Securing JavaScript Information Flow with Staged Approach

Slide Note
Embed
Share

This content discusses the challenges of third-party code affecting sensitive data in JavaScript and proposes a staged approach for securing information flow, emphasizing server-side context and policies to enforce confidentiality and integrity. The solution involves analyzing JavaScript staging to ensure no unauthorized data read or write operations occur, providing a syntactically enforceable method for improved security.

onestipe
onestipe Follow

Uploaded on Oct 03, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Staged Information Flow for JavaScript Ravi Chugh, Jeff Meister, Ranjit Jhala, Sorin Lerner UC San Diego

  2. wsj.com <textbox id= SearchBox > <button onclick= doSearch(SearchBox.value) > <script type= javascript > searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } z = get( a.com/ad.js ); eval(z); </script> 2

  3. wsj.com <textbox id= SearchBox > <button onclick= doSearch(SearchBox.value) > <script type= javascript > searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } a.com/ad.js displayAd = function() { ... } displayAd(); </script> 3

  4. wsj.com <textbox id= SearchBox > <button onclick= doSearch(SearchBox.value) > <script type= javascript > searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } a.com/ad.js displayAd = function() { ... } displayAd(); searchUrl = evil.com/ ; </script> 4

  5. evil.com Script navigates to malicious page Exploits browser vulnerability 5

  6. The Problem, Part 1 Third-party code may affect sensitive data e.g. writing doc.location e.g. reading doc.cookie Information flow policies e.g. integrity of doc.location e.g. confidentiality of doc.cookie JavaScript difficulties dynamic typing first-class functions objects, but no classes prototypes server code var doc = ...; third-party code doc.location = evil ; steal(doc.cookie); 6

  7. The Problem, Part 2 Entire code not available until runtime server code Arrives in stages var doc = ...; third-party code doc.location = evil ; steal(doc.cookie); 7

  8. Our Staged Approach: Server context Information Flow Policies Confidentiality policy: x should not be read policy Integrity policy: x should not be written 8

  9. Our Staged Approach: Server context residual policy JavaScript Staging Analysis No Write No Read policy must-not-write vars must-not-read vars Summarizes how loaded code must behave Syntactically enforceable for speed 9

  10. Our Staged Approach: Client Browser context JavaScript Engine residual policy Residual Policy Checker hole 10

  11. wsj.com <textbox id= SearchBox > <button onclick= doSearch(SearchBox.value) > <script type= javascript > document.location searchUrl = wsj.com/search? ; No Write s searchUrl SearchBox.value doSearch = function(s) { var u = searchUrl + s; document.location = u; } No Read doSearch </script> 11

  12. wsj.com <textbox id= SearchBox > <button onclick= doSearch(SearchBox.value) > <script type= javascript > document.location searchUrl = wsj.com/search? ; No Write searchUrl SearchBox.value doSearch = function(s) { var u = searchUrl + s; document.location = u; } No Read doSearch </script> 12

  13. wsj.com <textbox id= SearchBox > <button onclick= doSearch(SearchBox.value) > <script type= javascript > document.location searchUrl = wsj.com/search? ; No Write searchUrl a.com/ad1.js SearchBox.value doSearch = function(s) { var u = searchUrl + s; document.location = u; } No Read displayAd = function() { if (version < 7) { ... } else { ... } } displayAd(); doSearch </script> 13

  14. wsj.com <textbox id= SearchBox > <button onclick= doSearch(SearchBox.value) > <script type= javascript > document.location searchUrl = wsj.com/search? ; No Write searchUrl a.com/ad2.js SearchBox.value doSearch = function(s) { var u = searchUrl + s; document.location = u; } No Read searchUrl = evil.com/ ; doSearch </script> 14

  15. wsj.com <textbox id= SearchBox > <button onclick= doSearch(SearchBox.value) > <script type= javascript > document.location searchUrl = wsj.com/search? ; No Write searchUrl a.com/ad3.js SearchBox.value doSearch = function(s) { var u = searchUrl + s; document.location = u; } No Read doSearch( foo ); doSearch </script> 15

  16. Outline Overview JavaScript Static Analysis Computing Residual Policies Additional Challenges Evaluation 16

  17. Information Flow Graph Analysis tracks information flow in program Flow-insensitive, set constraint-based Graph representation: program constants, variables, edges 0 x special nodes for function declarations and calls Fun 17

  18. searchUrl = wsj.com/search?; doSearch = function(s) { var u = searchUrl + s; document.location = u; } searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); doSearch(SearchBox.value); /* a.com/ad1.js */ displayAd = function() { ... }; displayAd(); 18

