protecting users by confining javascript with cowl
play

Protecting Users by Confining JavaScript with COWL Deian Stefan, - PowerPoint PPT Presentation

Jul 29, 2023 •418 likes •989 views

Protecting Users by Confining JavaScript with COWL Deian Stefan, Edward Z. Yang, Petr Marchenko, Alejandro Russo, Dave Herman, Brad Karp, David Mazires The Web No longer just a way of publishing static content The Web Now app

  1. Protecting Users by Confining JavaScript with COWL Deian Stefan, Edward Z. Yang, Petr Marchenko, 
 Alejandro Russo, Dave Herman, Brad Karp, David Mazières

  2. The Web No longer just a way of publishing static content

  3. 
 The Web Now app platform; lot of client-side functionality Core reason: Easy to create complex client-side apps ➤ Combine code and data from different parties! 


  4. Many apps handle sensitive data Political views Finances Location info

  5. Third-party code? Sensitive data? What do browsers do to ensure that the weather site cannot access my bank statements? chase.com weather.com

  6. 
 
 
 
 
 
 In the beginning: Same-origin Policy Idea: isolate content from different origins ➤ Compartmentalize code into contexts (tabs, iframes,…) ➤ Disallow cross-origin reads from contexts & servers 
 chase.com weather.com chase.com weather.com

  7. 
 
 
 
 
 
 In the beginning: Same-origin Policy Idea: isolate content from different origins ➤ Compartmentalize code into contexts (tabs, iframes,…) ➤ Disallow cross-origin reads from contexts & servers 
 chase.com weather.com chase.com weather.com

  8. 
 
 
 
 
 
 In the beginning: Same-origin Policy Idea: isolate content from different origins ➤ Compartmentalize code into contexts (tabs, iframes,…) ➤ Disallow cross-origin reads from contexts & servers 
 ❌ ❌ chase.com ❌ weather.com chase.com weather.com

  9. Problems with SOP Not strict enough: 
 can disclose data arbitrarily chase.com evil.biz ➤ Third-party code can leak data ➤ Code runs with authority of page Not flexible enough: 
 ❌ can’t read cross-origin data chase.com ❌ ➤ No secure third-party mashups! mint.cc hsbc.com

  10. Today: SOP + CSP + CORS Content Security Policy: ❌ ➤ Whitelist origins page can chase.com evil.biz communicate with 
 Cross-origin Resource Sharing: ❌ chase.com ➤ Server whitelists origins allowed ✓ to read the data mint.cc hsbc.com

  11. Today: SOP + CSP + CORS Content Security Policy: ➤ Whitelist origins page can communicate with 
 Discretionary Access Control Cross-origin Resource Sharing: ➤ Server whitelists origins allowed to read the data

  12. 
 
 
 DAC is not enough! Forces choice between functionality and privacy ➤ E.g., mint.com-like client-side third-party mashup 
 ? ? mint.cc chase.com hsbc.com ➤ Privacy: bank doesn’t give mint.cc access to data ➤ Functionality: bank cedes user data to mint.cc 
 (or worse: user cedes bank credentials)

  13. DAC is not enough! Reality: we give up privacy for functionality!

  14. DAC is not enough! Third-party mashups Mutually distrusting services docs.google.com mint.cc eff.org hsbc.com chase.com Libraries with narrow APIs Tightly-coupled libraries sketchy.ru chase.com chase.com

  15. 
 
 Third-party code + sensitive data Challenge: allow untrusted code to compute on data ➤ E.g., chase wants to use password-strength checker 
 library needs to fetch list of common passwords Safe to fetch list before looking at password! - Need: confinement (MAC) ➤ Impose restrictions on how code uses data 
 p4ssw0rd chase.com sketchy.ru sketchy.ru

  16. 
 
 Third-party code + sensitive data Challenge: allow untrusted code to compute on data ➤ E.g., chase wants to use password-strength checker 
 library needs to fetch list of common passwords Safe to fetch list before looking at password! - Need: confinement (MAC) ➤ Impose restrictions on how code uses data 
 ❌ p4ssw0rd chase.com sketchy.ru sketchy.ru

  17. 
 
