securing ecmascript 5 adventures in strategic compromise
play

Securing EcmaScript 5: Adventures in Strategic Compromise Mark S. - PowerPoint PPT Presentation

Sep 23, 2023 •103 likes •831 views

Securing EcmaScript 5: Adventures in Strategic Compromise Mark S. Miller and the Cajadores Thanks to many on EcmaScript committee Overview My Expression Security Constraints talk The What and Why of object-capabilities (ocaps) This talk

  1. Securing EcmaScript 5: Adventures in Strategic Compromise Mark S. Miller and the Cajadores Thanks to many on EcmaScript committee

  2. Overview My “Expression Security Constraints” talk The What and Why of object-capabilities (ocaps) This talk The How of doing ocaps in JavaScript Why JavaScript? Dynamics of Language Adoption Improving JavaScript in Stages

  3. Improving JavaScript in Stages EcmaScript 3: One of the hardest oo languages to secure. Complex server-side translator. Runtime overhead. EcmaScript 5: One of the easiest oo languages to secure. Simple client-side init and verifier. No runtime overhead. Approx 3K download compressed.

  4. Improving JavaScript in Stages Encapsulated objects EcmaScript 3 (ES3) Tamper proof objects EcmaScript 5 (ES5) Defensive objects ES5 strict mode (ES5/strict) Future objects on old browsers ES5/3, SES5/3 (Caja) Confining offensive objects Secure EcmaScript (SES) on ES5 Distributed objects Distributed Resilient SES (Dr. SES) Robust objects SESLint?

  5. Adoption paths & progress Corba/C++ Complexity EJB C++ AJAX Java JS C ST,Self E Scheme Paradigm Actors function, closures, safe mobile code distributed resilient struct,*,& objects as protocol secure objects

  6. Legacy-free scouts lead way Corba/C++ Complexity EJB C++ AJAX Java JS C ST,Self E Scheme Paradigm Actors function, closures, safe mobile code distributed resilient struct,*,& objects as protocol secure objects

  7. Too big a jump Corba/C++ Complexity EJB C++ AJAX Java JS ? C ST,Self E Scheme Paradigm Actors function, closures, safe mobile code distributed resilient struct,*,& objects as protocol secure objects

  8. Today Corba/C++ Complexity EJB C++ AJAX Java JS ? Caja, ES5 ,SES C ST,Self E Scheme Paradigm Actors function, closures, safe mobile code distributed resilient struct,*,& objects as protocol secure objects

  9. Tomorrow? Corba/C++ Complexity EJB C++ AJAX Java JS Dr. SES Caja, ES5 , SES C ST,Self E Scheme Paradigm Actors function, closures, safe mobile code distributed resilient struct,*,& objects as protocol secure objects

  10. Encapsulated objects in ES3 function makeCounter () { makeCounter var count = 0; return { incr incr incr: function() { return ++count; }, incr incr incr incr decr: function() { return --count; } count }; count count } decr decr decr decr decr decr

  11. Encapsulated objects in ES3 function makeCounter () { makeCounter var count = 0; return { incr incr incr: function() { return ++count; }, incr incr incr incr decr: function() { return --count; } count }; count count } decr decr decr decr decr decr A record of closures hiding state is a fine representation of an object of methods hiding instance vars

  12. Encapsulated objects in ES3 function makeCounter () { makeCounter var count = 0; return { evil evil incr: function() { return ++count; }, incr incr incr incr decr: function() { return --count; } count }; count count } decr decr decr decr decr decr Indefensible: var counter = makeCounter(); bob(counter); carol(counter); Bob says: counter.incr = function evil (){…};

  13. Robustness impossible in ES3 Objects necessarily mutable (monkey patching) Not statically scoped – repaired by ES5 (function n () {…x…}) // named function exprs try{throw fn;}catch( f ){f();…x…} // thrown function Object = Date; …{}… // “as if by” Not statically scoped – repaired by ES5/strict with (o) {…x…} // attractive but botched delete x; // dynamic deletion eval(str); …x… // eval exports binding

