Page 1: JavaScript Heap Analysis: From Browser Exploits to Safe JavaScript Subsets Adam Barth Joel Weinberger Matt Finifter Dawn Song University of California,

JavaScript Heap Analysis: From Browser Exploits to Safe JavaScript Subsets

Adam BarthJoel Weinberger

Matt FinifterDawn Song

University of California, Berkeley

This presentation is copyright © 2009 Joel Weinberger

Page 2

JavaScript Contexts

JavaScript Context 1

JavaScript Context 2 JavaScript Context 3

Page 3

Overview

• Current JavaScript Security Model

• Cross-Origin JavaScript Capability Leaks

• Capability Leak Detection

• Browser Defense Mechanism

• Safe JavaScript Subsets

Page 4

The DOM and Access Control

DOM Reference Monitor

Object

JavaScript Context

Granted

Access?

Page 6

The DOM and Access Control

DOM Reference Monitor

Object

JavaScript Context

Denied

Access?

Page 7

The JS Engine and Capabilities

Object 1 Object 2

Accessible Inaccessible

JavaScript Context

Page 9

DOM vs JS Engine

• The DOM provides an access control layer

• The JavaScript engine treats objects as capabilities

Page 10

Overview

• Current JavaScript Security Model

• Cross-Origin JavaScript Capability Leaks

• Capability Leak Detection

• Browser Defense Mechanism

• Safe JavaScript Subsets

Page 11

Cross-Context References

Window 1 Window 2

Global Object Global Object

document function foo()

document function bar()

Page 15

DOM meets JS Engine

JavaScript Context 1 JavaScript Context 2

DOM Reference Monitor

Object

Access?

Page 16

DOM meets JS Engine

JavaScript Context 1 JavaScript Context 2

DOM Reference Monitor

Object

Access Granted

Page 17

DOM meets JS Engine

JavaScript Context 1 JavaScript Context 2

DOM Reference Monitor

Object

Granted

Access?

Page 19

DOM meets JS Engine

JavaScript Context 1 JavaScript Context 2

DOM Reference Monitor

Object

Granted

Access?

Cross-Origin JavaScript Capability Leak

Page 20

Overview

• Current JavaScript Security Model

• Cross-Origin JavaScript Capability Leaks

• Capability Leak Detection

• Browser Defense Mechanism

• Safe JavaScript Subsets

Page 21

JavaScript Heap Inspection

?

Page 22

Instrumentation

• In the JavaScript Engine object system

• Object creation, destruction, and reference

• Calls into analysis library

Page 23

Empty Page Heap Graph

Page 24

google.com Heap Graph

Page 25

Graph Stats

• empty page
  – 82 nodes
  – 170 edges

• google.com
  – 384 nodes
  – 733 edges

• store.apple.com/us
  – 5332 nodes
  – 11691 edges

• gmail.com
  – 55106 nodes
  – 133567 edges

Page 26

Computing JavaScript Contexts

Object Prototype

Global Object

Object

Page 27

Computing JavaScript Contexts

Object Prototype

Object

Global Object

Object

__proto__
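The detection idea on these slides, as an added example and not the authors' WebKit tool: label each heap object with the context whose Object prototype ends its __proto__ chain, then report every reference whose endpoints lie in different contexts and that was not mediated by the DOM reference monitor. The heap graph, node names and the `dom` flag on edges are constructed for illustration.

```javascript
// Toy heap graph, constructed for this example: each node is a JS object,
// "proto" is its __proto__ edge and "refs" are the property references it holds.
// Edges marked { dom: true } stand for references handed out through the DOM
// reference monitor (assumption of this model); plain edges are raw engine
// capabilities, which the JS engine never checks.
const nodes = new Map();
function add(name, proto, refs = []) { nodes.set(name, { proto, refs }); }

// Window 1's context: every object's chain ends at this window's Object prototype.
add("ObjProto1", null);
add("global1", "ObjProto1", [{ to: "document1" }, { to: "foo" }, { to: "global2", dom: true }]);
add("document1", "ObjProto1");
add("foo", "ObjProto1");

// Window 2's context.
add("ObjProto2", null);
add("global2", "ObjProto2", [{ to: "document2" }, { to: "bar" }]);
add("document2", "ObjProto2");
add("bar", "ObjProto2", [{ to: "foo" }]); // constructed leak: an unchecked reference into window 1

// A node's context is the Object prototype at the end of its __proto__ chain,
// which is how the "Computing JavaScript Contexts" slides partition the heap.
function contextOf(name) {
  let cur = name;
  while (nodes.get(cur).proto !== null) cur = nodes.get(cur).proto;
  return cur;
}

// Every edge that crosses contexts without going through the DOM reference
// monitor is a cross-origin JavaScript capability leak.
function findLeaks() {
  const leaks = [];
  for (const [src, n] of nodes)
    for (const e of n.refs)
      if (!e.dom && contextOf(src) !== contextOf(e.to)) leaks.push(`${src} -> ${e.to}`);
  return leaks;
}

console.log(findLeaks()); // prints [ 'bar -> foo' ]
```

The DOM-mediated edge from global1 to global2 is not reported; only the engine-level reference that bypasses the reference monitor is.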

Page 28

Generated Coverage

• Total WebKit tests
  – 9957 tests

• …but most of these tests are for drawing

• Security tests
  – 143 tests

Page 30

Example Vulnerability

• 2 WebKit Vulnerabilities

• Major flaws in CrossSafe cross-domain JSON request library

Page 31

Overview

• Current JavaScript Security Model

• Cross-Origin JavaScript Capability Leaks

• Capability Leak Detection

• Browser Defense Mechanism

• Safe JavaScript Subsets

Page 32

Access Control Checks

Window 1 Window 2

Global Object Global Object

document function foo()

document function bar()

Page 34

General Benchmarks

Page 35

Overview

• Current JavaScript Security Model

• Cross-Origin JavaScript Capability Leaks

• Capability Leak Detection

• Browser Defense Mechanism

• Safe JavaScript Subsets

Page 36

Safe JavaScript Subsets

Page 38

Dynamically Enforced Containment

                        read    write
Cajita                   21%     20%
Valija                 1493%   1000%
Microsoft Web Sandbox  1217%    634%

Slowdown on the “read” and “write” micro-benchmarks, average of 10 runs

Page 39

Statically Verified Containment

• ADsafe

• Dojo Secure

• Jacaranda

Page 41

Statically Verified Containment

Page 43

Potential Exploits in Alexa 100

Page 45

ADsafe

Guest Accessible Object

Safe Object

Safe Object

foo

bar

Page 47

Blancura

Guest Accessible Object

Safe Object

Safe Object

BLANCURA_OBJ_foo

BLANCURA_OBJ_bar

Page 48

Conclusion

• Heap Graph Analysis can be used to find vulnerabilities in web browsers
  – And these exploits can be eliminated

• Heap Graph Analysis can reveal properties of JavaScript code

• Static Containment for JavaScript subsets can be useful and safe

Page 49

Conclusion

• Check out http://webblaze.cs.berkeley.edu

• http://webblaze.cs.berkeley.edu/2009/heapgraph
  – Heap Graph Tool and Access Control Prototype for WebKit
  – USENIX Security 2009 Paper

Page 50

WebKit Unmodified vs. Access Control
