Sandboxing JavaScript via Libraries and Wrappers

Presented at AppSec USA 2013, Nov. 20, 2013, 4 p.m. (50 minutes).

The large majority of websites nowadays embeds third-party JavaScript into their pages, coming from external partners. Ideally, these scripts are benign and come from trusted sources, but over time, these third-party scripts can start to misbehave, or to come under control of an attacker. Unfortunately, the state-of-practice integration techniques for third- party scripts do not impose restrictions on the execution of JavaScript code, allowing such an attacker to perform unwanted actions on behalf of the website owner and/or website visitor. In this paper, we present a two-tier sandbox architecture to enable a website owner to enforce modular fine- grained security policies for potential untrusted third-party JavaScript code. The architecture contains an outer sand- box that provides strong baseline isolation guarantees with generic, coarse-grained policies and an inner sandbox that enables fine-grained, stateful policy enforcement specific to a particular untrusted application. The two-tier approach ensures that the application-specific policies and untrusted code are by default confined to a basic security policy, with- out imposing restrictions on the expressiveness of the policies. Our proposed architecture improves upon the state-of-the- art as it does not depend on browser modification nor pre-processing or transformation of untrusted code, and allows the secure enforcement of fine-grained, stateful access control policies. We have developed a prototype implementation on top of a open-source sandbox library in the ECMAScript 5 specification, and validated it with several real-world JavaScript applications such as Google Analytics, Google Maps, and jQuery UI.

Presenters:

  • Phu Phung - Research Associate - University of Illinois at Chicago
    Dr Phu Phung is a Research Associate at the University of Illinois at Chicago from December 2012, employed by the University of Gothenburg, Sweden. From October, 2011 to December 2012, he was a postdoctoral researcher at Department of Computer Science and Engineering, Chalmers University of Technology, where he received his PhD in October, 2011. Phu's research directions include web application security, runtime policy enforcement for untrusted software, and policy enforcement for cloud-based sustainability governance platforms. He was involved in the European WebSand project which aims to provide an end-to-end security framework for web applications. Currently, he is working on a NSF-funded project for securing the web advertisements, and on a DARPA-funded project for building a defensive optimizing compiler.

Links:

Similar Presentations: