Transcript ConScript

Presented by Vaibhav Rastogi



Advent of Web 2.0 and Mashups
Inclusion of untrusted third party content a
necessity
Need to restrict the functionality of untrusted
content, content that does not need that
functionality


A browser based, security oriented aspect
system
Allow hosting page to specify policies
 Restrict code execution in the context of the
hosting page

Examples
 Limiting eval to JSON parsing
 Allowing only white-listed strings, scripts

Security aspects in the browser
 Deep aspects with native support




Static and runtime validation strategies for
aspects
17 example security and reliability policies for
JavaScript
Automatic policy generation
Evaluation



eval considered unsafe
But a necessity for JSON parsing
Approach 1:
 Redefine eval
 Shallow redefinition
 Other access paths to eval may exist

Aspects:
 Specify code to execute – advice
 At particular moments of execution - pointcut

Approach 2
 Require browser support
 Uses aspects – advice and pointcuts



Advice registration
Binding original advised function to new
function
Use type safe calls



The around advice
Call the function parameter instead of the
function specified as the first parameter
The advice designer decides what to do in the
new function
 Throw exception
 Do some safe execution
 Invoke the original function

Several access paths to
designate an
object/function
var ge = document.getElementById;

Current state of the art - wrapping of an
access path
 Shallow advice
 Protects only one access path

Conscript’s approach
 Deep advice
 Registering advice on one access path suffices





Browser is trusted
Host web site specifies the policies – advice
Advice is trusted – kernel level code
Untrusted scripts (user level code) are loaded
after advice specification
Allow libraries to be loaded before advice
 They should declare new code only
 They should not change the environment in
undesirable ways

User defined functions
 Represented as closures
 Point closure to advice function
 A bit indicates if advice is enables

Native functions:
 Analogous to user defined functions

Foreign functions
 Like
frame[0].postMessage
 Use translation table

Problem of infinite recursion

Solution
 Define two functions
▪ bless: enable the advice
▪ curse: disable the advice

Rewrite

Autobless
 Avoid verbosity
 More efficient

What if the raw function is not called
 Be explicit
 curse


Important pointcut
aroundScript

Advice should not be tampered with
 Should be written in a secure manner

A vulnerable advice definition
 A whitelist policy for frame messaging

Attack 1: toString redefinition

Attack 2: Function.prototype poisoning

Attack 3: Object.prototype poisoning

Attack 4: Malicious getters



Eliminate with and eval
Disallow caller access
Introduce a new primitive ucall
 Circumvent prototype poisoning

Introduce a poisoning safe primitive hasProp

Secure version of the whitelist policy




Static validation
ML like type system
Types are annotated with security labels
Two properties
 Reference isolation – kernel objects should not
flow to user code
 Access path integrity of explicitly invoked function

Lattice with “is substitutable for” relation

Substitution represented with flow relation




Primitive type: *
Other types similar to ML
Types annotated with security labels
Sample inference rule
 Calling trusted foreign functions

No dynamic scripts

No string arguments to setInterval,
setTimeout

Static: Instrument Script#
 Script# converts C# to JS
 JS does not have access qualifiers like private
 Generate policies enforce private, protected
accesses

Runtime
 Test in a sandboxed environment what
capabilities are used
 Strip off all other capabilities





Neat idea
Impressive performance
No with and eval
Needs browser support
Automatic policy generation
 Policies come with host page
 Third party developer (attacker) may choose to
not use any ConScript supported frameworks



SetTimeout also unsafe without policy
enforcement
Most policies described can be checked
statically
Rule set for type inference may not be
complete
Presented by Vaibhav Rastogi



Enable fine grained sharing of JavaScript
objects between principals
Let different principals have different views
of the objects
Views may be different in
 Access rights
 Overriding methods to hide some information

Aspects oriented approach

Two settings
 Server side script rewriters
 Browsers


View sharer creates object view according to
policies
Attacker is the view recipient
 Tries to steal information that should not be
accessible to it



Both are very similar aspects oriented
approaches
ConScript is for applying JavaScript policies
Object Views is for creating multiple views for
sharing