Date posted: 11-Jan-2016
JavaScript Heap Analysis: From Browser Exploits to Safe JavaScript Subsets
Adam Barth, Joel Weinberger, Matt Finifter, Dawn Song
University of California, Berkeley
This presentation is copyright © 2009 Joel Weinberger
JavaScript Contexts
(diagram: three separate JavaScript contexts, Context 1, Context 2 and Context 3)
Overview
• Current JavaScript Security Model
• Cross-Origin JavaScript Capability Leaks
• Capability Leak Detection
• Browser Defense Mechanism
• Safe JavaScript Subsets
The DOM and Access Control
(diagram, three steps: a JavaScript Context asks the DOM Reference Monitor for access to an Object; the monitor answers Granted in the first two steps and Denied in the third)
The JS Engine and Capabilities
(diagram: a JavaScript Context holds a reference to Object 1, which is Accessible, and no reference to Object 2, which is Inaccessible)
DOM vs JS Engine
• The DOM provides an access control layer
• The JavaScript engine treats objects as capabilities
Cross-Context References
(diagram, four steps: Window 1 and Window 2 each have a Global Object holding a document and a function, foo() in Window 1 and bar() in Window 2; references are shown crossing from one window's objects to the other's)
DOM meets JS Engine
(diagram, five steps: JavaScript Context 1 and JavaScript Context 2 both reach an Object through the DOM Reference Monitor; each step shows the monitor being asked Access? and answering Granted)
Cross-Origin JavaScript Capability Leak
JavaScript Heap Inspection
Instrumentation
• In the JavaScript Engine object system
• Object creation, destruction, and reference
• Calls into analysis library
Empty Page Heap Graph
google.com Heap Graph
Graph Stats
• empty page
  – 82 nodes
  – 170 edges
• google.com
  – 384 nodes
  – 733 edges
• store.apple.com/us
  – 5332 nodes
  – 11691 edges
• gmail.com
  – 55106 nodes
  – 133567 edges
Computing JavaScript Contexts
(diagram, two steps: following an Object's __proto__ chain reaches the Object Prototype, which is linked to its Global Object; that Global Object identifies the object's JavaScript context)
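The heap-graph analysis sketched on these slides, as an added example that is not the authors' WebKit instrumentation: a toy heap graph whose nodes carry a __proto__ pointer, where each object's context is computed by walking __proto__ to an Object Prototype and mapping it to its Global Object, and where any reference between objects of different contexts that did not come through the DOM reference monitor is flagged as a potential capability leak. The HeapGraph class, the viaDOM flag and the Window 1 / Window 2 node names are constructed for this example.

```javascript
// Added example, not the authors' tool: a toy heap graph. Nodes are objects with a __proto__
// pointer; context = the Global Object of the root Object Prototype; unchecked cross-context edges are leaks.
class HeapGraph {
  constructor() {
    this.nodes = new Map();          // name -> { proto, refs: [{ to, viaDOM }] }
    this.globalOfProto = new Map();  // Object Prototype name -> Global Object name
  }
  addObject(name, proto = null) { this.nodes.set(name, { proto, refs: [] }); return this; }
  addContext(protoName, globalName) {   // one context = one Object Prototype + one Global Object
    this.addObject(protoName).addObject(globalName, protoName);
    this.globalOfProto.set(protoName, globalName);
    return this;
  }
  addRef(from, to, viaDOM = false) {    // viaDOM: the reference was handed out by the DOM's access check
    this.nodes.get(from).refs.push({ to, viaDOM });
    return this;
  }
  contextOf(name) {                     // walk __proto__ to the root, then map the root to its global
    let cur = name;
    for (let hops = 0; this.nodes.get(cur).proto !== null; hops++) {
      if (hops > this.nodes.size) throw new Error(`prototype cycle at ${cur}`);
      cur = this.nodes.get(cur).proto;
    }
    const global = this.globalOfProto.get(cur);
    if (global === undefined) throw new Error(`${name}: root ${cur} is not a known Object Prototype`);
    return global;
  }
  findLeaks() {                         // edges whose ends are in different contexts and skipped the DOM
    const leaks = [];
    for (const [from, node] of this.nodes)
      for (const { to, viaDOM } of node.refs) {
        const a = this.contextOf(from), b = this.contextOf(to);
        if (a !== b && !viaDOM) leaks.push({ from, to, fromContext: a, toContext: b });
      }
    return leaks;
  }
}
// The two-window picture from the slides (constructed names): foo() ends up holding bar() directly.
function twoWindowExample() {
  const g = new HeapGraph()
    .addContext("ObjectPrototype1", "Global1").addContext("ObjectPrototype2", "Global2")
    .addObject("document1", "ObjectPrototype1").addObject("foo", "ObjectPrototype1")
    .addObject("document2", "ObjectPrototype2").addObject("bar", "ObjectPrototype2")
    .addRef("Global1", "document1").addRef("Global1", "foo")
    .addRef("Global2", "document2").addRef("Global2", "bar")
    .addRef("document1", "Global2", true)   // window reference obtained through the DOM: access-checked
    .addRef("foo", "bar");                  // direct cross-context reference, never checked: a leak
  return g.findLeaks();
}
```

The same walk works for deeper chains (a function whose __proto__ is a Function Prototype that in turn points at the Object Prototype), which is why contextOf loops rather than taking a single hop.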
Generated Coverage
• Total WebKit tests
  – 9957 tests
• …but most of these tests are for drawing
• Security tests
  – 143 tests
Example Vulnerability
• 2 WebKit Vulnerabilities
• Major flaws in CrossSafe cross-domain JSON request library
Access Control Checks
(diagram, two steps: the two-window picture again, Window 1 and Window 2 each with a Global Object, a document, and foo() or bar(); access control checks are now applied on the references that cross between the windows)
General Benchmarks
Safe JavaScript Subsets
Dynamically Enforced Containment
                          read     write
Cajita                     21%       20%
Valija                   1493%     1000%
Microsoft Web Sandbox    1217%      634%
Slowdown on the “read” and “write” micro-benchmarks, average of 10 runs
Statically Verified Containment
• ADsafe
• Dojo Secure
• Jacaranda
Potential Exploits in Alexa 100
ADsafe
(diagram, two steps: a Guest Accessible Object holds two Safe Objects under the property names foo and bar)
Blancura
(diagram: a Guest Accessible Object holds two Safe Objects under the prefixed property names BLANCURA_OBJ_foo and BLANCURA_OBJ_bar)
Conclusion
• Heap Graph Analysis can be used to find vulnerabilities in web browsers
  – And these exploits can be eliminated
• Heap Graph Analysis can reveal properties of JavaScript code
• Static Containment for JavaScript subsets can be useful and safe
Conclusion
• Check out http://webblaze.cs.berkeley.edu
• http://webblaze.cs.berkeley.edu/2009/heapgraph
  – Heap Graph Tool and Access Control Prototype for WebKit
  – USENIX Security 2009 Paper
WebKit Unmodified vs. Access Control