Mashup Security by Compilation

Mashup Security by Compilation

Tamara RezkThese slides discuss joint work with

Zhengqin Luo and Jose Santos

February 22nd , 2013

Web Client Mashup

• Client-side web application

• Integrating third-party gadgets

• Great way for code reuse!

Google Maps Gadget Integrator’s Housing Data

Different kind of Mashups

The integrator uses the gadget as a library The gadget reads state from the integrator

gadget

Programming model

• Mashups written in HTML + Javascript;

• Two ways to include external gadgets:– Using script tag– Using frame tag

Script tag - oversharing

• Gadget has integrator privileges

• Full exposure JS execution environment

<script src="http://maps.google.com/maps/api/js?sensor=true"></script>

Google Maps Gadget Integrator’sHousing Data

Script tag – security violations

• Confidentiality violationvar steal =

window[“integratorSecret”]

• Integrity violationwindow[“price”] = newPrice

<script src="http://maps.google.com/maps/api/js?sensor=true"></script>


Script tag – integrity violation<html><head> <script src=http://untrusted.com/untrustedAD.js></script> </head><body><script> var fac= function(x) { if (x <= 1) { return 1; } return x*fac(x-1); } r = fac(3); s = "alert("+r+")“ setTimeout(s, 100)</script></body></html>

Script tag - integrity violation

Content of http://untrusted.com/untrustedAD.js

setTimeout = function() { EVIL CODE HERE }

Embedded frame – undersharing

• Gadget has no privileges

• Isolation of JS execution environment between integrator and gadget

• Same Origin Policy

<iframe src="http://mapservice.com/maps.html"></iframe>


X

Embedded frame – undersharing

Isolation of JS execution:

• Confidentiality violationvar steal =

window[“integratorSecret”]• Integrity violationwindow[“price”] = newPrice

<iframe src="http://mapservice.com/maps.html"></iframe>


X

X

Script versus Frame Tag

• Script tag: – exposes the integrator’s JS environment– unlimited communication – not secure

• Frame tag: – isolates the environment of gadget and integrator– communication is limited– more secure than script

In practice: sacrifice security in the name of functionality!

HTML5 and Inter-frame communication

• Frame can communicate with integrator via PostMessage: – confidentiality – authentication

Gadget Integrator

listener in gadget

listener in integrator

HTML5 and Inter-frame communication

• The Postmash design was proposed by Barth, Jackson, and Li [09]

• Put untrusted code in embedded frame;

• Two stub libraries; • Proxy e.g. method invocation

by message-passing;

• No need to change untrusted code !!


Stub library in gadget

Stub library in integrator

Postmash

• How to transform an insecure mashup to a mashup following the Postmash design? – Manually writing two stub libraries (gadget

dependent);– Manually rewriting of integrators’ code;

• Our proposal : automate it and characterize the security property that it enforces:

Mashic Compiler [CSF’ 12]

Our proposal: Mashic Compiler• A generic proxy and listener library

– Gadget independent!• Integrator transform:

– Adapt to asynchronous communication,

– Use the proxy library• Mashic compiler

– Input: insecure mashup– Output: secured mashup

• Proofs: – Correctness

• benign gadget– Security

• JS small-step semantics of Maffeis et al. with rules to model the same origin policy

Mashic compiler - Overview

• Pg : gadget code• Pi : integrator code

Mashic compiler

<html> <script src = u> </script> <script> I </script></html>

<html> <iframe src = u’> </iframe> <script> Proxy </script> <script> Bootstrap-I </script> <script> C(I) </script></html>

where Web(u’ ) = <script> Listener </script> <script src = u> </script> <script>

Opaque Handle

• Opaque Handles– Integrator’s reference to gadget’s object– E.g.: { is_handle: true

id : 42}• Inside gadget – 42 maps to the real object.

• Gadget independent!

Integrator

Framed gadget

Proxy and listener

• Proxy provides interfaces using opaque handles:1. Example: GET_PROPERTY(ohandle,prop,cont)2. Send (“get property”, ohandle, prop) via

Postmessage3. Listener reacts to message:

1. E.g. if ohandle { is_handle: true, id : 42} -> { “prop”: 4}, then listener responds with 4.

4. Proxy receives the response, applies the continuation cont to 4.

Integrator

Framed gadget

A minimal set of Proxy Interfaces

• GET_GLOBAL_REF– Get global property

• CALL_METHOD– Call a method

• CALL_FUNCTION– Call a function

• ASSIGN_PROPERTY– Property assignment

• General enough to encode most real-world mashups!!

Integrator transformation

• PostMessage is asynchronous;

• So is our proxy interface;

• Automated CPS transformation and call to proxy interfaces of old integrator code

• An example of rule

Realistic core JS subset

• Small-step core JS semantics adopted from Maffeis et al. [08];

• Extended with DOM semantics and message-passing;

• A decorated (colored heap) semantics;

Decorated Semantics

programs run as colored principal

heaps contain objects with properties that are colored

Formal Guarantees

• Correctness guarantees:– If the gadget is benign, then the compiled mashup

behaves as the original one.

• Security guarantees:– If the gadget is not benign, nothing “bad” can

happen in the compiled mashup.

Benign gadget

Intuitively:• Integrity: A gadget does not try to write a

property belonging to the integrator;• Confidentiality: A gadget does not try to read

a property of the integrator;• Formally defined:

Correctness Theorem

For a benign gadget, the compiled mashup reaches a final configuration indistinguishable with the one reachable from the original mashup.

