Treehouse: Javascript Sandboxes to Help Web Developers Help Themselves

Many Web applications (meaning sites that employ JavaScript) incorporate third-party code and, for reasons rooted in today's Web ecosystem, are vulnerable to bugs or malice in that code. Our goal is to give Web developers a mechanism that (a) contains included code, limiting (or eliminating) its influence as appropriate; and (b) is deployable today, or very shortly. While the goal of containment is far from new, the requirement of deployability leads us to a new design point, one that applies the OS ideas of sandboxing and virtualization to the JavaScript context. Our approach, called TreeHouse, sandboxes JavaScript code by repurposing a feature of current browsers (namely Web Workers). TreeHouse virtualizes the browser's API to the sandboxed code (allowing the code to run with few or no modifications) and gives the application author fine-grained control over that code. Our implementation and evaluation of TreeHouse show that its overhead is modest enough to handle performance-sensitive applications and that sandboxing existing code is not difficult.
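The abstract describes a split design: untrusted code runs where it has no DOM (a Web Worker), it is handed a virtualized stand-in for the browser API, and every effect it attempts crosses a message boundary to the host page, where the application author's policy decides what is actually applied. The following is an added example of that broker pattern, not code from the TreeHouse paper or its implementation. The names (makeVirtualDocument, applyMessage, AD_POLICY, runGuest), the policy shape and the toy DOM tree are all invented here, and the two halves are wired together in one process with a plain callback instead of across a real Worker so that it runs offline in Node.

```javascript
// Added illustration of a TreeHouse-style broker; not the paper's code.
// In a real deployment the "sandbox side" runs inside a Web Worker and the
// two halves talk only via postMessage; here the send() callback plays the
// role of that channel, which is why every call is a plain JSON message.

// ---------- sandbox side: the only "document" the guest script sees ----------
function makeVirtualDocument(send) {
  const handle = (id) => ({
    setText(text)             { send({ op: 'setText', id, text }); },
    setAttribute(name, value) { send({ op: 'setAttribute', id, name, value }); },
    appendChild(tag, childId) { send({ op: 'append', id, tag, childId }); },
  });
  return {
    getElementById: (id) => handle(id),
    // The worker never holds the real cookie; the host decides whether to answer.
    get cookie() { send({ op: 'readCookie' }); return ''; },
  };
}

// ---------- host side: the only place with the real DOM ----------
// A tiny tree standing in for the page's DOM (constructed for this example).
function makeDom() {
  return { id: 'page', tag: 'body', text: '', attrs: {}, children: [
    { id: 'content', tag: 'main', text: 'real content', attrs: {}, children: [] },
    { id: 'ad-slot', tag: 'div',  text: '',             attrs: {}, children: [] },
  ] };
}

function find(node, id) {
  if (node.id === id) return node;
  for (const c of node.children) { const hit = find(c, id); if (hit) return hit; }
  return null;
}

// Policy the application author writes for one guest script (hypothetical shape).
const AD_POLICY = {
  root: 'ad-slot',                                      // guest may touch only this subtree
  ops: new Set(['setText', 'setAttribute', 'append']),  // readCookie deliberately absent
  attrPattern: /^(class|title|alt|data-[a-z-]+)$/,      // no on*, no src/href: those carry script or URLs
};

// Validate one message against the policy; returns a reason string, or null if allowed.
function checkMessage(dom, policy, msg) {
  if (!policy.ops.has(msg.op)) return `op ${msg.op} not permitted`;
  const root = find(dom, policy.root);
  if (!root) return 'policy root missing from DOM';
  if (!find(root, msg.id)) return `element ${msg.id} outside guest subtree`;
  if (msg.op === 'setAttribute' && !policy.attrPattern.test(msg.name)) return `attribute ${msg.name} not permitted`;
  if (msg.op === 'append' && find(dom, msg.childId)) return `id ${msg.childId} already in use`;
  return null;
}

// Apply a message to the host DOM if the policy allows it; returns {ok, reason}.
function applyMessage(dom, policy, msg) {
  const reason = checkMessage(dom, policy, msg);
  if (reason) return { ok: false, reason };
  const target = find(dom, msg.id);
  switch (msg.op) {
    case 'setText':      target.text = String(msg.text); break;
    case 'setAttribute': target.attrs[msg.name] = String(msg.value); break;
    case 'append':       target.children.push({ id: msg.childId, tag: msg.tag, text: '', attrs: {}, children: [] }); break;
  }
  return { ok: true };
}

// Run a guest script against a fresh DOM and record every broker decision.
function runGuest(guest, policy = AD_POLICY) {
  const dom = makeDom();
  const log = [];
  const vdoc = makeVirtualDocument((msg) => log.push({ msg, ...applyMessage(dom, policy, msg) }));
  guest(vdoc);
  return { dom, log };
}

// Constructed guest that behaves, then tries three things the policy must refuse.
function sampleGuest(document) {
  const slot = document.getElementById('ad-slot');
  slot.setText('Sponsored');
  slot.appendChild('img', 'ad-img');
  slot.setAttribute('class', 'banner');
  slot.setAttribute('onclick', 'steal()');               // script-bearing attribute: refused
  document.getElementById('content').setText('pwned');   // outside the guest subtree: refused
  void document.cookie;                                  // readCookie op: refused
}
```

Two points the example is meant to make. First, containment comes from where the guest runs, not from what it promises: the guest's `document` is a stub, so even a guest that ignores the API and tries `postMessage` directly still only produces messages the host checks. Second, the host side is the new attack surface: if it ever turned a guest-supplied string into script (an `on*` attribute, a `javascript:` URL, `innerHTML`), the code would execute in the page's context and the sandbox would be moot, which is why the attribute allow-list is part of the policy rather than an afterthought.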