 Third-party code + sensitive data Challenge: allow untrusted code to compute on data ➤ E.g., chase wants to use password-strength checker 
 library needs to fetch list of common passwords Safe to fetch list before looking at password! - Need: confinement (MAC) ➤ Impose restrictions on how code uses data 
 p4ssw0rd ❌ p4ssw0rd p4ssw0rd chase.com sketchy.ru sketchy.ru

  18. 
 
 Third-party code + sensitive data Challenge: allow untrusted code to compute on data ➤ E.g., chase wants to use password-strength checker 
 library needs to fetch list of common passwords Safe to fetch list before looking at password! - Need: confinement (MAC) ➤ Impose restrictions on how code uses data 
 p4ssw0rd ❌ p4ssw0rd p4ssw0rd chase.com sketchy.ru sketchy.ru weak!

  19. Isn’t confinement a solved problem? Confinement for Haskell ➠ Hails Confinement for Java ➠ Jif! Change JavaScript to enforce IFC with JSFlow

  20. Dev…

  21. Design constraints • Can’t expect developers to learn new language • Can’t touch JavaScript runtime ➤ Highly optimized JITs ➤ Add 1 instruction on hot path ➠ no upstream! • Can’t radically change the security model ➤ Ingrained notion of principals: origins ➤ Keep iframes, pages, etc. as security boundaries

  22. The good news By accident… Web turns out to be a good fit for confinement …if you just look at it right

  23. The good news • Browsers already offer execution contexts ➤ Isolation enforced across context boundaries • Can enforce MAC at context granularity ➤ No need to change language runtime! [BFlow] • Can easily add new DOM-level APIs ➤ Attach policies to messages [Hails]

  24. Confinement with Origin Web Labels (COWL) Key (old) concepts: expressed in practical way? 1. Labels: using origins to specify MAC policies 2. Labeled communication: security across contexts ➤ Avoid changing existing communication APIs 3. Privileges: using origins to manage trust

  25. 
 
 Labels • Every piece of data is protected by a label • Label specifies, in terms of origin(s), who cares about the data ➤ E.g., data sensitive to Chase: Label(“chase.com”) ➤ E.g., data sensitive to both Chase and HSBC: Label(“chase.com”).and(“hsbc.com”) 
 hsbc.com chase.com p4ssw0rd chase.com hsbc.com

  26. Label tracking • COWL tracks labels at context/server granularity ➤ Pages, iframes, workers, servers • Messages can be labeled differently from context ➤ Both servers & JavaScript can label messages ➤ The right way to share sensitive data! public chase.com chase.com p4ssw0rd chase.com chase.com

  27. 
 
 
 Labeled Communication • Browser-server communication must respect labels! 
 chase.com sketchy.ru chase.com p4ssw0rd ❌ chase.com sketchy.ru

  28. 
 
 Labeled Communication • Communication across browser contexts must respect label 
 sketchy.ru chase.com public chase.com sketchy.ru sketchy.ru ❌

  29. 
 
 Labeled Communication • Communication across browser contexts must respect label 
 sketchy.ru chase.com public chase.com sketchy.ru sketchy.ru ❌

  30. 
 
 Labeled Communication • Communication across browser contexts must respect label 
 sketchy.ru chase.com chase.com public p4ssw0rd ❌ chase.com sketchy.ru sketchy.ru ❌

  31. 
 
 Adjusting labels to read data • Contexts can adopt more restrictive label ➤ I.e., add an origin to its label ➤ Can then read data from that origin ➤ Give up ability to write to contexts without it 
 sketchy.ru public public p4ssw0rd sketch.ru chase.com sketchy.ru

  32. 
 
 Adjusting labels to read data • Contexts can adopt more restrictive label ➤ I.e., add an origin to its label ➤ Can then read data from that origin ➤ Give up ability to write to contexts without it 
 sketchy.ru chase.com public public p4ssw0rd p4ssw0rd sketch.ru chase.com sketchy.ru

  33. 
 