  14. Tamper-proof objects in ES5 function makeCounter () { makeCounter var count = 0; return Object.freeze({ incr incr incr: function() { return ++count; }, incr incr incr incr decr: function() { return --count; } count }); count count } decr decr decr decr decr decr Bob’s attack fails: counter.incr = function evil (){…};

  15. Encapsulation Leaks in non-strict ES5 function doSomething ( ifBobKnows , passwd ) { if (ifBobKnows() === passwd) { //… do something with passwd } }

  16. Encapsulation Leaks in non-strict ES5 function doSomething ( ifBobKnows , passwd ) { if (ifBobKnows() === passwd) { //… do something with passwd } } Bob says: var stash ; function ifBobKnows () { stash = arguments.caller.arguments[1]; return arguments.caller.arguments[1] = badPasswd; }

  17. Encapsulation & Scope in ES5/strict “use strict”; function doSomething ( ifBobKnows , passwd ) { if (ifBobKnows() === passwd) { //… do something with passwd } } Bob’s attack fails: return arguments.caller.arguments[1] = badPasswd; Parameters not joined to arguments .

  18. Encapsulation & Scope in ES5/strict “use strict”; function doSomething ( ifBobKnows , passwd ) { if (ifBobKnows() === passwd) { //… do something with passwd } } Bob’s attack fails: return arguments.caller.arguments[1] = badPasswd; Poison pills.

  19. Encapsulation & Scope in ES5/strict “use strict”; function doSomething ( ifBobKnows , passwd ) { if (ifBobKnows() === passwd) { //… do something with passwd } } Bob’s attack fails: return arguments.caller.arguments[1] = badPasswd; Even non-strict “ .caller ” can’t reveal a strict caller.

  20. Defensive objects in ES5/strict “use strict”; makeCounter function makeCounter () { var count = 0; incr incr return Object.freeze({ incr incr incr incr incr: function() { return ++count; }, count decr: function() { return --count; } count count }); decr decr decr decr } decr decr

  21. Confining offensive objects in SES Alice says: Alice Bob var bobSrc = //site B bob var carolSrc = //site C var bob = safeEval(bobSrc); Carol var carol = safeEval(carolSrc); carol Bob and Carol are confined . Only Alice controls how they can interact or get more connected.

  22. The Mashup problem: Code as Media <html> <head> <title>Basic Mashup</title> <script> function animate ( id ) { var element = document.getElementById(id); var textNode = element.childNodes[0]; var text = textNode.data; var reverse = false; element.onclick = function() { reverse = !reverse; }; setInterval(function() { textNode.data = text = reverse ? text.substring(1) + text[0] : text[text.length-1] + text.substring(0, text.length-1); }, 100); } </script> </head> <body onload="animate('target')"> <pre id="target">Hello Programmable World! </pre> </body> </html>

  24. Future objects on old browsers

  25. Future objects on old browsers

  26. Turning ES5/strict into SES Monkey patch away bad non-std behaviors Remove non-whitelisted primordials Install leaky WeakMap emulation Make virtual global root Freeze whitelisted global variables Replace eval & Function with safe alternatives Freeze accessible primordials

  27. Monkey patch away bad non-std behaviors Secure ES5 reality, not just spec. Ch16 exemptions destroy security reasoning.  /x/.test(‘axb’); true  RegExp.leftContext; a  new RegExp(‘(.|\r|\n)*’,‘’).exec(); axb,b

  28. Monkey patch away bad non-std behaviors Specified primordials replaceable, whew! var unsafeExec = RegExp.prototype.exec; RegExp.prototype.exec = function( specimen ) { return unsafeExec.call(this, String(specimen)); } var unsafeTest = …

  29. Monkey patch away bad non-std behaviors Unspecified primordials unspecified, darn!  delete RegExp.leftContext; false  ‘leftContext’ in RegExp; true Allowed by Ch16 exemptions

  30. Monkey patch away bad non-std behaviors Most specified globals replaceable, whew! var UnsafeRegExp = RegExp; RegExp = function( pattern , flags ) { return UnsafeRegExp(pattern, flags); } RegExp.prototype = UnsafeRegExp.prototype; RegExp.prototype.constructor = RegExp;

