, append: function ..., getText: function ..., ... 20 functions }
ADsafe ensures:
- nly “safe”
methods on bunches JSLint ensures:
__nodes__ is
“private”
bunch.append(...)
ADsafe ensures: DOM nodes are not returned
bunch.__nodes__
JSLint ensures: no DOM references
node “Widgets cannot obtain direct references to DOM nodes.”
<div> <p> <div> <b>
ADsafe Untrusted Widget
SLIDE 46
15
ADSAFE.get
eval
ADSAFE.get(obj, x)
Goal 2: Verify ADsafe untrusted, but passes JSLint Goal 1: model JSLint
SLIDE 47
var n = 6 var s = "a string" var b = true
16
SLIDE 48
var n = 6 var s = "a string" var b = true
16
Widget := Number + String + Boolean + Undefined + Null +
SLIDE 49
17
Widget := Number + String + Boolean + Undefined + Null +
SLIDE 50
{ x: 6, b: "car" }
17
Widget := Number + String + Boolean + Undefined + Null +
SLIDE 51
★: Widget __nodes__: Array<Node> caller: prototype: ... code : Widget ⨉ ... → Widget __proto__: Object + Function + Array + ...
{ x: 6, b: "car" } { nested: { y: 10, b: false } }
17
Widget := Number + String + Boolean + Undefined + Null +
SLIDE 52
★: Widget __nodes__: Array<Node> caller: prototype: ... code : Widget ⨉ ... → Widget __proto__: Object + Function + Array + ...
{ x: 6, b: "car" } { nested: { y: 10, b: false } } { __nodes__: 90 } myObj.prototype = { };
17
Widget := Number + String + Boolean + Undefined + Null +
SLIDE 53
★: Widget __nodes__: Array<Node> caller: prototype: ... code : Widget ⨉ ... → Widget __proto__: Object + Function + Array + ...
{ x: 6, b: "car" } { nested: { y: 10, b: false } } { __nodes__: 90 } myObj.prototype = { }; function foo(x) { return x + 1; } foo(900) foo.w = "functions are objects" ["array", "of", "strings"] /regular[ \t]*expressions/
17
Widget := Number + String + Boolean + Undefined + Null +
SLIDE 54
JSLint Widget type-checker
typable widgets widgets that pass JSLint
18
SLIDE 55
JSLint Widget type-checker
typable widgets widgets that pass JSLint
- r, passing JSLint ⇒Widget-typable
Claim:
evidence: 1,100 LOC of tests
18
SLIDE 56
JSLint Widget type-checker
typable widgets widgets that pass JSLint
- r, passing JSLint ⇒Widget-typable
type-based arguments about widgets
Claim:
evidence: 1,100 LOC of tests
18
SLIDE 57
19
ADSAFE.get
eval
ADSAFE.get(obj, x)
untrusted, but passes JSLint Goal 1: model JSLint Goal 2: Verify ADsafe
SLIDE 58
20
window.setTimeout(callback, delay);
eval
window.setTimeout Widget→Widget String
SLIDE 59
20
window.setTimeout(callback, delay);
eval
window.setTimeout Widget→Widget String
S t r i n g W i d g e t → W i d g e t W i d g e t → W i d g e t Object Number
/*: Widget ⨉ Widget → Widget */ ADSAFE.later = function(callback, delay) { if (typeof callback !== "function") { throw "expected function"; } }
SLIDE 60
20
window.setTimeout(callback, delay);
window : { eval: ☠, setTimeout : (Widget ⨉ ... → Widget) ⨉ Widget → Undefined, ... }
eval
window.setTimeout Widget→Widget String
S t r i n g W i d g e t → W i d g e t W i d g e t → W i d g e t Object Number
/*: Widget ⨉ Widget → Widget */ ADSAFE.later = function(callback, delay) { if (typeof callback !== "function") { throw "expected function"; } }
SLIDE 61
20
window.setTimeout(callback, delay);
window : { eval: ☠, setTimeout : (Widget ⨉ ... → Widget) ⨉ Widget → Undefined, ... }
eval
window.setTimeout Widget→Widget String
S t r i n g W i d g e t → W i d g e t W i d g e t → W i d g e t Object Number
/*: Widget ⨉ Widget → Widget */ ADSAFE.later = function(callback, delay) { if (typeof callback !== "function") { throw "expected function"; } }
Widget
SLIDE 62
20
window.setTimeout(callback, delay);
window : { eval: ☠, setTimeout : (Widget ⨉ ... → Widget) ⨉ Widget → Undefined, ... }
Widget ⨉ ... → Widget
eval
window.setTimeout Widget→Widget String
S t r i n g W i d g e t → W i d g e t W i d g e t → W i d g e t Object Number
/*: Widget ⨉ Widget → Widget */ ADSAFE.later = function(callback, delay) { if (typeof callback !== "function") { throw "expected function"; } }
Widget
SLIDE 63
20
window.setTimeout(callback, delay);
window : { eval: ☠, setTimeout : (Widget ⨉ ... → Widget) ⨉ Widget → Undefined, ... }
Widget ⨉ ... → Widget
—Politz et al. USENIX Security 2011 and Guha, Saftoiu, Krishnamurthi. ESOP 2011.
eval
window.setTimeout Widget→Widget String
S t r i n g W i d g e t → W i d g e t W i d g e t → W i d g e t Object Number
/*: Widget ⨉ Widget → Widget */ ADSAFE.later = function(callback, delay) { if (typeof callback !== "function") { throw "expected function"; } }
Widget
This is just one kind of if-split we handle.
