Cross‐Origin JavaScript Capability Leaks Detecon: Detecon ... · from another JavaScript context....

Cross‐OriginJavaScriptCapabilityLeaksDetec9on:Detec9on,Exploita9on,andDefense

JointworkwithAdamBarthandDawnSong

JavaScriptisasimplelanguagewithcomplexsecurityproper9es.Specifically,itisconcernedabouthos9lecodebeingruninavarietyofJavaScriptcontexts.Takethisexample.Wehave(atleast)threedis9nctJavaScriptcontexts:theESPNpage,anadver9sementrunninginaframe,andNYTimes.comrunninginanothertab.AllofthesecouldberunningJavaScript.

JavaScriptobjectsfromoneJavaScriptcontextshouldnotnecessarilybeaccessiblefromanotherJavaScriptcontext.Thiscouldleadtoallsortsofmaliciousbehaviorsuchasaccessinganothersite’scookiesorchangingtheJavaScriptofthatpage.Inthiswork,we’repar9cularlyworriedaboutaclassofvulnerabili9esthatleaksJavaScriptobjectsfromoneJavaScriptcontexttoanother.

Inpar9cular,aretherewaysforonecontexttomaliciouslyaccessobjectsandproper9esinanothercontext?

Inthiswork,weiden9fyanewclassofwebbrowsersecurityvulnerabili9eswhichallowfortheaccessofobjectsandproper9esinotherJavaScriptcontexts.Thesevulnerabili9esexploitapar9cularholeinthesecurityenforcementbywebbrowsersoftheirsecuritypolicies.Wecallthesevulnerabili9es“Cross‐OriginJavaScriptCapabilityLeaks.”

Wealsohavecreatedadynamicanalysistoolfordetec9ngthesevulnerabili9es.WeuseanovelformofJavaScriptheapgraphanalysistoaccomplishthis.

Usingthetool,wefindtwoseveralrealvulnerabili9esinamajorwebbrowser.Addi9onally,wealsousetothetooltodissecta“safe”mashupJavaScriptlibraryandexploitit.

Finally,weproposeanewenforcementmechanismforwebbrowsers.Wedonotproposeanewpolicy;weonlyproposeanew,moreeffec9ve,enforcementmechanismforcurrentpolicies.

Tostartthetalk,let’sdiscussthecurrentJavaScriptsecuritymodelforobjectaccess.Then,we’llintroducetheproblemofCross‐OriginJavaScriptCapabilityLeaks.We’llshowamethodofdetec9ngthesevulnerabili9es.Finally,we’lldiscussageneralsolu9ontothisclassofa_acks.

TheDocumentObjectModel,orDOM,isthestructurethatrepresentsmanyoftheimportantobjectsonwebpages,suchasthedocument’scookie.Italsoallowsforthephysicalmanipula9onofthewebpageitself.TheDOMisnotdirectlyapartoftheJavaScriptengine;itisasetofbuiltinobjectsandmethodsformanipula9ngobjects,buttheJavaScriptengineistheore9callyseparatefromtheDOM.

InordertogainaccesstoDOMobjects,theDOMdoesasecuritychecktomakesurethattheaccessingcontextisallowedtohandlethespecifiedobject.IftheJavaScriptcontextsmatch,theconnec9onisgrantedandaccessgiven.

FromtheJSEngine’sperspec9ve,theJavaScriptcontextnowholdsareferencetotheobject.

IftheJavaScriptcontextsdonotmatch,thenaccessisdeniedandnoreferenceisgiven.

TheJavaScriptengineitselfhasadifferentwayofdoingthings.Itworksasacapabilitysystem.IfaJavaScriptcontextisgivenareferencetoaJSobject,ithaspermissiontoaccessit.Ifnosuchreferenceexists,theobjectcannotbeaccessed.Thereisnowayto“divine”objectsintheJavaScriptengine.ThisissortofwheretheDOMcomesin.IfyouneedaccesstoaDOMobject,youcanreferenceit,evenifnopar9cularobjecthasareferencetoit.

Inshort,insideofwebbrowsers,therearetwodifferentwaysmechanismsforsecurity.Ontheonehand,theDOMprovidesaccesscontrolcheckswhenaDOMobjectisini9allyaccessed.

Ontheotherhand,theJavaScriptenginetreatsallobjectsascapabili9es,includingDOMobjectsoncetheyhavebeenaccessedandassignedavariable.

Youmightstarttogetasensethatthissitua9onisabitodd.WehavetheDOMac9ngasanaccesscontrolsystemandtheJSEngineasacapabilitysystem,bothofwhicharedealingwiththesameJavaScriptobjects.Let’sdelveintothepreciseproblemwe’redealingwith.

