ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser
Leo Meyerovich (UC Berkeley), Benjamin Livshits (Microsoft Research)

PowerPoint PPT presentation, 41 slides, posted Jan 03, 2016
Transcript
Page 1: ConScript

ConScript

Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser

Leo Meyerovich, UC Berkeley

Benjamin Livshits, Microsoft Research

Page 2: ConScript

Web Programmability Platform

yelp.com

openid.net

adsense.com

Google maps

Page 3: ConScript

Rich Internet Applications are Dynamic

Yelp.com: main.js … jQuery.js … adSense.js … GoogleMaps.js … OpenID_API.js

flexible runtime composition … but little control.

Page 4: ConScript

Towards Safe Programmability for the Web

Mash-ups: can’t trust other people’s code

Page 5: ConScript

Goals and Contributions

• protect benign users
• by giving control to hosting site
• ConScript approach: aspects for security

control loading and use of scripts

• 17 hand-written policies
• correct policies are hard to write
• proposed type system to catch common attacks
• implemented 2 policy generators

express many policies safely

• built into IE 8 JavaScript interpreter
• runtime and space overheads under 1% (vs. 30-550%)
• smaller trusted computing base (TCB)

browser support

Page 6: ConScript

Approach: protect benign users by giving control to the hosting site

ConScript approach: aspects for security

Page 7: ConScript

ConScript

• Approach
  – protect benign Web users
  – give control to the hosting site

• How
  – Browser-supported aspects for security

Page 8: ConScript

Contributions of ConScript

A case for aspects in browser
• protect benign users by giving control to hosting site
• ConScript approach: aspects for security
• built into IE 8 JavaScript interpreter

Correctness checking
• Policies are easy to get wrong
• Type system to ensure policy correctness

Expressiveness
• 17 hand-written policies
• Comprehensive catalog of policies from literature and practice
• implemented 2 policy generators

Evaluation
• Tested on real apps: Google Maps, Live Desktop, etc.
• runtime and space overheads under 1% (vs. 30-550%)
• smaller trusted computing base (TCB)

Page 9: ConScript

Policies

• manifest of script URLs
• HTTP-only cookies
• resource blacklists
• limit eval
• no foreign links
• no hidden frames
• script whitelist
• <noscript>
• no URL redirection
• no pop-ups
• enforce public vs. private

Page 10: ConScript

• ConScript aspects
• implementing aspects in IE8
• checking ConScript policies
• generating ConScript policies
• performance

Page 11: ConScript

eval is evil

window.eval = function () { throw 'Disallowed' };

[Diagram: heap objects (window, document, div, xyz …, the eval function object) and stack frames (eval, foo, bar); the assignment rebinds the window's eval property to the throwing function.]

Page 12: ConScript

No postMessage: A Simple Policy?

Wrapping [[Caja, DoCoMo, AOJS, lightweightjs, Web Sandbox, …]]:

window.postMessage = function () {};
frame1.postMessage("msg", "evil.com")

Aspects [[AspectJ]]:

void around(String msg, String uri) : call DOM.postMessage(String m, String u) { /* do nothing instead of call */ }

… no classes in JavaScript / DOM …

Page 13: ConScript

Specifying Calls using References

around(window.postMessage, function () { throw 'exn'; });

[Diagram: [Object window] and [Object frame] both reference the same native postMessage, function () { [native code] }; the advice function () { throw 'exn'; } is specified against that function reference rather than against a name.]

Page 14: ConScript

ConScript Interface

1. Functions
DOM: aroundExt(postMessage, function (pm2, m, uri) { … });
JS: aroundNat(eval, function (eval, str) { … });
User-defined: aroundFnc(foo, function (foo2, arg1) { … });

2. Script introduction
<script>: aroundScr(function (src) { return src + ';' + pol; });
inline: aroundInl(function (src) { return src + ';' + pol; });

Ben Livshits
You only support two cases, function advice and script loading advice. There's no need to mention others here. Please add syntax examples of both.
Page 15: ConScript

• ConScript aspects
• implementing aspects in IE8
• checking ConScript policies
• generating ConScript policies
• performance

Page 16: ConScript

Problem: Implementation?

function f () { … }
function f () { <before> … <after> }

Source Rewriting [[aojs, docomo, caja, sandbox, fbjs]]
• 50%-450% more to transfer, 30-70% slowdown
• limited: native (DOM) functions, dynamic code?
• big assumptions: adds parser to TCB, …

Page 17: ConScript

Mediating DOM Functions

aroundExt(window.postMessage, …);

[Diagram: window.postMessage and frame2.postMessage both resolve, through the JavaScript interpreter, to the same native postMessage (0xff34e5) in the IE8 libraries (HTML, Networking, …). A call with arguments "hello", "evil.com" goes through advice dispatch, which looks up 0xff34e5 in the advice table (entry: 0xff34e5 → off; unregistered functions: [not found]) and calls the advice.]

Page 18: ConScript

Resuming Calls

function advice1 (foo2) { if (ok()) { foo2(); } else throw 'exn'; }
function foo () { }
advice on

function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw 'exn'; }
function foo () { }
advice off

bless() temporarily disables advice for next call

Page 19: ConScript

Optimizing the Critical Path

function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw 'exn'; }
function foo () { }
advice on

function advice3 (foo2) { if (ok()) foo2(); else { curse(); throw 'exn'; } }
function foo () { }
advice off → advice on

• calling advice turns advice off for next call
• curse() enables advice for next call
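The bless/curse dispatch on slides 18 and 19 is easier to see running than in a diagram. The following is an added example in plain JavaScript, not ConScript's code: in ConScript the "advice on/off" flag lives inside the IE8 interpreter and page code cannot touch it, whereas here `adviceOff`, `bless`, `curse`, `ok`, `foo` and the `scenario` driver are all constructed module state, so this is a model of the dispatch rules, not a security mechanism. It also shows the failure the second bullet guards against: an auto-blessed advice that denies a call without calling `curse()` leaves the bless unconsumed, and the next call bypasses the policy.

```javascript
// Added example, not ConScript's own code: a plain-JavaScript model of the
// around/bless/curse dispatch shown on slides 18-19. In ConScript the
// "advice on/off" flag lives inside the IE8 interpreter; here it is ordinary
// JavaScript state, so this only illustrates the dispatch rules.

let adviceOff = false;                    // is advice suppressed for the next mediated call?
function bless() { adviceOff = true; }    // slide 18: skip advice on the next call
function curse() { adviceOff = false; }   // slide 19: re-arm advice (undo an unconsumed bless)

// around(fn, advice, autoBless) returns the mediated function. As on the
// slides, the advice receives the mediated function itself as "foo2": calling
// it with advice on would re-enter the advice, so a bless (manual, or automatic
// on advice entry when autoBless is set) is what lets the original run.
function around(fn, advice, autoBless = false) {
  return function mediated(...args) {
    if (adviceOff) {
      adviceOff = false;                  // a bless is consumed by exactly one call
      return fn.apply(this, args);
    }
    if (autoBless) adviceOff = true;      // slide 19: calling advice turns advice off
    return advice.call(this, mediated, ...args);
  };
}

// Constructed policy state and target function for the demo.
let allowed = true;
const ok = () => allowed;
const log = [];
function foo() { log.push("foo ran"); return "result"; }

// advice2 (slide 18): bless manually before resuming the call.
const fooManual = around(foo, function advice2(foo2) {
  if (ok()) { bless(); return foo2(); }
  throw new Error("exn");
});

// advice3 (slide 19): advice is auto-blessed on entry; on denial, curse() so the
// unconsumed bless cannot let the *next* call bypass the policy.
const fooAuto = around(foo, function advice3(foo2) {
  if (ok()) return foo2();
  curse();
  throw new Error("exn");
}, true);

// advice3 without curse(): the mistake the slide's second bullet guards against.
const fooNoCurse = around(foo, function advice3NoCurse(foo2) {
  if (ok()) return foo2();
  throw new Error("exn");
}, true);

// Drives one mediated function through allow, deny, deny and reports whether
// the policy held: "ran" counts how often the original actually executed and
// "leaked" is true if the third (still denied) call slipped through.
function scenario(mediated) {
  log.length = 0; curse();
  allowed = true;
  const first = mediated();
  allowed = false;
  let denied = false;
  try { mediated(); } catch (e) { denied = true; }
  let leaked = false;
  try { mediated(); leaked = true; } catch (e) { /* correctly denied again */ }
  return { first, denied, ran: log.length, leaked };
}
```

`scenario(fooManual)` and `scenario(fooAuto)` both report one execution of `foo` and no leak; `scenario(fooNoCurse)` reports two executions and `leaked: true`, which is exactly why the optimized advice must curse before throwing.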

Page 20: ConScript

• ConScript aspects
• implementing aspects in IE8
• checking ConScript policies
• generating ConScript policies
• performance

Page 21: ConScript

Basic Usage

Yelp.com: main.js, index.html … jQuery.js … adSense.js … GoogleMaps.js … OpenID_API.js

• script whitelist
• no eval
• no innerHTML
• no hidden frames
• only HTTP cookies
• no inline scripts

<script src="main.js" policy="noEval()"/>

SURGEON GENERAL’S WARNING

Policies are written in a small JavaScript subset.

Applications only lose a few dangerous features.

Page 22: ConScript

Policy Integrity

Objects defined with policy constructors do not flow out

Old Policy:
around(postMessage, function (m, url) { w = {"msn.com": true}; …

Page 23: ConScript

Policy Integrity

Objects defined with policy constructors do not flow out

Old Policy:
around(postMessage, function (m, url) { w = {"msn.com": true}; …

policy object: must protect
unknown: do not pass privileged objects!

Page 24: ConScript

Policy Integrity

Objects defined with policy constructors do not flow out

Old Policy:
around(postMessage, function (m, url) { w = {"msn.com": true}; …

User Exploit:
postMessage("", "msn.com");
w["evil.com"] = 1;
postMessage("", "evil.com");

Page 25: ConScript

Policy Integrity

Objects defined with policy constructors do not flow out

New Policy:
around(postMessage, function (m, url) { window.w = {"msn.com": true}; …

User Exploit:
postMessage("", "msn.com");
w["evil.com"] = 1;
postMessage("", "evil.com");

var w

Page 26: ConScript

Policy Integrity

Objects defined with policy constructors do not flow out

New Policy:
around(postMessage, function (m, url) { window.w = {"msn.com": true}; …

policy object: must protect
unknown: do not pass privileged objects!

var w
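To make the leak on slides 22-26 concrete, here is an added example in plain JavaScript (not ConScript's code). The `around()` helper, the stand-in window object and the `runExploit` driver are constructed; the slides elide how the old policy initialises `w`, so the model creates it on first use (an assumption). An implicit global `w = {...}` is a property of the global object, which is modelled as `win.w`, so the page's exploit can reach and extend the whitelist; the `var w` version keeps it in the policy's own scope and the exploit's third call is blocked.

```javascript
// Added example, not ConScript's code: the leak on slides 22-26 in plain
// JavaScript. The around() helper, the stand-in window object and the lazily
// created whitelist are constructed here; the slides elide how the old policy
// initialises w, so this model creates it on first use (assumption).

function around(obj, name, advice) {      // minimal mediation helper
  const orig = obj[name];
  obj[name] = function (...args) { return advice.call(this, orig.bind(this), ...args); };
}

// Stand-in for the browser window: the global object, a postMessage to
// mediate, and a record of which target origins actually received a message.
function makeWindow() {
  const delivered = [];
  return { delivered, postMessage(msg, targetOrigin) { delivered.push(targetOrigin); } };
}

// Old policy: `w = {...}` with no var is an implicit global, i.e. a property of
// the window object, so page code can read and modify the whitelist.
function installOldPolicy(win) {
  around(win, "postMessage", function (pm2, m, url) {
    if (!win.w) win.w = { "msn.com": true };   // assumption: created once, on first use
    if (!win.w[url]) throw new Error("postMessage to " + url + " blocked");
    return pm2(m, url);
  });
}

// New policy: `var w` keeps the whitelist in the policy's own scope. Page code
// has no reference to it, so the policy object does not flow out.
function installNewPolicy(win) {
  var w = { "msn.com": true };
  around(win, "postMessage", function (pm2, m, url) {
    if (!w[url]) throw new Error("postMessage to " + url + " blocked");
    return pm2(m, url);
  });
}

// The slides' user exploit, run against a window with the given policy.
// `w["evil.com"] = 1` in page code resolves to the global w, modelled as win.w.
// Returns the target origins that were actually delivered to.
function runExploit(install) {
  const win = makeWindow();
  install(win);
  win.postMessage("", "msn.com");
  if (win.w) win.w["evil.com"] = 1;          // only reachable when w leaked out
  try { win.postMessage("", "evil.com"); } catch (e) { /* blocked by policy */ }
  return win.delivered;
}
```

`runExploit(installOldPolicy)` delivers to both `msn.com` and `evil.com`; `runExploit(installNewPolicy)` delivers to `msn.com` only. The check on slide 27 ("policy objects do not leak out of policies") is what catches the first form before it ships.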

Page 27: ConScript

Maintaining Integrity

1. Policy objects do not leak out of policies
2. Access path integrity of calls (no prototype hijacking)

• ML-style type inference
  – basic
  – program unmodified
  – only manually tested on policies

• JavaScript interpreter support
  – call(ctx, fnc, arg1, …), hasOwnProperty(obj, "fld")
  – caller

Ben Livshits
Once again, you haven't implemented type inference. You can only say that you've hand-checked the policies we use.
Page 28: ConScript

Transparency

• If running with policies throws no errors
  – … for same input, running without should be safe
  – empty advice should not be functionally detectable

• Difficult with wrapping or rewriting
  – Function.prototype.apply, exn.stacktrace, myFunction.callee, arguments.caller, myFunction.toString, Function.prototype.call
  – correctness vs. compatibility vs. performance …

• Simpler at interpreter level
  – rest up to developer
  – no proof

Ben Livshits
We don't guarantee it. All you can say is that we believe it's not detectable. Proof is future work.
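The transparency requirement on slide 28 ("empty advice should not be functionally detectable") is where wrapping struggles, and the reason is easy to demonstrate. The following is an added example, not ConScript's code: `add1`, the two wrappers and the `fingerprint` probe are constructed. A naive wrapper preserves behaviour but changes every reflective property the slide lists; a careful wrapper can copy `name` and `length` and install its own `toString`, yet `Function.prototype.toString.call` still exposes it, which is the cat-and-mouse the slide summarises as "correctness vs. compatibility vs. performance".

```javascript
// Added example, not ConScript's code: why "empty advice should not be
// functionally detectable" is hard to achieve by wrapping (slide 28). The
// wrappers, the probe and add1 are constructed for the illustration.

function add1(x) { return x + 1; }            // constructed target function

// Naive wrapper with empty advice: behaviour is preserved ...
function wrap(fn) {
  return function wrapped(...args) { return fn.apply(this, args); };
}

// ... and a more careful one that also copies the reflective surface page
// code is most likely to look at, and hides the wrapper from fn.toString().
function wrapCarefully(fn) {
  const w = function (...args) { return fn.apply(this, args); };
  Object.defineProperty(w, "name", { value: fn.name });
  Object.defineProperty(w, "length", { value: fn.length });
  w.toString = () => fn.toString();
  return w;
}

// Reflective probe: the properties the slide lists are observable from
// ordinary JavaScript, and Function.prototype.toString.call bypasses an
// own toString that a wrapper might install.
function fingerprint(fn) {
  return {
    name: fn.name,
    length: fn.length,
    ownToString: fn.toString(),
    protoToString: Function.prototype.toString.call(fn),
  };
}

// Lists the fingerprint fields on which the candidate differs from the original.
function differences(original, candidate) {
  const a = fingerprint(original), b = fingerprint(candidate);
  return Object.keys(a).filter((k) => a[k] !== b[k]);
}
```

`differences(add1, wrap(add1))` returns all four fields; `differences(add1, wrapCarefully(add1))` still returns `["protoToString"]`. Closing that last gap means patching `Function.prototype.toString` itself, which is again observable, which is why the slide argues that mediation belongs in the interpreter.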
Page 29: ConScript

• ConScript aspects
• implementing aspects in IE8
• checking ConScript policies
• generating ConScript policies
• performance

Page 30: ConScript

Automatically Generating Policies

• Intrusion detection
  – can we infer and disable unneeded DOM functions?

• C# access modifiers
  – can we enforce access modifiers like private?

• ASP policies
  – can we guarantee no scripts get run in <% echo %>?

Page 31: ConScript

Intrusion Detection 1: Learn Blacklist

eval, new Function("string"), postMessage, XDomainRequest, xmlHttpRequest, …

[Diagram: calls to these functions are logged, then audited]

Ben Livshits
Why are you showing Yelp here where it's other applications you are applying it to?
Page 32: ConScript

Intrusion Detection 2: Enforce Blacklist

Page 33: ConScript

Enforcing C# Access Modifiers

C#:
class File { public File () { … } private open () { … } … }

JavaScript (Script# compiler):
function File () { … }
File.construct = …
File.open = …
…

ConScript (policy generator):
around(File, pubEntryPoint);
around(File.construct, pubEntryPoint);
around(File.open, privCall);
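The generator on slide 33 only needs the modifiers the Script# compiler already knows; what `pubEntryPoint` and `privCall` have to decide is whether the current call originates inside the class. The following is an added example, not ConScript's or Script#'s code: the `File` object standing in for the compiled output, the `generatePolicy` function and the `around()` helper are constructed, and instead of the interpreter's `caller` support (slide 27) it tracks "inside the class" with a depth counter maintained by the public entry points.

```javascript
// Added example, not ConScript's or Script#'s code: a small model of the
// access-modifier policy generator on slide 33. The generator reads the
// modifiers a compiler like Script# would know and emits around() advice:
// pubEntryPoint for public members, privCall for private ones. In place of the
// interpreter's caller support, this model tracks "are we inside the class"
// with a depth counter that only public entry points raise.

function around(obj, name, advice) {      // minimal mediation helper
  const orig = obj[name];
  obj[name] = function (...args) { return advice.call(this, orig, ...args); };
}

let insideDepth = 0;                      // > 0 while executing under a public entry point
function currentDepth() { return insideDepth; }

// Public member: mark that class code is now running, for the dynamic extent
// of the call. finally guarantees the counter drops even if the member throws.
function pubEntryPoint(orig, ...args) {
  insideDepth++;
  try { return orig.apply(this, args); } finally { insideDepth--; }
}

// Private member: allowed only when some public entry point is on the stack.
function privCall(orig, ...args) {
  if (insideDepth === 0) throw new Error("private member called from outside the class");
  return orig.apply(this, args);
}

// The generator: a modifier table becomes advice installed on the translation.
function generatePolicy(target, modifiers) {
  for (const [member, mod] of Object.entries(modifiers)) {
    around(target, member, mod === "private" ? privCall : pubEntryPoint);
  }
}

// Constructed stand-in for the Script# translation of the slide's File class.
const File = {
  construct() { return this.open("r"); },          // public; uses the private open
  open(mode) { return "opened:" + mode; },         // private
  read() { return this.open("r") + ",read"; },     // public; also uses open
  fail() { throw new Error("boom"); },             // public; throws, to exercise finally
};
generatePolicy(File, { construct: "public", open: "private", read: "public", fail: "public" });

// Runs a call and reports its result, or "denied" when the policy blocked it.
function tryCall(f) { try { return f(); } catch (e) { return e.message === "boom" ? "boom" : "denied"; } }
```

`tryCall(() => File.construct())` and `tryCall(() => File.read())` succeed because `open` is reached from inside a public entry point, while `tryCall(() => File.open("w"))` from page code is denied. The depth counter is coarser than a real caller check: a callback handed out during a public call would also count as "inside", which is one reason the slides rely on interpreter support for `caller` rather than on instrumented state.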

Page 34: ConScript

• ConScript aspects
• implementing aspects in IE8
• checking ConScript policies
• generating ConScript policies
• performance

Page 35: ConScript

Performance

Microbenchmarks: 1.2x (vs. 3.4x)
Initialization time: 0-1%
Runtime: 0-7% (vs. 30+%)
File size blowup: < 1% (vs. 50+%)

Page 36: ConScript

Microbenchmark: Mediation Overhead

wrap:
var raw = obj.f; obj.f = function () { raw(); }

bless:
function advice2 (foo2) { bless(); foo2(); }

autobless:
function advice3 (foo2) { foo2(); }

[Chart: slowdown relative to unmediated calls, as read off the bars: wrap 3.42x, bless 1.44x, autobless 1.24x]

Page 37: ConScript

File Size Increase (IDS)

[Chart, values as read off the bars (factor relative to the uninstrumented file):]
               ConScript   Docomo   Caja   Sandbox
  MSN          1.0         1.7      4.8    1.2
  GMail        1.0         1.5      3.9    10.4
  Google Maps  1.0         1.5      4.4    1.5

Page 38: ConScript

Runtime Overhead: Intrusion Detection System

[Chart, values as read off the bars:]
                                 Google Maps (183ms)   MSN (439ms)   GMail (736ms)
  ConScript                      7%                    1%            0%
  DoCoMo (JavaScript rewriting)  30%                   73%           63%

Runtime: Access Modifier Enforcement

[Chart, runtime in ms as read off the bars:]
                            Application Loading   Opening a Folder
  Uninstrumented            291.05                155.5
  Secured Private Methods   297.45                156.9

Page 39: ConScript

Goals and Contributions

• protect benign users
• by giving control to hosting site
• ConScript approach: aspects for security

control loading and use of scripts

• 16 hand-written policies
• correct policies are hard to write
• proposed type system to catch common attacks
• implemented 2 policy generators

express many policies safely

• built into IE 8 JavaScript interpreter
• runtime and space overheads under 1% (vs. 30-550%)
• smaller trusted computing base (TCB)

browser support

Page 40: ConScript

Questions?

• manifest of URLs
• limit eval
• no foreign links
• resource blacklists
• no hidden frames
• script whitelist
• <noscript>
• no URL redirection
• HTTP-only cookies
• no pop-ups
• enforce public vs. private

[Chart objects repeated from slides 36-38 (file size increase, mediation overhead, IDS runtime overhead, access-modifier runtime); see the note below on whether they are hidden. The only information not already on those slides is the list of microbenchmark cases on the mediation-overhead chart: Math.tan(5); eval("1"); eval("if (true) true; false"); document.getElementsByTagName…; document.createElement("div"); function () {} (10x more iterations); add1(1) (10x more iterations).]
Ben Livshits
I assume this is hidden?
Page 41: ConScript

END.