GUARDIA: specification and enforcement of JavaScript security policies without VM modifications

The complex architecture of browser technologies and the dynamic characteristics of JavaScript make it difficult to ensure security in client-side web applications. Browser-level security policies alone are not sufficient because it is difficult to apply them correctly and they can be bypassed. As a result, they need to be complemented by application-level security policies. In this paper, we survey existing solutions for specifying and enforcing application-level security policies for client-side web applications, and distill a number of desirable features. Based on these features, we developed Guardia, a framework for declaratively specifying and dynamically enforcing application-level security policies for JavaScript web applications without requiring VM modifications. We describe Guardia's enforcement mechanism, which is built on JavaScript reflection, with respect to three important security properties (transparency, tamper-proofness, and completeness). We also use Guardia to specify and deploy 12 access control policies discussed in related work in three experimental applications that are representative of real-world applications. Our experiments indicate that Guardia is correct, transparent, and tamper-proof, while only incurring a reasonable runtime overhead.
