ADsafety. Type-based Verification of JavaScript Sandboxing. Joe Gibbs Politz Spiridon Aristides Eliopoulos Arjun Guha Shriram Krishnamurthi

Size: px

Start display at page:

Download "ADsafety. Type-based Verification of JavaScript Sandboxing. Joe Gibbs Politz Spiridon Aristides Eliopoulos Arjun Guha Shriram Krishnamurthi"

Edwin Jacobs
5 years ago
Views:

1 ADsafety Type-based Verification of JavaScript Sandboxing Joe Gibbs Politz Spiridon Aristides Eliopoulos Arjun Guha Shriram Krishnamurthi 1

2 2

3 3

4 third-party ad third-party ad 4

5 Who is running code in your browser? 5

6 Who is running code in your browser? 5

7 Who is running code in your browser? 5

8 the host you visit 6

9 the host you visit 6

10 the host you visit the ad server 6

11 the host you visit the ad server same JavaScript context 6

12 the host you visit the ad server <iframe> 6

13 the host you visit the ad server <iframe> top.location.href 6

14 Microsoft Web Sandbox Facebook JavaScript (FBJS) Google Caja Yahoo! ADsafe All are defining safe sub-languages 7

15 8

16 eval 8

17 eval 8

18 eval e 8

19 eval e wrap(e) 8

20 eval e wrap wrap(e) 8

21 filters wrappers eval rewriters e wrap wrap(e) Maffeis, Mitchell, and Taly, ESORICS

22 9

23 eval 9

24 eval ADSAFE.get(obj, x) untrusted widget 9

25 eval ADSAFE.get ADSAFE.get(obj, x) untrusted widget 9

26 1, 800 LOC adsafe.js library 50 calls to three kinds of assertions 40 type-tests 5 regular-expression based checks 60 privileged DOM method calls 10

27 ? 1, 800 LOC adsafe.js library 50 calls to three kinds of assertions 40 type-tests 5 regular-expression based checks 60 privileged DOM method calls 10

28 Type-based Verification of 11

29 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 12

30 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.s cannot load new code at runtime, or cause ADsafe to load new code on their behalf; eval() document.write() document.createelement("script")... 12

31 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.s cannot load new code at runtime, or cause ADsafe to load new code on their behalf; eval() document.write() document.createelement("script")... 12

32 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.s cannot load new code at runtime, or cause ADsafe to load new code on their behalf; 2.s cannot obtain direct references to DOM nodes; <div> <p> <div> ADsafe Untrusted <b> 12

33 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.s cannot load new code at runtime, or cause ADsafe to load new code on their behalf; 2.s cannot obtain direct references to DOM nodes; <div> <p> <div> ADsafe Untrusted <b> 12

34 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.s cannot load new code at runtime, or cause ADsafe to load new code on their behalf; 2.s cannot obtain direct references to DOM nodes; <div> 3.s cannot affect the DOM outside of their subtree; and <div id="widget"> <p> <div> ADsafe Untrusted <b> 12

35 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.s cannot load new code at runtime, or cause ADsafe to load new code on their behalf; 2.s cannot obtain direct references to DOM nodes; <div> 3.s cannot affect the DOM outside of their subtree; and <div id="widget"> <p> <div> ADsafe Untrusted <b> 12

36 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.s cannot load new code at runtime, or cause ADsafe to load new code on their behalf; 2.s cannot obtain direct references to DOM nodes; 3.s cannot affect the DOM outside of their subtree; and 4.Multiple widgets on the same page cannot communicate. A ADsafe B 12

37 eval Goal: Verify ADsafe ADSAFE.get ADSAFE.get(obj, x) 13

38 eval Goal: Verify ADsafe ADSAFE.get ADSAFE.get(obj, x) untrusted, but passes JSLint 13

39 eval Goal: Verify ADsafe Goal: model JSLint ADSAFE.get ADSAFE.get(obj, x) untrusted, but passes JSLint 13

40 JSLint ensures: no DOM references node <div> <p> <div> ADsafe Untrusted <b> s cannot obtain direct references to DOM nodes. 14

