Post on 19-Dec-2015
Gatekeeper: Mostly Static Enforcement of Security & Reliability Policies for JavaScript Code
Ben Livshits, Salvatore Guarnieri
Widgets are everywhere
• Widget sources (web and desktop):
  Live web widgets
  Google/IG web widgets
  Vista Sidebar desktop widgets
  …
• Lots of widget producers
• Various levels of quality and trust
A web widget is a portable chunk of code that can be installed
and executed within any separate HTML-based web page by an
end user without requiring additional compilation. They are
derived from the idea of code reuse. Other terms used to
describe web widgets include: gadget, badge, module, webjit,
capsule, snippet, mini and flake. Web widgets usually but not
always use DHTML, JavaScript, or Adobe Flash.
MOTIVATION & PROJECT GOALS
Widget host is interested in ensuring widget security and quality
• Bad widgets: host is blamed
• Widget checking eliminates issues for users
• Static analysis advantage: all paths, no overhead, detect early
Gatekeeper: Protecting the Widget Host
Gatekeeper Contributions
• Propose a statically analyzable subset JavaScriptSAFE
• Propose the first points-to analysis for JavaScript
• Formulate 9 security and reliability policies using Datalog
  – restricting widget capabilities
  – making sure built-in objects are not modified
  – preventing code injection attempts, etc.
• Evaluation on 8,000+ publicly available JavaScript widgets
  – Live.com
  – Vista Sidebar, and
  – Google
• We flag a total of 1,341 policy violations spanning 684 widgets, with 113 false positives affecting only two widgets.
TECHNIQUES
Basic Approach
• Represent the program as a database of facts
  – Normalize the JavaScript program AST
  – Introduce temporaries as necessary
  – Store facts in a compressed form
• Query this database using Datalog
  – This is how all analyses are implemented
  – Implement a points-to analysis to reason about the program heap
  – A very declarative, extensible approach
  – Propose 9 different analyses/policies
Gatekeeper Architecture
Enemies of Static Analysis
Number of widgets using each construct, per source (total widgets in brackets):

Construct                                  Live [2,714]   Sidebar [4,501]   Google [1,171]
eval("(" + oResponse + ")");                         10               353               55
setTimeout(GetFeed, 25000);                          49               824               65
setInterval(clock, 500);                             16               377               13
Non-const index                                     176             1,736              192
var c = arguments[2]                                  6               175                3
a = new Function("c", "return c*10;");                4               142               21
with (Math) { p = PI; }                               2               422                2
document.write(url);                                  1               102              108
myFrame.innerHTML = [HTML];                       2,053             1,535              288

Example of a non-constant index:
var x = new Object(); x[a+b] = ...;
Start with Entire JavaScript…
EcmaScript-262

Remove eval & Friends…
EcmaScript 262
  - eval
  - setTimeout
  - setInterval
  - Function
  - with
  - arguments array
  - [innerHtml]
  -----------------
  = JavaScriptGK

Remove Unresolved Array Accesses…
JavaScriptGK
  - non-const array access a[x+y]
  -----------------
  = JavaScriptSAFE

Now, this is Amenable to Analysis!
EcmaScript 262
JavaScriptGK
JavaScriptSAFE
Normalized statement forms:

s ::=
  // assignments
  v1 = v2
  v = ⊥
  return v
  // calls
  v = new v0(v1, …, vn)
  v = v0(vthis, v1, …, vn)
  // heap
  v1 = v2.f
  v1.f = v2
  // declarations
  v = function(v1, …, vn) { s }
Two language subsets: JavaScriptSAFE and JavaScriptGK
• JavaScriptSAFE – can analyze fully statically without resorting to runtime checks
• JavaScriptGK – need basic instrumentation to prevent runtime code introduction
JavaScript Language Features
TODO: discussion of 1) prototypes and 2) safe reflection
Analysis Process
JavaScript AST → IR Normalizer → Output to Datalog → bddbddb solver → Analysis Results
(Datalog analysis rules are fed to the solver alongside the program facts)
Converting JavaScript Statements to Facts
Pointer Analysis Inference Rules
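As an added example (not code from the slides or from the Gatekeeper implementation), here is a small Python fixed-point solver over the normalized statement facts above. It derives PointsTo and HeapPointsTo the way a Datalog engine such as bddbddb would, then expresses three of the policies named on the contributions slide (alert, document.write, and modification of frozen built-in objects) as queries over the result. The sample widget, the variable names and the heap object names such as h_document_write are constructed for this illustration.

```python
from collections import defaultdict

def points_to(alloc, field, assign, load, store):
    """Andersen-style fixed point over the normalized facts (built-ins pre-seeded)."""
    pts = defaultdict(set)   # PointsTo(v, h): variable v may refer to heap object h
    hpts = defaultdict(set)  # HeapPointsTo(h, f, h2): field f of h may refer to h2
    for v, h in alloc:       # v = new h   (also models globals such as document)
        pts[v].add(h)
    for h, f, h2 in field:   # built-in object layout, e.g. document.write
        hpts[(h, f)].add(h2)
    def size():              # number of facts derived so far
        return sum(map(len, pts.values())) + sum(map(len, hpts.values()))
    while True:              # re-run every rule until no new fact appears
        before = size()
        for v1, v2 in assign:            # v1 = v2
            pts[v1] |= pts[v2]
        for v1, f, v2 in store:          # v1.f = v2
            for h in list(pts[v1]):
                hpts[(h, f)] |= pts[v2]
        for v1, v2, f in load:           # v1 = v2.f
            for h in list(pts[v2]):
                pts[v1] |= hpts[(h, f)]
        if size() == before:
            return pts, hpts

def calls_to(call, pts, target):
    """Policy query: call sites whose callee variable may be heap object target."""
    return sorted(site for site, v0 in call if target in pts[v0])

def frozen_violations(store, pts, frozen):
    """Policy query: stores that may modify a built-in object the host keeps frozen."""
    return sorted((v1, f) for v1, f, _ in store if pts[v1] & frozen)

# Constructed sample widget, already in the normalized form: var w = document;
# var t = w.write; var o = {}; o.f = t; var g = o.f; g("hi"); alert("hi");
# var p = String.prototype; p.trim = fn;   (heap object names are made up)
ALLOC = {("document", "h_document"), ("alert", "h_alert"),
         ("String", "h_String"), ("fn", "h_fn"), ("o", "h_obj")}
FIELD = {("h_document", "write", "h_document_write"),
         ("h_String", "prototype", "h_String_proto")}
ASSIGN = {("w", "document")}
LOAD = {("t", "w", "write"), ("g", "o", "f"), ("p", "String", "prototype")}
STORE = {("o", "f", "t"), ("p", "trim", "fn")}
CALL = {("site1", "g"), ("site2", "alert")}

def analyze():
    pts, _ = points_to(ALLOC, FIELD, ASSIGN, LOAD, STORE)
    return {"document.write": calls_to(CALL, pts, "h_document_write"),
            "alert": calls_to(CALL, pts, "h_alert"),
            "frozen": frozen_violations(STORE, pts, {"h_String_proto"})}
```

The document.write call is found even though the function is laundered through an object field and a second variable, which is what the heap rules (store then load) buy over a syntactic grep of the widget.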
EXPERIMENTAL RESULTS
Widget Corpus
• Collected by scraping widget galleries

Source    Total
Live      2,714
Sidebar   4,501
Google    1,171
Language Subsets in Practice
[Chart: share of widgets per source (Live, Sidebar, Google) that fall into each language subset. EcmaScript: 100% / 100% / 100%. Gatekeeper (JavaScriptGK): 24.06% / 51.17% / 67.38%. JavaScriptSAFE: 23.69% / 39.26% / 65.58%.]
Policies for Widget Security & Reliability
Query Results
• 1,210 violations total

Query              Live [2,714]   Sidebar [4,501]   Google [1,171]
Alert                        87               287               81
Frozen Violation              3               114               19
document.write                5               175              158
Location change              59               192               30
Totals                      154               768              288
Conclusions
• Static analysis for JavaScript
• Technique: points-to analysis
• Focus: analyzing widgets

We feel that static analysis of JavaScript is a key building block for enabling an environment in which code from different parties can safely co-exist and interact.