We’vebeentalkingaboutJavaScriptratherabstractlysofar,butwhatarealltheseJavaScriptcontexts,andwhatdoesitmeanforacontexttoreferenceanobjectinanothercontext?

Whathappenswhenonecontexthasareferencetoanobjectinanothercontext?ItturnsoutthatJavaScriptdefinesasetofveryspecialobjectscalledglobalobjects.Eachwindowandframehasitsownglobalobject,and,infact,JavaScriptcontextsaredefinedbyJavaScriptenginesbytheglobalobjectofthecontext.Globalobjectshaveanumberofspecialproper9es,themostimportantofwhich,forourpurposes,isthatitisthereferencemonitorfortheDOMdiscussedearlier.Anycontextisallowedtoaccessanyglobalobjectandtheitwillperformtheappropriateaccesscontrolchecksonaccessedproper9es.

Forexample,thefunc9on“bar”maymakeareferencetotheglobalobjectfromthecontext“Window1.”

However,itwouldbebadifbar()wasabletoreferencealloftheobjectsthattheglobalobjectpointsto.Fortunately,globalobjectsprovidethereferencemonitor,sothisisnotanissue.

Itwouldalsobeverybadifbar()heldadirectreferencetoeitheroftheotherobjectsinthe“Window1”context.Unfortunately,theydonothavereferencemonitorswrappingthem,soifbar()heldareferencetothem,itwouldbegameover,unlikeifitheldareferencetotheothercontext’sglobalobject.

Solet’sjumpbacktothetwopoliciesoftheDOMandJavaScriptengine.Whathappenswhenthetwomeet?

Specifically,letusassumethatcontext1isgrantedaccesstoanobjectthroughthereferencemonitor.Fromtheperspec9veoftheJavaScriptengine,thecontextnowholdsareferencetotheobjectwhichisalsoacapability.

TheJavaScriptcontextcandowhateveritwantswiththereference,includinghandingthereferencetoanotherJavaScriptcontext,onpurposeorotherwise.

Becausetheengineisacapabilitysystem,itnowcanaccesstheobjectwithfullpermissions.EventhoughitisaDOMobject,itisnowbypassingthereferencemonitorcheck.Now,wehaven’testablishedthisaproblemyetperse;itisnotclearthatthereisanywayforaJavaScriptcontexttodothisillegi9mately.However,itturnsoutthatthisisaseriousproblembecauseofanumberofbugsinwebbrowsers.Inthesebugs,amaliciousscriptcan“trick”thebrowserintothinkingthatit’sfromadifferentJavaScriptcontext,thusgainingaccesstoasensi9veobjectthroughtheDOMaccesscontrol.ThemaliciousJavaScriptcontextnowhasacapabilitytothisobjectsoitcanmanipulateithoweveritseesfit,includingallofthethingstowhichitreferences.

ThisisaCross‐OriginJavaScriptCapabilityLeak.Onecontextleaksacapabilityreferencetoanothercontext,andthissecondcontextnowholdsanunbridledreferencetotheDOMobject.Thisisaverybadthing.

Let’sdiscusshowtohelpdetecttheseproblemsinanapplica9onusingourheapgraphanalysistool.

Thestatewewanttodetectiswhenanobjectfromonecontextholdsareferencetoanobjectinadifferentcontext.Oursolu9onistouseaheapgraphanalysistodynamicallymarktheJavaScriptcontextofallobjectsintheJavaScriptheapandtothroughanalertwhenthereisareferencebetweentwoobjectsindifferentcontexts.WemodifytheWebKitJavaScriptenginetoperformtheinstrumenta9onandanalysisforthistool.

WeneededtoinstrumenttheWebKitJavaScriptenginewithcallstoourheapgraphanalysislibrary.Thesepointsareratherstraighhorward.Ratherthanpujngtheinstrumenta9onintheinterpreterandJIT,weplacedtheinstrumenta9onwithintheobjectsystemen9relysincethatiswhatwewereen9relyconcernedwith.Weplacedinstrumenta9onpointsatobjectcrea9on,objectdestruc9on,andthecrea9onofobjectreferences(alongwithseveralotherspecializedpoints).

Here’sangraphoftheemptypage.Becausewearetrackingallobjectsontheheap,atany9mewecandumpanimageoftheheapasaGraphvizgraph.Clearly,eventheemptypageisrathercomplex,andthesegraphsweremainlyusefulfor(a)debuggingourwork,and(b)reducedversionsareusefulforfindingexploits.

Thisistheheapgraphofgoogle.com.Clearly,morecomplicatedbutitturnsoutthatgoogle.comdoesn’thavethatmuchJavaScriptonitandevenreachesthislevelofcomplexity.