SLIDE 64
JSLinted widget adsafe.js
21
SLIDE 65
JSLinted widget adsafe.js
21
SLIDE 66
JSLinted widget adsafe.js
21
SLIDE 67
JSLinted widget
Widget W i d g e t Widget W i d g e t
adsafe.js
21
SLIDE 68
JSLinted widget
Widget W i d g e t Widget W i d g e t
adsafe.js
21
SLIDE 69
JSLinted widget
Widget W i d g e t Widget W i d g e t
adsafe.js
Widget Widget Widget Widget
21
SLIDE 70
JSLinted widget
Widget W i d g e t Widget W i d g e t
adsafe.js
Widget Widget Widget Widget Array<Node> Node
21
SLIDE 71
JSLinted widget
Widget W i d g e t Widget W i d g e t
adsafe.js
Widget Widget Widget Widget Array<Node> Node N
- d
e Node
21
SLIDE 72
22
typable widgets widgets that pass JSLint
JSLinted widget
Widget Widget W i d g e t Widget
adsafe.js
Widget Widget Widget W i d g e t Array<Node> N
- d
e
JSLint model Type-checked ADsafe
+ = ⋯
SLIDE 73
23
typable widgets widgets that pass JSLint
var fakeNode = { tagName: "div", appendChild: function(elt) { var win = elt.ownerDocument.defaultView; win.eval("alert('hacked')"); } };
SLIDE 74
23
typable widgets widgets that pass JSLint
var fakeNode = { tagName: "div", appendChild: function(elt) { var win = elt.ownerDocument.defaultView; win.eval("alert('hacked')"); } }; var fakeBunch = { __nodes__: [fakeNode] }; Rejected by JSLint
SLIDE 75
23
typable widgets widgets that pass JSLint
var fakeNode = { tagName: "div", appendChild: function(elt) { var win = elt.ownerDocument.defaultView; win.eval("alert('hacked')"); } }; var fakeBunch = { __nodes__: [fakeNode] }; Rejected by JSLint var fakeBunch = { '__nodes__': [fakeNode] }; Accepted by JSLint
type error: expected Array<HTML>, received Array<Widget>
SLIDE 76
/*: Widget ⨉ Widget → Widget */ WrappedElt.prototype.style = function(name, val) { var regexp = new Regexp("url"); if (regexp.test(val)) { return error(); } ... this.__node__.style[name] = val ... }
24
SLIDE 77
/*: Widget ⨉ Widget → Widget */ WrappedElt.prototype.style = function(name, val) { var regexp = new Regexp("url"); if (regexp.test(val)) { return error(); } ... this.__node__.style[name] = val ... } expected String, received Widget
24
SLIDE 78
/*: Widget ⨉ Widget → Widget */ WrappedElt.prototype.style = function(name, val) { var regexp = new Regexp("url"); if (regexp.test(val)) { return error(); } ... this.__node__.style[name] = val ... } expected String, received Widget var firstCall = true; var badName = { toString: function() { if (firstCall) { firstCall = false; return "font"; } else { return "url('/evil.xml')"; } } };
passes safety check returns bad value
24
SLIDE 79
/*: Widget ⨉ Widget → Widget */ WrappedElt.prototype.style = function(name, val) { var regexp = new Regexp("url"); if (regexp.test(val)) { return error(); } ... this.__node__.style[name] = val ... } expected String, received Widget var firstCall = true; var badName = { toString: function() { if (firstCall) { firstCall = false; return "font"; } else { return "url('/evil.xml')"; } } };
passes safety check returns bad value
Fix: check_string assertion inserted here, and in 16
- ther places
24
SLIDE 80
Definition 1 (ADsafety): If all embedded widgets pass JSLint, then:
eval() document.write() document.createElement("script") ...
1.Widgets cannot load new code at runtime, or cause ADsafe to load new code on their behalf; 2.Widgets cannot obtain direct references to DOM nodes; 3.Widgets cannot affect the DOM outside of their subtree; and 4.Multiple widgets on the same page cannot communicate.
<div> <p> <div> <b>
ADsafe Untrusted Widget
<div id="WIDGET"> <p> <div> <b>
ADsafe Untrusted Widget
<div>
ADsafe Widget A Widget B
25
SLIDE 81
Definition 1 (ADsafety): If all embedded widgets pass JSLint, then:
eval() document.write() document.createElement("script") ...
