
You Can't Touch This. WG2.8 meeting 2012, Albert-Ludwigs-Universität Freiburg (presentation slides)


  1. You Can't Touch This
     WG2.8 meeting 2012, Albert-Ludwigs-Universität Freiburg
     Peter Thiemann, Manuel Geffken, Phillip Heidegger
     University of Freiburg, thiemann@informatik.uni-freiburg.de
     07 November 2012

  2. Motivation
     92% of all websites use JavaScript (according to http://w3techs.com/, 30/09/12).
     Thiemann You Can’t Touch This 07/11/12 2 / 20

  3. Thesis
     The Full Employment Theorem for Research on JavaScript: there will always be another JavaScript feature.

  4. Situation of a Web Programmer

  9. Visualization of the Code (diagram labels: Mashup, Mashup, Mashup, Base Application)

  14. Problem: (Mandatory) Access Control for Mashups
      - No access to private data of the client
      - No access to sensitive resources
      What is needed?
      - Demarcation between trusted and untrusted code
      - Mashup-specific access-control policies
      - Enforcement of these policies

  15. Observation
      In JavaScript, every resource is controlled by reading or writing a property in scope.
      Examples:
      - document.location, document.cookie, ...
      - document.write(), ...
      - window.onload, window.onkeypress, ...
      - window.alert(), window.open(), ...
      - node.data, node.innerHtml, ...
      - myData.contacts.JohnDoe.email, ...

  17. Controlling Access to Properties is Key!
      Access Permissions: sets of object references
        Perm(document, "location|cookie|write");
        Perm(window, "/on.*/");
        Perm(window, "alert|open");
        Perm(document.documentElement, "*./data|innerHtml/");
        Perm(myData, "*.email");
      Building blocks:
        p ::= Perm(e, path)          anchored path set
            | p ∪ p | p ∩ p | ¬p     boolean operations
            | Ω                      universal permission
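A matcher for the Perm(e, path) notation on this slide, added here as an example and not code from the slides or from the authors' project. The path syntax it assumes is one reading of the examples above: segments are split on ".", "*" stands for any run of zero or more properties, "a|b|c" for a choice of names and "/re/" for a regex that must match a whole property name; compilePath, matchPath, union, inter, not and omega are assumed names.

```javascript
// Assumed path syntax (one reading of the slide): segments separated by ".",
// a segment is "*" (any run of zero or more properties), "a|b|c" (one of the
// listed names) or "/re/" (a regex that must match the whole property name).
function compilePath(path) {
  const segs = [];
  let i = 0;
  while (i < path.length) {
    if (path[i] === "/") {                                // regex segment
      const j = path.indexOf("/", i + 1);
      if (j < 0) throw new Error("unterminated regex in " + path);
      const re = new RegExp("^(?:" + path.slice(i + 1, j) + ")$");
      segs.push({ test: (name) => re.test(name) });
      i = j + 1;
    } else {                                              // "*" or a|b|c
      let j = path.indexOf(".", i);
      if (j < 0) j = path.length;
      const text = path.slice(i, j), names = new Set(text.split("|"));
      segs.push(text === "*" ? { star: true } : { test: (name) => names.has(name) });
      i = j;
    }
    if (path[i] === ".") i++;
  }
  return segs;
}

// Match a concrete property path (array of names) against compiled segments;
// "*" is tried against zero or more names, like "**" in a glob.
function matchPath(segs, names, si = 0, ni = 0) {
  if (si === segs.length) return ni === names.length;
  const s = segs[si];
  if (s.star) return matchPath(segs, names, si + 1, ni) ||
                     (ni < names.length && matchPath(segs, names, si, ni + 1));
  return ni < names.length && s.test(names[ni]) && matchPath(segs, names, si + 1, ni + 1);
}

// The slide's permission algebra as predicates on (root object, property path):
// Perm(e, path) is anchored at e; union, inter, not and omega are ∪, ∩, ¬ and Ω.
function Perm(root, path) {
  const segs = compilePath(path);
  return (r, names) => r === root && matchPath(segs, names);
}
const union = (p, q) => (r, names) => p(r, names) || q(r, names);
const inter = (p, q) => (r, names) => p(r, names) && q(r, names);
const not = (p) => (r, names) => !p(r, names);
const omega = () => true;
```

A predicate only says which references a permission covers; deciding what happens on a denied access is the job of the enforcement mechanism on the following slides.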

  18. Enforcing Restrictions
        ENFORCE(Deny(Perm(...), Perm(...)),
                function () {
                  // scope of enforcement
                });

  19. Alternative: Permitted Accesses
      Access Permissions
        /* constructor for person */
        function Person(nick, pass, mail) {
          this.nickname = nick;
          this.password = pass;
          this.email = mail;
        }
        function base_functionality() {
          var p = new Person("honda", "t243v3r", "mh@t2.com");
          ...
          ENFORCE(Allow(Perm(p, "nickname")),
                  function () { mashup1(p); });
          ...
          var out = document.getElementById("for_mashup");
          ENFORCE(Allow(Perm(out, "*")),
                  function () { mashup2(out, ...); });
        }

  21. Discussion: Scope of Enforcement (Lexical Scope)
        function mash(x, my) {
          ... my.secret ...
        }
        var r = ENFORCE(Deny(my, "secret"),
                        function () { mash(x, my); });
      Lexical scope: the restriction applies only to subphrases of mash(x, my). This does not impose proper demarcation: the untrusted body of mash runs without restriction.

  22. Discussion: Scope of Enforcement (Dynamic Scope)
        function mash(x, my) {
          ... my.secret ...
        }
        var r = ENFORCE(Deny(my, "secret"),
                        function () { mash(x, my); });
      Dynamic scope: the restriction applies throughout the execution of mash. This is the semantics of access permission contracts [POPL2012].

  23. Discussion: Scope of Enforcement (Dynamic Scope)
        function mash(x, my) {
          return function() {
            ... my.secret ...
          }
        }
        var r = ENFORCE(Deny(my, "secret"),
                        function () { return mash(x, my); });
        r(); // may access my.secret
      Dynamic scope: the restriction applies throughout the execution of mash (semantics of access permission contracts [POPL2012]). This does not impose proper demarcation: if the untrusted mash returned a function, then r(), i.e., code produced by mash, would run without restriction.

  24. Discussion: Scope of Enforcement (Wrapper Semantics)
        function mash(x, my) {
          return function() {
            ... my.secret ...
          }
        }
        var r = ENFORCE(Deny(my, "secret"),
                        function () { return mash(x, my); });
        r(); // no access to my.secret
      Wrapper semantics: the restriction applies to the execution of mash(x, my) and to all functions and objects produced by it, recursively. If mash(x, my) returns a function, then the function call r() runs with (at least) the same restriction as mash. This fits the requirements.

  26. Discussion: Scope of Enforcement (Wrapper Semantics for Higher-Order Functions)
        function mash(x, my) {
          ... x() ...
        }
        var r = ENFORCE(Deny(my, "secret"),
                        function () { mash(x, my); });

        // @syscall  or  // @callback
        function x() {
          ... my.secret ...
        }
      Suppose x is a function which is called in mash's body. Which restriction applies to the execution of x(...)?
      - Choice #1 (system call, annotation // @syscall): x's creation-time restriction
      - Choice #2 (callback, annotation // @callback): the same plus the call-site's restriction
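For the wrapper semantics of slides 23 and 24 and the higher-order choice on this slide, an added example that is not the authors' implementation (theirs lives in the JS engine): a library-level ENFORCE on a Proxy membrane. It assumes that the thunk receives the wrapped object and a wrap function as parameters, and that a SYSCALLS set stands in for the @syscall annotation; Deny and ENFORCE take the slides' names, everything else is an assumption.

```javascript
function Deny(obj, prop) { return { obj, prop }; }
// Functions in this set play the "// @syscall" role: called with raw arguments,
// so only their creation-time restriction applies. All other functions are
// "// @callback"s: they see wrapped arguments, so the call site's restriction
// applies in addition.
const SYSCALLS = new WeakSet();

function ENFORCE(deny, thunk) {
  const wrappers = new WeakMap(), raws = new WeakMap();
  const unwrap = (v) => (raws.has(v) ? raws.get(v) : v);
  const check = (t, key) => {
    if (t === deny.obj && key === deny.prop) throw new Error("denied: " + String(key));
  };
  function wrap(v) {
    if (v === null || (typeof v !== "object" && typeof v !== "function")) return v;
    if (raws.has(v)) return v;                       // already one of our proxies
    if (wrappers.has(v)) return wrappers.get(v);
    const proxy = new Proxy(v, {
      get(t, key, recv) { check(t, key); return wrap(Reflect.get(t, key, recv)); },
      set(t, key, val) { check(t, key); return Reflect.set(t, key, unwrap(val)); },
      // Results of every call through the membrane are wrapped again, so the
      // functions and objects the untrusted code produces stay restricted.
      apply(t, self, args) {
        const argv = SYSCALLS.has(t) ? args.map(unwrap) : args.map(wrap);
        return wrap(Reflect.apply(t, unwrap(self), argv));
      },
    });
    wrappers.set(v, proxy); raws.set(proxy, v);
    return proxy;
  }
  // The thunk gets the wrapped object plus wrap(): a library cannot interpose
  // on references the thunk closes over, which is the slides' engine argument.
  return wrap(thunk(wrap(deny.obj), wrap));
}
// Constructed demo. Slides 23/24: the closure that the untrusted thunk returns
// is wrapped, so calling it later is still denied access to my.secret.
function runReturned() {
  const my = { nickname: "honda", secret: "t243v3r" };
  const r = ENFORCE(Deny(my, "secret"), (m) => function () { return m.secret; });
  try { return r(); } catch (e) { return "denied"; }
}
// Slide 26: mash calls back x; callback semantics (default) vs. syscall for x.
function runHigherOrder(asSyscall) {
  const my = { nickname: "honda", secret: "t243v3r" };
  const x = (o) => o.secret;                       // base-application function
  if (asSyscall) SYSCALLS.add(x);
  const mash = (xf, m) => function () { return xf(m); };   // untrusted mashup
  const r = ENFORCE(Deny(my, "secret"), (m, w) => mash(w(x), m));
  try { return r(); } catch (e) { return "denied"; }
}
```

Only references handed through the membrane are interposed, so the thunk must take my as a parameter instead of closing over it; that gap is exactly why the last slide says total interposition is only achievable in the engine.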

  27. Who Should Use Access Restrictions?
      - Implementer of the base application wants to restrict mashups to guarantee confidentiality of the end user's data. Explicit. Instrumenting script tags.
      - End user wants to restrict applications. Global restriction. Mapping: URL → restrictions. Mapping prepared by a third party; might be too complicated / tedious for the end user.
      - Implementer of the mashup provides access restrictions: the run time can check compatibility before executing.

  28. Project Status
      - Formal, mechanized semantics
      - Properties of the semantics
      - Correctness of implementation
      - Ongoing implementations in Rhino & Firefox
      - Security application requires total interposition: only achievable in the JS engine (thank you, eval & friends!)
      - Corresponding gradual type system

  29. The End. Questions?