41 JSLint ensures: no DOM references node ADsafe ensures: only safe methods on bunches bunch = { nodes : array of nodes, append: function..., gettext: function..., functions } <div> <p> <div> ADsafe Untrusted <b> s cannot obtain direct references to DOM nodes. 14

42 JSLint ensures: no DOM references node ADsafe ensures: only safe methods on bunches bunch = { nodes : array of nodes, append: function..., gettext: function..., functions } bunch. nodes No private fields in JavaScript! <div> <p> <div> ADsafe Untrusted <b> s cannot obtain direct references to DOM nodes. 14

43 JSLint ensures: no DOM references node ADsafe ensures: only safe methods on bunches bunch = { nodes : array of nodes, append: function..., gettext: function..., functions } <div> JSLint ensures: nodes is private bunch. nodes <p> <div> ADsafe Untrusted <b> s cannot obtain direct references to DOM nodes. 14

44 JSLint ensures: no DOM references node ADsafe ensures: only safe methods on bunches bunch = { nodes : array of nodes, append: function..., gettext: function..., functions } <div> JSLint ensures: nodes is private bunch. nodes <p> <div> ADsafe Untrusted <b> bunch.append(...) Exploit append to return nodes? s cannot obtain direct references to DOM nodes. 14

45 JSLint ensures: no DOM references node ADsafe ensures: only safe methods on bunches bunch = { nodes : array of nodes, append: function..., gettext: function..., functions } <div> JSLint ensures: nodes is private bunch. nodes <p> <div> ADsafe Untrusted ADsafe ensures: DOM nodes are not returned bunch.append(...) <b> s cannot obtain direct references to DOM nodes. 14

46 eval Goal 2: Verify ADsafe Goal 1: model JSLint ADSAFE.get ADSAFE.get(obj, x) untrusted, but passes JSLint 15

47 var n = 6 var s = "a string" var b = true 16

48 var n = 6 var s = "a string" var b = true := Number + String + Boolean + Undefined + Null + 16

49 := Number + String + Boolean + Undefined + Null + 17

50 { x: 6, b: "car" } := Number + String + Boolean + Undefined + Null + 17

51 { x: 6, b: "car" } { nested: { y: 10, b: false } } := Number + String + Boolean + Undefined + Null + : nodes : Array<Node> caller: prototype:... code :... proto : Object + Function + Array

52 { x: 6, b: "car" } { nested: { y: 10, b: false } } { nodes : 90 } myobj.prototype = { }; := Number + String + Boolean + Undefined + Null + : nodes : Array<Node> caller: prototype:... code :... proto : Object + Function + Array

53 { x: 6, b: "car" } { nested: { y: 10, b: false } } { nodes : 90 } myobj.prototype = { }; function foo(x) { return x + 1; } foo(900) foo.w = "functions are objects" ["array", "of", "strings"] /regular[ \t]*expressions/ := Number + String + Boolean + Undefined + Null + : nodes : Array<Node> caller: prototype:... code :... proto : Object + Function + Array

54 JSLint type-checker typable widgets widgets that pass JSLint 18

55 JSLint type-checker typable widgets Claim: widgets that pass JSLint evidence: 1,100 LOC of tests or, passing JSLint -typable 18

56 JSLint type-checker typable widgets type-based arguments about widgets Claim: widgets that pass JSLint evidence: 1,100 LOC of tests or, passing JSLint -typable 18

57 eval Goal 2: Verify ADsafe Goal 1: model JSLint ADSAFE.get ADSAFE.get(obj, x) untrusted, but passes JSLint 19

58 window.settimeout(callback, delay); eval String window.settimeout 20

59 Object String Number eval String /*: */ ADSAFE.later = function(callback, delay) { if (typeof callback!== "function") { throw "expected function"; } } window.settimeout(callback, delay); window.settimeout 20

60 Object String Number window : { eval:, settimeout : (... ) Undefined,... } eval String /*: */ ADSAFE.later = function(callback, delay) { if (typeof callback!== "function") { throw "expected function"; } } window.settimeout(callback, delay); window.settimeout 20

61 Object String Number window : { eval:, settimeout : (... ) Undefined,... } eval String /*: */ ADSAFE.later = function(callback, delay) { if (typeof callback!== "function") { throw "expected function"; } } window.settimeout(callback, delay); window.settimeout 20

62 Object String Number window : { eval:, settimeout : (... ) Undefined,... } /*: */ ADSAFE.later = function(callback, delay) { if (typeof callback!== "function") { throw "expected function"; } window.settimeout(callback, delay); eval String }... window.settimeout 20

== "function") { throw "expected function"; }

settimeout(callback, delay); eval String }.

