Add to collection(s) Add to saved
  1. Arts & Humanities
  2. Writing

Virtual Browser

advertisement 
Virtual Browser: a Virtualized Browser to
Sandbox Third-party JavaScripts with
Enhanced Security
Yinzhi Cao, Zhichun Li*, Vaibhav Rastogi, Yan
Chen, and Xitao Wen
Labs of Internet Security and Technology
Northwestern University
*NEC Labs America
1
Outline
•
•
•
•
•
•
Introduction
Related Work
Design
Security Analysis
Evaluation
Conclusions
2
Introduction
• Third-party JavaScripts are popular.
–
–
–
–
Web Mashups
Third-party Games
Widgets
Visitor Counters
• However, they share the same privilege as
host web site, and thus
– They can sabotage host web site.
– They can exploit client browsers.
• So we propose: Virtual Browser, a virtualized
browser built upon native browsers.
3
Outline
•
•
•
•
•
•
Introduction
Related Work
Design
Security Analysis
Evaluation
Conclusions
4
Related Work
• JavaScript level approaches
– Static methods (ADSafe, FBJS, CoreScript, and
Maffeis et al.)
– Runtime Approaches (Microsoft Web Sandbox,
and Google Caja)
– Mixed Approaches (GateKeeper, Huang et al.)
• Native approaches
– Browser modification (ConScript, MashupOS and
WebJail)
– Approaches using NaCl (AdSentry)
– Approaches using iframes (AdJail and SMash)
5
JavaScript level approaches
• No dynamic JavaScript feature support
(eval and with)
• Vulnerable to drive-by-download
(especially unknown attacks)
• Vulnerable to browser quirks
– Undocumented HTML/JavaScript parsing
behavior such as <scri\npt> is parsed as
<script>
6
Native approaches
• Modification to browsers.
• Many are vulnerable to drive-by-download
attacks.
7
8
9
Therefore we propose:
• An approach that is (your take-away)
– Robust to drive-by-download
– Support dynamic JavaScript features
– Supported by all the browsers
– Robust to browser quirks
Virtual Browser
10
Outline
•
•
•
•
•
•
Introduction
Related Work
Design
Security Analysis
Evaluation
Conclusions
11
System Architecture
Virtual Browser
Components
Data Objects
Native JavaScript Execution Engine
12
System Architecture
Virtual Browser
Components
Data Objects
Trusted
Code
Native
JavaScript
Parser
Native JavaScript Execution Engine
13
System Architecture
Third-Party
JavaScript
Code
Only one parser: mitigating quirks
Virtual Browser
Components
Data Objects
Trusted
Code
Virtual
JavaScript
Parser
Native
JavaScript
Parser
Native JavaScript Execution Engine
14
System Architecture
Third-Party
JavaScript
Code
Virtual Browser
Components
Data Objects
Trusted
Code
Virtual
JavaScript
Parser
AST
Native
JavaScript
Parser
Virtual JavaScript
Execution Engine
Native JavaScript Execution Engine
15
System Architecture
Third-Party
JavaScript
Code
Virtual Browser
Components
Virtual
JavaScript
Parser
Data Objects
Trusted
Code
Virtual
HTML
Parser
AST
HTML
Virtual JavaScript
Execution Engine
Native JavaScript Execution Engine
Native
JavaScript
Parser
16
System Architecture
Third-Party
JavaScript
Code
Virtual Browser
Components
Virtual
JavaScript
Parser
Script
Data Objects
Trusted
Code
Virtual
HTML
Parser
AST
HTML
Virtual JavaScript
Execution Engine
Native JavaScript Execution Engine
Native
JavaScript
Parser
17
System Architecture
Third-Party
JavaScript
Code
Virtual Browser
Data Objects
Components
Virtual
JavaScript
Parser
Script
Virtual
HTML
Parser
Virtual
CSS
Parser
Style Sheet
AST
HTML
Virtual JavaScript
Execution Engine
Trusted
Code
Style Sheet
Native JavaScript Execution Engine
Native
JavaScript
Parser
18
System Architecture
Third-Party
JavaScript
Code
Virtual Browser
Data Objects
Components
Virtual
JavaScript
Parser
Script
Virtual
HTML
Parser
Style Sheet
AST
HTML
Virtual JavaScript
Execution Engine
Virtual
CSS
Parser
Trusted
Code
Virtual
DOM
Style Sheet
Call
Native JavaScript Execution Engine
Native
JavaScript
Parser
19
System Architecture
Third-Party
JavaScript
