Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Lightweight Self-Protecting JavaScript
1. Lightweight Self-Protecting JavaScript*
Phu H. Phung David Sands
Chalmers University of Technology
Gothenburg, Sweden
29.03.09 - 03.04.09, Dagstuhl Seminar 09141
Web Application Security
Dagstuhl 02 April 2009
Andrey Chudnov
Stevens Institute of Technology
New Jersey, USA
* In Proceedings of ASIACCS’09, 10-12 March 2009, Sydney, ACM Press
2. 1/18
The concern problems
• Injected (untrusted) JavaScript code (e.g.XSS)
– A malicious user (the attacker) injects potentially
dangerous JavaScript code into a webpage via
data entry in the webpage, e.g.:
• blog
• forum
• web-mail
• Third party scripts (e.g. advertisement,
mashup web applications)
• Buggy code
Dagstuhl 09141, 2 April 2009Phu H. Phung, David Sands, Andrey Chudnov – cse.chalmers.se
3. 2/18
Previous solutions
Server Filtering for Script Detection
• detect and remove potential malicious scripts
Problems
• Parser mismatch problem: filter does not always
parse in the same way as browser
c.f. Samy / MySpace
• Dynamic scripts problematic...
Phu H. Phung, David Sands, Andrey Chudnov – cse.chalmers.se Dagstuhl 09141, 2 April 2009
4. 3/18
Previous solutions
Server Filtering for Script Detection
detect and remove potential malicious scripts
Problems
Parser mismatch problem: filter does not always
parse in the same way as browser
c.f. Samy / MySpace, Yamanner / Yahoo Mail
• Dynamic scripts problematic...
Phu H. Phung, David Sands, Andrey Chudnov – cse.chalmers.se
<script>
document.write(‘<scr’);
document.write(‘ipt> malic’);
var i= 1;
document.write(‘ious code; </sc’);
document.write(‘ript>’);
</script>
<script> malicious code; </script>
Dagstuhl 09141, 2 April 2009
5. 4/18
Previous solutions
Server Filtering for Script Detection
Prevent dynamic scripts by safe language subsets
(c.f. Facebook’s FBJS, ADsafe, CoreScript)
• Limits functionality
• Defeated by parser mismatch problem
Phu H. Phung, David Sands, Andrey Chudnov – cse.chalmers.se Dagstuhl 09141, 2 April 2009
6. 5/18
Previous solutions
Behavioural Control:
Don’t try to detect bad scripts,
just prevent bad behaviour
• Modify browser with
reference monitor
• Transform code at
runtime to make it safe
Phu H. Phung, David Sands, Andrey Chudnov – cse.chalmers.se
• Requires
browser
modification,
e.g. BEEP
• Limited policies
• Parser mismatch
problem
• Dynamic code
runtime transformation
high overhead
e.g. BrowserShield
Dagstuhl 09141, 2 April 2009
7. 6/18Phu H. Phung, David Sands, Andrey Chudnov – cse.chalmers.se
Our approach:
Use an Inlined Reference Monitor
• “inline” the policy into the JavaScript code
so that the code becomes self-protecting
• The policy enforcement is implemented in
a lightweight manner
– does not require browser modification
– non invasive: the original code (and any dynamically
generated code) is not syntactically modified
– its implementation is a small and simple adaptation of
an aspect-oriented programming library
Dagstuhl 09141, 2 April 2009
8. 7/18Phu H. Phung, David Sands, Andrey Chudnov – cse.chalmers.se
The policy
• The enforcement mechanism is security
reference monitor-based
• Ensure safety property of program execution
• Examples:
• Only allow URI in a white-list when sending by
XMLHttpRequest
• Do not allow send after cookie read
• Limit the number of alerts to 2
Dagstuhl 09141, 2 April 2009
9. 8/18Phu H. Phung, David Sands, Andrey Chudnov – cse.chalmers.se
Enforcement method
• Intercept JavaScript API method call by
inlining policy into the call
– control or modify the bad behaviour
• Monitor access to sensitive properties
Dagstuhl 09141, 2 April 2009
10. 9/18
• Use aspect-oriented programming (AOP)
to intercept JavaScript API method call
• No browser modification
• No syntactical script code modification
Phu H. Phung, David Sands, Andrey Chudnov – cse.chalmers.se
before( {target: window, method: 'alert'},
function() {
log('AOP test: window.alert is invoked');
}
);
Execution point =
Point cut in AOP
Advice
(additional code at an
execution point)
Lightweight
Advice types:
before, after, around
Dagstuhl 09141, 2 April 2009
11. 10/18Phu H. Phung, David Sands, Andrey Chudnov – cse.chalmers.se
AOP weaving: Adapt jQuery AOP
Dagstuhl 09141, 2 April 2009
Store the original method
Apply the policy
Control the original method
var wrap = function(pointcut, Policy) {
var source = (typeof(pointcut.target.prototype) != 'undefined‘)?
pointcut.target.prototype : pointcut.target;
var method = pointcut.method;
var original = source[method];
var aspect = function() {
var invocation = { object: this, args: arguments };
return Policy.apply(invocation.object,
[{ arguments: invocation.args,
method: method,
proceed : function(){ return original.apply(
invocation.object, invocation.args);}}] );
};
source[method] = aspect;
return aspect;
};
13. 12/18Phu H. Phung, David Sands, Andrey Chudnov – cse.chalmers.se
The problems of dynamic feature
• Consider the behaviour of the code
– Avoid the problems of dynamic feature of
JavaScript
Dagstuhl 09141, 2 April 2009
%61%6C%65%72%74%28%27%58
%53%53%27%29%3B%0A%0A
alert(‘XSS’)
var abcxyz = window.alert;
abcxyz(‘XSS’);
eval(“alert(‘XSS’)”);
(function(){ return this;})().alert(‘XSS’);
14. 13/18
• Use Mozilla-specific setter and getter*
object.prototype.__defineGetter__(...),
object.prototype.__defineSetter__(...)