63 Object String Number window : { eval:, settimeout : (... ) Undefined,... } /*: */ ADSAFE.later = function(callback, delay) { if (typeof callback!== "function") { throw "expected function"; } window.settimeout(callback, delay); eval String }... window.settimeout This is just one kind of if-split we handle. Politz et al. USENIX Security 2011 and Guha, Saftoiu, Krishnamurthi. ESOP

64 JSLinted adsafe.js widget 21

65 JSLinted adsafe.js widget 21

66 JSLinted adsafe.js widget 21

67 JSLinted adsafe.js widget 21

68 JSLinted adsafe.js widget 21

69 JSLinted adsafe.js widget 21

70 Array<Node> Node JSLinted adsafe.js widget 21

71 Node Node Array<Node> Node JSLinted adsafe.js widget 21

72 typable widgets widgets that pass JSLint + = Array<Node> Node adsafe.js JSLinted widget JSLint model Type-checked ADsafe 22

73 typable widgets widgets that pass JSLint var fakenode = { tagname: "div", appendchild: function(elt) { var win = elt.ownerdocument.defaultview; win.eval("alert('hacked')"); } }; 23

74 typable widgets widgets that pass JSLint var fakenode = { tagname: "div", appendchild: function(elt) { var win = elt.ownerdocument.defaultview; win.eval("alert('hacked')"); } }; var fakebunch = { nodes : [fakenode] }; Rejected by JSLint 23

75 typable widgets widgets that pass JSLint var fakenode = { tagname: "div", appendchild: function(elt) { var win = elt.ownerdocument.defaultview; win.eval("alert('hacked')"); } }; var fakebunch = { nodes : [fakenode] }; var fakebunch = { ' nodes ': [fakenode] }; Rejected by JSLint Accepted by JSLint type error: expected Array<HTML>, received Array<> 23

76 /*: */ WrappedElt.prototype.style = function(name, val) { var regexp = new Regexp("url"); if (regexp.test(val)) { return error(); }... this. node.style[name] = val... } 24

77 /*: */ WrappedElt.prototype.style = function(name, val) { var regexp = new Regexp("url"); } if (regexp.test(val)) { return error(); }... this. node.style[name] = val... expected String, received 24

78 /*: */ WrappedElt.prototype.style = function(name, val) { var regexp = new Regexp("url"); } if (regexp.test(val)) { return error(); }... this. node.style[name] = val... expected String, received var firstcall = true; var badname = { tostring: function() { if (firstcall) { firstcall = false; return "font"; } else { return "url('/evil.xml')"; } } }; passes safety check returns bad value 24

79 Fix: check_string assertion inserted here, and in 16 other places /*: */ WrappedElt.prototype.style = function(name, val) { var regexp = new Regexp("url"); } if (regexp.test(val)) { return error(); }... this. node.style[name] = val... expected String, received var firstcall = true; var badname = { tostring: function() { if (firstcall) { firstcall = false; return "font"; } else { return "url('/evil.xml')"; } } }; passes safety check returns bad value 24

80 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.s cannot load new code at runtime, or cause ADsafe to load new code on their behalf; eval() document.write() document.createelement("script")... <div> 2.s cannot obtain direct <p> <div> ADsafe Untrusted references to DOM nodes; <b> <div> 3.s cannot affect the DOM outside of their subtree; <div id="widget"> and <p> <div> ADsafe Untrusted <b> 4.Multiple widgets on the same page cannot communicate. A ADsafe B 25

81 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.s cannot load new code at runtime, or cause ADsafe to load new code on their behalf; eval() document.write() document.createelement("script")... <div> 2.s cannot obtain direct <p> <div> ADsafe Untrusted references to DOM nodes; <b> <div> 3.s cannot affect the DOM outside of their subtree; <div id="widget"> and <p> <div> ADsafe Untrusted <b> 4.Multiple widgets on the same page cannot communicate. A ADsafe B 25