Thegraphscangetratherbigquickly.WhileevenGoogledoesn’tappearthatlarge,thingsquicklyexplodeonlargerpages,makinggraphsratherunwieldy.Thus,werealizedthatweneededtoautoma9callydetectviola9onsratherthanjustmanuallyexaminingheapgraphs.

ThekeyinsighttofindingtheseexploitsishowtheJavaScriptcontextiscalculated.RememberthatJavaScriptcontextsaredefinedbytheglobalobjecttheyareassociatedwith.Whenanewcontextiscreated,severalthingsarebuilt,includingainstanceofaglobalobject,andaunique“objectprototype,”which,intheprototypeclasshierarchy,servesastheul9mateparentofallobjects.

Whenanewobjectiscreated,thereiseitheradirectorindirectpathtotheObjectPrototype.Thispathgoesthroughthespecial“__proto__”property.Thus,ouralgorithmtracksthecrea9onofnewcontexts,andevery9meanewobjectiscreated,checksthe__proto__property,lookingupthereferencedobject.Becausethecontextisdefinedbythetransi9veclosureof__proto__referencestotheobjectprototype,wecanassignthenewobjectthecontextof__proto__object.

Alongtheway,ifweeverycomeacrossareferencebetweentwoobjectsofdifferentcontexts(otherthanthe__proto__reference),wemarkitasapoten9alproblem.Ofcourse,therearesomeexcep9onstothis,suchastheglobalobject,asdiscussedearlier,andwewhitelistthese.

Wewereabletogeneratefairlygoodcoveragebyexecu9ngourtoolacrossalloftheWebKitregressiontests.Ofcourse,thisishardlyacompletetest,butweweresimplytryingtofindproof‐of‐conceptvulnerabili9es,notperformanexhaus9vesearchofallpossiblecross‐originreferences.

This“zoomsin”ononeofthevulnerabili9eswefound.Here,theblackrepresentsanobjectfromsecuritycontext1whilethewhiterepresentsobjectsfromsecuritycontext2.Thisiswhatwepar9cularlywanttodetect…oneJavaScriptcontextreferencinganother.Despitethegraphsbeingsolarge,wecanperformthisreachabilityanalysisratherquickly.

Inthisexample,thevulnerabilityoccurredinWebKitbecauseitwaslazilycrea9ngtheloca9onobject.Iftheloca9onobjectwascreatedduringtheexecu9onofanothercontext(i.e.ifitbelongedtocontext1,butcontext2wasaccessingit),itwouldbecreatedwiththewrongObjectprototype.Thisisdangerousbecauseitallowstheobjecttoredefinethebehavioroffunc9ons,suchastoString,thatapplytoallObjectscreatedintheothercontext.Then,ifthatfunc9oniscalled,arbitraryJavaScriptwillbeexecuted.

Overall,inourtestsetup,wefound2vulnerabili9esinWebKitamongthe143testsran.Addi9onallywefoundthattheCrossSafecross‐domainJSONrequestlibraryhadanumberofvulnerabili9es.Inallcases,wewereabletodesignsubtleexploitsofthevulnerabili9esthatcreatedarbitrarycodeexecu9onintheothersecuritycontext.

Thegoodnewsisthatwehaveaproposaltopreventtheseproblemsinthefuture.

Herewehaveasmallviewofsomeoftheobjectsincurrentwebbrowsers.Forthemostpart,ifthereisaleakinthebrowserthatgivesanobjectfromcontexttoasecondcontext,thatcontextcanaccessthoseobjects.Yes,therearesomeexcep9ons,suchaswrappedobjectsinFirefox,butthosearehardlyexhaus9veandcannotcovercasesforwhichobjectsarenotexplicitlywrapped.

Inthispar9cularexample,func9onbar()inWindow2hasaccesstoWindow2’sdocumentobject(asitshould),butitalsoholdsareferencetothedocumentobjectofWindow1,whichitcannowaccess.

Oursolu9onistoaddanaccesscontrolchecktogetandputopera9onstomakeitlookmorelikethis…

ThesecheckswillverifythattheJavaScriptcontextofthetwoobjectsinques9onmatch.Ifnot,theengineshouldrejecttheaccess.It’sasimpleideathathasbeenconsideredinthepast.Howeverpeoplehavebeenveryconcernedaboutitsperformance.Addi9onally,wehadconcernsini9allythatitwouldbedifficulttoassurethatallthatplacesthatneedtohaveaccesscontrolcheckswouldbeeasytofindandsuchanimplementa9onwouldbeerrorproneitself.Astotheimplementa9onconcerns,wediscoveredthattherearerela9velyfewplacesthatthisneedstobeactuallycalculated,andit’sfairlyclearwherethosepointsare.Addi9onally,inanon‐prototypeimplementa9on,theaccesscontrolcheckscouldbebuiltinasamorefundamentalandsimplemechanisminWebKit,therebyreducingthenumberofplacescheckswouldhavetobeexplicitlyplaced.