  31. Remove non-whitelisted primordials Object.getOwnPropertyNames(o)  string[] Object.getPrototypeOf(o)  o | null var whitelist = { "escape": true, // ES5 Appendix B de-facto "unescape": true, // ES5 Appendix B de-facto "Object": { "prototype": { "constructor": "*", "toString": "*", "toLocaleString": "*", "valueOf": true, "hasOwnProperty": true, "isPrototypeOf": true, "propertyIsEnumerable": true }, "getPropertyDescriptor": true, // ES-Harmony proposal "getPropertyNames": true, // ES-Harmony proposal "identical": true, // ES-Harmony strawman "getPrototypeOf": true, "getOwnPropertyDescriptor": true, "getOwnPropertyNames": true,

  32. Remove non-whitelisted primordials… … or die trying.  delete Object.caller; false  ‘caller’ in Object; true The trivial secureability of ES5 is easily lost. A suggestion for ES5 implementers: Please make all non-std properties configurable (deletable).

  33. Install leaky WeakMap emulation Too kludgy to explain in this talk. A suggestion for ES5 implementers: Please implement the ES-Harmony WeakMap proposal.

  34. Make virtual global root var root = Object.create(null, { Object: {value: Object}, Array: {value: Array}, NaN: {value: NaN}, //… });

Recommend

From E to EcmaScript and back again Mark S. Miller and the Cajadores Overview

From E to EcmaScript and back again Mark S. Miller and the Cajadores Overview

From E to EcmaScript and back again Mark S. Miller and the Cajadores Overview Object-Capabilities Security as extreme modularity Securing JavaScript Why and How? E Caja ES5 SES Dr. SES Patterns of Safe Cooperation In

1.49k views • 72 slides
ADVANCED JS &amp; CSS flexb ox ES6 WHAT IS ES6? ES (ECMAScript) is a scripting language standard

ADVANCED JS &amp; CSS flexb ox ES6 WHAT IS ES6? ES (ECMAScript) is a scripting language standard

CS498RK SPRING 2020 e s 6 ADVANCED JS &amp; CSS flexb ox ES6 WHAT IS ES6? ES (ECMAScript) is a scripting language standard . JavaScript implements ECMAScript. ES6 means the 6th Edition of ECMAScript. Timelin e 6 years later, ES6! Started in

710 views • 42 slides
Modern JavaScript Shan-Hung Wu &amp; DataLab CS, NTHU ES5, ES6 and ES7 Javascript:

Modern JavaScript Shan-Hung Wu &amp; DataLab CS, NTHU ES5, ES6 and ES7 Javascript:

Modern JavaScript Shan-Hung Wu &amp; DataLab CS, NTHU ES5, ES6 and ES7 Javascript: implementation of ECMAScript (ES) ES5 = ECMAScript 5 (2009) ES6 = ECMAScript 6 = ES2015 ES7 = ECMAScript 7 = ES2016 2 Outline Project-based

730 views • 49 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 Advanced JavaScript and ECMAScript ECMAScript and JavaScript

CS/COE 1520 pitt.edu/~ach54/cs1520 Advanced JavaScript and ECMAScript ECMAScript and JavaScript

CS/COE 1520 pitt.edu/~ach54/cs1520 Advanced JavaScript and ECMAScript ECMAScript and JavaScript ECMAScript is based on JavaScript, and JavaScript is based on ECMAScript ... 2 First of all, what is ECMA? Ecma International

779 views • 55 slides
ES6 JavaScript, Metaprogramming, &amp; Object Proxies Prof. Tom Austin San Jos State

ES6 JavaScript, Metaprogramming, &amp; Object Proxies Prof. Tom Austin San Jos State

CS 152: Programming Language Paradigm ES6 JavaScript, Metaprogramming, &amp; Object Proxies Prof. Tom Austin San Jos State University ECMAScript Schism ECMAScript 4 was divisive A group broke off to create ECMAScript 3.1 more

695 views • 37 slides
Remaining Hazards and Mitigating Patterns for Secure Mashups in EcmaScript 5 Mark S. Miller and

Remaining Hazards and Mitigating Patterns for Secure Mashups in EcmaScript 5 Mark S. Miller and

