Isolating JavaScript with Filters, Rewriting, and Wrappers

  • Sergio Maffeis
  • John C. Mitchell
  • Ankur Taly
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5789)

Abstract

We study methods that allow web sites to safely combine JavaScript from untrusted sources. If implemented properly, filters can prevent dangerous code from loading into the execution environment, while rewriting allows greater expressiveness by inserting run-time checks.

Wrapping properties of the execution environment can prevent misuse without requiring changes to imported JavaScript. Using a formal semantics for the ECMA 262-3 standard language, we prove security properties of a subset of JavaScript, comparable in expressiveness to Facebook FBJS, obtained by combining three isolation mechanisms. The isolation guarantees of the three mechanisms are interdependent, with rewriting and wrapper functions relying on the absence of JavaScript constructs eliminated by language filters.
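The following sketch is an added illustration, not code from the paper or from FBJS, of how the three mechanisms in the abstract fit together: a static filter rejects dangerous identifiers, a rewriter turns every dynamic property access `e[x]` into `e[IDX(x)]` so the property name is checked at run time, and a wrapper exposes only whitelisted properties of the environment. The blacklist, the `IDX` name and the one-level bracket rewriter are simplifications assumed for this example.

```javascript
// Illustrative sketch (added here, not the paper's code) of the three
// mechanisms the abstract names: a static filter, a rewriting step that
// inserts a run-time check, and a wrapper around the execution environment.
// BLACKLIST is a small constructed set; the rewriter handles one level of
// non-nested bracket access; identifier renaming is omitted.

const BLACKLIST = new Set(["constructor", "__proto__", "prototype", "eval",
                           "Function", "caller", "callee", "valueOf"]);

// 1. Filter: statically reject source that mentions a blacklisted name,
//    `this` or `with`. Blocked code never reaches the evaluator.
function filterSource(src) {
  const banned = new Set([...BLACKLIST, "this", "with"]);
  const idents = src.match(/[A-Za-z_$][\w$]*/g) || [];
  const bad = idents.filter((id) => banned.has(id));
  return { ok: bad.length === 0, bad };
}

// 2. Rewriting: `e[x]` computes the property name at run time, so the filter
//    cannot see it. Every bracket access `e[x]` becomes `e[IDX(x)]`.
function rewrite(src) {
  return src.replace(/([\w$)\]])\[([^[\]]+)\]/g, (_, e, x) => `${e}[IDX(${x})]`);
}

// Run-time check inserted by the rewriter: a blacklisted name is diverted to
// a harmless property that no object defines.
function IDX(name) {
  const s = String(name);
  return BLACKLIST.has(s) ? "bad$" + s : s;
}

// 3. Wrapper: expose only whitelisted properties of a real object through a
//    prototype-less copy, so `constructor` / `__proto__` are not inherited.
function wrap(obj, allowed) {
  const w = Object.create(null);
  for (const k of allowed) w[k] = obj[k];
  return w;
}

// Evaluate untrusted source with IDX and the wrapped env as its only free
// variables. The filter must succeed before rewriting and evaluation run.
function runIsolated(src, env) {
  const f = filterSource(src);
  if (!f.ok) return { rejected: f.bad };
  return { result: new Function("IDX", "env", rewrite(src))(IDX, env) };
}
```

Note how the rewriter and wrapper depend on the filter, as the abstract says: if `this` or a literal `eval` slipped past the filter, neither `IDX` nor `wrap` would be able to contain it.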

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Sergio Maffeis, Imperial College London, UK
  • John C. Mitchell, Stanford University, USA
  • Ankur Taly, Stanford University, USA