securing ecmascript 5 adventures in strategic compromise
play

Securing EcmaScript 5: Adventures in Strategic Compromise Mark S. - PowerPoint PPT Presentation

Sep 23, 2023 •103 likes •831 views

Securing EcmaScript 5: Adventures in Strategic Compromise Mark S. Miller and the Cajadores Thanks to many on EcmaScript committee Overview My Expression Security Constraints talk The What and Why of object-capabilities (ocaps) This talk

  1. Securing EcmaScript 5: Adventures in Strategic Compromise Mark S. Miller and the Cajadores Thanks to many on EcmaScript committee

  2. Overview My “Expression Security Constraints” talk The What and Why of object-capabilities (ocaps) This talk The How of doing ocaps in JavaScript Why JavaScript? Dynamics of Language Adoption Improving JavaScript in Stages

  3. Improving JavaScript in Stages EcmaScript 3: One of the hardest oo languages to secure. Complex server-side translator. Runtime overhead. EcmaScript 5: One of the easiest oo languages to secure. Simple client-side init and verifier. No runtime overhead. Approx 3K download compressed.

  4. Improving JavaScript in Stages Encapsulated objects EcmaScript 3 (ES3) Tamper proof objects EcmaScript 5 (ES5) Defensive objects ES5 strict mode (ES5/strict) Future objects on old browsers ES5/3, SES5/3 (Caja) Confining offensive objects Secure EcmaScript (SES) on ES5 Distributed objects Distributed Resilient SES (Dr. SES) Robust objects SESLint?

  5. Adoption paths & progress Corba/C++ Complexity EJB C++ AJAX Java JS C ST,Self E Scheme Paradigm Actors function, closures, safe mobile code distributed resilient struct,*,& objects as protocol secure objects

  6. Legacy-free scouts lead way Corba/C++ Complexity EJB C++ AJAX Java JS C ST,Self E Scheme Paradigm Actors function, closures, safe mobile code distributed resilient struct,*,& objects as protocol secure objects

  7. Too big a jump Corba/C++ Complexity EJB C++ AJAX Java JS ? C ST,Self E Scheme Paradigm Actors function, closures, safe mobile code distributed resilient struct,*,& objects as protocol secure objects

  8. Today Corba/C++ Complexity EJB C++ AJAX Java JS ? Caja, ES5 ,SES C ST,Self E Scheme Paradigm Actors function, closures, safe mobile code distributed resilient struct,*,& objects as protocol secure objects

  9. Tomorrow? Corba/C++ Complexity EJB C++ AJAX Java JS Dr. SES Caja, ES5 , SES C ST,Self E Scheme Paradigm Actors function, closures, safe mobile code distributed resilient struct,*,& objects as protocol secure objects

  10. Encapsulated objects in ES3 function makeCounter () { makeCounter var count = 0; return { incr incr incr: function() { return ++count; }, incr incr incr incr decr: function() { return --count; } count }; count count } decr decr decr decr decr decr

  11. Encapsulated objects in ES3 function makeCounter () { makeCounter var count = 0; return { incr incr incr: function() { return ++count; }, incr incr incr incr decr: function() { return --count; } count }; count count } decr decr decr decr decr decr A record of closures hiding state is a fine representation of an object of methods hiding instance vars

  12. Encapsulated objects in ES3 function makeCounter () { makeCounter var count = 0; return { evil evil incr: function() { return ++count; }, incr incr incr incr decr: function() { return --count; } count }; count count } decr decr decr decr decr decr Indefensible: var counter = makeCounter(); bob(counter); carol(counter); Bob says: counter.incr = function evil (){…};

  13. Robustness impossible in ES3 Objects necessarily mutable (monkey patching) Not statically scoped – repaired by ES5 (function n () {…x…}) // named function exprs try{throw fn;}catch( f ){f();…x…} // thrown function Object = Date; …{}… // “as if by” Not statically scoped – repaired by ES5/strict with (o) {…x…} // attractive but botched delete x; // dynamic deletion eval(str); …x… // eval exports binding

