ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser (PowerPoint presentation)



SLIDE 1

ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser

Leo Meyerovich (UC Berkeley), Benjamin Livshits (Microsoft Research)

SLIDE 2

Web Programmability Platform

  • yelp.com
  • openid.net
  • adsense.com
  • Google Maps

SLIDE 3

Rich Internet Applications are Dynamic

Yelp.com: main.js … jQuery.js … adSense.js … GoogleMaps.js … OpenID_API.js

Flexible runtime composition … but little control.

SLIDE 4

Towards Safe Programmability for the Web

Mash-ups: can't trust other people's code.

SLIDE 5

Goals and Contributions

Control loading and use of scripts:
  • protect benign users by giving control to the hosting site
  • ConScript approach: aspects for security

Express many policies safely:
  • 17 hand-written policies
  • correct policies are hard to write
  • proposed type system to catch common attacks
  • implemented 2 policy generators

Browser support:
  • built into IE 8 JavaScript interpreter
  • runtime and space overheads under 1% (vs. 30-550%)
  • smaller trusted computing base (TCB)

SLIDE 6

Approach: protect benign users by giving control to the hosting site, using aspects for security.

SLIDE 7

ConScript

  • Approach
    – protect benign Web users
    – give control to the hosting site
  • How
    – browser-supported aspects for security

SLIDE 8

Contributions of ConScript

A case for aspects in the browser:
  • protect benign users by giving control to the hosting site
  • ConScript approach: aspects for security
  • built into IE 8 JavaScript interpreter

Correctness checking:
  • policies are easy to get wrong
  • type system to ensure policy correctness

Expressiveness:
  • 17 hand-written policies
  • comprehensive catalog of policies from literature and practice
  • implemented 2 policy generators

Evaluation:
  • tested on real apps: Google Maps, Live Desktop, etc.
  • runtime and space overheads under 1% (vs. 30-550%)
  • smaller trusted computing base (TCB)

SLIDE 9

Policies

  • manifest of script URLs
  • HTTP-only cookies
  • resource blacklists
  • limit eval
  • no foreign links
  • no hidden frames
  • script whitelist
  • <noscript>
  • no URL redirection
  • no pop-ups
  • enforce public vs. private

SLIDE 10

Outline:
  • ConScript aspects
  • implementing aspects in IE8
  • checking ConScript policies
  • generating ConScript policies
  • performance

SLIDE 11

eval is evil

window.eval = function () { throw 'Disallowed'; };

Heap/stack diagram: the heap holds the eval function together with window, document, an object, div, x, y, z, …; the stack shows eval frames calling foo and bar.

SLIDE 12

No postMessage: A Simple Policy?

Wrapping [Caja, DoCoMo, AOJS, lightweightjs, Web Sandbox, …]:

window.postMessage = function () {};
frame1.postMessage("msg", "evil.com")

Aspects [AspectJ]:

void around(String msg, String uri) : call DOM.postMessage(String m, String u) { /* do nothing instead of call */ }

… no classes in JavaScript / DOM …

SLIDE 13

Specifying Calls using References

around(window.postMessage, function () { throw 'exn'; });

Diagram: [Object window] and [Object frame] each have a postMessage property that refers to the same native function () { [native code] }; the advice function () { throw 'exn'; } is attached to that function reference.

SLIDE 14

ConScript Interface

  • 1. Functions
    DOM: aroundExt(postMessage, function (pm2, m, uri) { … });
    JS: aroundNat(eval, function (eval, str) { … });
    User-defined: aroundFnc(foo, function (foo2, arg1) { … });
  • 2. Script introduction
    <script>: aroundScr(function (src) { return src + ';' + pol; });
    inline: aroundInl(function (src) { return src + ';' + pol; });

SLIDE 15

Outline:
  • ConScript aspects
  • implementing aspects in IE8
  • checking ConScript policies
  • generating ConScript policies
  • performance

SLIDE 16

Problem: Implementation?

Before: function f () { … }
After: function f () { <before> … <after> }

Source rewriting [aojs, docomo, caja, sandbox, fbjs]:
  • 50%-450% more to transfer, 30-70% slowdown
  • limited: native (DOM) functions, dynamic code?
  • big assumptions: adds parser to TCB, …

SLIDE 17

Mediating DOM Functions

Diagram: window.postMessage and frame2.postMessage both resolve, through the JavaScript interpreter, to the same native postMessage in the IE8 libraries (HTML, Networking, …), shown at address 0xff34e5. A call with arguments "hello", "evil.com" goes through advice dispatch keyed on that native function pointer: the advice registered by aroundExt(window.postMessage, …) runs when an entry for 0xff34e5 is found, and the native call proceeds when it is not found.

SLIDE 18

Resuming Calls

function advice1 (foo2) { if (ok()) { foo2(); } else throw 'exn'; }
function foo () { }
(advice on)

function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw 'exn'; }
function foo () { }
(advice off)

bless() temporarily disables advice for the next call

SLIDE 19

Optimizing the Critical Path

function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw 'exn'; }
function foo () { }
(advice on)

function advice3 (foo2) { if (ok()) foo2(); else { curse(); throw 'exn'; } }
function foo () { }
(advice off, advice on)

  • calling advice turns advice off for the next call
  • curse() enables advice for the next call
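A user-land model of the advice dispatch from slides 14 and 17-19 (the autobless variant), added here as an example; it is not ConScript's code, which does this inside the IE8 interpreter. A per-function "armed" flag stands in for the interpreter's advice on/off state; around(), curse(), the frame objects and attempt() are names chosen for this example.

```javascript
// Added example, not ConScript's own code: user-land model of advice dispatch
// (autobless variant of slides 14 and 17-19). The interpreter's advice on/off
// state is modelled by a per-function "armed" flag. All names are hypothetical.
let current = null;                 // state of the advice now executing, for curse()
// around(target, name, advice): replace target[name] with a dispatcher. The
// advice gets the advised function as its first argument (pm2 in the slides)
// and resumes the original call by invoking it.
function around(target, name, advice) {
  const orig = target[name];
  const st = { armed: true };
  const advised = function (...args) {
    if (!st.armed) {                // advice is off for this one call:
      st.armed = true;              // run the native function and re-arm
      return orig.apply(this, args);
    }
    st.armed = false;               // autobless: entering advice turns it off
    current = st;
    return advice.call(this, advised.bind(this), ...args);
  };
  target[name] = advised;
}
// curse(): re-arm advice because the advice is not going to resume the call.
function curse() { current.armed = true; }
// Constructed stand-ins for frames with a native postMessage.
const delivered = [], leaked = [];
const frame = { postMessage(msg, origin) { delivered.push(origin); return "sent"; } };
const leaky = { postMessage(msg, origin) { leaked.push(origin); return "sent"; } };
// Whitelist policy in the style of advice3 (slide 19): resume for msn.com,
// otherwise curse() so the next call is still mediated, then refuse.
around(frame, "postMessage", function (pm2, msg, origin) {
  if (origin === "msn.com") return pm2(msg, origin);
  curse();
  throw new Error("Disallowed");
});
// Same policy without curse(): after one refusal the advice stays off, so the
// following call bypasses the check. This is the mistake autobless invites.
around(leaky, "postMessage", function (pm2, msg, origin) {
  if (origin === "msn.com") return pm2(msg, origin);
  throw new Error("Disallowed");
});
// What page code observes for one call on each frame: "sent" or "blocked".
function attempt(origin) {
  try { return frame.postMessage("hi", origin); } catch (e) { return "blocked"; }
}
function attemptLeaky(origin) {
  try { return leaky.postMessage("hi", origin); } catch (e) { return "blocked"; }
}
```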
SLIDE 20

Outline:
  • ConScript aspects
  • implementing aspects in IE8
  • checking ConScript policies
  • generating ConScript policies
  • performance

SLIDE 21

Basic Usage

Yelp.com: main.js, index.html … jQuery.js … adSense.js … GoogleMaps.js … OpenID_API.js

  • script whitelist
  • no eval
  • no innerHTML
  • no hidden frames
  • only HTTP cookies
  • no inline scripts

<script src="main.js" policy="noEval()"/>

SURGEON GENERAL'S WARNING: Policies are written in a small JavaScript subset. Applications only lose a few dangerous features.

SLIDE 22

Policy Integrity

Objects defined with policy constructors do not flow out.

Old Policy:
around(postMessage, function (m, url) { w = {"msn.com": true}; …

SLIDE 23

Policy Integrity

Objects defined with policy constructors do not flow out.

Old Policy:
around(postMessage, function (m, url) { w = {"msn.com": true}; …

Annotations: policy object: must protect; unknown: do not pass privileged objects!

SLIDE 24

Policy Integrity

Objects defined with policy constructors do not flow out.

Old Policy:
around(postMessage, function (m, url) { w = {"msn.com": true}; …

User Exploit:
postMessage("", "msn.com"); w["evil.com"] = 1; postMessage("", "evil.com");

SLIDE 25

Policy Integrity

Objects defined with policy constructors do not flow out.

New Policy:
around(postMessage, function (m, url) { window.w = {"msn.com": true}; …

User Exploit:
postMessage("", "msn.com"); w["evil.com"] = 1; postMessage("", "evil.com");

var w

SLIDE 26

Policy Integrity

Objects defined with policy constructors do not flow out.

New Policy:
around(postMessage, function (m, url) { window.w = {"msn.com": true}; …

Annotations: policy object: must protect; unknown: do not pass privileged objects!

var w
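The whitelist policy of slides 22-26 in its leaky and its fixed form, added here as an example that is not from the paper, run against a constructed stand-in for postMessage. The slide's `w = {...}` without var creates window.w in a browser; it is written as globalThis.w here so the leak is visible. around(), makeWindow(), installOldPolicy(), installNewPolicy() and runExploit() are names chosen for this example.

```javascript
// Added example, not from the paper: leaky vs. fixed whitelist policy
// (slides 22-26) against a constructed postMessage stand-in. Names are mine.
function around(target, name, advice) {      // minimal user-land around()
  const orig = target[name];
  target[name] = function (...args) { return advice.call(this, orig.bind(this), ...args); };
}
function makeWindow() {                      // stand-in: records message targets
  const log = [];
  return { log, postMessage(m, url) { log.push(url); } };
}
// Old policy: the whitelist is created on first use without var, so it
// escapes to the global scope (window.w in a browser, globalThis.w here).
function installOldPolicy(win) {
  around(win, "postMessage", function (pm2, m, url) {
    if (!globalThis.w) globalThis.w = { "msn.com": true };   // leaks out
    if (!globalThis.w[url]) throw new Error("Disallowed");
    return pm2(m, url);
  });
}
// New policy: var w keeps the whitelist inside the policy's closure.
function installNewPolicy(win) {
  var w = { "msn.com": true };               // unreachable from page code
  around(win, "postMessage", function (pm2, m, url) {
    if (!w[url]) throw new Error("Disallowed");
    return pm2(m, url);
  });
}
// The slide's user exploit, run against one installed policy; returns the
// targets that actually got through, comma-separated.
function runExploit(install) {
  delete globalThis.w;
  const win = makeWindow();
  install(win);
  win.postMessage("", "msn.com");
  try { w["evil.com"] = 1; } catch (e) { /* new policy: w is not a global */ }
  try { win.postMessage("", "evil.com"); } catch (e) { /* refused by the policy */ }
  delete globalThis.w;
  return win.log.join(",");
}
```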

SLIDE 27

Maintaining Integrity

  • 1. Policy objects do not leak out of policies
  • 2. Access path integrity of calls (no prototype hijacking)
  • ML-style type inference
    – basic
    – program unmodified
    – only manually tested on policies
  • JavaScript interpreter support
    – call(ctx, fnc, arg1, …), hasOwnProperty(obj, "fld")
    – caller

SLIDE 28

Transparency

  • If running with policies throws no errors
    – … for the same input, running without should be safe
    – empty advice should not be functionally detectable
  • Difficult with wrapping or rewriting
    – Function.prototype.apply, exn.stacktrace, myFunction.callee, arguments.caller, myFunction.toString, Function.prototype.call
    – correctness vs. compatibility vs. performance …
  • Simpler at interpreter level
    – rest up to developer
    – no proof

SLIDE 29

Outline:
  • ConScript aspects
  • implementing aspects in IE8
  • checking ConScript policies
  • generating ConScript policies
  • performance

SLIDE 30

Automatically Generating Policies

  • Intrusion detection
    – can we infer and disable unneeded DOM functions?
  • C# access modifiers
    – can we enforce access modifiers like private?
  • ASP policies
    – can we guarantee no scripts get run in <% echo %>?

SLIDE 31

Intrusion Detection 1: Learn Blacklist

Audited functions: eval, new Function("string"), postMessage, XDomainRequest, xmlHttpRequest, …

Log audit

SLIDE 32

Intrusion Detection 2: Enforce Blacklist
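The two-phase intrusion detection policy of slides 30-32, added here as an example that is not the paper's generator: phase 1 logs which sensitive functions the application actually calls during an audit run, phase 2 turns the unused ones into a blacklist enforced by throwing advice. around(), SENSITIVE, makeWindow(), the sample application and tryCall() are constructed for this example.

```javascript
// Added example, not the paper's generator: learn-then-enforce blacklist
// (slides 30-32). All names and the stand-in window are constructed here.
function around(target, name, advice) {      // minimal user-land around()
  const orig = target[name];
  target[name] = function (...args) { return advice.call(this, orig.bind(this), ...args); };
}
const SENSITIVE = ["eval", "Function", "postMessage", "XDomainRequest", "XMLHttpRequest"];
// Stand-in window whose sensitive entry points just record that they ran.
function makeWindow() {
  const win = { calls: [] };
  for (const name of SENSITIVE) win[name] = function () { win.calls.push(name); };
  return win;
}
// Phase 1 (learn): advise every sensitive function with logging advice, run
// the application once, and return the functions it never used.
function learnBlacklist(app) {
  const win = makeWindow(), seen = new Set();
  for (const name of SENSITIVE) {
    around(win, name, function (orig, ...args) { seen.add(name); return orig(...args); });
  }
  app(win);
  return SENSITIVE.filter((n) => !seen.has(n));
}
// Phase 2 (enforce): a fresh window where blacklisted functions refuse to run.
function enforceBlacklist(blacklist) {
  const win = makeWindow();
  for (const name of blacklist) {
    around(win, name, function () { throw new Error(name + " disallowed by IDS policy"); });
  }
  return win;
}
// Sample application: uses XMLHttpRequest and postMessage, never eval.
function sampleApp(win) { win.XMLHttpRequest(); win.postMessage("hi", "msn.com"); }
// tryCall(win, name): "ran" or "blocked", what injected script code would see.
function tryCall(win, name) {
  try { win[name](); return "ran"; } catch (e) { return "blocked"; }
}
```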

SLIDE 33

Enforcing C# Access Modifiers

C#:
class File { public File () { … } private open () { … } …

Script# compiler, giving JavaScript:
function File () { … } File.construct = … File.open = … …

ConScript:
around(File, pubEntryPoint); around(File.construct, pubEntryPoint); around(File.open, privCall);

SLIDE 34

Outline:
  • ConScript aspects
  • implementing aspects in IE8
  • checking ConScript policies
  • generating ConScript policies
  • performance

SLIDE 35

Performance

  • Microbenchmarks: 1.2x (vs. 3.4x)
  • Initialization time: 0-1%
  • Runtime: 0-7% (vs. 30+%)
  • File size blowup: < 1% (vs. 50+%)

SLIDE 36

Microbenchmark: Mediation Overhead

wrap:      var raw = obj.f; obj.f = function () { raw(); }
bless:     function advice2 (foo2) { bless(); foo2(); }
autobless: function advice3 (foo2) { foo2(); }

Slowdown factor: wrap 3.42x, bless 1.44x, autobless 1.24x

SLIDE 37

File Size Increase (IDS)

Relative file size by application and system (chart values):

                ConScript  Docomo  Caja  Sandbox
  MSN              1.0      1.7    4.8    1.2
  GMail            1.0      1.5    3.9   10.4
  Google Maps      1.0      1.5    4.4    1.5

SLIDE 38

Runtime Overhead

Intrusion Detection System: runtime overhead for Google Maps (183ms), MSN (439ms) and GMail (736ms), ConScript vs. DoCoMo (JavaScript rewriting); chart values 7%, 1%, 30%, 73%, 63% on a 0% to 80% axis.

Access Modifier Enforcement, runtime in ms:

                        Uninstrumented  Secured Private Methods
  Application Loading       291.05            297.45
  Opening a Folder          155.5             156.9

SLIDE 39

Goals and Contributions

Control loading and use of scripts:
  • protect benign users by giving control to the hosting site
  • ConScript approach: aspects for security

Express many policies safely:
  • 16 hand-written policies
  • correct policies are hard to write
  • proposed type system to catch common attacks
  • implemented 2 policy generators

Browser support:
  • built into IE 8 JavaScript interpreter
  • runtime and space overheads under 1% (vs. 30-550%)
  • smaller trusted computing base (TCB)

SLIDE 40

Policies: manifest of URLs, limit eval, no foreign links, resource blacklists, no hidden frames, script whitelist, <noscript>, no URL redirection, HTTP-only cookies, no pop-ups, enforce public vs. private

Questions?


SLIDE 41

END.