* This feature is Mozilla-specific, however, it has been specified in the
current draft proposal for the next generations of JavaScript
(ECMA-262 3.1)
Phu H. Phung, David Sands, Andrey Chudnov – cse.chalmers.se
Monitoring Property access
Dagstuhl 09141, 2 April 2009
15. 14/18Phu H. Phung, David Sands, Andrey Chudnov – cse.chalmers.se
A realisation
• Structure of a webpage containing policy
enforcement code
• Policies are located in the first script tag
– Policy enforcement is applied for the rest of code
Dagstuhl 09141, 2 April 2009
The enforcement code can be deployed in
any sides: server side, proxy or plug-in
16. 15/18Phu H. Phung, David Sands, Andrey Chudnov – cse.chalmers.se
Effectiveness
• Defend real-world exploits
– phpBB 2.0.18 vulnerabilities – a stored XSS
attack (see demo)
– WebCal vulnerabilities –a reflected XSS attack
• Can enforce application-specific policies
– Using building blocks, i.e. security policy
patterns
Dagstuhl 09141, 2 April 2009
17. 16/18Phu H. Phung, David Sands, Andrey Chudnov – cse.chalmers.se
Security Policy Patterns (1)
• Preventing leakage of sensitive data
– monitoring sensitive data read and data output e.g.
write, redirect, XMLHttpRequest...
Dagstuhl 09141, 2 April 2009
enforcePolicy({target:XMLHttpRequest,
method: 'send'},
function(invocation){
XMLHttpRequestPolicy(invocation);});
18. 17/18Phu H. Phung, David Sands, Andrey Chudnov – cse.chalmers.se
Security Policy Patterns (2)
• Preventing impersonation attacks
– only allow URI in a defined white-list
Dagstuhl 09141, 2 April 2009
var XMLHttpRequestPolicy = function(invocation){
//allow the transaction if the
// URI is in the whitelist
if (AllowedURL(XMLHttpRequestURL)){
policylog("XMLHttpRequest is sent");
return invocation.proceed();
}
policylog("XMLHttpRequest is suppressed:“+
"potential impersonation attacks");
}
19. 18/18Phu H. Phung, David Sands, Andrey Chudnov – cse.chalmers.se
Security Policy Patterns (3)
• Preventing forgery attacks, e.g.
– open a new window without the location bar: enforce
corresponding invariants
– faked links: detect and disable the faked links
Dagstuhl 09141, 2 April 2009
var checkLinks = function(){
var links = document.links;
if (!links){ policylog('no links'); return; }
for(var i = 0; i < links.length; i++) {
if (!AllowedLinks(links[i].href))
{
links[i].href =
"javascript:alert('disabled link')";
}
}
}
20. 19/18Phu H. Phung, David Sands, Andrey Chudnov – cse.chalmers.se
Security Policy Patterns (4)
• Preventing resource abuse
– limit or prohibit potential abuse functions
Dagstuhl 09141, 2 April 2009
21. 20/18Phu H. Phung, David Sands, Andrey Chudnov – cse.chalmers.se
Overhead
Render: 5.37%
Weaving slowdown 6,33 times (We measure
micro-benchmark with operations)
Dagstuhl 09141, 2 April 2009
22. 21/18
Limitations
• Policies cannot span multiple pages
– frame and iframe are separate pages!
• Implementation Specific Solutions and
Problems
– Use of custom getter and setter (in Mozilla,
but not in IE)
– Problems handling Mozilla’s delete semantics
Both problems solved in ECMA-262 v3.1
proposal
Phu H. Phung, David Sands, Andrey Chudnov – cse.chalmers.se Dagstuhl 09141, 2 April 2009
23. 22/18
Summary
• Our approach is to control and modify the
behaviour of JavaScript by transforming
the code to make it self-protecting
– no browser modifications
– non-invasive
• solve the problem of dynamic scripts
• avoiding the need for extensive runtime code
transformation
Phu H. Phung, David Sands, Andrey Chudnov – cse.chalmers.se Dagstuhl 09141, 2 April 2009
24. 23/18
Further concerns
• Case studies for particular web
applications
• Integration with other methods
• Securing JavaScript AOP
Phu H. Phung, David Sands, Andrey Chudnov – cse.chalmers.se Dagstuhl 09141, 2 April 2009
25. ASIACCS'09, 10 March 2009Phu H. Phung, David Sands, Andrey Chudnov – cse.chalmers.se
26. 25/18
Attacks to the Unique Reference Property
• Restoring built-in methods from another
page
– Creates a new window, frame or iframe to
manufacture a pointer to the original built-in
methods
• Mozilla’s delete operator
– Our wrapper methods are not built-in, they are
deletable and the deletion exposes the
original built-in.
Phu H. Phung, David Sands, Andrey Chudnov – cse.chalmers.se Dagstuhl 09141, 2 April 2009