ConScript
Specifying and Enforcing Fine-Grained Security Policies
for JavaScript in the Browser
Leo Meyerovich UC Berkeley
Benjamin Livshits Microsoft Research
Web Programmability Platform
yelp.com
openid.net
adsense.com
Google maps
Rich Internet Applications are Dynamic
Yelp.com:
main.js
… jQuery.js
… adSense.js
… GoogleMaps.js
… OpenID_API.js
flexible runtime composition … but little control.
Towards Safe Programmability for the Web
Can't trust other people's code
Mash-ups
Goals and Contributions
control loading and use of scripts:
• protect benign users
• by giving control to hosting site
• ConScript approach: aspects for security
express many policies safely:
• 17 hand-written policies
• correct policies are hard to write
• proposed type system to catch common attacks
• implemented 2 policy generators
browser support:
• built into IE 8 JavaScript interpreter
• runtime and space overheads under 1% (vs. 30-550%)
• smaller trusted computing base (TCB)
Approach: protect benign users by giving control to the hosting site: aspects for security
ConScript
• Approach
– protect benign Web users
– give control to the hosting site
• How
– Browser-supported aspects for security
Contributions of ConScript
A case for aspects in browser:
• protect benign users by giving control to hosting site
• ConScript approach: aspects for security
• built into IE 8 JavaScript interpreter
Correctness checking:
• Policies are easy to get wrong
• Type system to ensure policy correctness
Expressiveness:
• 17 hand-written policies
• Comprehensive catalog of policies from literature and practice
• implemented 2 policy generators
Evaluation:
• Tested on real apps: Google Maps, Live Desktop, etc.
• runtime and space overheads under 1% (vs. 30-550%)
• smaller trusted computing base (TCB)
Policies
manifest of script URLs
HTTP-only cookies
resource blacklists
limit eval
no foreign links
no hidden frames
script whitelist
<noscript>
no URL redirection
no pop-ups
enforce public vs. private
CONSCRIPT aspects
implementing aspects in IE8
checking CONSCRIPT policies
generating CONSCRIPT policies
performance
eval is evil
window.eval = function () {
throw 'Disallowed'
};
[Diagram: heap (heap object, function eval, document, window, div, x y z …) and stack (eval, eval, foo, bar)]
No postMessage: A Simple Policy?
Wrapping: [[Caja, DoCoMo, AOJS, lightweightjs, Web Sandbox, …]]
window.postMessage = function () {};
frame1.postMessage("msg", "evil.com")
Aspects: [[AspectJ]]
void around(String msg, String uri) :
call DOM.postMessage(String m, String u)
{ /* do nothing instead of call */ }
… no classes in JavaScript / DOM …
Specifying Calls using References
around(window.postMessage,
function () { throw 'exn'; });
[Diagram: [Object window] and [Object frame], each with a postMessage reference; function boxes: function () { [native code] } and function () { throw 'exn'; }]
ConScript Interface
1. Functions
DOM: aroundExt(postMessage, function (pm2, m, uri) { … });
JS: aroundNat(eval, function (eval, str) { … });
User-defined: aroundFnc(foo, function (foo2, arg1) { … });
2. Script introduction
<script>: aroundScr(function (src) { return src + ';' + pol; });
inline: aroundInl(function (src) { return src + ';' + pol; });
Problem: Implementation?
Source Rewriting [[aojs, docomo, caja, sandbox, fbjs]]
function f () { … }
function f () {<before> … <after>}
50%-450% more to transfer, 30-70% slowdown
limited: native (DOM) functions, dynamic code?
big assumptions: adds parser to TCB, …
Mediating DOM Functions
aroundExt(window.postMessage, …);
[Diagram: calls to window.postMessage and frame2.postMessage (arguments: "hello", "evil.com") pass through the JavaScript interpreter's advice dispatch, keyed by the function address 0xff34e5, before reaching postMessage in the IE8 libraries (HTML, Networking, …); labels: call advice, [not found], off]
Resuming Calls
function advice1 (foo2) { if (ok()) { foo2(); } else throw 'exn'; }
function foo () { }
function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw 'exn'; }
function foo () { }
advice on advice off
1. function (eval, str) { if (ok(str)) { bless(); return eval(str); } else throw 'exn'; }
3. function (eval, str) { if (ok(str)) return eval(str); else { curse(); throw 'exn'; } }
bless() temporarily disables advice for next call
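Added example (not from the talk or from ConScript): a userland model of the wrapping bypass, reference-keyed advice, and bless() described on the slides above. makeInterpreter, makeDom, call and the *.example origins are assumptions; ConScript itself performs this dispatch inside the IE8 interpreter.

```javascript
// Added model, not ConScript source. makeInterpreter, makeDom, call and the
// *.example origins are assumptions; around/bless follow the slide names.
function makeInterpreter() {
  const advice = new Map();   // function reference -> advice function
  let adviceOn = true;        // the slides' "advice on / advice off" flag
  function call(obj, name, ...args) {
    const fn = obj[name];
    const registered = advice.get(fn);
    if (registered && adviceOn) {
      // Hand the advice a resume function that re-enters the mediated call path.
      return registered((...rest) => call(obj, name, ...rest), ...args);
    }
    adviceOn = true;          // a blessed call consumes the bless
    return fn.apply(obj, args);
  }
  return {
    around(fn, a) { advice.set(fn, a); },
    bless() { adviceOn = false; },
    call,
  };
}

// Two DOM objects exposing the same native function, as window and a frame do.
function makeDom() {
  const delivered = [];
  const nativePostMessage = function (msg, origin) { delivered.push(origin); };
  return {
    delivered,
    window: { postMessage: nativePostMessage },
    frame1: { postMessage: nativePostMessage },
  };
}

// Wrapping: overwrite one property; the frame's access path keeps the raw function.
function wrappingDemo() {
  const dom = makeDom();
  dom.window.postMessage = function () {};
  dom.window.postMessage("msg", "blocked.example");
  dom.frame1.postMessage("msg", "blocked.example");
  return dom.delivered;
}

// Advice keyed on the function reference covers every access path.
function adviceDemo() {
  const dom = makeDom();
  const vm = makeInterpreter();
  const allowed = new Set(["partner.example"]);
  vm.around(dom.window.postMessage, function (pm2, msg, origin) {
    if (!allowed.has(origin)) throw "exn";
    vm.bless();               // without this, pm2 would dispatch to the advice again
    return pm2(msg, origin);
  });
  const outcomes = [];
  const attempts = [[dom.window, "blocked.example"], [dom.frame1, "blocked.example"],
                    [dom.frame1, "partner.example"]];
  for (const [obj, origin] of attempts) {
    try { vm.call(obj, "postMessage", "msg", origin); outcomes.push("sent"); }
    catch (e) { outcomes.push("blocked"); }
  }
  return { outcomes, delivered: dom.delivered };
}
```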
Optimizing the Critical Path
function advice2 (foo2) { if (ok()) { bless(); foo2(); } else throw 'exn'; }
function foo () { }
advice on
function advice3 (foo2) { if (ok()) foo2(); else { curse(); throw 'exn'; } }
function foo () { }
advice off advice on
• calling advice turns advice off for next call
• curse() enables advice for next call
Basic Usage
Yelp.com: main.js, index.html
… jQuery.js
… adSense.js
… GoogleMaps.js
… OpenID_API.js
script whitelist
no eval
no innerHTML
no hidden frames
only HTTP cookies
no inline scripts
<script src="main.js" policy="noEval()"/>
SURGEON GENERAL’S WARNING
Policies are written in a small JavaScript subset.
Applications only lose a few dangerous features.
Policy Integrity
Objects defined with policy constructors do not flow out
Old Policy
around(postMessage, function (m, url) {
w = {"msn.com": true};
…
policy object: must protect
unknown: do not pass privileged objects!
User Exploit
postMessage("", "msn.com");
w["evil.com"] = 1;
postMessage("", "evil.com");
New Policy
around(postMessage, function (m, url) {
window.w = {"msn.com": true};
…
var w
Maintaining Integrity
1. Policy objects do not leak out of policies
2. Access path integrity of calls (no prototype hijacking)
• ML-style type inference
– basic
– program unmodified
– only manually tested on policies
• JavaScript interpreter support
– call(ctx, fnc, arg1, …), hasOwnProperty(obj, "fld")
– caller
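Added example (not from the talk or from ConScript): the two integrity properties above, shown on a whitelist policy modelled on the Old Policy slide. makePage, page.globals, this around() and the *.example origins are assumptions, and the lazy creation of w is assumed because the slide elides the policy body.

```javascript
// Added illustration, not ConScript code. makePage, page.globals and this
// around() are a userland model; the *.example origins are constructed.
function makePage() {
  const page = { delivered: [], globals: {} };   // globals stands in for window
  page.postMessage = (msg, origin) => { page.delivered.push(origin); };
  page.around = (name, advice) => {
    const raw = page[name];
    page[name] = (...args) => advice(raw, ...args);
  };
  return page;
}

// Leaky: the whitelist is created lazily (assumed; the slide elides the body)
// on the page-visible global and read with a plain property lookup.
function installLeakyPolicy(page) {
  page.around("postMessage", (pm, msg, origin) => {
    if (!page.globals.w) page.globals.w = { "trusted.example": true };
    if (page.globals.w[origin]) return pm(msg, origin);
    throw "exn";
  });
}

// Hardened: the whitelist stays in the policy closure, is frozen, and is
// checked with an own-property test captured before page code runs.
function installHardenedPolicy(page) {
  const hasOwn = Function.prototype.call.bind(Object.prototype.hasOwnProperty);
  const w = Object.freeze({ "trusted.example": true });
  page.around("postMessage", (pm, msg, origin) => {
    if (hasOwn(w, origin)) return pm(msg, origin);
    throw "exn";
  });
}

// Page code: the slide's three-step sequence, then a prototype write.
function runPageCode(install) {
  const page = makePage();
  install(page);
  const send = (origin) => {
    try { page.postMessage("", origin); } catch (e) { /* blocked by policy */ }
  };
  send("trusted.example");                                   // policy runs once
  if (page.globals.w) page.globals.w["other.example"] = 1;   // edit the leaked object
  send("other.example");
  Object.prototype["third.example"] = 1;                     // inherited by every plain object
  try { send("third.example"); }
  finally { delete Object.prototype["third.example"]; }
  return page.delivered;
}
```

runPageCode(installLeakyPolicy) delivers to all three origins, while runPageCode(installHardenedPolicy) delivers only to the whitelisted one.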
Transparency
• If running with policies throws no errors
– … for same input, running without should be safe
– empty advice should not be functionally detectable
• Difficult with wrapping or rewriting
– Function.prototype.apply, exn.stacktrace, myFunction.callee, arguments.caller, myFunction.toString, Function.prototype.call
– correctness vs. compatibility vs. performance …
• Simpler at interpreter level
– rest up to developer
– no proof
Automatically Generating Policies
• Intrusion detection
– can we infer and disable unneeded DOM functions?
• C# access modifiers
– can we enforce access modifiers like private?
• ASP policies
– can we guarantee no scripts get run in <% echo %>?
Intrusion Detection 1: Learn Blacklist
eval
new Function(“string”)
postMessage
XDomainRequest
xmlHttpRequest
…
log
audit
Intrusion Detection 2: Enforce Blacklist
Enforcing C# Access Modifiers
C#:
class File {
public File () { … }
private open () { … }
…
Script# compiler, JavaScript:
function File () { … }
File.construct = …
File.open = …
…
ConScript:
around(File, pubEntryPoint);
around(File.construct, pubEntryPoint);
around(File.open, privCall);
Performance
Microbenchmarks: 1.2x (vs. 3.4x)
Initialization time: 0-1%
Runtime: 0-7% (vs. 30+%)
File size blowup: < 1% (vs. 50+%)
Microbenchmark: Mediation Overhead
wrap: var raw = obj.f; obj.f = function () { raw(); }
bless: function advice2 (foo2) { bless(); foo2(); }
autobless: function advice3 (foo2) { foo2(); }
[Bar chart: wrap 3.42x, bless 1.44x, autobless 1.24x]
File Size Increase (IDS)
[Bar chart: file size increase for MSN, GMail and Google Maps; series ConScript, Docomo, Caja, Sandbox; bar labels in extraction order: 1.0, 1.7, 4.8, 1.2, 1.0, 1.5, 3.9, 10.4, 1.0, 1.5, 4.4, 1.5]
Runtime Overhead
[Bar chart, Intrusion Detection System: runtime overhead for Google Maps (183ms), MSN (439ms), GMail (736ms); series ConScript and DoCoMo (JavaScript rewriting); bar labels in extraction order: 7%, 1%, 30%, 73%, 63%]
[Bar chart, Access Modifier Enforcement: runtime (ms) for Application Loading and Opening a Folder; series Uninstrumented and Secured Private Methods; bar labels in extraction order: 291.05, 155.5, 297.45, 156.9]
Goals and Contributions
control loading and use of scripts:
• protect benign users
• by giving control to hosting site
• ConScript approach: aspects for security
express many policies safely:
• 16 hand-written policies
• correct policies are hard to write
• proposed type system to catch common attacks
• implemented 2 policy generators
browser support:
• built into IE 8 JavaScript interpreter
• runtime and space overheads under 1% (vs. 30-550%)
• smaller trusted computing base (TCB)
manifest of URLs
limit eval
no foreign links
resource blacklists
no hidden frames
script whitelist
<noscript>
no URL redirection
HTTP-only cookies
no pop-ups
enforce public vs. private
Questions?
END.