  19. wsj.com/search? searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); searchUrl /* a.com/ad1.js */ displayAd = function() { ... }; displayAd(); 19

  20. wsj.com/search? searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); searchUrl /* a.com/ad1.js */ displayAd = function() { ... }; displayAd(); s Fun doSearch 20

  21. wsj.com/search? searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); searchUrl /* a.com/ad1.js */ displayAd = function() { ... }; displayAd(); u s Fun doSearch 21

  22. wsj.com/search? searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); searchUrl /* a.com/ad1.js */ displayAd = function() { ... }; displayAd(); u s Fun doSearch document.location 22

  23. wsj.com/search? searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); searchUrl /* a.com/ad1.js */ displayAd = function() { ... }; displayAd(); u s Fun doSearch SearchBox.value Fun document.location 23

  24. wsj.com/search? searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); searchUrl /* a.com/ad1.js */ displayAd = function() { ... }; displayAd(); u s Fun doSearch SearchBox.value Fun document.location 24

  25. wsj.com/search? searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); searchUrl /* a.com/ad1.js */ displayAd = function() { ... }; displayAd(); u s Fun Fun doSearch displayAd SearchBox.value Fun document.location 25

  26. wsj.com/search? searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); searchUrl /* a.com/ad1.js */ displayAd = function() { ... }; displayAd(); u s Fun Fun doSearch displayAd SearchBox.value Fun Fun document.location 26

  27. wsj.com/search? searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); searchUrl /* a.com/ad1.js */ displayAd = function() { ... }; displayAd(); u s Fun Fun doSearch displayAd SearchBox.value Fun Fun document.location 27

  28. wsj.com/search? searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); doSearch(SearchBox.value); searchUrl /* a.com/ad1.js */ displayAd = function() { ... }; displayAd(); u s Fun Fun doSearch displayAd SearchBox.value Fun Fun document.location 28

  29. wsj.com/search? searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); doSearch(SearchBox.value); searchUrl evil.com/ /* a.com/ad2.js */ searchUrl = evil.com ; u s Fun doSearch SearchBox.value Fun document.location 29

  30. wsj.com/search? searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); doSearch(SearchBox.value); searchUrl evil.com/ /* a.com/ad2.js */ searchUrl = evil.com ; u s Fun doSearch SearchBox.value Fun document.location 30

  31. wsj.com/search? searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); doSearch(SearchBox.value); searchUrl /* a.com/ad3.js */ doSearch( foo ); u s Fun doSearch foo Fun SearchBox.value Fun document.location 31

  32. wsj.com/search? searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); searchUrl /* a.com/ad3.js */ doSearch( foo ); u s Fun doSearch foo Fun SearchBox.value Fun document.location 32

  33. Outline Overview JavaScript Static Analysis Computing Residual Policies Additional Challenges Evaluation 33

  34. wsj.com/search? searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); Add taint to sensitive data and propagate searchUrl searchUrl No Write u u document.location s s Fun Fun searchUrl doSearch doSearch SearchBox.value No Read SearchBox.value SearchBox.value Fun doSearch document.location document.location 34

  35. Residual Policies Difficulties: Aliasing First-class functions Don t want flow analysis in browser Solution: Conservatively taint functions Conservatively taint fields 35

  36. No Write Taint Tainted Functions No Read Taint Transfer taints from parameters to functions Fun Fun No Write to No Read foo foo // hole redefines foo foo = function(t) { // reads t, hence cookie } No Read to No Write foo foo Fun Fun foo(document.cookie); Transfer taints from return values to functions 36

  37. Aliasing and Tainted Fields No Write tmp = document; No Read z = tmp.cookie; document.cookie // reads z tmp.cookie z Residual policy misses future aliasing Conservative approach: if field f is tainted for some object, f tainted for all 37

  38. Outline Overview JavaScript Static Analysis Computing Residual Policies Additional Challenges Evaluation 38

  39. Objects Used pervasively in JavaScript Hence, analysis must be field-sensitive Encode setter and getter for field f using Fldf x = { f:1 }; x.g = 2; Fields can be dynamically added Initially assume no fields Iteratively add constraints until fixpoint 39

  40. Prototypes JavaScript uses prototype-based inheritance Intuitively, each object x has a link to its parent inherits parent s fields x.parent x Ensures each object has fields of its ancestors 40

  41. Indirect Flows if (document.cookie == foo ) { y = 1; } INDIRECT document.cookie y 1 Propagate taints along indirect flow edges But not program values 41