82 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.s cannot load new code at runtime, or cause ADsafe to load new code on their behalf; eval() document.write() document.createelement("script")... <div> 2.s cannot obtain direct <p> <div> ADsafe Untrusted references to DOM nodes; <b> <div> 3.s cannot affect the DOM outside of their subtree; <div id="widget"> and <p> <div> ADsafe Untrusted <b> 4.Multiple widgets on the same page cannot communicate. A ADsafe B 25

83 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.s cannot load new code at runtime, or cause ADsafe to load new code on their behalf; eval() document.write() document.createelement("script")... <div> 2.s cannot obtain direct <p> <div> ADsafe Untrusted references to DOM nodes; <b> <div> 3.s cannot affect the DOM outside of their subtree; <div id="widget"> and <p> <div> ADsafe Untrusted <b> 4.Multiple widgets on the same page cannot communicate. A ADsafe B 25

84 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.s cannot load new code at runtime, or cause ADsafe to load new code on their behalf; eval() document.write() document.createelement("script")... <div> 2.s cannot obtain direct references to DOM nodes; <p> <b> <div> ADsafe Untrusted <div> 3.s cannot affect the DOM outside of their subtree; and <div id="widget"> <p> <div> ADsafe Untrusted 4.Multiple widgets on the same Retracted page cannot communicate. A <b> ADsafe B 25

85 ! Caveats: 11 LOC unverified subtree property unverified 26

86 JavaScript program Proofs for JavaScript? 27

87 JavaScript program desugar λ JS program Proofs for JavaScript? Proofs for λjs. 27

88 JavaScript program desugar λ JS program Proofs for JavaScript? SpiderMonkey, V8, Rhino 100 LOC interpreter Proofs for λjs. their answer identical for Mozilla JS test suite* our answer Guha, Saftoiu, Krishnamurthi. ECOOP

89 banned = { 'arguments' : true, callee : true, caller : true, constructor : true, 'eval' : true, prototype : true, stack : true, unwatch : true, valueof : true, watch : true } + function reject_global(that) { if (that.window) { error(); } } + if (/url/i.test(string_check(value[i]))) { error('adsafe error.'); } and other patterns... 28

90 banned = { 'arguments' : true, callee : true, caller : true, constructor : true, 'eval' : true, prototype : true, stack : true, unwatch : true, valueof : true, watch : true } + function reject_global(that) { if (that.window) { error(); } } + if (/url/i.test(string_check(value[i]))) { error('adsafe error.'); } and other patterns can be succinctly expressed with types := Number + String + Boolean + Undefined + Null + : nodes : Array<Node> caller: prototype:... code :... proto : Object + Function + Array

+ Boolean + Undefined + Null + : proto : Object +

.. JavaScript program desugar λ JS program 3.

91 Conclusion untypable 1.Model sandbox as a type eval e system typable wrap wrap(e) typable 2.Object types for JavaScript ( and ) := Number + String + Boolean + Undefined + Null + : proto : Object + Function + Array +... code :... arguments: caller:... JavaScript program desugar λ JS program 3.Proofs over tractable SpiderMonkey, V8, Rhino 100 LOC interpreter JavaScript semantics their answer identical for Mozilla JS test suite* our answer 29

92 Spiridon Aristides Eliopoulos Extra Slides 30

93 Unverified Code function F() {}; ADSAFE.create = typeof Object.create === 'function'? Object.create : function (o) { F.prototype = typeof o === 'object' && o? o : Object.prototype; return new F(); }; /*: (banned True) & (not_banned False) */ function reject_name(name) { return banned[name] ((typeof name!== 'number' name < 0) && (typeof name!== 'string' name.charat(0) === '_' name.slice(-1) === '_' name.charat(0) === '-')); } 31

94 Theorems 32

95 Full Type 33

A Structural Operational Semantics for JavaScript

A Structural Operational Semantics for JavaScript Dept. of Computer Science, Stanford University Joint work with Sergio Maffeis and John C. Mitchell Outline 1 Motivation Web Security problem Informal and Formal Semantics Related work 2 Formal Semantics