 Adjusting labels to read data • Contexts can adopt more restrictive label ➤ I.e., add an origin to its label ➤ Can then read data from that origin ➤ Give up ability to write to contexts without it 
 sketchy.ru chase.com public public p4ssw0rd chase.com p4ssw0rd sketch.ru p4ssw0rd chase.com sketchy.ru

  34. 
 
 Adjusting labels to read data • Contexts can adopt more restrictive label ➤ I.e., add an origin to its label ➤ Can then read data from that origin ➤ Give up ability to write to contexts without it 
 sketchy.ru chase.com public public chase.com p4ssw0rd ❌ p4ssw0rd sketch.ru p4ssw0rd chase.com sketchy.ru

  35. 
 
 Adjusting labels to read data • Contexts can adopt more restrictive label ➤ I.e., add an origin to its label ➤ Can then read data from that origin ➤ Give up ability to write to contexts without it 
 sketchy.ru chase.com public public chase.com p4ssw0rd ❌ p4ssw0rd sketch.ru p4ssw0rd chase.com sketchy.ru weak!

  36. Summary: COWL design Web was made for confinement 1. Origins are a natural way to specify labels 2. Leverage contexts as security boundaries ➤ Mixed-granularity: label messages 3. Use origins to express privileges (see paper)

  37. What can we do with this?

  38. 
 
 
 
 Example: client-side Mint • Read-only client-side personal finance service 
 mint.cc chase.com hsbc.com • Banks can make labeled statements available to Mint ➠ Flexibility+Privacy!

  39. 
 
 
 
 Example: client-side Mint • Read-only client-side personal finance service 
 chase.com mint.cc chase.com hsbc.com • Banks can make labeled statements available to Mint ➠ Flexibility+Privacy!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Protecting Users by Confining JavaScript with SWAPI Deian Stefan, Petr Marchenko, Brad Karp,

Protecting Users by Confining JavaScript with SWAPI Deian Stefan, Petr Marchenko, Brad Karp,

Protecting Users by Confining JavaScript with SWAPI Deian Stefan, Petr Marchenko, Brad Karp, David Mazires, Dave Herman, and John C. Mitchell Modern websites are complex Modern websites are complex Modern websites are complex Page code

1.65k views • 97 slides
JavaScript! What is JavaScript? A (traditionally) client-side scripting language Meant

JavaScript! What is JavaScript? A (traditionally) client-side scripting language Meant

JavaScript! What is JavaScript? A (traditionally) client-side scripting language Meant (traditionally) to run entirely on the users browser Defined by the ECMAscript standard, published by the ECMA foundation JavaScript != Java,

657 views • 32 slides
Universal properties of the confining string in gauge theories F . Gliozzi DFT & INFN,

Universal properties of the confining string in gauge theories F . Gliozzi DFT & INFN,

Universal properties of the confining string in gauge theories F . Gliozzi DFT & INFN, Torino U. GGI, 6/5/08 F. Gliozzi ( DFT & INFN, Torino U. ) Confining strings GGI, 6/5/08 1 / 40 Plan of the talk The origins 1 The free

724 views • 40 slides
and Protecting Assets Information Technology Manager - Redstone Arsenal 15,000 users

and Protecting Assets Information Technology Manager - Redstone Arsenal 15,000 users

Cyber Theft and Protecting Assets Information Technology Manager - Redstone Arsenal 15,000 users Technology and Digital Forensics Counter Drug Agency (Army) Canfield Computer Solutions since 1995 Network and workstation

339 views • 4 slides
JavaScript Primer Basic Introduction of JavaScript JavaScript History Why (re)introduce

JavaScript Primer Basic Introduction of JavaScript JavaScript History Why (re)introduce

JavaScript Primer Basic Introduction of JavaScript JavaScript History Why (re)introduce JavaScript? Notorious for being worlds most misunderstood programming language o (Douglas Crockford -

432 views • 11 slides
Introduction to JavaScript Niels Olof Bouvin 1 Overview A brief history of JavaScript and

Introduction to JavaScript Niels Olof Bouvin 1 Overview A brief history of JavaScript and