Security Theorem

For any gadget, the compiled mashup provides integrity and confidentiality for the integrator.

Prototype Implementation

• A prototype compiler written in Bigloo (a dialect of scheme)– 3.3k loc of bigloo and 0.8k loc of Javascript

• Applied to various mashups:

Benign Gadget: Passive Gadget

Assumption

The compiled mashup preserves the original semantics

Theorem

Theorem

After Mashic compilation, the malicious gadget cannot read/write information belonging to the integrator.

Correcteness

Security

Mashic: Summary

Plus

Browser IndependenceGadget Independence

Extending Mashic

ChallengeHandle Active Gadgets

How?Gadgets must be allowed to access integrator objects

Add an Access Control layer between gadgets and the integrator

Supporting Active Gadgets

Integrator.js

Gadget A

ifram

e

Page

.htm

l

Allow two-sided communication

Current MashicGoal

Add proxy and listener libraries to both the gadget iframe and to the integrator code

Listener

Proxy

Listener

Proxy Control the communication from the gadget to the integrator

UncontrolledControlled

Integrator

Controlling Gadget – Integrator Com.

Integrator.js

Gadget A

ifram

e

Page

.htm

l

How?Listener

Proxy

Listener

Proxy

UncontrolledControlled

1 Establish a lattice of security levels

2 Assign a security level to each integrator resource

4 Check all the gadget – integrator accesses at runtime

3 Assign a security level to each gadget

Confidentiality Integrity

Lc LI

LcxLI

vl where l is in LcxLI

∑ : Gadgets → LcxLI

Integrator

Gadget A

Ext Mashic: Soundness and Security

Benign Gadget: A gadget that only tries to access integrator information compatible with its security level

Assumption

The compiled mashup preserves the original semantics

Theorem

TheoremAfter Mashic compilation, the malicious gadget can only read/write integrator information compatible with its security level.

Correcteness

Security

Information Flow control neededfor the integrator code!

(and only the integrator code)

Information Flow Control needed

• Separation of the gadget using iframe : no need to analyze gadget code

• Existing work on dynamic monitors (browser dependent): • Hedin and Sabelfeld, 12• Austin and Flanagan, 09,10,12

• Inlining of dynamic security monitors (browser independent) :• Sabelfeld et al ‘’10• Chudnov and Naumann’ 10

Information Flow Control

Labeling in JavaScript

Confidentiality Integrity

Lc LI

LcxLI

var o = {};o[f()] = 1

f() is a function that returns a dynamically computed string

In the final memory o has a new property unknown before

execution! Static labeling is not always possible.

Labeling Values

Original ObjectRuntime Labelingp1: v1

p2: v2

p3: v3

pn: vn

…

Labeled Object

p1: (v1,,l1)

p2: (v2, l2)

p3: (v3, l3)

pn: (vn, ln)

…

lo: lSecurity Level of the object

Security levels of the object

property values

Labeling Values and Instrumentation

Source Integrator Code…if(x) { y = y + x; } else { alert(“hello world”)}

Source Integrator Code…if(x.value) { lpc = x.level ˅ lpc; y.value = y.value + x.value; y.level = x.level ˅ y.level ˅ lpc;} else { alert(“hello world”)}

Labeling Values and Instrumentation

Source Integrator Code…if(x) { y = y + x; } else { alert(“hello world”)}

Source Integrator Code…if(x.value) { lpc = x.level ˅ lpc; y.value = y.value + x.value; y.level = x.level ˅ y.level ˅ lpc;} else { alert(“hello world”)}

code in

strumentation:

a new object for e

ach va

lue in th

e program!

Labeling Properties


p2: v2

p3: v3

pn: vn

…

Labeled Object

(p1,l1) : v1

(p2 ,l2): v2

(pn,ln) : vn

…

lo: l

Labeling Properties


p2: v2

p3: v3

pn: vn

…

Labeled Object

(p1,l1) : v1

(p2 ,l2): v2

(pn,ln) : vn

…

lo: l

code in

strumentation:

a property fo

r each

object

(mapping p

roperties o

f the object

to labels)

Labeling Properties

• Inlining security monitors becomes more efficient (no need for an object per value in the program)

• Opens the path to combining dynamic and static JavaScript analysis

Dynamic Semantics, extracting constrains

constrains

Conclusions

Mashic Compiler: – assumption: gadgets used as libraries– correctness under assumption– security guarantees based on SOP, characterized

as IF where everything in the integrator is treated as top security level

– compilation: gadget and browser independent!

Conclusions

Mashic Compiler Extension: – assumption: two way communication with AC – correctness under assumption– security guarantees based on information flow

security– compilation:

• IF analysis for the integrator using code instrumentation• gadget independence regarding IF analysis• browser independence

Open Questions

• IF analysis for the integrator using code instrumentation: – Combining with static analysis? If part of the code is in

a static typable subset [Maffeis 2010] then type check and instrument the rest.

• Gadget independence regarding IF analysis: – Still have to adapt to asynchrony of PostMessage … what’s a

good solution to this? shadow pages? [Adjail 2010]

• Making the web ad business model secure and practical?

Mashup Security by Compilation

Documents

web application

external gadgets

mashup sandboxing

librarythe gadget

web client mashupclient

thirdparty gadgets great

joint work

zhengqin luo