  14. Tamper-proof objects in ES5 function makeCounter () { makeCounter var count = 0; return Object.freeze({ incr incr incr: function() { return ++count; }, incr incr incr incr decr: function() { return --count; } count }); count count } decr decr decr decr decr decr Bob’s attack fails: counter.incr = function evil (){…};

  15. Encapsulation Leaks in non-strict ES5 function doSomething ( ifBobKnows , passwd ) { if (ifBobKnows() === passwd) { //… do something with passwd } }

  16. Encapsulation Leaks in non-strict ES5 function doSomething ( ifBobKnows , passwd ) { if (ifBobKnows() === passwd) { //… do something with passwd } } Bob says: var stash ; function ifBobKnows () { stash = arguments.caller.arguments[1]; return arguments.caller.arguments[1] = badPasswd; }

  17. Encapsulation & Scope in ES5/strict “use strict”; function doSomething ( ifBobKnows , passwd ) { if (ifBobKnows() === passwd) { //… do something with passwd } } Bob’s attack fails: return arguments.caller.arguments[1] = badPasswd; Parameters not joined to arguments .

  18. Encapsulation & Scope in ES5/strict “use strict”; function doSomething ( ifBobKnows , passwd ) { if (ifBobKnows() === passwd) { //… do something with passwd } } Bob’s attack fails: return arguments.caller.arguments[1] = badPasswd; Poison pills.

  19. Encapsulation & Scope in ES5/strict “use strict”; function doSomething ( ifBobKnows , passwd ) { if (ifBobKnows() === passwd) { //… do something with passwd } } Bob’s attack fails: return arguments.caller.arguments[1] = badPasswd; Even non-strict “ .caller ” can’t reveal a strict caller.

  20. Defensive objects in ES5/strict “use strict”; makeCounter function makeCounter () { var count = 0; incr incr return Object.freeze({ incr incr incr incr incr: function() { return ++count; }, count decr: function() { return --count; } count count }); decr decr decr decr } decr decr

  21. Confining offensive objects in SES Alice says: Alice Bob var bobSrc = //site B bob var carolSrc = //site C var bob = safeEval(bobSrc); Carol var carol = safeEval(carolSrc); carol Bob and Carol are confined . Only Alice controls how they can interact or get more connected.

  22. The Mashup problem: Code as Media <html> <head> <title>Basic Mashup</title> <script> function animate ( id ) { var element = document.getElementById(id); var textNode = element.childNodes[0]; var text = textNode.data; var reverse = false; element.onclick = function() { reverse = !reverse; }; setInterval(function() { textNode.data = text = reverse ? text.substring(1) + text[0] : text[text.length-1] + text.substring(0, text.length-1); }, 100); } </script> </head> <body onload="animate('target')"> <pre id="target">Hello Programmable World! </pre> </body> </html>

  24. Future objects on old browsers

  25. Future objects on old browsers

  26. Turning ES5/strict into SES Monkey patch away bad non-std behaviors Remove non-whitelisted primordials Install leaky WeakMap emulation Make virtual global root Freeze whitelisted global variables Replace eval & Function with safe alternatives Freeze accessible primordials

  27. Monkey patch away bad non-std behaviors Secure ES5 reality, not just spec. Ch16 exemptions destroy security reasoning.  /x/.test(‘axb’); true  RegExp.leftContext; a  new RegExp(‘(.|\r|\n)*’,‘’).exec(); axb,b

  28. Monkey patch away bad non-std behaviors Specified primordials replaceable, whew! var unsafeExec = RegExp.prototype.exec; RegExp.prototype.exec = function( specimen ) { return unsafeExec.call(this, String(specimen)); } var unsafeTest = …

  29. Monkey patch away bad non-std behaviors Unspecified primordials unspecified, darn!  delete RegExp.leftContext; false  ‘leftContext’ in RegExp; true Allowed by Ch16 exemptions

  30. Monkey patch away bad non-std behaviors Most specified globals replaceable, whew! var UnsafeRegExp = RegExp; RegExp = function( pattern , flags ) { return UnsafeRegExp(pattern, flags); } RegExp.prototype = UnsafeRegExp.prototype; RegExp.prototype.constructor = RegExp;

