ConScript: Specifying and Enforcing Fine Grained Security Policies for JavaScript in the Browser
Presented by Vaibhav Rastogi
Introduction
Advent of Web 2.0 and mashups
Inclusion of untrusted third-party content is a necessity
Need to restrict the functionality of untrusted content that does not need that functionality
ConScript
A browser-based, security-oriented aspect system
Allows the hosting page to specify policies
Restricts code execution in the context of the hosting page
Examples:
Limiting eval to JSON parsing
Allowing only white-listed strings and scripts
Looking Ahead
Security aspects in the browser
Deep aspects with native support
Static and runtime validation strategies for aspects
17 example security and reliability policies for JavaScript
Automatic policy generation
Evaluation
An example
eval is considered unsafe, but it is a necessity for JSON parsing
Approach 1: redefine eval
This is a shallow redefinition: other access paths to eval may exist
An example
Aspects: specify code to execute (advice) at particular moments of execution (pointcuts)
Approach 2: use aspects (advice and pointcuts)
Requires browser support
An example
Salient Points
Advice registration: bind the original (advised) function to a new function
Use type-safe calls
Aspects: Binding Pointcuts to Advice
The around advice: call the function parameter instead of the function specified as the first parameter
The advice designer decides what to do in the new function: throw an exception, do some safe execution, or invoke the original function
Deep Advice
Several access paths can designate the same object or function, for example:
var ge = document.getElementById;
Deep Advice
Current state of the art: wrapping one access path (shallow advice), which protects only that access path
ConScript's approach: deep advice, where registering advice on one access path suffices for all of them
Attack Model and Boot Sequence
The browser is trusted
The host web site specifies the policies (advice)
Advice is trusted (kernel-level code)
Untrusted scripts (user-level code) are loaded after the advice is specified
Libraries may be loaded before the advice, but they should only declare new code and should not change the environment in undesirable ways
Advising functions: Implementation
User-defined functions are represented as closures
Point the closure to the advice function
A bit indicates whether the advice is enabled
Advising functions: Implementation
Native functions: analogous to user-defined functions
Advising functions: Implementation
Foreign functions, like frame[0].postMessage: use a translation table
Blessing and Advice Optimizations
Problem: infinite recursion when advice calls the advised function
Solution: define two functions
bless: enable the advice
curse: disable the advice
Rewrite
Blessing and Advice Optimizations
Autobless: avoids verbosity and is more efficient
What if the raw function is not called? Be explicit: curse
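An added example, not code from the slides or from ConScript: a plain-JavaScript emulation of around advice with an advice-enabled bit, covering the shallow redefinition of eval, the around advice, and the bless/curse fix for recursion. The names around, bless and curse follow the slides; the autobless protocol shown (the raw call runs cursed and re-blesses afterwards) and the stand-in evaluator are this example's assumptions, and a plain wrapper like this cannot provide deep advice.

```javascript
// Added example, not ConScript's own code: a plain-JavaScript emulation of
// "around" advice with an advice-enabled bit (bless/curse) and autobless.
// The bless/curse protocol is this example's simplification; without native
// (deep) support the wrapper covers only one access path.
function around(original, advice) {
  const state = { enabled: true };                  // the "advice enabled" bit
  const curse = () => { state.enabled = false; };   // disable the advice
  const bless = () => { state.enabled = true; };    // enable the advice
  function advised(...args) {
    if (!state.enabled) return original.apply(this, args);
    // Autobless: raw runs the original cursed and blesses afterwards, so advice
    // that calls back into the advised function cannot recurse forever.
    const raw = (...a) => {
      curse();
      try { return original.apply(this, a); } finally { bless(); }
    };
    return advice.call(this, raw, ...args);
  }
  return { advised, bless, curse };
}

// The slides' example policy: eval is allowed for JSON parsing only.
function jsonOnlyEval(raw, src) {
  if (typeof src !== "string") throw new Error("policy: eval expects a string");
  try { JSON.parse(src); } catch (e) { throw new Error("policy: eval limited to JSON"); }
  return raw(src);
}

// Approach 1 (redefining one name) is shallow: an alias taken before the
// redefinition still reaches the unadvised function.
function shallowRedefinitionDemo() {
  const g = { eval: (s) => Function("return (" + s + ")")() };  // constructed stand-in global
  const alias = g.eval;                                         // a second access path
  g.eval = around(g.eval, jsonOnlyEval).advised;                // policy on one path only
  const attempt = (fn) => { try { fn("1 + 1"); return "ran"; } catch (e) { return "blocked"; } };
  return {
    jsonAllowed: g.eval("[1, 2]").length,   // 2: JSON still evaluates through the policy
    advisedPath: attempt(g.eval),           // "blocked"
    aliasPath: attempt(alias),              // "ran": the policy never saw this call
  };
}

// Advice on a function that recurses through its own (advised) name: the inner
// calls run while cursed, so the advice body executes once per outer call.
function recursionDemo() {
  let adviceRuns = 0;
  const ns = {};
  ns.fact = (n) => (n <= 1 ? 1 : n * ns.fact(n - 1));
  ns.fact = around(ns.fact, (raw, n) => { adviceRuns++; return raw(n); }).advised;
  return { value: ns.fact(5), adviceRuns };   // 120, 1
}
```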
Advising Script Introduction
Important pointcut: aroundScript
Securing Advice
Advice should not be tampered with, and it should be written in a secure manner
A vulnerable advice definition: a whitelist policy for frame messaging
Securing Advice
Attack 1: toString redefinition
Attack 2: Function.prototype poisoning
Securing Advice
Attack 3: Object.prototype poisoning
Attack 4: Malicious getters
Securing Advice: Improvements
Eliminate with and eval
Disallow caller access
Introduce a new primitive, ucall
Circumvent prototype poisoning: introduce a poisoning-safe primitive, hasProp
Securing Advice
Secure version of the whitelist policy
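An added example, not the paper's policy code: a whitelist advice for frame messaging in a vulnerable form beside a hardened form, run against the four attacks named on the previous slides. The origins, the target objects and the ucall/hasProp stand-ins are this example's constructions.

```javascript
// Added example, not the paper's own policy code: a frame-messaging whitelist
// advice in a vulnerable form and a hardened form, exercised against the four
// attacks the slides name. ucall/hasProp are this example's stand-ins for the
// primitives the slides introduce; origins and target objects are constructed.
const TRUSTED = "https://trusted.example";
const allowed = { [TRUSTED]: true };
const rawPost = (origin, msg) => origin;   // stand-in for the unadvised postMessage

// Vulnerable advice: prototype-chain lookup, a second read of origin, and a
// call that goes through Function.prototype.
function vulnerablePost(target, msg) {
  if (!(target.origin in allowed)) throw new Error("blocked");
  return rawPost.call(null, target.origin, msg);
}

// Kernel-level captures, made before any untrusted script can run.
const ucall = Function.prototype.call.bind(Function.prototype.call); // ucall(fn, thisArg, ...args)
const ownProp = Object.prototype.hasOwnProperty;
const hasProp = (obj, key) => ucall(ownProp, obj, key);              // ignores the prototype chain

// Hardened advice: read once, require a primitive string, check own properties
// only, and invoke through the captured call primitive.
function hardenedPost(target, msg) {
  const origin = target.origin;
  if (typeof origin !== "string") throw new Error("blocked");
  if (!hasProp(allowed, origin)) throw new Error("blocked");
  return ucall(rawPost, null, origin, msg);
}

// Runs the four attacks against a guard and returns the names of those that got
// a message delivered somewhere other than TRUSTED. Each attack restores what it poisons.
function attacksThatSucceed(guard) {
  const evil = "https://evil.example";
  const leaked = (mk) => { try { return String(guard(mk(), "secret")) !== TRUSTED; } catch (e) { return false; } };
  const hits = [];
  let n = 0, reads = 0;
  if (leaked(() => ({ origin: { toString: () => (n++ === 0 ? TRUSTED : evil) } }))) hits.push("toString");
  const savedCall = Function.prototype.call;
  Function.prototype.call = function () { return evil; };
  try { if (leaked(() => ({ origin: TRUSTED }))) hits.push("Function.prototype"); }
  finally { Function.prototype.call = savedCall; }
  Object.defineProperty(Object.prototype, evil, { value: true, configurable: true });
  try { if (leaked(() => ({ origin: evil }))) hits.push("Object.prototype"); }
  finally { delete Object.prototype[evil]; }
  if (leaked(() => ({ get origin() { return reads++ === 0 ? TRUSTED : evil; } }))) hits.push("getter");
  return hits;
}
```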
Policy Validation
Static validation: an ML-like type system in which types are annotated with security labels
Two properties are checked:
Reference isolation: kernel objects should not flow to user code
Access path integrity of explicitly invoked functions
Security Labels
A lattice with an “is substitutable for” relation
Substitution is represented by a flow relation
Type system
Primitive type: *
Other types are similar to ML
Types are annotated with security labels
Sample inference rule: calling trusted foreign functions
Policy examples
No dynamic scripts
No string arguments to setInterval, setTimeout
Automatic Policy Generation
Static: instrument Script# (Script# converts C# to JS; JS has no access qualifiers like private)
Generate policies that enforce private and protected accesses
Runtime: test in a sandboxed environment which capabilities are used
Strip off all other capabilities
Evaluation: Micro Benchmarks
Evaluation: Macro Benchmarks
Evaluation: Code Size Increase
Impressions
Neat idea
Impressive performance
No with and eval
Needs browser support
Automatic policy generation
Policies come with the host page; a third-party developer (attacker) may choose not to use any ConScript-supported frameworks
Impressions
setTimeout is also unsafe without policy enforcement
Most policies described can be checked statically
Rule set for type inference may not be complete
Object Views: Fine Grained Sharing in Browsers
Presented by Vaibhav Rastogi
Key Idea
Enable fine grained sharing of JavaScript objects between principals
Let different principals have different views of the objects
Views may differ in access rights, or override methods to hide some information
Aspect-oriented approach
Threat model
Two settings: server-side script rewriters and browsers
The view sharer creates an object view according to policies
The attacker is the view recipient, who tries to steal information that should not be accessible to it
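An added example, not code from the Object Views paper: one object handed to two principals through different views, so the recipient of the narrower view cannot read the withheld field directly or through an overridden method. The Proxy mechanism and the profile object are this example's assumptions.

```javascript
// Added example, not the Object Views paper's own code: one object shared with
// two principals through different views. A view grants read and write rights
// per property and may override methods to hide information; the recipient gets
// nothing else. The Proxy mechanism and the profile object are this example's.
function makeView(obj, policy) {
  const { read = [], write = [], override = {} } = policy;
  const canRead = new Set(read), canWrite = new Set(write);
  const hasOwn = Object.prototype.hasOwnProperty;
  return new Proxy(obj, {
    get(target, key) {
      if (hasOwn.call(override, key)) return override[key];   // hidden behind an override
      if (!canRead.has(key)) return undefined;                // outside this view
      const v = target[key];
      return typeof v === "function" ? v.bind(target) : v;    // methods run on the real object
    },
    set(target, key, value) {
      if (!canWrite.has(key)) throw new Error("view: write to " + String(key) + " denied");
      target[key] = value;
      return true;
    },
    has(target, key) { return canRead.has(key) || hasOwn.call(override, key); },
  });
}

// Constructed sample: the sharer's object; contact() would leak the email.
const profile = {
  name: "Ada", email: "ada@example.test", notes: "",
  greet() { return "hi " + this.name; },
  contact() { return this.email; },
};
// Two recipients, two views of the same object.
const analyticsView = makeView(profile, {
  read: ["name", "greet", "contact"], override: { contact: () => "[hidden]" },
});
const editorView = makeView(profile, {
  read: ["name", "email", "notes", "greet", "contact"], write: ["notes"],
});

function objectViewsDemo() {
  const out = {};
  out.analyticsEmail = analyticsView.email;        // undefined: not in the view
  out.analyticsContact = analyticsView.contact();  // "[hidden]": overridden method
  out.analyticsGreet = analyticsView.greet();      // "hi Ada": method sees the real object
  try { analyticsView.notes = "x"; out.analyticsWrite = "allowed"; } catch (e) { out.analyticsWrite = "denied"; }
  editorView.notes = "reviewed";                   // the editor may write this one property
  out.editorContact = editorView.contact();        // the wider view sees the real email
  out.sharedNotes = profile.notes;                 // "reviewed": one underlying object
  return out;
}
```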
View designs: Example
Comparison with ConScript
Both are very similar aspect-oriented approaches
ConScript is for applying JavaScript policies
Object Views is for creating multiple views for sharing