adsafety
play

ADsafety Type-based Verification of JavaScript Sandboxing Joe - PowerPoint PPT Presentation

Oct 21, 2023 •305 likes •1.26k views

ADsafety Type-based Verification of JavaScript Sandboxing Joe Gibbs Politz Spiridon Aristides Eliopoulos Arjun Guha Shriram Krishnamurthi 1 2 3 third-party ad third-party ad 4 Who is running code in your browser? 5 Who is running

  1. ADsafety Type-based Verification of JavaScript Sandboxing Joe Gibbs Politz Spiridon Aristides Eliopoulos Arjun Guha Shriram Krishnamurthi 1

  2. 2

  3. 3

  4. third-party ad third-party ad 4

  5. Who is running code in your browser? 5

  6. Who is running code in your browser? 5

  7. Who is running code in your browser? 5

  8. the host you visit 6

  9. the host you visit 6

  10. the host the ad server you visit 6

  11. the host the ad server you visit same JavaScript context 6

  12. the host the ad server you visit <iframe> 6

  13. the host the ad server you visit <iframe> top.location.href 6

  14. Microsoft Web Sandbox Google Facebook JavaScript Caja (FBJS) Yahoo! ADsafe All are defining safe sub-languages 7

  15. 8

  16. eval 8

  17. eval 8

  18. eval e 8

  19. eval e wrap(e) 8

  20. eval e wrap wrap(e) 8

  21. ” s r e t l fi “ eval “wrappers” e ” s r e t i r w e r “ wrap wrap(e) — Maffeis, Mitchell, and Taly, ESORICS 2009 8

  22. 9

  23. eval 9

  24. eval untrusted ADSAFE.get(obj, x) widget 9

  25. eval untrusted ADSAFE.get ADSAFE.get(obj, x) widget 9

  26. • 1, 800 LOC adsafe.js library • 50 calls to three kinds of assertions • 40 type-tests • 5 regular-expression based checks • 60 privileged DOM method calls 10

  27. ? • 1, 800 LOC adsafe.js library • 50 calls to three kinds of assertions • 40 type-tests • 5 regular-expression based checks • 60 privileged DOM method calls 10

  28. Type-based Verification of 11

  29. Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 12

  30. Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: eval() document.write() document.createElement("script") 1.Widgets cannot load new code ... at runtime, or cause ADsafe to load new code on their behalf; 12

  31. Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: eval() document.write() document.createElement("script") 1.Widgets cannot load new code ... at runtime, or cause ADsafe to load new code on their behalf; 12

  32. Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.Widgets cannot load new code at runtime, or cause ADsafe to load new code on their behalf; 2.Widgets cannot obtain direct <div> references to DOM nodes; Untrusted ADsafe <p> <div> Widget <b> 12

  33. Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.Widgets cannot load new code at runtime, or cause ADsafe to load new code on their behalf; 2.Widgets cannot obtain direct <div> references to DOM nodes; Untrusted ADsafe <p> <div> Widget <b> 12

  34. Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.Widgets cannot load new code at runtime, or cause ADsafe to load new code on their behalf; 2.Widgets cannot obtain direct <div> references to DOM nodes; 3.Widgets cannot affect the <div id="WIDGET"> DOM outside of their subtree; and Untrusted ADsafe <p> <div> Widget <b> 12

  35. Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.Widgets cannot load new code at runtime, or cause ADsafe to load new code on their behalf; 2.Widgets cannot obtain direct <div> references to DOM nodes; 3.Widgets cannot affect the <div id="WIDGET"> DOM outside of their subtree; and Untrusted ADsafe <p> <div> Widget <b> 12

  36. Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.Widgets cannot load new code at runtime, or cause ADsafe to load new code on their behalf; 2.Widgets cannot obtain direct references to DOM nodes; 3.Widgets cannot affect the DOM outside of their subtree; and 4.Multiple widgets on the same page cannot communicate. Widget A ADsafe Widget B 12

  37. eval Goal: Verify ADsafe ADSAFE.get ADSAFE.get(obj, x) 13

  38. eval Goal: Verify ADsafe ADSAFE.get ADSAFE.get(obj, x) untrusted, but passes JSLint 13