  31. Remove non-whitelisted primordials Object.getOwnPropertyNames(o)  string[] Object.getPrototypeOf(o)  o | null var whitelist = { "escape": true, // ES5 Appendix B de-facto "unescape": true, // ES5 Appendix B de-facto "Object": { "prototype": { "constructor": "*", "toString": "*", "toLocaleString": "*", "valueOf": true, "hasOwnProperty": true, "isPrototypeOf": true, "propertyIsEnumerable": true }, "getPropertyDescriptor": true, // ES-Harmony proposal "getPropertyNames": true, // ES-Harmony proposal "identical": true, // ES-Harmony strawman "getPrototypeOf": true, "getOwnPropertyDescriptor": true, "getOwnPropertyNames": true,

  32. Remove non-whitelisted primordials… … or die trying.  delete Object.caller; false  ‘caller’ in Object; true The trivial secureability of ES5 is easily lost. A suggestion for ES5 implementers: Please make all non-std properties configurable (deletable).

  33. Install leaky WeakMap emulation Too kludgy to explain in this talk. A suggestion for ES5 implementers: Please implement the ES-Harmony WeakMap proposal.

  34. Make virtual global root var root = Object.create(null, { Object: {value: Object}, Array: {value: Array}, NaN: {value: NaN}, //… });

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

From E to EcmaScript and back again Mark S. Miller and the Cajadores Overview

From E to EcmaScript and back again Mark S. Miller and the Cajadores Overview

From E to EcmaScript and back again Mark S. Miller and the Cajadores Overview Object-Capabilities Security as extreme modularity Securing JavaScript Why and How? E Caja ES5 SES Dr. SES Patterns of Safe Cooperation In

1.49k views • 72 slides
ADVANCED JS &amp; CSS flexb ox ES6 WHAT IS ES6? ES (ECMAScript) is a scripting language standard

ADVANCED JS &amp; CSS flexb ox ES6 WHAT IS ES6? ES (ECMAScript) is a scripting language standard

CS498RK SPRING 2020 e s 6 ADVANCED JS &amp; CSS flexb ox ES6 WHAT IS ES6? ES (ECMAScript) is a scripting language standard . JavaScript implements ECMAScript. ES6 means the 6th Edition of ECMAScript. Timelin e 6 years later, ES6! Started in

710 views • 42 slides
Modern JavaScript Shan-Hung Wu &amp; DataLab CS, NTHU ES5, ES6 and ES7 Javascript:

Modern JavaScript Shan-Hung Wu &amp; DataLab CS, NTHU ES5, ES6 and ES7 Javascript:

Modern JavaScript Shan-Hung Wu &amp; DataLab CS, NTHU ES5, ES6 and ES7 Javascript: implementation of ECMAScript (ES) ES5 = ECMAScript 5 (2009) ES6 = ECMAScript 6 = ES2015 ES7 = ECMAScript 7 = ES2016 2 Outline Project-based

730 views • 49 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 Advanced JavaScript and ECMAScript ECMAScript and JavaScript

CS/COE 1520 pitt.edu/~ach54/cs1520 Advanced JavaScript and ECMAScript ECMAScript and JavaScript

CS/COE 1520 pitt.edu/~ach54/cs1520 Advanced JavaScript and ECMAScript ECMAScript and JavaScript ECMAScript is based on JavaScript, and JavaScript is based on ECMAScript ... 2 First of all, what is ECMA? Ecma International

779 views • 55 slides
ES6 JavaScript, Metaprogramming, &amp; Object Proxies Prof. Tom Austin San Jos State

ES6 JavaScript, Metaprogramming, &amp; Object Proxies Prof. Tom Austin San Jos State

CS 152: Programming Language Paradigm ES6 JavaScript, Metaprogramming, &amp; Object Proxies Prof. Tom Austin San Jos State University ECMAScript Schism ECMAScript 4 was divisive A group broke off to create ECMAScript 3.1 more

695 views • 37 slides
Remaining Hazards and Mitigating Patterns for Secure Mashups in EcmaScript 5 Mark S. Miller and

Remaining Hazards and Mitigating Patterns for Secure Mashups in EcmaScript 5 Mark S. Miller and

