Post on 28-Jul-2020
Cross-Origin JavaScript Capability Leaks: Detection, Exploitation, and Defense
Joint work with Adam Barth and Dawn Song
1
JavaScript is a simple language with complex security properties. Specifically, it is concerned about hostile code being run in a variety of JavaScript contexts. Take this example. We have (at least) three distinct JavaScript contexts: the ESPN page, an advertisement running in a frame, and NYTimes.com running in another tab. All of these could be running JavaScript.
JavaScript objects from one JavaScript context should not necessarily be accessible from another JavaScript context. This could lead to all sorts of malicious behavior such as accessing another site's cookies or changing the JavaScript of that page. In this work, we're particularly worried about a class of vulnerabilities that leaks JavaScript objects from one JavaScript context to another.
In particular, are there ways for one context to maliciously access objects and properties in another context?
2
In this work, we identify a new class of web browser security vulnerabilities which allow for the access of objects and properties in other JavaScript contexts. These vulnerabilities exploit a particular hole in the security enforcement by web browsers of their security policies. We call these vulnerabilities "Cross-Origin JavaScript Capability Leaks."
3
We also have created a dynamic analysis tool for detecting these vulnerabilities. We use a novel form of JavaScript heap graph analysis to accomplish this.
4
Using the tool, we find two real vulnerabilities in a major web browser. Additionally, we also use the tool to dissect a "safe" mashup JavaScript library and exploit it.
5
Finally, we propose a new enforcement mechanism for web browsers. We do not propose a new policy; we only propose a new, more effective, enforcement mechanism for current policies.
6
To start the talk, let's discuss the current JavaScript security model for object access. Then, we'll introduce the problem of Cross-Origin JavaScript Capability Leaks. We'll show a method of detecting these vulnerabilities. Finally, we'll discuss a general solution to this class of attacks.
7
The Document Object Model, or DOM, is the structure that represents many of the important objects on web pages, such as the document's cookie. It also allows for the physical manipulation of the web page itself. The DOM is not directly a part of the JavaScript engine; it is a set of built-in objects and methods for manipulating objects, but the JavaScript engine is theoretically separate from the DOM.
In order to gain access to DOM objects, the DOM does a security check to make sure that the accessing context is allowed to handle the specified object. If the JavaScript contexts match, the connection is granted and access given.
8
From the JS engine's perspective, the JavaScript context now holds a reference to the object.
9
If the JavaScript contexts do not match, then access is denied and no reference is given.
10
The JavaScript engine itself has a different way of doing things. It works as a capability system. If a JavaScript context is given a reference to a JS object, it has permission to access it. If no such reference exists, the object cannot be accessed. There is no way to "divine" objects in the JavaScript engine. This is sort of where the DOM comes in. If you need access to a DOM object, you can reference it, even if no particular object has a reference to it.
11
In short, inside of web browsers, there are two different mechanisms for security. On the one hand, the DOM provides access control checks when a DOM object is initially accessed.
12
On the other hand, the JavaScript engine treats all objects as capabilities, including DOM objects once they have been accessed and assigned to a variable.
13
You might start to get a sense that this situation is a bit odd. We have the DOM acting as an access control system and the JS engine as a capability system, both of which are dealing with the same JavaScript objects. Let's delve into the precise problem we're dealing with.
14
We've been talking about JavaScript rather abstractly so far, but what are all these JavaScript contexts, and what does it mean for a context to reference an object in another context?
What happens when one context has a reference to an object in another context? It turns out that JavaScript defines a set of very special objects called global objects. Each window and frame has its own global object, and, in fact, JavaScript engines define a JavaScript context by the global object of that context. Global objects have a number of special properties, the most important of which, for our purposes, is that the global object is the reference monitor for the DOM discussed earlier. Any context is allowed to access any global object, and the global object will perform the appropriate access control checks on accessed properties.
15
For example, the function "bar" may make a reference to the global object from the context "Window 1."
16
However, it would be bad if bar() was able to reference all of the objects that the global object points to. Fortunately, global objects provide the reference monitor, so this is not an issue.
17
It would also be very bad if bar() held a direct reference to either of the other objects in the "Window 1" context. Unfortunately, they do not have reference monitors wrapping them, so if bar() held a reference to them, it would be game over, unlike if it held a reference to the other context's global object.
18
So let's jump back to the two policies of the DOM and JavaScript engine. What happens when the two meet?
19
Specifically, let us assume that context 1 is granted access to an object through the reference monitor. From the perspective of the JavaScript engine, the context now holds a reference to the object, which is also a capability.
20
The JavaScript context can do whatever it wants with the reference, including handing the reference to another JavaScript context, on purpose or otherwise.
21
Because the engine is a capability system, the second context can now access the object with full permissions. Even though it is a DOM object, the access now bypasses the reference monitor check. Now, we haven't established that this is a problem yet per se; it is not clear that there is any way for a JavaScript context to do this illegitimately. However, it turns out that this is a serious problem because of a number of bugs in web browsers. In these bugs, a malicious script can "trick" the browser into thinking that it's from a different JavaScript context, thus gaining access to a sensitive object through the DOM access control. The malicious JavaScript context now has a capability to this object, so it can manipulate it however it sees fit, including all of the things that the object references.
22
This is a Cross-Origin JavaScript Capability Leak. One context leaks a capability reference to another context, and this second context now holds an unbridled reference to the DOM object. This is a very bad thing.
23
Let's discuss how to help detect these problems in an application using our heap graph analysis tool.
24
The state we want to detect is when an object from one context holds a reference to an object in a different context. Our solution is to use a heap graph analysis to dynamically mark the JavaScript context of all objects in the JavaScript heap and to throw an alert when there is a reference between two objects in different contexts. We modify the WebKit JavaScript engine to perform the instrumentation and analysis for this tool.
25
We needed to instrument the WebKit JavaScript engine with calls to our heap graph analysis library. These points are rather straightforward. Rather than putting the instrumentation in the interpreter and JIT, we placed the instrumentation within the object system entirely, since that is what we were concerned with. We placed instrumentation points at object creation, object destruction, and the creation of object references (along with several other specialized points).
26
Here's a graph of the empty page. Because we are tracking all objects on the heap, at any time we can dump an image of the heap as a Graphviz graph. Clearly, even the empty page is rather complex, and these graphs were mainly useful for (a) debugging our work, and (b) reduced versions are useful for finding exploits.
27
This is the heap graph of google.com. Clearly it is more complicated, but it turns out that google.com doesn't have that much JavaScript on it and still reaches this level of complexity.
28
The graphs can get rather big quickly. While even Google doesn't appear that large, things quickly explode on larger pages, making graphs rather unwieldy. Thus, we realized that we needed to automatically detect violations rather than just manually examining heap graphs.
29
The key insight to finding these exploits is how the JavaScript context is calculated. Remember that JavaScript contexts are defined by the global object they are associated with. When a new context is created, several things are built, including an instance of a global object and a unique "object prototype," which, in the prototype class hierarchy, serves as the ultimate parent of all objects.
30
When a new object is created, there is either a direct or indirect path to the Object prototype. This path goes through the special "__proto__" property. Thus, our algorithm tracks the creation of new contexts, and every time a new object is created, checks the __proto__ property, looking up the referenced object. Because the context is defined by the transitive closure of __proto__ references to the object prototype, we can assign the new object the context of its __proto__ object.
Along the way, if we ever come across a reference between two objects of different contexts (other than the __proto__ reference), we mark it as a potential problem. Of course, there are some exceptions to this, such as the global object, as discussed earlier, and we whitelist these.
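The context-labelling and edge-checking algorithm just described, as an added example in plain JavaScript; this is not code from the talk or from the authors' WebKit instrumentation. It models each context's Object prototype as a distinct null-prototype root, assigns an object to the context whose root ends its __proto__ chain, and reports every property reference that crosses contexts except references to whitelisted global objects. The two contexts, the document objects, the `__isGlobal` marker and the mis-prototyped `location` object are all constructed for the example; the last one mirrors the lazily created location object described later in the talk.

```javascript
// Registry of root "Object prototypes": root -> context name. A real engine
// creates one such root per window or frame; here two are built by hand.
const contextOfRoot = new Map();

function createContext(name) {
  const objectPrototype = Object.create(null); // this context's Object.prototype
  contextOfRoot.set(objectPrototype, name);
  const globalObject = Object.create(objectPrototype);
  globalObject.__isGlobal = true; // constructed stand-in for the whitelist
  return { name, objectPrototype, globalObject };
}

// Follow __proto__ links to the root; the root decides the object's context.
function contextOf(obj) {
  let cur = obj;
  while (Object.getPrototypeOf(cur) !== null) cur = Object.getPrototypeOf(cur);
  return contextOfRoot.get(cur) || 'unknown';
}

// Depth-first walk over every object reachable from the given roots (a shared
// visited set keeps one report per edge). Each property reference whose two
// endpoints belong to different contexts is reported, unless the referenced
// object is a global object, which carries its own reference monitor.
function findCrossContextReferences(roots) {
  const seen = new Set();
  const leaks = [];
  function visit(obj, path) {
    if (seen.has(obj)) return;
    seen.add(obj);
    const from = contextOf(obj);
    for (const key of Object.keys(obj)) {
      const child = obj[key];
      if (child === null || typeof child !== 'object') continue;
      const to = contextOf(child);
      if (from !== to && !child.__isGlobal) {
        leaks.push({ path: `${path}.${key}`, from, to });
      }
      visit(child, `${path}.${key}`);
    }
  }
  for (const [label, obj] of roots) visit(obj, label);
  return leaks;
}

// Constructed heap: two windows, each with a document built from its own root.
const window1 = createContext('context1');
const window2 = createContext('context2');
window1.globalObject.document = Object.create(window1.objectPrototype);
window2.globalObject.document = Object.create(window2.objectPrototype);

// Legitimate cross-context edge: a reference to the other window's global
// object. It is whitelisted because the global object checks accesses itself.
window2.globalObject.parent = window1.globalObject;

// Constructed bug: an object that belongs to window 1 but was created with
// window 2's Object prototype, so its __proto__ chain labels it context2.
window1.globalObject.location = Object.create(window2.objectPrototype);

function scanBothWindows() {
  return findCrossContextReferences([
    ['window1', window1.globalObject],
    ['window2', window2.globalObject],
  ]);
}
```

Running `scanBothWindows()` reports exactly one edge, `window1.location` from context1 to context2; the `parent` edge from window 2 to window 1's global object is not reported because the target is whitelisted. Real engines do not expose a per-context root this directly, which is why the authors instrumented object creation inside the engine rather than walking the heap from script.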
31
We were able to generate fairly good coverage by executing our tool across all of the WebKit regression tests. Of course, this is hardly a complete test, but we were simply trying to find proof-of-concept vulnerabilities, not perform an exhaustive search of all possible cross-origin references.
32
This "zooms in" on one of the vulnerabilities we found. Here, the black represents an object from security context 1 while the white represents objects from security context 2. This is what we particularly want to detect: one JavaScript context referencing another. Despite the graphs being so large, we can perform this reachability analysis rather quickly.
In this example, the vulnerability occurred in WebKit because it was lazily creating the location object. If the location object was created during the execution of another context (i.e. if it belonged to context 1, but context 2 was accessing it), it would be created with the wrong Object prototype. This is dangerous because it allows the object to redefine the behavior of functions, such as toString, that apply to all Objects created in the other context. Then, if that function is called, arbitrary JavaScript will be executed.
33
Overall, in our test setup, we found 2 vulnerabilities in WebKit among the 143 tests run. Additionally, we found that the CrossSafe cross-domain JSON request library had a number of vulnerabilities. In all cases, we were able to design subtle exploits of the vulnerabilities that created arbitrary code execution in the other security context.
34
The good news is that we have a proposal to prevent these problems in the future.
35
Here we have a small view of some of the objects in current web browsers. For the most part, if there is a leak in the browser that gives an object from one context to a second context, that second context can access those objects. Yes, there are some exceptions, such as wrapped objects in Firefox, but those are hardly exhaustive and cannot cover cases for which objects are not explicitly wrapped.
In this particular example, function bar() in Window 2 has access to Window 2's document object (as it should), but it also holds a reference to the document object of Window 1, which it can now access.
Our solution is to add an access control check to get and put operations to make it look more like this…
36
These checks will verify that the JavaScript contexts of the two objects in question match. If not, the engine should reject the access. It's a simple idea that has been considered in the past. However, people have been very concerned about its performance. Additionally, we had concerns initially that it would be difficult to assure that all the places that need access control checks would be easy to find, and that such an implementation would be error prone itself. As to the implementation concerns, we discovered that there are relatively few places where this actually needs to be calculated, and it's fairly clear where those points are. Additionally, in a non-prototype implementation, the access control checks could be built in as a more fundamental and simple mechanism in WebKit, thereby reducing the number of places where checks would have to be explicitly placed.
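The proposed get/put check, as an added example that models the engine-level mechanism at the library level; this is not code from the talk or from the authors' WebKit prototype. Every object is tagged at creation with the context that created it (a WeakMap stands in for the engine's per-object context bookkeeping), and a Proxy intercepts get and put, comparing the context of the running script with the context of the target and rejecting the access on mismatch. Global objects are exempt because they act as reference monitors. The contexts, documents, cookie strings and the `bar()` function are constructed for the example and follow the Window 1 / Window 2 scenario above.

```javascript
const ownerOf = new WeakMap(); // object -> context that created it
const globals = new WeakSet(); // objects that are global objects

// The engine records the creating context for every object; modelled here.
function createObject(context, isGlobal = false) {
  const obj = {};
  ownerOf.set(obj, context);
  if (isGlobal) globals.add(obj);
  return obj;
}

// The access control check itself: the accessor's context must match the
// target's context, except for global objects, which check accesses themselves.
function checkAccess(target, accessorContext, op, key) {
  if (globals.has(target)) return;
  const owner = ownerOf.get(target);
  if (owner !== accessorContext) {
    throw new Error(`${op} of '${String(key)}' denied: object belongs to ${owner}, accessor is ${accessorContext}`);
  }
}

// Wrap an object so that every get and put performed by code running in
// `accessorContext` is checked. Objects reached through a get are wrapped too,
// so a leaked reference cannot be used to walk further into the other context.
function guard(obj, accessorContext) {
  if (obj === null || typeof obj !== 'object') return obj;
  return new Proxy(obj, {
    get(target, key) {
      checkAccess(target, accessorContext, 'get', key);
      return guard(Reflect.get(target, key), accessorContext);
    },
    set(target, key, value) {
      checkAccess(target, accessorContext, 'put', key);
      return Reflect.set(target, key, value);
    },
  });
}

// Constructed scenario: two windows with their own documents and cookies.
const window1 = createObject('context1', true);
const window2 = createObject('context2', true);
window1.document = createObject('context1');
window1.document.cookie = 'session=constructed-secret';
window2.document = createObject('context2');
window2.document.cookie = 'theme=dark';

// bar() runs in context 2 and, as in the leak scenario, holds references to
// both documents. With checks in place only its own document is usable.
function bar(ownDocument, leakedDocument) {
  const results = {};
  ownDocument.title = 'hello';          // put within own context: allowed
  results.own = ownDocument.cookie;     // get within own context: allowed
  try {
    results.leaked = leakedDocument.cookie;   // get across contexts: rejected
  } catch (e) {
    results.leaked = 'denied';
  }
  try {
    leakedDocument.title = 'changed';         // put across contexts: rejected
    results.leakedPut = 'allowed';
  } catch (e) {
    results.leakedPut = 'denied';
  }
  return results;
}

function runBar() {
  return bar(guard(window2.document, 'context2'), guard(window1.document, 'context2'));
}
```

`runBar()` returns `{ own: 'theme=dark', leaked: 'denied', leakedPut: 'denied' }`, and window 1's document is left untouched. Reaching window 1's document through window 1's global object is allowed by the check (the global object is the reference monitor), but the document handed back is wrapped, so the following `cookie` read is still rejected.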
37
The access control adds negligible performance hits to general benchmarks. Across all of the major industry benchmarks, our access control prototype adds no more than 2% overhead to the base implementation (+/- error).
However, if you consider that in the last year alone there has been a 300% performance increase to WebKit, a 2% hit starts to look a bit paltry.
38
We hypothesized that our access control was relatively fast because of the inline cache in the new WebKit implementation. In short, for most objects, when a property is looked up the first time, it is looked up in a hash table and the offset into the structure is recorded. When that particular piece of code runs again in the future, instead of hashing, the property is accessed by going directly into the structure with the recorded offset. Because of the offset lookup, we know that the accessing context has access to this object, because the first lookup made an access control check. However, whenever a property is deleted, this lookup system is forgone and a hash table lookup is done, making an access control check every time.
In order to test if the inline cache is what's causing the speedup, we made micro-benchmarks for repeatedly reading and writing an object property. In two of the benchmarks, however, we deleted a property from the object first, thus forcing the lookups to occur in the hash table rather than through the inline cache. As the chart clearly shows, where the inline cache is used, there is hardly a noticeable slowdown. However, when the cache is not in use, there is a 9-10% slowdown in the access control implementation.
39
In conclusion, we have introduced a novel tool using heap graph analysis to aid us in finding a new class of vulnerabilities in web browsers, cross-origin JavaScript capability leaks. Additionally, the damage of these vulnerabilities can be mitigated in the future by implementing a new access control mechanism in the web browser.
40