  39. eval Goal: Verify ADsafe Goal: model JSLint ADSAFE.get ADSAFE.get(obj, x) untrusted, but passes JSLint 13

  40. JSLint ensures: no DOM node references <div> Untrusted ADsafe <p> <div> Widget <b> “Widgets cannot obtain direct references to DOM nodes.” 14

  41. JSLint ensures: no DOM node references bunch = { ADsafe ensures: __nodes__ : array of nodes , only “safe” append: function ..., methods on getText: function ..., bunches ... 20 functions } <div> Untrusted ADsafe <p> <div> Widget <b> “Widgets cannot obtain direct references to DOM nodes.” 14

  42. JSLint ensures: no DOM node references bunch = { ADsafe ensures: __nodes__ : array of nodes , only “safe” append: function ..., methods on getText: function ..., bunches ... 20 functions } <div> No private fields in JavaScript! bunch.__nodes__ Untrusted ADsafe <p> <div> Widget <b> “Widgets cannot obtain direct references to DOM nodes.” 14

  43. JSLint ensures: no DOM node references bunch = { ADsafe ensures: __nodes__ : array of nodes , only “safe” append: function ..., methods on getText: function ..., bunches ... 20 functions } <div> JSLint ensures: __nodes__ is bunch.__nodes__ Untrusted ADsafe <p> <div> Widget “private” <b> “Widgets cannot obtain direct references to DOM nodes.” 14

  44. JSLint ensures: no DOM node references bunch = { ADsafe ensures: __nodes__ : array of nodes , only “safe” append: function ..., methods on getText: function ..., bunches ... 20 functions } <div> JSLint ensures: __nodes__ is bunch.__nodes__ Untrusted ADsafe <p> <div> Widget “private” <b> “Widgets cannot obtain direct bunch.append(...) references to DOM nodes.” Exploit append to return nodes? 14

  45. JSLint ensures: no DOM node references bunch = { ADsafe ensures: __nodes__ : array of nodes , only “safe” append: function ..., methods on getText: function ..., bunches ... 20 functions } <div> JSLint ensures: __nodes__ is bunch.__nodes__ Untrusted ADsafe <p> <div> Widget “private” <b> ADsafe ensures: DOM nodes are “Widgets cannot obtain direct bunch.append(...) references to DOM nodes.” not returned 14

  46. eval Goal 2: Verify ADsafe Goal 1: model JSLint ADSAFE.get ADSAFE.get(obj, x) untrusted, but passes JSLint 15

  47. var n = 6 var s = "a string" var b = true 16

  48. var n = 6 var s = "a string" var b = true Widget := Number + String + Boolean + Undefined + Null + 16

  49. Widget := Number + String + Boolean + Undefined + Null + 17

  50. { x: 6, b: "car" } Widget := Number + String + Boolean + Undefined + Null + 17

  51. { x: 6, b: "car" } { nested: { y: 10, b: false } } Widget := Number + String + Boolean + Undefined + Null + ★ : Widget __nodes__: Array<Node> caller: � prototype: � ... code : Widget ⨉ ... → Widget __proto__: Object + Function + Array + ... 17

  52. { x: 6, b: "car" } { nested: { y: 10, b: false } } { __nodes__: 90 } myObj.prototype = { }; Widget := Number + String + Boolean + Undefined + Null + ★ : Widget __nodes__: Array<Node> caller: � prototype: � ... code : Widget ⨉ ... → Widget __proto__: Object + Function + Array + ... 17

  53. { x: 6, b: "car" } { nested: { y: 10, b: false } } { __nodes__: 90 } myObj.prototype = { }; function foo(x) { return x + 1; } foo(900) foo.w = "functions are objects" ["array", "of", "strings"] /regular[ \t]*expressions/ Widget := Number + String + Boolean + Undefined + Null + ★ : Widget __nodes__: Array<Node> caller: � prototype: � ... code : Widget ⨉ ... → Widget __proto__: Object + Function + Array + ... 17

