Towards Fine-Grained Access Control in Javascript Contexts
Towards Fine-Grained Access Control in JavaScript Contexts
Kailas Patil, Xinshu Dong, Xiaolei Li, Zhenkai Liang Xuxian Jiang School of Computing Department of Computer Science National University of Singapore North Carolina State University
Abstract—A typical Web 2.0 application usually includes as the Document Object Model (DOM) [37] in web JavaScript from various sources with different trust. It is browsers. Under SOP, scripts from the same origin share critical to properly regulate JavaScript’s access to web a JavaScript context and host objects. application resources. Unfortunately, existing protection mechanisms in web browsers do not provide enough gran- A common solution for protecting web applications ularity in JavaScript access control. Specifically, existing against a malicious JavaScript component is to host it solutions partially mitigate this sort of threat by only on a separate domain and isolate it in an iFrame in providing access control for certain types of JavaScript the web application. In this way, JavaScript in the third- objects, or by unnecessarily restricting the functionality party component is automatically isolated by browser’s of untrusted JavaScript. In this paper, we systematically analyze the complete access control requirements in a same-origin policy. However, the third-party component web browser’s JavaScript environment and identify the often needs to access host objects to obtain information fundamental lack of fine-grained JavaScript access control from other parts of the web application. To address this mechanisms in modern web browsers. As our solution, we problem, one type of solutions is to restrict the access propose a reference monitor called JCShadow that enables from untrusted JavaScript [3], [15], [24], [28], [29], fine-grained access control in JavaScript contexts without unnecessarily restricting the functionality of JavaScript. We but they unnecessarily impede existing web applications have developed a proof-of-concept prototype in the Mozilla that require a rich set of JavaScript features. For less Firefox browser and the evaluation with real-world attacks restriction on JavaScript functionality, another type of indicates that JCShadow effectively prevents such attacks approaches [18], [25] develops access control mecha- with low performance overhead. nisms to regulate the access to host objects. However, the access control to the objects in a JavaScript context I.INTRODUCTION is still not regulated. JavaScript is one of the most important components on In this paper, we systematically analyze the complete the web platform. It enables a new generation of dynamic access control requirements in the JavaScript environ- and interactive web applications, which commonly use ment, and identify the fundamental lack of fine-grained JavaScript from various sources, such as third-party JavaScript access control mechanisms in modern web JavaScript libraries. Some of these third-party scripts browsers. More specifically, existing access control solu- are untrusted and can become malicious. To ensure web tions in the JavaScript context are still too coarse-grained application security, it is critical to properly regulate and are insufficient to mitigate the threats from third- accesses by JavaScript to web application resources. Web party JavaScript. The overly restrictive policy that blocks browsers control the accesses made by JavaScript using a certain JavaScript feature affects normal functionality the same-origin policy (SOP) [30]. In SOP, an origin is of legitimate web applications. For example, JavaScript defined as the triplet of protocol type, host, and port. allows functions to be overridden during execution, SOP allows a piece of JavaScript to access an object which is commonly used in web application toolkits to only if the JavaScript and the object are from the same smooth out browser differences or fix browser bugs [39]. origin. Under SOP, loading untrusted JavaScript, such as On the other hand, this very feature is being exploited JavaScript libraries and advertisement scripts, opens up by attackers to change the behavior of trusted JavaScript the resources of the whole origin to the script. This is where it should be blocked. When one native object the root of a series of attacks. is overridden by a malicious script, all other scripts To better understand the attacks and existing solu- accessing that object in the same JavaScript context tions, we need to understand the environment in which may be compromised [2], [6], [32]. Therefore, instead JavaScript is executed. A typical JavaScript environment of imposing an all-or-none restriction, the JavaScript includes three components: the JavaScript engine, the context needs a fine-grained access control mechanism JavaScript context, and the host objects. The JavaScript to accommodate both security and functionality. engine executes JavaScript; The JavaScript context con- As our solution, we present JCShadow, a reference tains the objects defined by the JavaScript standard monitor that provides the desired fine-grained access and the objects