Caja "Ka-ha" Introduction

  1. Caja "KA-ha"
     yiminghe@gmail.com
     承玉
     2011-09-20 Draft
  2. Outline
     Background
     Caja Introduction
     Caja Internal
     Learn By Example
  3. JavaScript is dangerous?
  4. Stealing cookies
  5. DDoS
     Make requests to your server
  6. Expose all information
     See what it should not see
  7. Load viral script
     Can load as many viral scripts as it wants
  8. Forge ID
     Ask the user for information as your ID
  9. Finally leak
     Send what it got to a remote server
  10. So?
  11. But
  12. Caja Comes
      HTML, CSS, JavaScript security
      Object-capability JavaScript
      Safe subset of JavaScript
      Related:
      Microsoft Web Sandbox
      FBJS
      YAHOO! Adsafe
  13. Sanitize
  14. YAP
  15. Make app safe
  16. Object Capability
      Caja uses the object-capability security model
  17. What does it mean
      Diagram: caller, callee, other
      Caller can call callee by reference
      Caller cannot call other in the global namespace
  18. How to get a reference
      Creation or introduction
  19. Internals
      Backend
      Frontend
  20. Backend
      Rewrite source code to allow runtime checks
  21. Frontend
      Runtime checks in the browser
      Enhanced object property descriptors
      Block access to globals
      Wrap native DOM
      Iframed isolation
  22. Iframed isolation
  23. Frontend
  24. Learn By Example
  25. Simple example
      Source code:
          this.x = 1; window.alert(2);
      Issues?
  26. Compiled code:
          ___.loadModule({
            'instantiate': function (___, IMPORTS___) {
              var dis___ = IMPORTS___;
              var moduleResult___, x0___;
              moduleResult___ = ___.NO_RESULT;
              dis___.x_w___ === dis___ ? (dis___.x = 1) : dis___.w___('x', 1);
              moduleResult___ = (x0___ = IMPORTS___.window_v___ ? IMPORTS___.window :
                ___.ri(IMPORTS___, 'window'), x0___.alert_m___ ? x0___.alert(2) :
                x0___.m___('alert', [ 2 ]));
              return moduleResult___;
            },
  27. Little note
      IMPORTS___ : runtime environment
      *_w___ : whether writing is allowed
      w___ : intercept writing
      v___ : intercept getting
      *_m___ : whether calling the method is allowed
      m___ : intercept method call
  28. DOM example
      Source code:
          document.body.style = 'color:red';
      Issues?
  29. Compiled:
          var dis___ = IMPORTS___;
          var moduleResult___, x0___, x1___;
          moduleResult___ = ___.NO_RESULT;
          moduleResult___ = (x1___ = (x0___ = IMPORTS___.document_v___ ?
            IMPORTS___.document : ___.ri(IMPORTS___, 'document'),
            x0___.body_v___ ? x0___.body : x0___.v___('body')), x1___.style_w___
            === x1___ ? (x1___.style = 'color:red') : x1___.w___('style',
            'color:red'));
          return moduleResult___;
  30. Import KISSY
      Inject KISSY into IMPORTS___
      Source:
          KISSY.DOM.addClass(el, "x");
  31. Compiled:
          var dis___ = IMPORTS___;
          var moduleResult___, x0___, x1___, x2___;
          moduleResult___ = ___.NO_RESULT;
          moduleResult___ = (x1___ = (x0___ = IMPORTS___.KISSY_v___ ?
            IMPORTS___.KISSY : ___.ri(IMPORTS___, 'KISSY'), x0___.DOM_v___ ?
            x0___.DOM : x0___.v___('DOM')), x2___ = IMPORTS___.el_v___ ?
            IMPORTS___.el : ___.ri(IMPORTS___, 'el'), x1___.addClass_m___ ?
            x1___.addClass(x2___, 'x') : x1___.m___('addClass', [ x2___, 'x' ]));
          return moduleResult___;
  32. How
      Tell IMPORTS___ to recognize KISSY.DOM.addClass as a function:
          frameGroup.makeES5Frame(document.getElementById("theGadget2"),
            { /* Grant this gadget no network access */ },
            function (frame) {
              // Load and run the gadget
              frame.contentCajoled(code)
                .run({
                  KISSY: frameGroup.tame({
                    DOM: frameGroup.markFunction(function () {})
                  })
                });
            });
  33. Import others
      Class: Anim
      Instance method: Anim.proto.run
      Class: EventObject
      Instance member: EventObject.proto.target
      …etc
  34. Demo
  35. References
      Caja
      http://code.google.com/p/google-caja/
      YAP
      http://developer.yahoo.com/yap/guide/caja-support.html
      http://developer.yahoo.com/yap/guide/what-are-cajas-limitations.html
      TAOBAO SHOP
      http://shopxxx.taobao.com
  36. Thank you
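
The object-capability rule on slides 16-18 and the flag checks listed on slide 27, as an added JavaScript example that is not part of the original deck and is not Caja's runtime. `grant`, `read`, `write`, `call`, `makeImports` and `runGuest` are hypothetical names, the host objects are constructed, and the slow path here is assumed to simply deny access.

```javascript
'use strict';

// Record a permission on obj using the slide's flag suffixes:
// name_v___ = readable, name_w___ = writable, name_m___ = callable.
function grant(obj, name, modes) {
  for (const mode of modes) {
    // The write flag holds the object itself, so the compiled test
    // `obj.x_w___ === obj` fails for a flag inherited from a prototype.
    Object.defineProperty(obj, name + '_' + mode + '___',
                          { value: mode === 'w' ? obj : true });
  }
  return obj;
}

// Fast path / slow path, shaped like the compiled output. In this sketch
// the slow path simply denies (assumption; the real runtime does more).
function read(obj, name) {
  return obj[name + '_v___'] ? obj[name] : undefined;
}
function write(obj, name, value) {
  if (obj[name + '_w___'] === obj) return (obj[name] = value);
  throw new TypeError('write to "' + name + '" not permitted');
}
function call(obj, name, args) {
  if (obj[name + '_m___']) return obj[name].apply(obj, args);
  throw new TypeError('call to "' + name + '" not permitted');
}

// Constructed host objects: the guest is introduced to a logger and a
// config with one readable field, and to nothing else (no window).
function makeImports(sink) {
  const logger = grant({ log: (msg) => sink.push(msg) }, 'log', ['m']);
  const config = grant({ theme: 'dark', secret: 's3cr3t' }, 'theme', ['v']);
  return grant(grant({ logger, config }, 'logger', ['v']), 'config', ['v']);
}

// What a rewritten guest module would do with its IMPORTS___ argument.
function runGuest(IMPORTS) {
  const results = {};
  results.theme = read(read(IMPORTS, 'config'), 'theme');
  results.secret = read(read(IMPORTS, 'config'), 'secret'); // not granted
  results.window = read(IMPORTS, 'window');                 // never introduced
  results.logged = call(read(IMPORTS, 'logger'), 'log', ['hi']);
  try { write(read(IMPORTS, 'config'), 'theme', 'light'); results.wrote = true; }
  catch (e) { results.wrote = false; }
  return results;
}
```

The guest can use only the references it was introduced to, and every read, write and call on them is decided by a flag the host set.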