  54. JSLint Widget type-checker typable widgets widgets that pass JSLint 18

  55. JSLint Widget type-checker typable widgets widgets that Claim: pass JSLint evidence: 1,100 LOC of tests or, passing JSLint ⇒ Widget-typable 18

  56. JSLint Widget type-checker type-based typable arguments about widgets widgets widgets that Claim: pass JSLint evidence: 1,100 LOC of tests or, passing JSLint ⇒ Widget-typable 18

  57. eval Goal 2: Verify ADsafe Goal 1: model JSLint ADSAFE.get ADSAFE.get(obj, x) untrusted, but passes JSLint 19

  58. window.setTimeout(callback, delay); String eval window.setTimeout Widget → Widget 20

  59. Object W i d g e t → W i d g e t g n i r t S Number /*: Widget ⨉ Widget → Widget */ ADSAFE.later = function(callback, delay) { if (typeof callback !== "function") { throw "expected function"; W i d g e t → W i } d g e t window.setTimeout(callback, delay); } String eval window.setTimeout Widget → Widget 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Analysing Object-Capability Security Toby Murray Oxford University Computing Laboratory

Analysing Object-Capability Security Toby Murray Oxford University Computing Laboratory

Analysing Object-Capability Security 01 Analysing Object-Capability Security Toby Murray Oxford University Computing Laboratory Analysing Object-Capability Security 02 Cooperation and Vulnerability Much of the power and utility of modern

542 views • 50 slides
CLIENT-SIDE RUNTIME ANALYSIS AND ENFORCEMENT Ben Livshits, Microsoft Research Overview of

CLIENT-SIDE RUNTIME ANALYSIS AND ENFORCEMENT Ben Livshits, Microsoft Research Overview of

CLIENT-SIDE RUNTIME ANALYSIS AND ENFORCEMENT Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Background (rehash) Better runtimes CSP HTML5 Sandbox Language restrictions AdSafe FBJS Tradeoffs of

998 views • 48 slides
CPN Models as Enhancements to a Traditional Software Specification for an Elevator Controller

CPN Models as Enhancements to a Traditional Software Specification for an Elevator Controller

CPN Models as Enhancements to a Traditional Software Specification for an Elevator Controller Jens Bk Jrgensen Department of Computer Science University of Aarhus Denmark MOCA04, Aarhus, October 2004 1 Problem: design of an elevator

351 views • 10 slides
Overview of this module Course 02429 Analysis of correlated data: Mixed Linear Models Different

Overview of this module Course 02429 Analysis of correlated data: Mixed Linear Models Different

Overview of this module Overview of this module Course 02429 Analysis of correlated data: Mixed Linear Models Different view on the random effects approach 1 Module 12: Repeated measures II, advanced methods Example: Activity of rats

65 views • 5 slides
Gulfstream Staged Sta4c Analysis for Streaming JavaScript Applica4ons

Gulfstream Staged Sta4c Analysis for Streaming JavaScript Applica4ons

Gulfstream Staged Sta4c Analysis for Streaming JavaScript Applica4ons Salvatore Guarnieri Ben Livshits University of Washington Microso3 Research Web applica4on

661 views • 27 slides
The Future of JavaScript I mean ECMAScript Douglas Crockford Yahoo! Welcome to the Future!

The Future of JavaScript I mean ECMAScript Douglas Crockford Yahoo! Welcome to the Future!

The Future of JavaScript I mean ECMAScript Douglas Crockford Yahoo! Welcome to the Future! Such as it is. The Worlds Most Popular Programming Language The Worlds Most Popular Programming Language The Worlds Most Unpopular

716 views • 58 slides
The Web of Confusion Douglas Crockford Yahoo! Inc. http://crockford.com/codecamp/confusion.ppt

The Web of Confusion Douglas Crockford Yahoo! Inc. http://crockford.com/codecamp/confusion.ppt

The Web of Confusion Douglas Crockford Yahoo! Inc. http://crockford.com/codecamp/confusion.ppt Web 2.0 Security and Privacy The problems started in 1995. We have made no progress on the fundamental problems since then. Will the web ever