Remaining Hazards and Mitigating Patterns for Secure Mashups in EcmaScript 5 Mark S. Miller and the Cajadores Overview The Mashup Problem The Offensive and Defensive Code Problems JavaScript (EcmaScript) gets simpler ES3, ES5, ES5/strict,

716 views • 52 slides
Metaprogramming &amp; JavaScript Object Proxies Prof. Tom Austin San Jos State University

Metaprogramming &amp; JavaScript Object Proxies Prof. Tom Austin San Jos State University

CS 252: Advanced Programming Language Principles Metaprogramming &amp; JavaScript Object Proxies Prof. Tom Austin San Jos State University ECMAScript Schism ECMAScript 4 was divisive A group broke off to create ECMAScript 3.1

480 views • 32 slides
TypeScript - a look at SPA's and Angular 2 Christian Holm Diget Agenda EcmaScript 6

TypeScript - a look at SPA's and Angular 2 Christian Holm Diget Agenda EcmaScript 6

TypeScript - a look at SPA's and Angular 2 Christian Holm Diget Agenda EcmaScript 6 TypeScript Libraries: ImmutableJS + React SPA architecture Angular 2.0 EcmaScript 6/2015 Let + const function f() { { let x; { //

859 views • 48 slides
Dr Stephen Crabbe September 17 th , 2014 The Adventures of Tom Sawyer (1876) Adventures of

Dr Stephen Crabbe September 17 th , 2014 The Adventures of Tom Sawyer (1876) Adventures of

Looking backwards to look forward: Mark Twain and best practice for developing clear and effective content in our globalised, digitally-connected world Dr Stephen Crabbe September 17 th , 2014 The Adventures of Tom Sawyer (1876) Adventures of

437 views • 21 slides
ECMAScript &quot;3.1&quot; Pratap Lakshman, ECMA TC39 Representative Microsoft Corp.

ECMAScript &quot;3.1&quot; Pratap Lakshman, ECMA TC39 Representative Microsoft Corp.

ECMAScript &quot;3.1&quot; Pratap Lakshman, ECMA TC39 Representative Microsoft Corp. pratapL@microsoft.com JAOO Aarhus 2008 1 ECMAScript A brief introduction to the language Standardization History, Motivation, and Status

1.12k views • 22 slides
Tripwire Inferring Internet Site Compromise Joe DeBlasio Stefan Savage UC San Diego Geoffrey

Tripwire Inferring Internet Site Compromise Joe DeBlasio Stefan Savage UC San Diego Geoffrey

Tripwire Inferring Internet Site Compromise Joe DeBlasio Stefan Savage UC San Diego Geoffrey M. Voelker Alex C. Snoeren On account compromise Compromise of email/social network/etc is devastating Personal/professional reputational, financial

798 views • 49 slides
Adventures in Elm GOTO Chicago, 24 May 2016 Adventures in Elm Events, Reproducibility, and

Adventures in Elm GOTO Chicago, 24 May 2016 Adventures in Elm Events, Reproducibility, and

Adventures in Elm GOTO Chicago, 24 May 2016 Adventures in Elm Events, Reproducibility, and Kindness question your principles @jessitron Adventures in Elm Events, Reproducibility, and Kindness Data Data In Out Server UI Everything My

646 views • 39 slides
IRS &amp; FTB Offers in Compromise December 12, 2012 Thank you for attending this seminar. Your

IRS &amp; FTB Offers in Compromise December 12, 2012 Thank you for attending this seminar. Your

IRS &amp; FTB Offers in Compromise December 12, 2012 Thank you for attending this seminar. Your work on behalf of ALRP clients can reduce, or eliminate, the financial burdens that result from having tax problems. FEDERAL OFFERS IN COMPROMISE

403 views • 8 slides
IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT is a system of systems, with A great deal of heterogeneity (sensing, computation, communication, energy) New types of devices appearing all

1.35k views • 65 slides
Missouri Compromise, 1820 Firebell in the Night The Missouri Compromise, 1820 Divides the

Missouri Compromise, 1820 Firebell in the Night The Missouri Compromise, 1820 Divides the

