Cross-Origin JavaScript Capability Leaks: Detection, Exploitation, and Defense

Cross-Origin JavaScript Capability Leaks: Detection, Exploitation, and Defense

Cached

Download Links

by Adam Barth , Joel Weinberger , Dawn Song

Citations:

BibTeX

@MISC{Barth_cross-originjavascript,
    author = {Adam Barth and Joel Weinberger and Dawn Song},
    title = {Cross-Origin JavaScript Capability Leaks: Detection, Exploitation, and Defense},
    year = {}
}

Bookmark

OpenURL

Abstract

We identify a class of Web browser implementation vulnerabilities, cross-origin JavaScript capability leaks, which occur when the browser leaks a JavaScript pointer from one security origin to another. We devise an algorithm for detecting these vulnerabilities by monitoring the “points-to ” relation of the JavaScript heap. Our algorithm finds a number of new vulnerabilities in the opensource WebKit browser engine used by Safari. We propose an approach to mitigate this class of vulnerabilities by adding access control checks to browser JavaScript engines. These access control checks are backwardscompatible because they do not alter semantics of the Web platform. Through an application of the inline cache, we implement these checks with an overhead of 1–2 % on industry-standard benchmarks. 1

Citations

191	Amoeba: A Distributed Operating System for the 1990s - Mullender, Rossum, et al. - 1990 (Show Context) Citation Context ...r JavaScript objects only if those objects are from the same security origin. 6 Related Work The operating system literature has a rich history of work on access control and object-capability systems =-=[13, 21, 23, 8]-=-. In this section, we focus on comparing our work to related work on access control and object-capability systems in Web browsers. FBJS, Caja, and ADsafe. Facebook, Yahoo!, and Google have developed J...
187	EROS: A Fast Capability System - Shapiro, Smith, et al. - 1999 (Show Context) Citation Context ...r JavaScript objects only if those objects are from the same security origin. 6 Related Work The operating system literature has a rich history of work on access control and object-capability systems =-=[13, 21, 23, 8]-=-. In this section, we focus on comparing our work to related work on access control and object-capability systems in Web browsers. FBJS, Caja, and ADsafe. Facebook, Yahoo!, and Google have developed J...
73	Secure web browsing with the op web browser - Grier, Tang, et al. - 2008 (Show Context) Citation Context ... opposite constraints: we cannot alter legacy content but we can change the browser. For these reasons, we recommend the opposite design point. Opus Palladianum. The Opus Palladianum (OP) Web browser =-=[6]-=- isolates security origins into separate sandboxed components. This component-based browser architecture makes it easier to reason about crossorigin JavaScript capability leaks because these capabilit...
73	The KeyKOS architecture - HARDY - 1985 (Show Context) Citation Context ...r JavaScript objects only if those objects are from the same security origin. 6 Related Work The operating system literature has a rich history of work on access control and object-capability systems =-=[13, 21, 23, 8]-=-. In this section, we focus on comparing our work to related work on access control and object-capability systems in Web browsers. FBJS, Caja, and ADsafe. Facebook, Yahoo!, and Google have developed J...
68	The Confused Deputy (or Why Capabilities Might Have - Hardy - 1988 (Show Context) Citation Context ...ined by the honest document, the DOM’s reference monitor allows the access [10]. However, if the attacker calls these functions with unexpected arguments, the functions might become confused deputies =-=[9]-=- and inadvertently perform the attacker’s misdeeds. Most Web sites contains innumerable laundries. We illustrate how an attacker can abuse a laundry by examining a representative laundry from the Prot...
53	Securing frame communication in browsers - Jackson, Barth, et al. - 2008 (Show Context) Citation Context ...rary properties of the object. This reference monitor does not forbid all accesses because some are desirable. For example, the postMessage method [10] is exposed across origins to facilitate mashups =-=[1]-=-. These exposed properties complicate the enforcement of the same-origin policy, which can lead to vulnerabilities.2.2 Capability Leaks Browsers occasionally contain bugs that leak JavaScript pointer...
