The document discusses self-protecting JavaScript as a technique for sandboxing untrusted third-party JavaScript code. It proposes a two-tier sandbox architecture where an outer sandbox enforces security policies on an API, and an inner sandbox then executes untrusted code using only the enforced API. This approach separates policy definition from API implementation to allow fine-grained, modular policies without requiring browser modifications or pre-processing of untrusted code. The technique works by wrapping security-sensitive JavaScript operations to intercept and control bad behavior based on the policies.
A Two-Tier Sandbox Architecture for Untrusted JavaScript
1. Phu H. Phung
Chalmers University of Technology
Joint work with Lieven Desmet (KU Leuven)
JSTools '12
June 13, 2012, Beijing, China
2. External third-party JS code embedded in hosting pages, e.g., ads, widgets, analysis tools
Runs with the same privilege as the hosting page
Security issues:
Malicious third-party code
Trusted third party is compromised
Confidentiality, integrity, and other security risks
3. Server-side pre-processing of untrusted code to ensure the code is in a safe subset
Transformation, e.g. Caja, BrowserShield
Code validation, e.g. ADsafe
Iframe isolation, e.g., AdJail, WebJail
Behavioral sandboxing
Browser modification, e.g. ConScript
Client-side security wrappers
4. Context
Overview of Self-Protecting JavaScript
Goals
Two-tier sandbox architecture
Technical approach
Validation
Summary and further work
5. Intercept JavaScript security-relevant actions with policies by wrappers
Control or modify the bad behaviour
The method works since we only try to control built-in calls
6. Ease of deployment
No browser modification nor user installation
Non-invasive: no difficulties with dynamically generated JavaScript code
Focus on code behavior, not code integrity
Does not parse or transform the code
Can enforce application-specific, fine-grained policies at runtime, e.g.:
Limit the number of popups to 3
Disallow send after cookie read
7. Self-Protecting JavaScript (diagram): hosting code is TRUSTED and external code is UNTRUSTED, yet the browser makes no privilege distinction between hosting code and external code
8. Deploy SPJS in the context of untrusted JS
Load and execute untrusted code without pre-processing the code
No browser modification is required
Enforce modular, fine-grained, stateful security policies for a piece of untrusted code
Protect the hosting page from untrusted code
Robust to potential flaws in security policies
Badly written policies should not break security
9. Use the Secure ECMAScript (SES) library developed by the Google Caja team (Miller et al.)
Load a piece of code to execute within an isolated environment
▪ The code can only interact with the outside world via a provided API
var api = {...}; // constructing the API
var makeSandbox = cajaVM.compileModule(untrustedCodeSrc);
var sandboxed = makeSandbox(api);
10. API implementation
Can enforce coarse-grained, generic policies, e.g.:
▪ Sanitize HTML
▪ Ensure complete mediation
More fine-grained policies are needed for multiple pieces of untrusted code
Modular, principal-specific, e.g.: script1 is allowed to read/write reg_A, script2 is allowed to read reg_A
Stateful, e.g.: limit the number of popups to 3
Cross-principal stateful policies, e.g.: after script1 writes to reg_A, disallow access from script2 to reg_A
11. (diagram) Three pieces of untrusted code, each behind its own API/policy 1, API/policy 2 and API/policy 3
• API implementation is complex
• Difficult and error-prone to specify application-specific policy within the API
12. var api = loadAPI(api_url);
var outerSandbox = cajaVM.compileModule(policyCode);
var enforcedAPI = outerSandbox(api);
var innerSandbox = cajaVM.compileModule(untrustedCode);
innerSandbox(enforcedAPI);
13. (diagram)
Base-line API implementation, in e.g. `api.js' file
Sandbox running policy code, defined in a separate file e.g. `policy.js'
Sandbox running untrusted code, defined in a separate file e.g. `untrusted.js'
JavaScript environment, e.g. the DOM
The policy code can only access the base-line API and provided wrapper functions
The implementation of policy is an adaptation of Self-Protecting JavaScript in ECMAScript 5
The untrusted code can only access objects returned by the enforcement sandbox
14. (diagram) One base-line API implementation, in e.g. `api.js' file, shared by Policy 1, Policy 2 and Policy 3, each guarding its own piece of untrusted code
15. Policy definition is constrained by the outer sandbox
Even badly written policies can only access the API, not the real DOM
Whitelist (least-privilege) implementation approach
Only properties and objects defined in policies are available to the untrusted code
▪ Only define least-privilege policies to function
16. Load and run remote JS code
Server-side proxy + XMLHttpRequest
Base-line API implementation – complete mediation is essential
Proxy API in Harmony ECMAScript
Dynamically loaded code, e.g. document.write('<script …>…</script>'), …
Load and execute the script in the same scope
17. The prototype implementation is validated by a number of JS widgets and a context-sensitive web ad
On-going work
In real applications, e.g., Google Maps, Google Analytics, jQuery
Ad networks – advertisement-specific behaviors
18. The two-tier sandbox architecture separates API implementation and policy definition
Load and execute a piece of untrusted code in a sandboxed environment controlled by fine-grained, stateful policy enforcement
Further work will focus on practical issues to deploy the architecture to real-world scenarios
19. The work is partially funded by the European FP7 project WebSand http://www.websand.eu
This talk, i.e. the trip, is supported by the Ericsson Research Foundation
With the financial support from the Prevention of and Fight against Crime Programme of the European Union
23. var node_map = new WeakMap(); // private map from each wrapper to the real document
function iHTMLDocument(){ node_map.set(this, document); }
iHTMLDocument.prototype = {
  getElementById : function(id){
    try{
      var element = node_map.get(this).getElementById(id);
      return wrapNode(element); // wrapNode: enforcement-library function that wraps the real node
    }catch(e){}
  },
  //…
};
var iDocument = new iHTMLDocument(); // base-line
// application-specific policies, applied by the enforcement library
var mydocument = enforceWhitelistPolicies(my_policy, iDocument);
var api = {document: mydocument, …};
24. (diagram) api.js, policy.js and ad.js run in the sandbox: the ad script is allowed restricted read access and restricted write access to its own region, while the menu and other contents are not accessible to the ad script
25. var api_and_enforcement = ...; // baseline API & enforcement library
// using XMLHttpRequest to get the content of file `policy.js' into the `policyCode' variable
var moduleMaker = cajaVM.compileModule(policyCode);
var enforcedAPI = moduleMaker(api_and_enforcement);
load_untrustedCode(enforcedAPI);
function load_untrustedCode(api){
  // using XMLHttpRequest to get the content of file `untrustedcode.js' into the `untrustedCode' variable
  var moduleMaker = cajaVM.compileModule(untrustedCode);
  moduleMaker(api);
}
See it?
27. Only allow URIs in a whitelist when sending by XMLHttpRequest
wrap(XMLHttpRequest, whitelist_policy)
Do not allow send after cookie read
document.__defineGetter__('cookie', cookie_policy)
Limit the number of alerts to 2
wrap(window.alert, alert_policy)
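The three policies on this slide as one stateful policy layer, written as an added example (not the slides' wrapping library or the Caja SES code). It assumes a constructed stand-in for the base-line API (makeBaseApi) whose built-ins only record calls; the names enforcePolicies, PolicyViolation, runScenario and the sample hosts are assumptions.

```javascript
// Added example, not the slides' wrapping library: the three policies from
// the slide as one stateful policy layer over a constructed stand-in for the
// base-line API. Names (makeBaseApi, enforcePolicies, PolicyViolation,
// runScenario) and the sample hosts are assumptions.

class PolicyViolation extends Error {}

// Constructed stand-in for the base-line API (api.js). Its "built-ins" only
// record what reaches them, so the effect of each policy can be checked.
function makeBaseApi() {
  const log = [];
  return {
    log,
    document: { cookie: "session=abc" },
    alert(msg) { log.push("alert:" + msg); },
    XMLHttpRequest: class {
      open(method, url) { this.url = String(url); }
      send() { log.push("send:" + this.url); }
    },
  };
}

// Counterpart of policy.js: builds the enforced API handed to the inner
// sandbox. Only members created here exist on the result (whitelist
// approach); everything else on the base-line API stays unreachable.
function enforcePolicies(base, opts) {
  const state = { alerts: 0, cookieRead: false };   // per-principal policy state

  function checkUri(url) {
    const host = new URL(String(url)).hostname;      // coerce once, then inspect
    if (!opts.allowedHosts.includes(host)) {
      throw new PolicyViolation("blocked host: " + host);
    }
  }

  // Reading document.cookie is allowed, but it taints the session so that
  // no later send() can carry the value out.
  const enforcedDocument = Object.freeze({
    get cookie() { state.cookieRead = true; return base.document.cookie; },
  });

  class EnforcedXHR {
    constructor() { this.inner = new base.XMLHttpRequest(); }
    open(method, url) {
      checkUri(url);                                   // URI whitelist policy
      this.inner.open(method, String(url));
    }
    send(body) {
      if (state.cookieRead) throw new PolicyViolation("send after cookie read");
      this.inner.send(body);
    }
  }

  return Object.freeze({
    document: enforcedDocument,
    alert(msg) {                                       // at most opts.maxAlerts alerts
      if (state.alerts >= opts.maxAlerts) return;
      state.alerts += 1;
      base.alert(String(msg));
    },
    XMLHttpRequest: EnforcedXHR,
  });
}

// Drives the enforced API the way an untrusted script would and returns
// what the stand-in built-ins saw and which calls the policies refused.
function runScenario() {
  const base = makeBaseApi();
  const api = enforcePolicies(base, { allowedHosts: ["ads.example"], maxAlerts: 2 });
  const refused = [];
  for (let i = 0; i < 4; i++) api.alert("hi" + i);     // only two reach the built-in
  const ok = new api.XMLHttpRequest();
  ok.open("GET", "https://ads.example/track");
  ok.send();                                           // whitelisted host, cookie not read yet
  try {
    new api.XMLHttpRequest().open("GET", "https://other.example/x");
  } catch (e) { refused.push(e.message); }             // host not in whitelist
  const c = api.document.cookie;                       // allowed, but flips the state
  try {
    const r = new api.XMLHttpRequest();
    r.open("GET", "https://ads.example/after?n=" + c.length);
    r.send();
  } catch (e) { refused.push(e.message); }             // refused: send after cookie read
  return {
    log: base.log,
    refused,
    exposesRealDocument: "getElementById" in api.document,  // false: not whitelisted
  };
}
```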
28. Policy code and enforcement code are defined in a text file; the original code is not syntactically modified
The enforcement code can be deployed anywhere: server side, proxy or browser plug-in, i.e. no need for a modified browser
<html>
<head>
<script src="selfprotectingJS.js"></script>
<title>Self-protecting JavaScript </title>
<meta content=…> <style>…</style>
<script>…</script>
<!-- more heading setting -->
</head>
<body>
<script type="text/javascript">
(function() {..})();
</script>
<!-- the content of page -->
</body>
</html>
(chart) Runtime overhead, slowdown (times): Self-Protecting 6.33, BrowserShield 66.03
29. (diagram) Function: constructor, prototype, apply( ), call( )
Anonymous scope: wrapping library + policy code
$virgin_apply = Function.prototype.apply;
...
original.apply(this, args);
...
This is a general JavaScript problem
30. (diagram) Code → Policy checker → JavaScript execution environment (e.g. browsers) with native implementations (the built-in open implementation)
window.open("good.com", "_blank", "location=yes", true);
Policy: only allow URLs in a whitelist: good.com, ...; bad.com is rejected
var maliciousURL = {
  toString: function() {
    this.toString = function(){ return "bad.com"; };
    return "good.com";
  }
};
window.open(maliciousURL);
31. WRAPPER (diagram): the policy can inspect and modify values
Inspection type for policy: x: "string", y: *, z: "string", w: "boolean"
Input: x = {toString: function() { this.toString = function(){ return "bad.com"; }; return "good.com"; }}, y: "_blank", z: "location=false", w: true
Copy: copy values and coerce to the type specified by the policy: x: "good.com", y: "_blank", z: "location=false", w: true
Combine: the output of the policy (x: "good.com", z: "location=true", w: false) is merged with the original input
Built-in: receives the combined values
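The Copy / policy / Combine steps of the wrapper as an added example (not the slides' wrapping library): each argument is coerced exactly once to the inspection type the policy declares, the policy sees only that copy, and the built-in receives the combined result, so the toString() trick from slide 30 cannot show the policy one string and the built-in another. The names wrapWithTypedPolicy, urlWhitelistPolicy, makeOpen and demo, and the stand-in for window.open, are assumptions.

```javascript
// Added example, not the slides' wrapping library: a typed wrapper around a
// window.open-style built-in. Names (coerce, wrapWithTypedPolicy,
// urlWhitelistPolicy, makeOpen, maliciousURL, demo) are assumptions.

// Coerce one argument to the primitive type the policy declares. This runs
// exactly once per argument, so a toString() that answers differently on its
// second call cannot give the policy and the built-in different views.
function coerce(value, type) {
  switch (type) {
    case "string":  return String(value);
    case "boolean": return Boolean(value);
    case "number":  return Number(value);
    case "*":       return value;   // not inspected by the policy, passed through
    default: throw new TypeError("unknown inspection type " + type);
  }
}

// Wrap a built-in. `types` gives the inspection type per positional argument.
// `policy` receives the coerced copy and returns null (deny) or an object of
// positional overrides that are merged over the copy (Combine).
function wrapWithTypedPolicy(original, types, policy) {
  return function wrapped(...args) {
    const copy = types.map((t, i) => coerce(args[i], t));       // Copy
    const decision = policy(copy);                              // policy sees primitives only
    if (decision === null) return undefined;                    // denied: built-in never runs
    const combined = copy.map((v, i) => (i in decision ? decision[i] : v)); // Combine
    return original.apply(this, combined);                      // Built-in gets coerced values
  };
}

// Policy from slide 30: only allow URLs whose host is in a whitelist, and
// force the features string so the location bar is always shown.
// Host extraction is simplified (scheme stripped, first path segment).
function urlWhitelistPolicy(whitelist) {
  return function (copy) {
    const host = copy[0].replace(/^[a-z]+:\/\//i, "").split("/")[0];
    if (!whitelist.includes(host)) return null;
    return { 2: "location=yes" };
  };
}

// Constructed stand-in for window.open that only records what it received.
function makeOpen() {
  const calls = [];
  const open = function (url, target, features, replace) {
    calls.push({ url, target, features, replace });
    return calls.length;
  };
  return { open, calls };
}

// The object from slide 30: the first coercion yields "good.com", every
// later one yields "bad.com".
function maliciousURL() {
  return {
    toString() {
      this.toString = function () { return "bad.com"; };
      return "good.com";
    },
  };
}

function demo() {
  const { open, calls } = makeOpen();
  const safeOpen = wrapWithTypedPolicy(open, ["string", "*", "string", "boolean"],
                                       urlWhitelistPolicy(["good.com"]));
  safeOpen(maliciousURL(), "_blank", "location=no", 1); // coerced once: "good.com" reaches the built-in
  safeOpen("bad.com", "_blank", "location=no", false);  // denied: never reaches the built-in
  const m = maliciousURL();
  const twice = [String(m), String(m)];                 // shows why a second coercion is unsafe
  return { calls, twice };
}
```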
32. Self-protecting JavaScript is appealing for untrusted dynamically loaded JavaScript
Does not parse or transform the code, and can enforce application-specific, modular fine-grained policies at runtime
However, due to the dangerous features of current JavaScript, it is not possible to sandbox untrusted JavaScript without heavy restrictions, e.g. FacebookJS, ADsafe…
(diagram) Self-Protecting JavaScript: TRUSTED code vs UNTRUSTED code
33. Patch dangerous features in current JavaScript
ES5 strict mode (ES5S) provides more restrictions
Credit: Taly et al., SP 2011
34. Secure ECMAScript (SES) is a subset of ES5S, under consideration to be included in future ECMAScript
The Google Caja team developed SES as a library
In SES, untrusted JavaScript can be loaded and executed dynamically in an isolated environment
Without static validation, code filtering or transformation
35. Untrusted code executed in a sandbox can only interact with the outside world through a provided API
var moduleMaker = cajaVM.compileModule(untrustedCodeSrc);
var sandboxed = moduleMaker(api);
(diagram) untrustedCode runs inside the sandbox and reaches the global context only through the API
36. Our approach is to control and modify the behaviour of JavaScript by wrapping the security-sensitive operations to make the code self-protecting
No browser modifications
Non-invasive
▪ Solves the problem of dynamic scripts
▪ Avoids the need for extensive runtime code transformation
Can apply in sandboxing untrusted JavaScript in ECMAScript 5
Editor's Notes
Assume we have a base-line API implementation for untrusted code
Suppose that we have a policy that only allows good URLs defined in a whitelist