Introduction to JavaScript Niels Olof Bouvin 1 Overview A brief history of JavaScript and ECMAScript JavaScript for Java developers The JavaScript ecosystem Getting access to JavaScript Some language basics A look at the Node.js standard

1.1k views • 57 slides
Introduction to JavaScript Niels Olof Bouvin 2 Overview A brief history of JavaScript and

Introduction to JavaScript Niels Olof Bouvin 2 Overview A brief history of JavaScript and

Introduction to JavaScript Niels Olof Bouvin 2 Overview A brief history of JavaScript and ECMAScript JavaScript for Java developers The JavaScript ecosystem Getting access to JavaScript Some language basics A look at the Node.js standard

1.03k views • 54 slides
CE419 Session 5: JavaScript Web Programming 1 What is JavaScript? JavaScript is a dynamic

CE419 Session 5: JavaScript Web Programming 1 What is JavaScript? JavaScript is a dynamic

CE419 Session 5: JavaScript Web Programming 1 What is JavaScript? JavaScript is a dynamic programming language. Introduced in 1995 as a way to add programs to web pages in the Netscape Navigator browser. It has made modern web

795 views • 35 slides
Protecting Privacy by Spying on Users Andrew Patrick & Information Security Group (Larry

Protecting Privacy by Spying on Users Andrew Patrick & Information Security Group (Larry

Protecting Privacy by Spying on Users Andrew Patrick & Information Security Group (Larry Korba, Ronggong Song, George Yee, Scott Buffett, Yunli Wang, Liqiang Geng, Steve Marsh, Hongyu Liu) 1 data breaches caused by laptop theft, hacks 2

512 views • 26 slides
JavaScript: The Good Parts vs. JavaScript: The Definitive Guide CS 252: Advanced Programming

JavaScript: The Good Parts vs. JavaScript: The Definitive Guide CS 252: Advanced Programming

JavaScript: The Good Parts vs. JavaScript: The Definitive Guide CS 252: Advanced Programming Language Principles Introduction to JavaScript Prof. Tom Austin San Jos State University History of JavaScript In 1995, Netscape hired Brendan

395 views • 16 slides
Advanced JavaScript dates JavaScript timing events JavaScript Lars Larsson cookies Graceful

Advanced JavaScript dates JavaScript timing events JavaScript Lars Larsson cookies Graceful

Advanced JavaScript Lars Larsson Today JavaScript strings JavaScript Advanced JavaScript dates JavaScript timing events JavaScript Lars Larsson cookies Graceful degradation AJAX Summary Lecture #11 Advanced JavaScript 1

831 views • 38 slides
future shock treatment ctrl+s SVN HTML CSS JavaScript elements attributes class names IDs

future shock treatment ctrl+s SVN HTML CSS JavaScript elements attributes class names IDs

future shock treatment ctrl+s SVN HTML CSS JavaScript elements attributes class names IDs HTML body id="users" /users/ body id="users" class="view" /users/username body id="users"

789 views • 56 slides
JavaScript Concepts JavaScript is pretty hard to escape if you want to do anything for the web C

JavaScript Concepts JavaScript is pretty hard to escape if you want to do anything for the web C

JavaScript Concepts JavaScript is pretty hard to escape if you want to do anything for the web C of the Internet Take JavaScript for instance. It's widely criticized in the POPL community for getting many things wrong. But it must have

655 views • 44 slides
Game Development In JavaScript First Impressions Javascript Designed for web application

Game Development In JavaScript First Impressions Javascript Designed for web application

Game Development In JavaScript First Impressions Javascript Designed for web application Had a rough childhood Very misunderstood Performance difference across browsers Benchmark Pros/Cons JavaScript: WebGL & Canvas

939 views • 18 slides
J AVA S CRIPT JavaScript is the programming language of HTML and the Web. JavaScript

J AVA S CRIPT JavaScript is the programming language of HTML and the Web. JavaScript

J AVA S CRIPT JavaScript is the programming language of HTML and the Web. JavaScript Java JavaScript is interpreted by the browser JavaScript 1/15 JS W HERE T O <!DOCTYPE html> <html> <head> <script