1.Widgets cannot load new code at runtime, or cause ADsafe to load new code on their behalf; 2.Widgets cannot obtain direct references to DOM nodes; 3.Widgets cannot affect the DOM outside of their subtree; and 4.Multiple widgets on the same page cannot communicate.
<div> <p> <div> <b>
ADsafe Untrusted Widget
<div id="WIDGET"> <p> <div> <b>
ADsafe Untrusted Widget
<div>
ADsafe Widget A Widget B
25
SLIDE 82
Definition 1 (ADsafety): If all embedded widgets pass JSLint, then:
eval() document.write() document.createElement("script") ...
1.Widgets cannot load new code at runtime, or cause ADsafe to load new code on their behalf; 2.Widgets cannot obtain direct references to DOM nodes; 3.Widgets cannot affect the DOM outside of their subtree; and 4.Multiple widgets on the same page cannot communicate.
<div> <p> <div> <b>
ADsafe Untrusted Widget
<div id="WIDGET"> <p> <div> <b>
ADsafe Untrusted Widget
<div>
ADsafe Widget A Widget B
25
SLIDE 83
Definition 1 (ADsafety): If all embedded widgets pass JSLint, then:
eval() document.write() document.createElement("script") ...
1.Widgets cannot load new code at runtime, or cause ADsafe to load new code on their behalf; 2.Widgets cannot obtain direct references to DOM nodes; 3.Widgets cannot affect the DOM outside of their subtree; and 4.Multiple widgets on the same page cannot communicate.
<div> <p> <div> <b>
ADsafe Untrusted Widget
<div id="WIDGET"> <p> <div> <b>
ADsafe Untrusted Widget
<div>
ADsafe Widget A Widget B
25
SLIDE 84
Definition 1 (ADsafety): If all embedded widgets pass JSLint, then:
eval() document.write() document.createElement("script") ...
1.Widgets cannot load new code at runtime, or cause ADsafe to load new code on their behalf; 2.Widgets cannot obtain direct references to DOM nodes; 3.Widgets cannot affect the DOM outside of their subtree; and 4.Multiple widgets on the same page cannot communicate.
<div> <p> <div> <b>
ADsafe Untrusted Widget
<div id="WIDGET"> <p> <div> <b>
ADsafe Untrusted Widget
<div>
ADsafe Widget A Widget B
Retracted
25
SLIDE 85
Caveats:
- 11 LOC unverified
- subtree property unverified
26
!
SLIDE 86
JavaScript program
Proofs for JavaScript?
27
SLIDE 87
JavaScript program λJS program
desugar
Proofs for JavaScript? Proofs for λJS.
27
SLIDE 88
JavaScript program λJS program “their answer” “our answer”
desugar
SpiderMonkey, V8, Rhino 100 LOC interpreter
identical for Mozilla JS test suite*
Proofs for JavaScript? Proofs for λJS.
— Guha, Saftoiu, Krishnamurthi. ECOOP 2010.
27
SLIDE 89
banned = { 'arguments' : true, callee : true, caller : true, constructor : true, 'eval' : true, prototype : true, stack : true, unwatch : true, valueOf : true, watch : true }
function reject_global(that) { if (that.window) { error(); } }
+
if (/url/i.test(string_check(value[i]))) { error('ADsafe error.'); }
+
and other patterns...
28
SLIDE 90
banned = { 'arguments' : true, callee : true, caller : true, constructor : true, 'eval' : true, prototype : true, stack : true, unwatch : true, valueOf : true, watch : true }
function reject_global(that) { if (that.window) { error(); } }
+
if (/url/i.test(string_check(value[i]))) { error('ADsafe error.'); }
+
and other patterns...
28
... can be succinctly expressed with types
Widget := Number + String + Boolean + Undefined + Null + ★: Widget __nodes__: Array<Node> caller: prototype: ... code : Widget ⨉ ... → Widget __proto__: Object + Function + Array + ...
SLIDE 91
★: Widget __proto__: Object + Function + Array + ... code : Widget ⨉ ... → Widget arguments: caller: ... Widget := Number + String + Boolean + Undefined + Null +
JavaScript program λJS program “their answer” “our answer”
SpiderMonkey, V8, Rhino 100 LOC interpreterdesugar identical for Mozilla JS test suite*
wrap wrap(e) e eval
u n t y p a b l e typable typable
1.Model sandbox as a type system 2.Object types for JavaScript (★ and ☠) 3.Proofs over tractable JavaScript semantics
Conclusion
29
SLIDE 92
Extra Slides
30 Spiridon Aristides Eliopoulos
SLIDE 93
Unverified Code
31 function F() {}; ADSAFE.create = typeof Object.create === 'function' ? Object.create : function (o) { F.prototype = typeof o === 'object' && o ? o : Object.prototype; return new F(); }; /*: (banned → True) & (not_banned → False) */ function reject_name(name) { return banned[name] || ((typeof name !== 'number' || name < 0) && (typeof name !== 'string' || name.charAt(0) === '_' || name.slice(-1) === '_' || name.charAt(0) === '-')); }
SLIDE 94
Theorems
32
SLIDE 95
Full Widget Type
33