Code
Virtual Browser
Data Objects
Components
Virtual
JavaScript
Parser
Script
Virtual
HTML
Parser
Style Sheet
AST
HTML
Virtual JavaScript
Execution Engine
Virtual
CSS
Parser
Trusted
Code
Attach
Virtual
DOM
Style Sheet
Call
Native JavaScript Execution Engine
Native
JavaScript
Parser
20
System Architecture
Third-Party
JavaScript
Code
Virtual Browser
Data Objects
Components
Virtual
JavaScript
Parser
Script
Virtual
HTML
Parser
Style Sheet
AST
HTML
Virtual JavaScript
Execution Engine
Virtual
CSS
Parser
Attach
Trusted
Code
Link to
DOM
Virtual
DOM
Style Sheet
Call
Event
Native
JavaScript
Parser
Access
Native JavaScript Execution Engine
21
System Architecture
Third-Party
JavaScript
Code
Virtual Browser
Data Objects
Components
Virtual
JavaScript
Parser
Script
Virtual
HTML
Parser
Style Sheet
AST
HTML
Virtual JavaScript
Execution Engine
Virtual
CSS
Parser
Attach
Link to
DOM
Virtual
DOM
Access
Event
Native
JavaScript
Parser
Style Sheet
Call
Trusted
Code
Private
Objects
Native JavaScript Execution Engine
Shared
Object
22
System Architecture
All written in JavaScript:
supported by all browsers
Third-Party
JavaScript
Code
Virtual Browser
Data Objects
Components
Virtual
JavaScript
Parser
Script
Virtual
HTML
Parser
Style Sheet
AST
HTML
Virtual JavaScript
Execution Engine
Virtual
CSS
Parser
Attach
Link to
DOM
Virtual
DOM
Access
Event
Native
JavaScript
Parser
Style Sheet
Call
Trusted
Code
Private
Objects
Native JavaScript Execution Engine
Shared
Object
23
System Architecture
Virtualization: Robust to drive-bydownload
Third-Party
JavaScript
Code
Virtual Browser
Data Objects
Components
Virtual
JavaScript
Parser
Script
Virtual
HTML
Parser
Style Sheet
AST
HTML
Virtual JavaScript
Execution Engine
Virtual
CSS
Parser
Attach
Link to
DOM
Virtual
DOM
Access
Event
Native
JavaScript
Parser
Style Sheet
Call
Trusted
Code
Private
Objects
Native JavaScript Execution Engine
Shared
Object
24
An Example
How to support dynamic features?
document.write(str)
Virtual JS Parser
Virtual JS
Exec Engine
Virtual HTML Parser
Same Origin
Web Server
Virtual DOM
Real src
Web Server
25
An Example
document.write(str)
Virtual JS Parser
document
write
str
Virtual JS
Exec Engine
Virtual HTML Parser
Same Origin
Web Server
Virtual DOM
Real src
Web Server
26
An Example
document.write(str)
Virtual JS Parser
document
write
str
Virtual JS
Exec Engine
Virtual HTML Parser
Same Origin
Web Server
str
Virtual DOM
Real src
Web Server
27
An Example
src for script tag
Same Origin
Virtual HTML Parser
Web Server
document.write(str)
Virtual JS Parser
document
write
str
Virtual JS
Exec Engine
str
call
Virtual DOM
Real src
Web Server
28
An Example
src for script tag
Same Origin
Virtual HTML Parser
Web Server
forward
request
str
call
document.write(str)
Virtual JS Parser
document
write
str
Virtual JS
Exec Engine
Virtual DOM
Real src
Web Server
29
An Example
src for script tag
Same Origin
Virtual HTML Parser
Web Server
response
forward
request
str
call
document.write(str)
Virtual JS Parser
document
write
str
Virtual JS
Exec Engine
Virtual DOM
Real src
Web Server
30
An Example
src for script tag
Same Origin
Virtual HTML Parser
Web Server
response
forward
request
str
call
document.write(str)
Virtual JS Parser
document
write
str
Virtual JS
Exec Engine
Virtual DOM
Real src
Web Server
31
Outline
•
•
•
•
•
•
Introduction
Related Work
Design
Security Analysis
Evaluation
Conclusions
32
Security Analysis
• Isolating third-party JavaScript through
Avoidance
– Cutting off Outflows of Virtual Browser
– Cutting off Inflows of Virtual Browser
• Communication between third-party
JavaScript and trusted JavaScript
– Data Security
– Script Security
– Securing Data Flows in Virtual Browser
33
Isolation through Avoidance
• Cutting off Outflows of Virtual Browser
– We ensure third-party codes are trapped
inside Virtual Browser.