591 views • 15 slides
TESTING JAVASCRIPT BUILDING JAVASCRIPT APPLICATIONS YOU WON'T HATE 1/45 Testing Javascript

TESTING JAVASCRIPT BUILDING JAVASCRIPT APPLICATIONS YOU WON'T HATE 1/45 Testing Javascript

TESTING JAVASCRIPT BUILDING JAVASCRIPT APPLICATIONS YOU WON'T HATE 1/45 Testing Javascript Called Testing JS but really about embracing the front end Classic JS meme about "this" This tweet could have ended half way through and

844 views • 45 slides
Prosodic features of the topic information unit in BP and EP: a corpus based study Bruno Rocha

Prosodic features of the topic information unit in BP and EP: a corpus based study Bruno Rocha

Prosodic features of the topic information unit in BP and EP: a corpus based study Bruno Rocha Maryual M. Mittmann Tommaso Raso UFMG Foreword Our aim is to present and describe the Topic intonational forms for European and Brazilian

381 views • 26 slides
Modane Underground Laboratory F. Piquemal (CNRS/IN2P3) Laboratoire Souterrain

Modane Underground Laboratory F. Piquemal (CNRS/IN2P3) Laboratoire Souterrain

Modane Underground Laboratory F. Piquemal (CNRS/IN2P3) Laboratoire Souterrain de Modane (CNRS and CEA) ) Aspera Interdisciplinary workshop December,19 2012 Durham Modane Underground

936 views • 48 slides
EM methods for geothermal explora%on Adele Manzella Ins%tute

EM methods for geothermal explora%on Adele Manzella Ins%tute

Institute of Geosciences and Earth Resources EM methods for geothermal explora%on Adele Manzella Ins%tute of Geosciences and Georesources Na%onal Research Council of

827 views • 61 slides
Two Transformative Acquisitions: Salt Lake Mining & VMS Ventures February 1, 2016 Call

Two Transformative Acquisitions: Salt Lake Mining & VMS Ventures February 1, 2016 Call

ROYAL NICKEL CORPORATION Two Transformative Acquisitions: Salt Lake Mining & VMS Ventures February 1, 2016 Call Participants: Mark Selby, President & CEO Tim Hollaar, CFO TSX:RNX Disclaimer Cautionary Statements Concerning

813 views • 34 slides
MINT Style Based Architectural Migration: Method and Case Study Simon Giesecke, Johannes

MINT Style Based Architectural Migration: Method and Case Study Simon Giesecke, Johannes

MINT Style Based Architectural Migration: Method and Case Study Simon Giesecke, Johannes Bornhold <simon.giesecke@acm.org> Software Engineering Group Carl von Ossietzky University Oldenburg, Germany WMR 2006, Bari, Italy 2006-03-24

406 views • 19 slides
Physics 102 Dr. LeClair Official things Lecture: 203 Gallalee every day! Lab:

Physics 102 Dr. LeClair Official things Lecture: 203 Gallalee every day! Lab:

Physics 102 Dr. LeClair Official things Lecture: 203 Gallalee every day! Lab: 329 Gallalee M-W-Th ~3 hr block will not usually need whole 3 hours NO lab today official things Dr. Patrick LeClair -

1.01k views • 55 slides
Anonymity Application Example: e-Cash 1 Conventional Everyday Cash Counterfeit-able Slow

Anonymity Application Example: e-Cash 1 Conventional Everyday Cash Counterfeit-able Slow

Anonymity Application Example: e-Cash 1 Conventional Everyday Cash Counterfeit-able Slow Costly Vulnerable Bad for Remote Transactions DIRTY! 1 Credit Cards, Bank Cards, Checks, other cards: Easy Fraud Little Privacy

351 views • 11 slides
Efficient Graph-Based Image Segmentation Felzenszwalb and Huttenlocher Overview Goals:

Efficient Graph-Based Image Segmentation Felzenszwalb and Huttenlocher Overview Goals:

Efficient Graph-Based Image Segmentation Felzenszwalb and Huttenlocher Overview Goals: Capture Perceptually important Groupings Be highly efficient Contributions: 2 Graph Based representation of an image.

669 views • 34 slides

More recommend