created in JavaScript code; the host control mechanism for JavaScript context protection. In objects are supplied by the hosting environment, such essence, JCShadow partitions JavaScript objects in a JavaScript context into multiple groups, and confines JavaScript Environment shadow JavaScript context each group using a . With JavaScript Engine the presence of a (shadow) context for each group, we can efficiently isolate one group from another and JS Execution Module effectively regulate cross-group accesses with a security policy so that untrusted JavaScript can execute poten- JavaScript Contexts Native Custom tially dangerous JavaScript features without affecting Objects Objects trusted JavaScript from the same origin. We have implemented a proof-of-concept JCShadow Host Objects by extending the JavaScript engine of Mozilla Firefox. Document XMLHttpRequest Object Model … Our evaluation with real-world example attacks indi- (XHR) cates that JCShadow can effectively block malicious (DOM) JavaScript code from compromising benign JavaScript from the same origin. The capability of performing fine- Fig. 1. Components in a JavaScript Environment. grained access control on JavaScript objects is achieved with a low performance overhead. Moreover, our ex- provides access control in the JavaScript environment. perience indicates that our solution is not limited to We then present a motivating attack example. web browsers. Instead, it can be generally applicable to a variety of JavaScript environments that integrate A. Access Control in the JavaScript Environment JavaScript from different sources, such as bookmarklet- based tools and Firefox extensions. Figure 1 illustrates the components of a JavaScript To summarize, our paper makes the following contri- environment. JavaScript runs in the execution module of butions: the JavaScript engine, which has access to the JavaScript context and the host objects [14]. The JavaScript context • We systematically analyzed the access control prob- contains two types of objects, native objects and custom lem of a JavaScript environment and identified the objects. Native objects (a.k.a., built-in objects) are de- common weakness of existing solutions in handling fined by the JavaScript standard, such as Date, String, untrusted JavaScript, i.e., the lack of fine-grained and etc. Custom objects are defined by JavaScript code, access control mechanism for JavaScript context including variables and functions. Host objects are ob- protection. jects provided by the hosting application (for example, • We presented a novel solution called JCShadow. By the web browser) of the JavaScript engine for accessing effectively dividing JavaScript objects into different peripheral resources outside the JavaScript engine, for groups and providing each group with its own example, DOM and network services. Therefore, for shadow context, JCShadow enables fine-grained ac- each origin, browsers create a JavaScript context and cess control in a JavaScript context. a set of host objects under the same-origin policy. • We demonstrated the effectiveness and practicality JavaScript in one JavaScript context can access all ob- of our approach by implementing a JCShadow jects in the same context, as well as those host objects prototype in Mozilla Firefox 3.5. The evaluation from the same origin, but it is not allowed to access with a number of example attacks confirmed its objects from other origins. Therefore, the access control effectiveness and practicality. in the JavaScript environment is on an all-or-none basis. The rest of this paper is organized as follows. Section To address the lack of granularity in the JavaScript II discusses the problem and existing research work, environment, researchers have proposed a number of and illustrates the attack threat with an example. Next, systems. According to the way these systems handle Section III explains the detailed design of JCShadow various components in the JavaScript environment, we and Section IV presents key implementation details in categorize them as follows: our Mozilla Firefox-based prototype. After that, Section • To prevent malicious JavaScript from accessing V reports our evaluation results and Section VI examines objects from an origin, a few projects recog- possible limitations and suggests ways for improvement. nize unwanted JavaScript and exclude it from the Finally, Section VII covers the related work and Section JavaScript environment [4], [13], [19], [22], [26], VIII concludes this paper. [31], [34]–[36]. • Another group of research work allows third-party II.BACKGROUND JavaScript to be included in a JavaScript environ- In this section, we first introduce the JavaScript ment, but the functionality of third-party JavaScript environment and classify existing research work that is restricted [3], [10], [15], [29]. JavaScript Environment Security JavaScript Engine Context Integrator Policy JS Execution Module
JCShadow Shadow Shadow … Shadow Host Objects Context 1 Context 2 Context N Document XMLHttpRequest Object Model … (XHR) (DOM) JCShadow
Fig. 2. Overview of JCShadow. It extends the JavaScript engine to support shadow JavaScript contexts.