Theaccesscontroladdsnegligibleperformancehitstogeneralbenchmarks.Acrossallofthemajorindustrybenchmarks,ouraccesscontrolprototypeaddsnomorethan2%overheadtothebaseimplementa9on(+/‐error).

However,ifyouconsiderthatInthelastyearalonetherehasbeena300%performanceincreasetoWebKit,a2%hitstartstolookabitpaltry..

Wehypothesizedthatouraccesscontrolwasrela9velyfastbecauseoftheinlinecacheinthenewWebKitimplementa9on.Inshort,formostobjects,whenapropertyislookedupthefirst9me,itislookedupinahashtableandtheoffsetintothestructureisrecorded.Whenthatpar9cularpieceofcodeisaccessedagaininthefuture,Insteadofhashinginfuturelookups,thepropertyisaccessedbyjustgoingdirectlyintothestructurewiththerecordedoffset.Becauseoftheoffsetlookup,weknowthattheobjecthasaccesstothisobjectbecausethefirstlookupmadeanaccesscontrolcheck.However,wheneverapropertyisdeleted,thislookupsystemisforgoneandahashtablelookupisdone,makinganaccesscontrolcheckevery9me.

Inordertotestiftheinlinecacheiswhat’scausingthespeedup,wemademicro‐benchmarksforrepeatedlyreadingandwri9nganobjectproperty.Intwoofthebenchmarks,however,wedeletedapropertyfromtheobjectfirst,thusforcingthelookupstooccurinthehashtableratherthanthroughtheinlinecache.Asthechartclearlyshows,wheretheinlinecacheisused,thereishardlyano9ceableslowdown.However,whenthecacheisnotinuse,thereisa9‐10%slowdownintheaccesscontrolimplementa9on.

Inconclusion,wehaveintroducedanoveltoolusingheapgraphanalysistoaidusinfindinganewclassofvulnerabili9esinwebbrowsers,cross‐originJavaScriptcapabilityleaks.Addi9onally,thedamageofthesevulnerabili9escanbemi9gatedinthefuturebeimplemen9nganewaccesscontrolmechanisminthewebbrowser.

Cross‐Origin JavaScript Capability Leaks Detecon: Detecon ... · from another JavaScript context....

Documents

Transcript of Cross‐Origin JavaScript Capability Leaks Detecon: Detecon ... · from another JavaScript context....

Detecon Study Costing System Maturity in Telecommunications Companies. Results of a Detecon Survey

Detecon Opinion Paper International Brand Positioning and Insight from Brain Research

INTEGRAL BUSINESS @ DETECON

Transformation, HR & Restructuring Best-Practice - DMR Blue Special - Detecon

DETECON Technical Final Report part1-1

TowardsFullyReflectiveEnvironments · talk, Ruby, Javascript, or Python, via reflective APIs. ForinstanceSmalltalk,withitsreflectiveobjectmodel, ... with another algorithm for

Detecon Study

Future work@detecon teaser 2016 incl. references

Smart Working / Future Work - Praxisbeispiel Detecon (Absolventenkongress 2014)

Detecon - Innovation in Practice

Detecon Study Impact of the Financial Crisis on the European Telecommunications Industry: Results of the Detecon Survey

BMW Brilliance Automotive - Detecon

Document1 1 - Tripod.commaher.kamal.tripod.com/detecon.pdf · DETECON GmbH Postfach 2601 01 • 5300 Bonn 2 DETECON Deutsche Telepost Consulting GmbH Beteiligungsgesellschaft der

ARTINALI: Dynamic Invariant Detecon for Cyber-Physical ...blogs.ubc.ca/karthik/files/2017/09/FSE17-slides.pdf · Dynamic Invariant Detecon for Cyber-Physical System Security Maryam

Detecon Policy Making Workshop

Detecon Opinion Paper P2P TV: a looming media revolution?

STUDIE - Detecon · 2019-10-17 · Studie „Digital Twin – Enabler für Ökosysteme von morgen“, welche die Managementberatung Detecon in Kooperation mit dem Cross-Business-Architecture

Detecon Study Management Reporting: A Study by Detecon (Switzerland) AG in Cooperation with the University of St. Gallen

Interview with Thies-Christian Bruhn, - Detecon€¦ · 53 Detecon Management Report blue • 2015 such as sales and marketing where it is advantageous to bring in some fresh air

Detecon Opinion Paper Architektur für ein zukunftsorientiertes Skill-Management