585 views • 39 slides
JavaScript Security: Lets Fix It Brendan Eich CTO, Mozilla Corporation (We could bundle it)

JavaScript Security: Lets Fix It Brendan Eich CTO, Mozilla Corporation (We could bundle it)

JavaScript Security: Lets Fix It Brendan Eich CTO, Mozilla Corporation (We could bundle it) bugs to fix &lt;script&gt; injection: perl.com pr0n.com (http://radar.oreilly.com/2008/01/dangers-of-remote-javascript.html) lure.org

345 views • 17 slides
A Widely Used Machine Translation Service and its Migration to a Free/Open-Source Solution: the

A Widely Used Machine Translation Service and its Migration to a Free/Open-Source Solution: the

A Widely Used Machine Translation Service and its Migration to a Free/Open-Source Solution: the Case of Softcatal Xavier Ivars-Ribes Victor M. Snchez-Cartagena II FreeRBMT (Barcelona) January 21, 2011 Table of Contents Brief History of

417 views • 23 slides
Verify what? Navigating the Attack Surface Mark S. Miller, Google Formal Methods meets JavaScript

Verify what? Navigating the Attack Surface Mark S. Miller, Google Formal Methods meets JavaScript

Verify what? Navigating the Attack Surface Mark S. Miller, Google Formal Methods meets JavaScript Imperial College, March 2018 Risk as Attack Surface a Expected Risk: likelihood * damage Potential damage Likelihood of exploitable

592 views • 48 slides
Object Capabilities and Isolation of Untrusted Web Applications Ankur Taly Dept. of Computer

Object Capabilities and Isolation of Untrusted Web Applications Ankur Taly Dept. of Computer

Isolation problem for Web Mashups Formal definition of Capability Safe languages Solving the Isolation problem using Capabilit Object Capabilities and Isolation of Untrusted Web Applications Ankur Taly Dept. of Computer Science, Stanford

1.01k views • 43 slides
CLICK HERE.exe XSS &amp; CSRF Security Meetup Month 2 of 12 (February) Last month: SQL

CLICK HERE.exe XSS &amp; CSRF Security Meetup Month 2 of 12 (February) Last month: SQL

CLICK HERE.exe XSS &amp; CSRF Security Meetup Month 2 of 12 (February) Last month: SQL Injections This month: XSS / CSRF Next month: DDoS / DoS Meetup Group for times/dates https://www.meetup.com/CLICK_HERE-exe/ Plan of Attack

1.76k views • 58 slides
Finance, Growth and Fragility: The Role of Government Thorsten Beck Maxwell Fry Lecture 2012

Finance, Growth and Fragility: The Role of Government Thorsten Beck Maxwell Fry Lecture 2012

Finance, Growth and Fragility: The Role of Government Thorsten Beck Maxwell Fry Lecture 2012 Finance is pro-growth and pro -poor but also fragile Output losses relative to potential output; Source: Laeven and Valencia (2010) Finance,

676 views • 38 slides
CS5412: HOW IT WORKS Lecture II Ken Birman Today: Lets look at some real apps 2 Well

CS5412: HOW IT WORKS Lecture II Ken Birman Today: Lets look at some real apps 2 Well

CS5412 Spring 2012 (Cloud Computing: Birman) 1 CS5412: HOW IT WORKS Lecture II Ken Birman Today: Lets look at some real apps 2 Well focus on two very standard examples Netflix movie player Siri, Apples new digital

917 views • 54 slides
Expressing Security Constraints using capabilities Mark S. Miller and the Cajadores Overview

Expressing Security Constraints using capabilities Mark S. Miller and the Cajadores Overview

Expressing Security Constraints using capabilities Mark S. Miller and the Cajadores Overview This talk The What and Why of object-capabilities (ocaps) My Securing EcmaScript 5 talk tomorrow The How of doing ocaps in JavaScript Patterns

853 views • 67 slides
A3: Cross-site Scripting (XSS) (JavaScript injection) Prevalence Stock et.al. How the Web

