gatekeeper : mostly static enforcement of security & reliability policies for javascript code...
Post on 19-Dec-2015
Gatekeeper: Mostly Static Enforcement of Security & Reliability Policies for JavaScript Code
Ben Livshits
Salvatore Guarnieri
Widgets are everywhere
• Widget sources (web and desktop):
  – Live web widgets
  – Google/IG web widgets
  – Vista Sidebar desktop widgets
  – …
• Lots of widget producers
• Various levels of quality and trust
A web widget is a portable chunk of code that can be installed
and executed within any separate HTML-based web page by an
end user without requiring additional compilation. They are
derived from the idea of code reuse. Other terms used to
describe web widgets include: gadget, badge, module, webjit,
capsule, snippet, mini and flake. Web widgets usually but not
always use DHTML, JavaScript, or Adobe Flash.
MOTIVATION & PROJECT GOALS
Widget host is interested in ensuring widget security and quality
• Bad widgets: host is blamed
• Widget checking eliminates issues for users
• Static analysis advantage: all paths, no overhead, detect early
Gatekeeper: Protecting the Widget Host
Gatekeeper Contributions
• Propose a statically analyzable subset, JavaScriptSAFE
• Propose the first points-to analysis for JavaScript
• Formulate 9 security and reliability policies using Datalog:
  – restricting widget capabilities
  – making sure built-in objects are not modified
  – preventing code injection attempts, etc.
• Evaluation on 8,000+ publicly available JavaScript widgets:
  – Live.com
  – Vista Sidebar, and
  – Google
• We flag a total of 1,341 policy violations spanning 684 widgets, with 113 false positives affecting only two widgets.
TECHNIQUES
Basic Approach
• Represent the program as a database of facts
  – Normalize the JavaScript program AST
  – Introduce temporaries as necessary
  – Store facts in a compressed form
• Query this database using Datalog
  – This is how all analyses are implemented
  – Implement a points-to analysis to reason about the program heap
  – A very declarative, extensible approach
  – Propose 9 different analyses/policies
Gatekeeper Architecture
Enemies of Static Analysis

| Construct | Live [2,714] | Sidebar [4,501] | Google [1,171] |
|---|---|---|---|
| eval("(" + oResponse + ")"); | 10 | 353 | 55 |
| setTimeout(GetFeed, 25000); | 49 | 824 | 65 |
| setInterval(clock, 500); | 16 | 377 | 13 |
| Non-const index | 176 | 1736 | 192 |
| var c = arguments[2] | 6 | 175 | 3 |
| a = new Function("c", "return c*10;"); | 4 | 142 | 21 |
| with (Math) { p = PI; } | 2 | 422 | 2 |
| document.write(url); | 1 | 102 | 108 |
| myFrame.innerHTML = [HTML]; | 2,053 | 1,535 | 288 |

var x = new Object(); x[a+b] = ...;
Start with Entire JavaScript…
EcmaScript-262
Remove eval & Friends…
EcmaScript 262
- eval
- setTimeout
- setInterval
- Function
- with
- arguments array
- [innerHtml]
-----------------------
= JavaScriptGK
Remove Unresolved Array Accesses…
EcmaScript 262
JavaScriptGK
- non-const array access a[x+y]
--------------------------------
= JavaScriptSAFE
Now, this is Amenable to Analysis!
EcmaScript 262
JavaScriptGK
JavaScriptSAFE
s ::=
// assignments
v1=v2
v = bot
return v
// calls
v = new v0(v1,…,vn)
v=v0(vthis,v1,…,vn)
// heap
v1=v2.f
v1.f=v2
// declarations
v=function(v1,…,vn){s}
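The statement forms above map directly onto facts that a points-to analysis can query. The following is an added example, not Gatekeeper's own rules or code: an inclusion-based points-to fixpoint plus one policy query, where the relation names (alloc, assign, load, store, call), the heap labels and the sample widget are all constructed assumptions. It shows why heap reasoning matters: a text search for document.write would miss call site c1.

```javascript
// Added example. Relation names and heap labels are assumptions for illustration.
function analyze(facts, seedHeap) {
  const pts = new Set();           // "v|h": variable v may point to heap object h
  const hpts = new Set(seedHeap);  // "h1|f|h2": field f of h1 may point to h2
  const of = (set, prefix) =>      // all suffixes of keys that start with "prefix|"
    [...set].filter(k => k.startsWith(prefix + "|")).map(k => k.slice(prefix.length + 1));
  let changed = true;
  const add = (set, key) => { if (!set.has(key)) { set.add(key); changed = true; } };
  while (changed) {                // apply the rules until a fixpoint is reached
    changed = false;
    for (const [kind, a, b, c] of facts) {
      if (kind === "alloc") add(pts, `${a}|${b}`);            // a = new ... at site b
      else if (kind === "assign")                             // a = b
        of(pts, b).forEach(h => add(pts, `${a}|${h}`));
      else if (kind === "store")                              // a.b = c
        of(pts, a).forEach(h1 =>
          of(pts, c).forEach(h2 => add(hpts, `${h1}|${b}|${h2}`)));
      else if (kind === "load")                               // a = b.c
        of(pts, b).forEach(h1 =>
          of(hpts, `${h1}|${c}`).forEach(h2 => add(pts, `${a}|${h2}`)));
    }
  }
  return { pts, hpts };
}

// Policy query: call sites whose callee may be a forbidden function object.
function violations(facts, pts, forbidden) {
  return facts
    .filter(([kind, , callee]) =>
      kind === "call" && forbidden.some(h => pts.has(`${callee}|${h}`)))
    .map(([, site]) => site);
}

// Constructed sample widget, already normalized into facts.
const widgetFacts = [
  ["alloc", "document", "hDocument"], // host-provided global object
  ["assign", "d", "document"],        // var d = document;
  ["load", "w", "d", "write"],        // var w = d.write;
  ["alloc", "o", "hObj1"],            // var o = new Object();
  ["store", "o", "f", "w"],           // o.f = w;
  ["load", "g", "o", "f"],            // var g = o.f;
  ["call", "c1", "g"],                // g(url);  aliased document.write
  ["alloc", "k", "hFn1"],             // var k = function(){...};
  ["call", "c2", "k"],                // k();     unrelated function
];
const { pts } = analyze(widgetFacts, ["hDocument|write|hDocWrite"]);
console.log(violations(widgetFacts, pts, ["hDocWrite"]));
```

The seed fact stands for the host environment, where the write field of the document object holds the function the policy forbids.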
Two language subsets: JavaScriptSAFE and JavaScriptGK
• JavaScriptSAFE – can analyze fully statically without resorting to runtime checks
• JavaScriptGK – need basic instrumentation to prevent runtime code introduction
JavaScript Language Features
TODO: discussion of 1) prototypes and 2) safe reflection
Analysis Process
JavaScript AST
IR Normalizer
Output to Datalog
BDDBDDB solver
Analysis Results
Datalog analysis
rules
Converting JavaScript Statements to Facts
Pointer Analysis Inference Rules
EXPERIMENTAL RESULTS
Widget Corpus
• Collected by scraping widget galleries
Total
Live 2,714
Sidebar 4,501
Google 1,171
Language Subsets in Practice
[Bar chart, y-axis 0% to 100%, categories Live, Sidebar, Google. Data labels in legend order: EcmaScript 100%, 100%, 100%; Gatekeeper 24.06%, 51.17%, 67.38%; JavaScriptSAFE 23.69%, 39.26%, 65.58%]
Policies for Widget Security & Reliability
Query Results
• 1,210 violations total

| Query | Live [2,714] | Sidebar [4,501] | Google [1,171] |
|---|---|---|---|
| Alert | 87 | 287 | 81 |
| Frozen Violation | 3 | 114 | 19 |
| document.write | 5 | 175 | 158 |
| Location change | 59 | 192 | 30 |
| Totals | 154 | 768 | 288 |
Conclusions
• Static analysis for JavaScript
• Technique: points-to analysis
• Focus: analyzing widgets
We feel that static analysis of JavaScript is a key building block for enabling an environment in which code from different parties can safely co-exist and interact