51	Subspace: secure cross-domain communication for web mashups - Jackson, Wang - 2007 (Show Context) Citation Context ..., we illuminate the vulnerabilities by constructing proof-of-concept exploits using three different techniques. In addition, we apply our understanding of JavaScript pointers to breaking the Subspace =-=[11]-=- mashup design. 4.1 Test Suite To find example cross-origin JavaScript capability leaks, we run our instrumented browser through a test suite. Ideally, to reduce the number of false negatives, we woul...
25	An Analysis of Browser Domain-Isolation Bugs and A Light-Weight Transparent Defense Mechanism - Chen, Ross, et al. - 2007 (Show Context) Citation Context ...nces, but without a public implementation, we are unable to evaluate whether these inter-component references give rise to cross-origin JavaScript capability leaks. Script Accenting. Script accenting =-=[2]-=- is a technique for adding defense-in-depth to the browser’s enforcement of the same-origin policy. To mitigate mistaken script execution, the browser encrypts script source code with a key specific t...
11	Ankur Taly. An operational semantics for javascript - Maffeis, Mitchell - 2008 (Show Context) Citation Context ...bjects either by accessing properties of JavaScript object to which the script already has a JavaScript pointer or by conjuring certain built-in objects such as the global object and Object.prototype =-=[14]-=-. As in other objectcapability systems, the ability to influence an object is tied to the ability to designate the object. In browsers, a script can manipulate a JavaScript object only if the script h...
5	Protection and Access Control in Operating Systems - Lampson - 1972 (Show Context) Citation Context ...r JavaScript objects only if those objects are from the same security origin. 6 Related Work The operating system literature has a rich history of work on access control and object-capability systems =-=[13, 21, 23, 8]-=-. In this section, we focus on comparing our work to related work on access control and object-capability systems in Web browsers. FBJS, Caja, and ADsafe. Facebook, Yahoo!, and Google have developed J...
3	Clickjacking: Web pages can see and hear you - Grossman - 2008 (Show Context) Citation Context ... these objects to the Object.prototype of a foreign security origin, creating a vulnerability if, for example, a document uses the following script to “frame bust” [12] in order to avoid clickjacking =-=[7]-=- attacks: top.location.href = "http://example.com/"; Attacker Global Object@0x1c1d0040 location object@0x1c1d2720 object@0x1c1d2740 __proto__ __proto__ object@0x1c1d2700 Victim Global Object@0x1c1d13e...
2	A theory of taming - Miller (Show Context) Citation Context ...he underlying architectural security issue, but we recommend adopting the access control paradigm for two main reasons: • Adopting an object-capability discipline throughout the DOM requires “taming” =-=[15]-=- the DOM API. The current DOM API imbues every DOM node with the full authority of the node’s security origin because the API exposes a number of “universal” methods, such as innerHTML that can be use...
2	XPConnect wrappers. http://developer.mozilla.org/en/ docs/XPConnect_wrappers - Mozilla (Show Context) Citation Context ...res XOR encryption to achieve sufficient performance, but XOR encryption lacks the integrity protection required to make the scheme secure. Cross-Origin Wrappers. Firefox 3 uses cross-origin wrappers =-=[20]-=- to mitigate security vulnerabilities caused by cross-origin JavaScript capability leaks. Instead of exposing JavaScript objects directly to foreign security origins, Firefox exposes a “wrapper” objec...
2	Introducing SquirrelFish Extreme - Stachowiak - 2008 (Show Context) Citation Context ...Script Engine, Google Chrome’s V8 JavaScript engine, Firefox 3.5’s TraceMonkey JavaScript engine, and Opera 11’s Carakan JavaScript engine, optimize JavaScript property accesses using aninline cache =-=[24]-=-. (Of the major browser vendors, only Microsoft has yet to announce plans to implement this optimization.) These JavaScript engines group together JavaScript objects with the same “structure” (i.e., w...