A3: Cross-site Scripting (XSS) (JavaScript injection) Prevalence Stock et.al. How the Web

A3: Cross-site Scripting (XSS) (JavaScript injection) Prevalence Stock et.al. How the Web Tangled Itself: Uncovering the History of Client- Side Web (In)Security, USENIX Security 2017 But first..JavaScript security Pages now loaded

482 views • 46 slides
Basic housekeeping Plugging obvious security holes in web sites. Chris9an Heilmann, Paris Web,

Basic housekeeping Plugging obvious security holes in web sites. Chris9an Heilmann, Paris Web,

Basic housekeeping Plugging obvious security holes in web sites. Chris9an Heilmann, Paris Web, Paris, October 2009 A few things to remember about basic web security. A bit of pimping... Grer la scurit de vos applica9ons web (Salle 1)

1.08k views • 89 slides
There are no Accidents !!!! 17 th September is a very important date for Indian Solar Industry

There are no Accidents !!!! 17 th September is a very important date for Indian Solar Industry

There are no Accidents !!!! 17 th September is a very important date for Indian Solar Industry Autonic / UNSW 2019 1 Kungfu Panda, copywrite: Dreamworks for educational purpose Birthday of our Hon. Prime Minister Shri Narandra Modi Principle

940 views • 54 slides
Incremental construction and maintenance of morphological analysers based on augmented letter

Incremental construction and maintenance of morphological analysers based on augmented letter

Incremental construction and maintenance of morphological analysers based on augmented letter transducers Alicia Garrido-Alenda, Mikel L. Forcada and Rafael C. Carrasco www. interNOSTRUM .com Departament de Llenguatges i Sistemes Inform`

426 views • 30 slides
Veiled A Browser Darknet Matt Wood &amp; Billy Hoffman matt.wood@hp.com

Veiled A Browser Darknet Matt Wood &amp; Billy Hoffman matt.wood@hp.com

Veiled A Browser Darknet Matt Wood &amp; Billy Hoffman matt.wood@hp.com billy.hoffman@hp.com Web Security Research Group -- HP Software What is a Darknet? A private network where users can freely exchange ideas and content.

742 views • 42 slides
Mondragon 2013 a personal perspective William Franklin Partner Pett, Franklin &amp; Co. LLP 17

Mondragon 2013 a personal perspective William Franklin Partner Pett, Franklin &amp; Co. LLP 17

Mondragon 2013 a personal perspective William Franklin Partner Pett, Franklin &amp; Co. LLP 17 September 2013 www.pettfranklin.com Mondragon Town in Gipuzkoa region of Basque country An hours drive from Bilbao Mountainous area

605 views • 39 slides
CMU 15-896 Fair division 1: Cake cutting Teacher: Ariel Procaccia Single heterogeneous

CMU 15-896 Fair division 1: Cake cutting Teacher: Ariel Procaccia Single heterogeneous

CMU 15-896 Fair division 1: Cake cutting Teacher: Ariel Procaccia Single heterogeneous good, represented as Set of players Piece of cake finite union of disjoint intervals 15896 Spring 2016: Lecture 6 2 Each player has a

790 views • 28 slides
CAKE CUTTING How to fairly divide a heterogeneous divisible good between players with different

CAKE CUTTING How to fairly divide a heterogeneous divisible good between players with different

T RUTH J USTICE A LGOS Fair Division I: Cake Cutting Basics Teachers: Ariel Procaccia (this time) and Alex Psomas CAKE CUTTING How to fairly divide a heterogeneous divisible good between players with different preferences? THE PROBLEM

417 views • 24 slides
Tutorial on Fair Division Ulle Endriss Institute for Logic, Language and Computation University

Tutorial on Fair Division Ulle Endriss Institute for Logic, Language and Computation University

Fair Division COST-ADT School 2010 Tutorial on Fair Division Ulle Endriss Institute for Logic, Language and Computation University of Amsterdam &quot; # COST-ADT Doctoral School on Computational Social Choice Estoril, Portugal, 914 April

867 views • 69 slides

More recommend