Missouri Compromise, 1820 Firebell in the Night The Missouri Compromise, 1820 Divides the Louisiana Purchase into Free and Slave territory along 36 30 Admits Missouri as a Slave state and Maine as a Free state Keeps Equal Political Power

378 views • 24 slides
Building&amp;Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl

Building&amp;Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl

www.securing.pl Building&amp;Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl @_r3ggi wojciech.regula@securing.pl www.securing.pl www.securing.pl WHOAMI -Senior IT Security Consultant @ SecuRing -Focused on

998 views • 67 slides
Cougar Helicopters Presentation Offshore Helicopter Safety Inquiry 1 No Compromise No

Cougar Helicopters Presentation Offshore Helicopter Safety Inquiry 1 No Compromise No

EXHIBIT/P-00155 Cougar Helicopters Presentation Offshore Helicopter Safety Inquiry 1 No Compromise No operation or business opportunity, either new or ongoing, should ever compromise safety or unduly affect our accepted levels of risk

838 views • 83 slides
SSH Compromise Detection using NetFlow/IPFIX Rick Hofstede, Luuk Hendriks 51 percent of

SSH Compromise Detection using NetFlow/IPFIX Rick Hofstede, Luuk Hendriks 51 percent of

SSH Compromise Detection using NetFlow/IPFIX Rick Hofstede, Luuk Hendriks 51 percent of respondents admitted that their organizations have already been impacted by an SSH key-related compromise in the last 24 months. Ponemon 2014 SSH

916 views • 57 slides
The Adventures of NIKA2 from the AoD perspective Bilal Ladjelate - Observing the millimeter

The Adventures of NIKA2 from the AoD perspective Bilal Ladjelate - Observing the millimeter

The Adventures of NIKA2 from the AoD perspective Bilal Ladjelate - Observing the millimeter Universe with the NIKA2 Camera Outline of these adventures Review of the di ff erent pools Overview of projects observed Evolution of NIKA2

310 views • 28 slides
Anatomy of a Fraud Business E-mail Compromise &amp; Computer Intrusion What is Business E-Mail

Anatomy of a Fraud Business E-mail Compromise &amp; Computer Intrusion What is Business E-Mail

Anatomy of a Fraud Business E-mail Compromise &amp; Computer Intrusion What is Business E-Mail Compromise? Scam targeting businesses that regularly perform ACH and Wire Transfer payments. Small and Mid Sized businesses but all are susceptible.

564 views • 29 slides
The Simpson-Bowles Social Security Framework: A Bipartisan Compromise Worthy of Support Charles

The Simpson-Bowles Social Security Framework: A Bipartisan Compromise Worthy of Support Charles

The Simpson-Bowles Social Security Framework: A Bipartisan Compromise Worthy of Support Charles Blahous Presentation to NASI Conference National Press Club January 27, 2010 Point #1: Simpson-Bowles strikes a reasonable compromise between

336 views • 11 slides
SANS Securing The Human Training Department of Safety Securing the Human Training Web

SANS Securing The Human Training Department of Safety Securing the Human Training Web

SANS Securing The Human Training Department of Safety Securing the Human Training Web based Centrally Administrated Divisionally managed Consistent content Central reporting Ability to add custom content (Policy's)

761 views • 10 slides
SAFE Formal Specification and Implementation of a Scalable Analysis Framework for ECMAscript

SAFE Formal Specification and Implementation of a Scalable Analysis Framework for ECMAscript

SAFE Formal Specification and Implementation of a Scalable Analysis Framework for ECMAscript PLRG@KAIST Hongki Lee , Sooncheol Won, Joonho Jin, Junhee Cho, and Sukyoung Ryu Contents Introduction Big Picture Formal Specification

631 views • 25 slides
Compromise Solutions Kai-Simon Goetzmann, TU Berlin (Joint work with Christina B using, Jannik

Compromise Solutions Kai-Simon Goetzmann, TU Berlin (Joint work with Christina B using, Jannik

Introduction Definitions and Notations Approximation Compromise Solutions Kai-Simon Goetzmann, TU Berlin (Joint work with Christina B using, Jannik Matuschke and Sebastian Stiller) SCOR 2012 Kai-Simon Goetzmann, TU Berlin Compromise

380 views • 36 slides

More recommend