– An assumption: Any JavaScript code has to
be parsed in the native JavaScript parsers
before it can be executed in native browser.
• (1) Look up Manuals
• (2) Call Graph Analysis
34
Cutting off Outflows
• Cutting off Outflows of Virtual JavaScript
Engine
– Only eval and new Function will cause native
parsing.
– Call graph analysis also shows that.
• Cutting off Outflows of Virtual HTML and
CSS parser :Similar
• So we avoid using eval and new Function
in Virtual Browser source codes.
35
Cutting of Inflows
• Anonymous Object Encapsulation
(function(){
this.evaluate= function () {
codes
}
other codes
})
();
36
Communication through
Redirection
• Data Security
– General Data Security
• Mirrored Object
function String(s) {
• Access Control
s = arguments.length ? ""
– Such as Object Views+ s : "";
if (this instanceof String){
this.value = s;
return this;
}
return s;
37
}
Communication through
Redirection
• Data Security
– Script Security
• Determined Scripts
– Scripts that need immediate execution. (evaluate it)
– Scripts that need delayed execution. (such as
setTimeout)
» Pseudo-function Pointer
setTimeout(function(){
execute(parsed node, exe context)
}
,100)
38
Communication through
Redirection
• Data Security
– Script Security
• Undetermined Script
– Privilege escalation may happen.
– We are on par with existing solutions.
– As shown by Finifter et al., we need to adopt narrow
interface.
39
Securing Data Flows
Shared
Object
Trusted
JS Script
Third-Party
JS
Virtual
JS Core
Native JavaScript Engine
40
Securing Data Flows
Redirect them back to virtual
engine
Shared
Object
Trusted
JS Script
Third-Party
JS
Virtual
JS Core
document.write
eval
Native JavaScript Engine
41
Securing Data Flows
Prevented by encapsulation
Shared
Object
Trusted
JS Script
Third-Party
JS
Virtual
JS Core
Native JavaScript Engine
42
Securing Data Flows
Privilege escalation: we are on
par with existing solutions.
Third-Party
JS
Shared
Object
7
Trusted
JS Script
4
3
6
5
Virtual
JS Core
2
1
Native JavaScript Engine
43
Securing Data Flows
Third-Party
JS
Shared
Object
7
Trusted
JS Script
4
3
6
5
Virtual
JS Core
2
1
Native JavaScript Engine
44
Similar analysis can be applied to
virtual CSS parser and HTML
parser.
45
Outline
•
•
•
•
•
•
Introduction
Related Work
Design
Security Analysis
Evaluation
Conclusions
46
Evaluation
• Performance Evaluation
– Speed
– Memory Usage
– Parsing Latency
• Browser Quirk Compatibility
• Robustness to Unknown JavaScript
Vulnerability
• Completeness of Implementation
47
Performance
• Micro-benchmark
•On par with Web Sandbox.
48
Performance
• Macro-benchmark (Game: Connect Four)
49
Memory Usage
50
Parsing Latency (JavaScript)
51
Parsing Latency (HTML)
52
Evaluation
• Robust to Browser Quirk
– Robust to 113 browser quirks in XSS cheat
sheet
• Robust to Unknown JavaScript
Vulnerabilities
– Robust to 14 JavaScript engine vulnerabilities
in CVE
• Completeness of Implementation
– Pass 96% test cases of ECMA-262 Edition 1
53
from Mozilla
Discussion
• Speed – Slow
– Yes. However, latency is acceptable.
– JavaScript engine is becoming faster and
faster
• How do we deal with vulnerability of virtual
engine?
– Type safe language
– Virtual engine adds another layer that make
sure security. (Similar to Virtual Machine)
54
Outline
•
•
•
•
•
•
Introduction
Related Work
Design
Security Analysis
Evaluation
Conclusions
55
Conclusion
• We build Virtual Browser, a virtualized
browser upon native browsers.
• We are
– Robust to browser quirks.
– Robust to drive-by-download.
– Supported by all current browsers.
– Support dynamic JavaScript features
– And Slow – Yes, we are 
56
Thanks 
Any
Questions?
57
Related documents
Spritz - WordPress.com
Spritz - WordPress.com
Portfolio Poster
Portfolio Poster
Document
Document
Document
Document
PowerPoint Presentation - HTML Review
PowerPoint Presentation - HTML Review
Browser Compatibility Testing Risk Analysis
Browser Compatibility Testing Risk Analysis
Graduate Developer - Wowcher | Daily Deals
Graduate Developer - Wowcher | Daily Deals
Writing better HTML5 websites and debugging
Writing better HTML5 websites and debugging
ppt
ppt
Document
Document
Download
advertisement