Remaining Hazards and Mitigating Patterns for Secure Mashups in EcmaScript 5 Mark S. Miller and the Cajadores Overview The Mashup Problem The Offensive and Defensive Code Problems JavaScript (EcmaScript) gets simpler ES3, ES5, ES5/strict,

716 views • 52 slides
Metaprogramming &amp; JavaScript Object Proxies Prof. Tom Austin San Jos State University

Metaprogramming &amp; JavaScript Object Proxies Prof. Tom Austin San Jos State University

CS 252: Advanced Programming Language Principles Metaprogramming &amp; JavaScript Object Proxies Prof. Tom Austin San Jos State University ECMAScript Schism ECMAScript 4 was divisive A group broke off to create ECMAScript 3.1

480 views • 32 slides
TypeScript - a look at SPA's and Angular 2 Christian Holm Diget Agenda EcmaScript 6

TypeScript - a look at SPA's and Angular 2 Christian Holm Diget Agenda EcmaScript 6

TypeScript - a look at SPA's and Angular 2 Christian Holm Diget Agenda EcmaScript 6 TypeScript Libraries: ImmutableJS + React SPA architecture Angular 2.0 EcmaScript 6/2015 Let + const function f() { { let x; { //

859 views • 48 slides
Dr Stephen Crabbe September 17 th , 2014 The Adventures of Tom Sawyer (1876) Adventures of

Dr Stephen Crabbe September 17 th , 2014 The Adventures of Tom Sawyer (1876) Adventures of

Looking backwards to look forward: Mark Twain and best practice for developing clear and effective content in our globalised, digitally-connected world Dr Stephen Crabbe September 17 th , 2014 The Adventures of Tom Sawyer (1876) Adventures of

437 views • 21 slides
ECMAScript &quot;3.1&quot; Pratap Lakshman, ECMA TC39 Representative Microsoft Corp.

ECMAScript &quot;3.1&quot; Pratap Lakshman, ECMA TC39 Representative Microsoft Corp.

ECMAScript &quot;3.1&quot; Pratap Lakshman, ECMA TC39 Representative Microsoft Corp. pratapL@microsoft.com JAOO Aarhus 2008 1 ECMAScript A brief introduction to the language Standardization History, Motivation, and Status

1.12k views • 22 slides
Tripwire Inferring Internet Site Compromise Joe DeBlasio Stefan Savage UC San Diego Geoffrey

Tripwire Inferring Internet Site Compromise Joe DeBlasio Stefan Savage UC San Diego Geoffrey

Tripwire Inferring Internet Site Compromise Joe DeBlasio Stefan Savage UC San Diego Geoffrey M. Voelker Alex C. Snoeren On account compromise Compromise of email/social network/etc is devastating Personal/professional reputational, financial

798 views • 49 slides
Adventures in Elm GOTO Chicago, 24 May 2016 Adventures in Elm Events, Reproducibility, and

Adventures in Elm GOTO Chicago, 24 May 2016 Adventures in Elm Events, Reproducibility, and

Adventures in Elm GOTO Chicago, 24 May 2016 Adventures in Elm Events, Reproducibility, and Kindness question your principles @jessitron Adventures in Elm Events, Reproducibility, and Kindness Data Data In Out Server UI Everything My

646 views • 39 slides
IRS &amp; FTB Offers in Compromise December 12, 2012 Thank you for attending this seminar. Your

IRS &amp; FTB Offers in Compromise December 12, 2012 Thank you for attending this seminar. Your

IRS &amp; FTB Offers in Compromise December 12, 2012 Thank you for attending this seminar. Your work on behalf of ALRP clients can reduce, or eliminate, the financial burdens that result from having tax problems. FEDERAL OFFERS IN COMPROMISE

403 views • 8 slides
IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT is a system of systems, with A great deal of heterogeneity (sensing, computation, communication, energy) New types of devices appearing all

1.35k views • 65 slides
Missouri Compromise, 1820 Firebell in the Night The Missouri Compromise, 1820 Divides the

Missouri Compromise, 1820 Firebell in the Night The Missouri Compromise, 1820 Divides the

Missouri Compromise, 1820 Firebell in the Night The Missouri Compromise, 1820 Divides the Louisiana Purchase into Free and Slave territory along 36 30 Admits Missouri as a Slave state and Maine as a Free state Keeps Equal Political Power