  42. Outline Overview JavaScript Static Analysis Computing Residual Policies Additional Challenges Evaluation 42

  43. Implementation Flow analysis and residual policy generator parse JavaScript (JSure) generate set constraints (6,000 lines of OCaml) solve constraints (Banshee + 400 lines of C) Stand-alone residual policy checker not yet incorporated into browser JavaScript collector Firefox extension (500 lines of JavaScript) 43

  44. Experimental Setup Collect JavaScript for Alexa top 100 web sites server code Context: all server code Hole: all third-party code third-party code 97/100 have JavaScript 63/97 have holes 44

  45. Experimental Setup Information flow analysis on context + hole cookie confidentiality / location integrity Compute residual policy, check it on hole / 45

  46. Scalability of Full Analysis 90 80 70 Running time (seconds) 60 Average: 9.9 sec 50 80% run in <12 sec 40 30 20 10 0 0 5 10 15 Lines of code (thousands) 20 25 30 35 40 45 46

  47. Average Running Times Full Analysis / 9.9 sec Staged Analysis / 14.0 sec 0.13 sec 47

  48. Results of Analysis: Full 30 32 Hole satisfies cookie policy? 30 32 48

  49. Results of Analysis: Staged 30 32 Hole satisfies cookie policy? Residual checker: 26 32 26/30 safe Imprecision: 4 false positives 4 49

  50. Future Work Context-sensitivity Dynamically-constructed field names Test more complicated policies Embed residual policy checker in browser 50

Related


Introduction to Web Programming with JavaScript

Introduction to Web Programming with JavaScript

icarus
Introduction to JavaScript: History, Features, and Functional Paradigm

Introduction to JavaScript: History, Features, and Functional Paradigm

delyth
Understanding Loops and Arrays in JavaScript

Understanding Loops and Arrays in JavaScript

ada_bev
Using JavaScript, CSS, and jQuery to Create Searchable Shuttle APEX Plug-in

Using JavaScript, CSS, and jQuery to Create Searchable Shuttle APEX Plug-in

stefha
Exploring the World of JavaScript and DOM

Exploring the World of JavaScript and DOM

brennank
Introduction to Client-side Web Programming with JavaScript by Jaana Holvikivi

Introduction to Client-side Web Programming with JavaScript by Jaana Holvikivi

maij_48
Excise Readiness Event and Policy Summary for GB-EU Trade

Excise Readiness Event and Policy Summary for GB-EU Trade

allgood_r
JavaScript DOM: Mouse Maze Lab and Exercises

JavaScript DOM: Mouse Maze Lab and Exercises

nrecc
Understanding Flow Monitoring in OVS for Efficient Network Management

Understanding Flow Monitoring in OVS for Efficient Network Management

andreea
ASPEN Staged Separation Unit-Ops

ASPEN Staged Separation Unit-Ops

elouise
Staged Development Tool (SDT) for NPHIs - Background and Description

Staged Development Tool (SDT) for NPHIs - Background and Description

emmalyn
Staged Development Tool for National Public Health Institutes

Staged Development Tool for National Public Health Institutes

fritz
Understanding JavaScript While Loops

Understanding JavaScript While Loops

maura
Working with JavaScript Arrays: Storing and Accessing Data

Working with JavaScript Arrays: Storing and Accessing Data

antoinette
Web Application Development and Programming CTE Program Overview

Web Application Development and Programming CTE Program Overview

harm_21
Understanding Variable Declaration in JavaScript and Its Impact on Web Design

Understanding Variable Declaration in JavaScript and Its Impact on Web Design

blew_zir
Understanding JavaScript: A Brief Overview

Understanding JavaScript: A Brief Overview

noga_ney
Understanding JavaScript Cookies and Storing Data

Understanding JavaScript Cookies and Storing Data

oteh
Understanding JavaScript Core API and Browser Object Model (BOM)

Understanding JavaScript Core API and Browser Object Model (BOM)

ayme_43
Understanding Open Channel Flow and Mannings Equation

Understanding Open Channel Flow and Mannings Equation

zhu_yl
Introduction to State Management with Flux and Redux in JavaScript Apps

Introduction to State Management with Flux and Redux in JavaScript Apps

kindrick
Information-Agnostic Flow Scheduling: Minimizing FCT in Data Centers

Information-Agnostic Flow Scheduling: Minimizing FCT in Data Centers

jam_sti
Importance of Cash Flow Analysis in Financial Management

Importance of Cash Flow Analysis in Financial Management

georgina
Understanding Flow Chemistry for Efficient Chemical Reactions

Understanding Flow Chemistry for Efficient Chemical Reactions

fcry

More Related Content