
ConScript Specifying and Enforcing Fine-Grained Security Policies - PowerPoint PPT Presentation



  1. ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser
     Leo Meyerovich (UC Berkeley), Benjamin Livshits (Microsoft Research)

  2. Web Programmability Platform: openid.net, yelp.com, adsense.com, Google Maps

  3. Rich Internet Applications are Dynamic. Yelp.com loads main.js, jQuery.js, adSense.js, GoogleMaps.js, OpenID_API.js, …: flexible runtime composition, but little control.

  4. Towards Safe Programmability for the Web. Mash-ups: can’t trust other people’s code.

  5. Goals and Contributions
     • control loading and use of scripts: protect benign users by giving control to the hosting site; ConScript approach: aspects for security
     • express many policies safely: correct policies are hard to write; 17 hand-written policies; proposed type system to catch common attacks; implemented 2 policy generators
     • browser support: built into the IE 8 JavaScript interpreter; runtime and space overheads under 1% (vs. 30-550%); smaller trusted computing base (TCB)

  6. Approach: protect benign users by giving control to the hosting site. How: aspects for security.

  7. ConScript
     • Approach – protect benign Web users – give control to the hosting site
     • How – browser-supported aspects for security

  8. Contributions of ConScript
     • A case for aspects: protect benign users by giving control to the hosting site; ConScript approach: aspects for security in the browser; built into the IE 8 JavaScript interpreter
     • Correctness checking: policies are easy to get wrong; type system to ensure policy correctness; 17 hand-written policies
     • Expressiveness: comprehensive catalog of policies from literature and practice; implemented 2 policy generators; tested on real apps: Google Maps, Live Desktop, etc.
     • Evaluation: runtime and space overheads under 1% (vs. 30-550%); smaller trusted computing base (TCB)

  9. Policies: manifest of script URLs, enforce public vs. private, HTTP-only cookies, resource blacklists, no pop-ups, no URL redirection, limit eval, no foreign links, <noscript>, no hidden frames, script whitelist

  10. ConScript aspects • implementing aspects in IE8 • checking ConScript policies • generating ConScript policies • performance

  11. eval is evil
      window.eval = function () { throw 'Disallowed'; };
      [diagram: heap and stack; eval is still reachable through document, window, x, y, z, function foo, object bar and a div, not only through window.eval]

  12. No postMessage: A Simple Policy?
      Wrapping [Caja, DoCoMo, AOJS, lightweightjs, Web Sandbox, …]: window.postMessage = function () {}; does not cover frame1.postMessage("msg", "evil.com")
      Aspects [AspectJ]: void around (String msg, String uri) : call DOM.postMessage (String m, String u) { /* do nothing instead of call */ } … no classes in JavaScript / DOM …

  13. Specifying Calls using References
      around(window.postMessage, function () { throw 'exn'; });
      [diagram: [Object window] and [Object frame] each hold a postMessage reference; window.postMessage’s function () { [native code] } and the advice function () { throw 'exn'; }]

  14. ConScript Interface
      1. Functions
         DOM: aroundExt(postMessage, function (pm2, m, uri) { … });
         JS: aroundNat(eval, function (eval, str) { … });
         User-defined: aroundFnc(foo, function (foo2, arg1) { … });
      2. Script introduction
         <script>: aroundScr(function (src) { return src + ';' + pol; });
         inline: aroundInl(function (src) { return src + ';' + pol; });

  15. ConScript aspects • implementing aspects in IE8 • checking ConScript policies • generating ConScript policies • performance

  16. Problem: Implementation?
      Source Rewriting [aojs, docomo, caja, sandbox, fbjs]: function f () { … } becomes function f () { <before> … <after> }
      • 50%-450% more to transfer, 30-70% slowdown
      • limited: native (DOM) functions, dynamic code?
      • big assumptions: adds parser to TCB, …

  17. Mediating DOM Functions
      [diagram: window.postMessage, IE8 libraries (HTML, Networking, …), JavaScript interpreter; aroundExt(window.postMessage, …) registers advice in a dispatch table keyed by the native function’s address (0xff34e5); a call with arguments “hello”, “evil.com” is looked up: call advice / advice off; frame2.postMessage: [not found], off]

  18. Resuming Calls
      function advice1 (foo2) { if (ok()) { foo2(); } else throw 'exn'; }
      function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw 'exn'; }
      [diagram: function foo () { } with advice off / advice on]
      bless() temporarily disables advice for next call

  19. Optimizing the Critical Path
      function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw 'exn'; }
      function advice3 (foo2) { if (ok()) foo2(); else { curse(); throw 'exn'; } }
      [diagram: function foo () { } with advice on / advice off / advice on]
      • calling advice turns advice off for next call
      • curse() enables advice for next call
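The bless()/curse() behaviour of slides 18 and 19, modelled in plain JavaScript as an added example (not ConScript's or IE8's code): `mediate`, its per-function adviceOn flag, `target` and the `ok()` policy stub are constructed stand-ins for the interpreter's advice state, used to show why resuming without bless() recurses and why an autoblessed advice must curse() on its deny path.

```javascript
// Added example, not ConScript's or IE8's code: a plain-JavaScript model of the
// interpreter's "advice on/off" flag that bless() and curse() manipulate.
// `mediate`, its adviceOn flag, `target` and the `ok()` policy stub are all
// constructed for this example.
function mediate(target, advice, autobless) {
  let adviceOn = true;                          // modelled interpreter flag
  const bless = () => { adviceOn = false; };    // skip advice on the next call
  const curse = () => { adviceOn = true; };     // re-arm advice for the next call
  function foo(...args) {
    if (!adviceOn) {                            // blessed call: pass through, then re-arm
      adviceOn = true;
      return target(...args);
    }
    if (autobless) adviceOn = false;            // calling advice turns advice off for next call
    return advice(foo, ...args);                // foo2 is the mediated foo, so it re-checks
  }
  return { foo, bless, curse };
}

let calls = 0;                                  // how often the real target ran
const target = () => ++calls;
const ok = () => calls === 0;                   // toy policy: allow only the first call

// Call foo three times and record what happened on each call.
function trace(m) {
  calls = 0;
  const out = [];
  for (let i = 0; i < 3; i++) {
    try { m.foo(); out.push('ran'); }
    catch (e) { out.push(e instanceof RangeError ? 'overflow' : 'exn'); }
  }
  return out.join(',') + ' target calls=' + calls;
}

// Slide 18, advice1: resuming via foo2() without bless() re-enters the advice until the stack overflows.
function runNaive() {
  return trace(mediate(target, (foo2) => { if (ok()) return foo2(); throw new Error('exn'); }, false));
}
// Slide 18, advice2: bless() disables advice for the resumed call only.
function runBless() {
  const m = mediate(target, (foo2) => { if (ok()) { m.bless(); return foo2(); } throw new Error('exn'); }, false);
  return trace(m);
}
// Slide 19, advice3 under autobless: curse() on the deny path keeps the next call mediated.
function runAutobless() {
  const m = mediate(target, (foo2) => { if (ok()) return foo2(); m.curse(); throw new Error('exn'); }, true);
  return trace(m);
}
// Same advice without curse(): the call after a denial slips through unmediated.
function runAutoblessNoCurse() {
  return trace(mediate(target, (foo2) => { if (ok()) return foo2(); throw new Error('exn'); }, true));
}
```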

  20. ConScript aspects • implementing aspects in IE8 • checking ConScript policies • generating ConScript policies • performance

  21. Basic Usage
      Script whitelist for Yelp.com: main.js, index.html; jQuery.js; adSense.js; GoogleMaps.js; OpenID_API.js; …
      Policies: no eval; no innerHTML; no hidden frames; no inline scripts; only HTTP cookies
      <script src="main.js" policy="noEval()"/>
      SURGEON GENERAL’S WARNING: Policies are written in a small JavaScript subset. Applications only lose a few dangerous features.

  22. Policy Integrity: objects defined with policy constructors do not flow out
      Old Policy: around(postMessage, function (m, url) { w = {"msn.com": true}; … });
      [type annotations: policy object: must protect; unknown: do not pass privileged objects!]

  24. Policy Integrity: User Exploit against the Old Policy
      postMessage("", "msn.com"); w["evil.com"] = 1; postMessage("", "evil.com");

  25. Policy Integrity: New Policy (window.w replaced by var w)
      around(postMessage, function (m, url) { var w = {"msn.com": true}; … });
      The same User Exploit (postMessage("", "msn.com"); w["evil.com"] = 1; postMessage("", "evil.com");) is shown against the new policy.
      [type annotations: policy object: must protect; unknown: do not pass privileged objects!]
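The Policy Integrity slides, as an added example in plain JavaScript (not ConScript's or the deck's own code): ConScript's around() is interpreter-level, so here it is modelled by wrapping a property, and `makeWindow` is a constructed stand-in for the browser window; the point shown is that the whitelist created by the old policy is reachable by page code, while `var w` keeps it inside the policy closure. The own-property check is the hasOwnProperty(obj, "fld") support that slide 27 lists.

```javascript
// Added example, not ConScript's code: model of the Policy Integrity slides.
// `makeWindow`, `around` and the policy installers are constructed for this example.
function makeWindow() {
  const win = { sent: [] };                       // stand-in for window; records targets
  win.postMessage = function (msg, targetOrigin) { win.sent.push(targetOrigin); };
  return win;
}

// Model of around(fn, advice): the advice receives the original function first (pm2).
function around(obj, name, advice) {
  const original = obj[name].bind(obj);
  obj[name] = (...args) => advice(original, ...args);
}

// Old Policy: `w = {...}` without var is an implicit global, i.e. a window property,
// so the whitelist object flows out of the policy to untrusted page code.
function installOldPolicy(win) {
  win.w = { 'msn.com': true };
  around(win, 'postMessage', (pm2, m, url) => {
    if (!Object.prototype.hasOwnProperty.call(win.w, url)) throw new Error('blocked: ' + url);
    return pm2(m, url);
  });
}

// New Policy: `var w` keeps the whitelist inside the policy's closure.
function installNewPolicy(win) {
  const w = { 'msn.com': true };
  around(win, 'postMessage', (pm2, m, url) => {
    if (!Object.prototype.hasOwnProperty.call(w, url)) throw new Error('blocked: ' + url);
    return pm2(m, url);
  });
}

// The slide's User Exploit, run as page code after the policy is installed.
function runUserExploit(win) {
  win.postMessage('', 'msn.com');
  if (win.w) win.w['evil.com'] = 1;               // only reachable under the old policy
  try { win.postMessage('', 'evil.com'); } catch (e) { return 'blocked'; }
  return 'leaked';
}

// Install one policy on a fresh window and report what the exploit achieved.
function check(installPolicy) {
  const win = makeWindow();
  installPolicy(win);
  return runUserExploit(win);
}
```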

  27. Maintaining Integrity
      1. Policy objects do not leak out of policies
      2. Access path integrity of calls (no prototype hijacking)
      • ML-style type inference – basic – program unmodified – only manually tested on policies
      • JavaScript interpreter support – call(ctx, fnc, arg1, …), hasOwnProperty(obj, "fld") – caller

  28. Transparency
      • If running with policies throws no errors – … for same input, running without should be safe – empty advice should not be functionally detectable
      • Difficult with wrapping or rewriting – Function.prototype.apply, exn.stacktrace, myFunction.callee, arguments.caller, myFunction.toString, Function.prototype.call – correctness vs. compatibility vs. performance …
      • Simpler at interpreter level – rest up to developer – no proof

  29. ConScript aspects • implementing aspects in IE8 • checking ConScript policies • generating ConScript policies • performance

  30. Automatically Generating Policies
      • Intrusion detection – can we infer and disable unneeded DOM functions?
      • C# access modifiers – can we enforce access modifiers like private?
      • ASP policies – can we guarantee no scripts get run in <% echo %>?

  31. Intrusion Detection 1: Learn Blacklist. Log calls to eval, new Function("string"), postMessage, XDomainRequest, xmlHttpRequest, …; then audit.

  32. Intrusion Detection 2: Enforce Blacklist

  33. Enforcing C# Access Modifiers
      C#: class File { public File () { … } private open () { … } … }
      Script# compiler produces JavaScript: function File () { … } File.construct = … File.open = … …
      ConScript: around(File, pubEntryPoint); around(File.construct, pubEntryPoint); around(File.open, privCall);

  34. ConScript aspects • implementing aspects in IE8 • checking ConScript policies • generating ConScript policies • performance

  35. Performance. Microbenchmarks: 1.2x (vs. 3.4x). Initialization time: 0-1%. Runtime: 0-7% (vs. 30+%). File size blowup: < 1% (vs. 50+%).

  36. Microbenchmark: Mediation Overhead
      wrap (3.42x): var raw = obj.f; obj.f = function () { raw(); }
      bless (1.44x): function advice2 (foo2) { bless(); foo2(); }
      autobless (1.24x): function advice3 (foo2) { foo2(); }

  37. File Size Increase (IDS) [bar chart: size increase factor for MSN, GMail and Google Maps under ConScript, Docomo, Caja and Sandbox; bar labels range from 1.0 to 10.4]