378 views • 24 slides
Building&amp;Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl

Building&amp;Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl

www.securing.pl Building&amp;Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl @_r3ggi wojciech.regula@securing.pl www.securing.pl www.securing.pl WHOAMI -Senior IT Security Consultant @ SecuRing -Focused on

998 views • 67 slides
A Realistic Evaluation of Memory Hardware Errors and Software System Susceptibility Xin Li 1

A Realistic Evaluation of Memory Hardware Errors and Software System Susceptibility Xin Li 1

A Realistic Evaluation of Memory Hardware Errors and Software System Susceptibility Xin Li 1 Michael Huang 1 Kai Shen 2 Lingkun Chu 3 1 Department of Electrical and Computer Engineering University of Rochester 2 Department of Computer Science

504 views • 29 slides
Chapter 04: Recurrences (Divide and Conquer). The MergeSort algorithm . Merge( A, p, q, r ) {

Chapter 04: Recurrences (Divide and Conquer). The MergeSort algorithm . Merge( A, p, q, r ) {

Chapter 04: Recurrences (Divide and Conquer). The MergeSort algorithm . Merge( A, p, q, r ) { MergeSort( A, p, r ) { (2) n 1 = q p + 1; n 2 = r q ; (1) if p &lt; r { ( n 1 + 1) for i = 1 to n 1 (1) q = ( p + r ) / 2 ; ( n 1 ) L [

527 views • 25 slides
Institutionalizing Lessons Learned October 25, 2006 Loren Plisco Region II Background

Institutionalizing Lessons Learned October 25, 2006 Loren Plisco Region II Background

Institutionalizing Lessons Learned October 25, 2006 Loren Plisco Region II Background SEP 2002 Davis-Besse Lessons Learned Task Force AUG 2004 - Effectiveness Review Lessons Learned Task Force JAN 2005 - EDO Charters

269 views • 22 slides
Recursive Algorithms Department of Computer Science University of Maryland, College Park

Recursive Algorithms Department of Computer Science University of Maryland, College Park

CMSC 132: Object-Oriented Programming II Recursive Algorithms Department of Computer Science University of Maryland, College Park Recursion Recursion is a strategy for solving problems A procedure that calls itself Approach If (

459 views • 20 slides
On the Quantitative Semantics of Regular Expressions over Real-Valued Signals Alexey Bakhirkin

On the Quantitative Semantics of Regular Expressions over Real-Valued Signals Alexey Bakhirkin

On the Quantitative Semantics of Regular Expressions over Real-Valued Signals Alexey Bakhirkin Thomas Ferr` ere Oded Maler Dogan Ulus We Want to Ask Questions about Signals 1 0 x 1 y 0 time 0 | w | Real-valued.

563 views • 20 slides
1 2 3 4 5 6 Go runtime deadlock detector 7 8 9 10 11 12 13 14 15 16 17 18 19 20

1 2 3 4 5 6 Go runtime deadlock detector 7 8 9 10 11 12 13 14 15 16 17 18 19 20

1 2 3 4 5 6 Go runtime deadlock detector 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 Implementation Toolchain Gong written in Haskell Gong The tool checks input behavioural types Behavioural types

574 views • 33 slides
Productive Coprogramming with Guarded Recursion Jeroen Slot en Ilse Pool First slide Last time

Productive Coprogramming with Guarded Recursion Jeroen Slot en Ilse Pool First slide Last time

Productive Coprogramming with Guarded Recursion Jeroen Slot en Ilse Pool First slide Last time we saw that corecursive functions have to be guarded. But guarded recur- sion does not always work, so we need something else, which we will be

783 views • 5 slides
Composing heterogeneous software with style Stephen Kell stephen.kell@cs.ox.ac.uk Composing. . .

Composing heterogeneous software with style Stephen Kell stephen.kell@cs.ox.ac.uk Composing. . .

Composing heterogeneous software with style Stephen Kell stephen.kell@cs.ox.ac.uk Composing. . . p.1/12 Software is heterogeneous When building software, we have a lot of choices. Composing. . . p.2/12 Heterogeneous software doesnt

597 views • 20 slides

More recommend