
Gatekeeper: Mostly Static Enforcement of Security & Reliability Policies for JavaScript Code

Ben Livshits, Salvatore Guarnieri

Widgets are everywhere

• Widget sources (web and desktop):
  – Live web widgets
  – Google/IG web widgets
  – Vista Sidebar desktop widgets
• Lots of widget producers
• Various levels of quality and trust

A web widget is a portable chunk of code that can be installed and executed within any separate HTML-based web page by an end user without requiring additional compilation. They are derived from the idea of code reuse. Other terms used to describe web widgets include: gadget, badge, module, webjit, capsule, snippet, mini and flake. Web widgets usually but not always use DHTML, JavaScript, or Adobe Flash.

MOTIVATION & PROJECT GOALS

Widget host is interested in ensuring widget security and quality

• Bad widgets: host is blamed
• Widget checking eliminates issues for users
• Static analysis advantage: all paths, no overhead, detect early

Gatekeeper: Protecting the Widget Host

Gatekeeper Contributions

• Propose a statically analyzable subset JavaScriptSAFE
• Propose the first points-to analysis for JavaScript
• Formulate 9 security and reliability policies using Datalog:
  – restricting widget capabilities
  – making sure built-in objects are not modified
  – preventing code injection attempts, etc.
• Evaluation on 8,000+ publicly available JavaScript widgets:
  – Live.com
  – Vista Sidebar, and
  – Google
• We flag a total of 1,341 policy violations spanning 684 widgets, with 113 false positives affecting only two widgets.

TECHNIQUES

Basic Approach

• Represent the program as a database of facts
  – Normalize the JavaScript program AST
  – Introduce temporaries as necessary
  – Store facts in a compressed form
• Query this database using Datalog
  – This is how all analyses are implemented
  – Implement a points-to analysis to reason about the program heap
  – A very declarative, extensible approach
  – Propose 9 different analyses/policies

Gatekeeper Architecture


Enemies of Static Analysis

Occurrences of each construct in the three widget galleries (gallery size in brackets):

Construct                                  Live [2,714]   Sidebar [4,501]   Google [1,171]
eval("(" + oResponse + ")");                         10               353               55
setTimeout(GetFeed, 25000);                          49               824               65
setInterval(clock, 500);                             16               377               13
Non-const index                                     176             1,736              192
var c = arguments[2]                                  6               175                3
a = new Function("c", "return c*10;");                4               142               21
with (Math) { p = PI; }                               2               422                2
document.write(url);                                  1               102              108
myFrame.innerHTML = [HTML];                       2,053             1,535              288

Example of a non-const index: var x = new Object(); x[a+b] = ...;


Start with Entire JavaScript…

EcmaScript-262

Remove eval & Friends…

EcmaScript 262
  - eval
  - setTimeout
  - setInterval
  - Function
  - with
  - arguments array
  - [innerHtml]
  ------------------------
  = JavaScriptGK

Remove Unresolved Array Accesses…

JavaScriptGK
  - non-const array access a[x+y]
  ------------------------
  = JavaScriptSAFE

Now, this is Amenable to Analysis!

EcmaScript 262 ⊃ JavaScriptGK ⊃ JavaScriptSAFE

s ::=
  // assignments
  v1 = v2
  v = bot
  return v
  // calls
  v = new v0(v1, …, vn)
  v = v0(vthis, v1, …, vn)
  // heap
  v1 = v2.f
  v1.f = v2
  // declarations
  v = function(v1, …, vn) { s }

Two language subsets: JavaScriptSAFE and JavaScriptGK

• JavaScriptSAFE – can analyze fully statically without resorting to runtime checks
• JavaScriptGK – need basic instrumentation to prevent runtime code introduction

JavaScript Language Features

TODO: discussion of 1) prototypes and 2) safe reflection


Analysis Process

JavaScript AST → IR Normalizer → Output to Datalog → BDDBDDB solver (with Datalog analysis rules) → Analysis Results


Converting JavaScript Statements to Facts
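As an added worked example (not code from the Gatekeeper project), the following Python normalizer turns a small JavaScript expression AST, written by hand as nested tuples, into the three-address statements of the JavaScriptSAFE grammar shown earlier. It introduces temporaries t1, t2, … so that every operand is a plain variable, and uses an assumed name `global` as vthis for calls that are not method calls; the node kinds (`var`, `const`, `field`, `call`, `new`, `function`, `assign`, `return`) are this example's own encoding.

```python
"""Normalize a small JavaScript expression AST into JavaScriptSAFE-style
three-address statements, introducing temporaries as necessary."""
from itertools import count

GLOBAL = "global"  # assumed name for the global object, used as vthis of non-method calls


class Normalizer:
    def __init__(self, counter=None):
        self.stmts = []
        # nested functions share the counter so temporaries stay unique
        self._tmp = counter if counter is not None else count(1)

    def fresh(self):
        return f"t{next(self._tmp)}"

    def atom(self, node):
        """Return a variable holding node's value, emitting statements as needed."""
        kind = node[0]
        if kind == "var":                       # already a variable
            return node[1]
        if kind == "const":                     # non-pointer value: v = bot
            v = self.fresh()
            self.stmts.append(("bot", v))
            return v
        if kind == "field":                     # v1 = v2.f
            base = self.atom(node[1])
            v = self.fresh()
            self.stmts.append(("load", v, base, node[2]))
            return v
        if kind == "new":                       # v = new v0(v1, ..., vn)
            ctor = self.atom(node[1])
            args = [self.atom(a) for a in node[2]]
            v = self.fresh()
            self.stmts.append(("new", v, ctor, tuple(args)))
            return v
        if kind == "call":                      # v = v0(vthis, v1, ..., vn)
            callee = node[1]
            if callee[0] == "field":            # method call: receiver becomes vthis
                recv = self.atom(callee[1])
                fn = self.fresh()
                self.stmts.append(("load", fn, recv, callee[2]))
            else:
                recv, fn = GLOBAL, self.atom(callee)
            args = [self.atom(a) for a in node[2]]
            v = self.fresh()
            self.stmts.append(("call", v, fn, recv, tuple(args)))
            return v
        if kind == "function":                  # v = function(v1, ..., vn){s}
            body = Normalizer(self._tmp)
            for s in node[2]:
                body.statement(s)
            v = self.fresh()
            self.stmts.append(("function", v, tuple(node[1]), tuple(body.stmts)))
            return v
        raise ValueError(f"unknown node kind {kind!r}")

    def statement(self, node):
        kind = node[0]
        if kind == "assign":
            target, rhs = node[1], node[2]
            if target[0] == "var":              # v1 = v2
                self.stmts.append(("assign", target[1], self.atom(rhs)))
            elif target[0] == "field":          # v1.f = v2 (base evaluated before rhs, as in JS)
                base = self.atom(target[1])
                self.stmts.append(("store", base, target[2], self.atom(rhs)))
            else:
                raise ValueError("unsupported assignment target")
        elif kind == "return":                  # return v
            self.stmts.append(("return", self.atom(node[1])))
        else:                                   # expression statement
            self.atom(node)


def render(stmt):
    """Print one statement in the grammar's concrete syntax."""
    k = stmt[0]
    if k == "bot": return f"{stmt[1]} = bot"
    if k == "assign": return f"{stmt[1]} = {stmt[2]}"
    if k == "load": return f"{stmt[1]} = {stmt[2]}.{stmt[3]}"
    if k == "store": return f"{stmt[1]}.{stmt[2]} = {stmt[3]}"
    if k == "new": return f"{stmt[1]} = new {stmt[2]}({', '.join(stmt[3])})"
    if k == "call": return f"{stmt[1]} = {stmt[2]}({', '.join((stmt[3],) + stmt[4])})"
    if k == "return": return f"return {stmt[1]}"
    if k == "function":
        body = "; ".join(render(s) for s in stmt[3])
        return f"{stmt[1]} = function({', '.join(stmt[2])}){{{body}}}"
    raise ValueError(k)


def normalize(program):
    n = Normalizer()
    for s in program:
        n.statement(s)
    return [render(s) for s in n.stmts]


# Constructed input: document.getElementById("x").innerHTML = foo.bar(1);
SAMPLE = [("assign",
           ("field", ("call", ("field", ("var", "document"), "getElementById"),
                      [("const", "x")]), "innerHTML"),
           ("call", ("field", ("var", "foo"), "bar"), [("const", 1)]))]

if __name__ == "__main__":
    for line in normalize(SAMPLE):
        print(line)
```

Running it on the sample prints seven statements, each matching one production of the grammar; every nested expression has become a temporary, which is what makes the later Datalog facts (one per statement) possible.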


Pointer Analysis Inference Rules

EXPERIMENTALRESULTS


Widget Corpus

• Collected by scraping widget galleries

Gallery   Total
Live      2,714
Sidebar   4,501
Google    1,171


Language Subsets in Practice

Share of each gallery's widgets that falls within each language subset (bar chart, data labels per series):

Subset           Live     Sidebar   Google
EcmaScript       100%     100%      100%
Gatekeeper       24.06%   51.17%    67.38%
JavaScriptSAFE   23.69%   39.26%    65.58%

Policies for Widget Security & Reliability


Query Results

• 1,210 violations total

Query              Live [2,714]   Sidebar [4,501]   Google [1,171]
Alert                        87               287               81
Frozen Violation              3               114               19
document.write                5               175              158
Location change              59               192               30
Totals                      154               768              288
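To make the pointer-analysis inference rules and the four policies in the table concrete, here is an added Python example (not Gatekeeper's code or its Datalog). It iterates Andersen-style rules to a fixpoint over a hand-normalized widget and then runs the Alert, document.write, Frozen Violation and Location change queries over the result. The built-in heap (h_window, h_document, …), the widget program, the set of frozen objects and the IR tuple forms are all constructed for this example; prototype chains are left unmodelled.

```python
"""Points-to analysis over JavaScriptSAFE-style facts, with four widget
policies expressed as queries over the computed relations. The Datalog
rules are encoded as Python set comprehensions iterated to a fixpoint."""

# IR statement forms (one tuple per statement):
#   ("alloc", v, h)       v = new ... or v = function(){...}, allocation site h
#   ("assign", v1, v2)    v1 = v2
#   ("load", v1, v2, f)   v1 = v2.f
#   ("store", v1, f, v2)  v1.f = v2
#   ("call", site, v0)    v = v0(vthis, ...); only the callee matters here

# Constructed model of the browser's built-in objects: HeapPtsTo(h1, f, h2)
BUILTIN_HEAP = {
    ("h_window", "alert", "h_alert"),
    ("h_window", "document", "h_document"),
    ("h_window", "location", "h_location"),
    ("h_window", "Object", "h_Object"),
    ("h_document", "write", "h_document_write"),
    ("h_Object", "prototype", "h_Object_proto"),
}
GLOBALS = {("window", "h_window")}   # PointsTo facts for global names
FROZEN = {"h_Object_proto"}          # built-ins a widget must not modify

# Constructed widget, already normalized into the IR
PROGRAM = [
    ("assign", "w", "window"),               # var w = window;
    ("load", "t1", "w", "alert"),            # w.alert(...)
    ("call", "c1", "t1"),
    ("load", "d", "window", "document"),     # var d = document;
    ("load", "f", "d", "write"),             # var f = d.write;
    ("call", "c2", "f"),                     # f(...)  aliased document.write
    ("load", "o", "window", "Object"),       # Object.prototype.toString = function(){...}
    ("load", "p", "o", "prototype"),
    ("alloc", "fn", "h_fn1"),
    ("store", "p", "toString", "fn"),
    ("store", "window", "location", "u"),    # window.location = u;
    ("alloc", "q", "h_obj1"),                # var q = new Object(); q.x = fn;  (allowed)
    ("store", "q", "x", "fn"),
]


def analyze(program, builtin_heap, globals_):
    """Compute PointsTo(v, h) and HeapPtsTo(h1, f, h2) to a fixpoint.
    Rules (Datalog in comments, Python below):
      PointsTo(v, h)       :- Alloc(v, h).
      PointsTo(v1, h)      :- Assign(v1, v2), PointsTo(v2, h).
      PointsTo(v1, h2)     :- Load(v1, v2, f), PointsTo(v2, h1), HeapPtsTo(h1, f, h2).
      HeapPtsTo(h1, f, h2) :- Store(v1, f, v2), PointsTo(v1, h1), PointsTo(v2, h2)."""
    pts = set(globals_) | {(s[1], s[2]) for s in program if s[0] == "alloc"}
    heap = set(builtin_heap)
    while True:
        new_pts, new_heap = set(), set()
        for s in program:
            if s[0] == "assign":
                new_pts |= {(s[1], h) for (v, h) in pts if v == s[2]}
            elif s[0] == "load":
                bases = {h for (v, h) in pts if v == s[2]}
                new_pts |= {(s[1], h2) for (h1, f, h2) in heap if h1 in bases and f == s[3]}
            elif s[0] == "store":
                bases = {h for (v, h) in pts if v == s[1]}
                vals = {h for (v, h) in pts if v == s[3]}
                new_heap |= {(h1, s[2], h2) for h1 in bases for h2 in vals}
        if new_pts <= pts and new_heap <= heap:   # no new facts: fixpoint reached
            return pts, heap
        pts |= new_pts
        heap |= new_heap


def check_policies(program, pts, frozen):
    """Four of the deck's policies as queries over the analysis results."""
    violations = []
    for s in program:
        if s[0] == "call":
            targets = {h for (v, h) in pts if v == s[2]}
            if "h_alert" in targets:                      # Alert
                violations.append(("Alert", s[1]))
            if "h_document_write" in targets:             # document.write
                violations.append(("document.write", s[1]))
        elif s[0] == "store":
            bases = {h for (v, h) in pts if v == s[1]}
            where = f"{s[1]}.{s[2]}"
            if bases & frozen:                            # Frozen violation
                violations.append(("Frozen violation", where))
            if ("h_window" in bases and s[2] == "location") or "h_location" in bases:
                violations.append(("Location change", where))
    return sorted(violations)


if __name__ == "__main__":
    pts, heap = analyze(PROGRAM, BUILTIN_HEAP, GLOBALS)
    for policy, where in check_policies(PROGRAM, pts, FROZEN):
        print(f"{policy:18} at {where}")
```

The aliasing in the sample is the point: `f` is never syntactically `document.write`, and `p` is never syntactically `Object.prototype`, yet both violations are found because the queries run over points-to facts rather than over the program text. The write to `q.x` is reported by nothing, since `q` points only to a widget-allocated object.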

Conclusions

• Static analysis for JavaScript
• Technique: points-to analysis
• Focus: analyzing widgets

We feel that static analysis of JavaScript is a key building block for enabling an environment in which code from different parties can safely co-exist and interact.