• Other work provides fine-grained access control to JavaScript can be partially mitigated by existing so- host objects [18], [25]. lutions to provide fine-grained access control to host Complete mediation to object accesses in a JavaScript objects. For example, it can disallow the untrusted environment involves fine-grained access control in both script to modify the body of the web page. However, JavaScript context and host objects. However, none of in practice, without fine-grained access control to the existing approaches provides fine-grained access control JavaScript context, either the JavaScript library is iso- in the JavaScript context. lated from other scripts on the page, which breaks the page functionality, or full access to the JavaScript context B. Attack Example is allowed, which is vulnerable to the following attack through the JavaScript context. We use an example to demonstrate the weakness If the access to JavaScript context is fully allowed, caused by the coarse-grained access control in the code in the untrusted JavaScript library ulib.js can JavaScript context. override the native toString function of the String // code to add the malicious AD content ... } function defined by the untrusted JavaScript library, which for example, can add malicious contents to the Fig. 3. An example of using a JavaScript library in web applications. page. In this way, attackers can bypass the access control to host objects and breaks the integrity of web Third-party JavaScript libraries are commonly used applications. in web applications. Figure 3 is an example of using JavaScript library in a web application, which shows scripts on a web page from http://public.com. III.OUR APPROACH It uses a JavaScript library ulib.js hosted on untrusted.com. On the page, there is another piece The goal of JCShadow is to provide fine-grained of JavaScript, which calls function_in_ulib in the access control in JavaScript contexts. To achieve this JavaScript library ulib.js. This piece of JavaScript goal, JCShadow mediates all accesses to objects in the is shared among several pages and behaves differ- JavaScript context, and prevents malicious JavaScript ently on different pages. It checks its location through from affecting the integrity of other JavaScript running location.href.toString(). in the same JavaScript environment. We stress that JC- According to the same-origin policy, the library Shadow’s goal is to provide access control to objects in ulib.js runs in the origin of the web page on JavaScript contexts. It complements other solutions [18], public.com. Therefore, the script can access all re- [25] that develop fine-grained access control to host sources of the page. The threat from the untrusted objects of a JavaScript environment. Web Page JavaScript Library Web Page JavaScript Library
String.prototype String.prototype String.prototype String.prototype .toString() .toString() .toString() .toString()
JavaScript Engine JavaScript Engine JS Execution Module JS Execution Module
Security Context Integrator Policy String.prototype .toString() String.prototype .toString() foo() Original JavaScript Context Shadow Context for Shadow Context for for both Web Page and JavaScript Library Web Page JavaScript Library JCShadow
Without JCShadow With JCShadow
Fig. 4. Illustration of the scenario when an included JavaScript library attempts to override the toString function.
A. Overview of JCShadow Each JavaScript context contains custom and native Figure 2 shows the design of JCShadow. It extends objects, and it also provides interfaces to host objects the JavaScript engine to mediate accesses to objects in provided by the hosting application, such as DOM the JavaScript context. Rather than simply allowing or objects and XMLHttpRequest. denying access to JavaScript objects, JCShadow creates JavaScript contexts are isolated from each other to shadow contexts to support less restricted JavaScript enforce the all-or-none same-origin policy: JavaScript functionality. A shadow context is an isolated copy of code running in one context is unable to access objects the JavaScript context, which is associated to selected defined in other contexts; However, once a piece of JavaScript in the JavaScript environment. The context JavaScript is allowed to execute in a context, it has integrator integrates shadow contexts according to user- full control of all objects in that context. To provide specified security policies and presents a single view of finer granularity of access control to JavaScript contexts, JavaScript context to JavaScript in the execution module. JCShadow creates shadow contexts to further isolate It intercepts access to the JavaScript context, and decides JavaScript in the same JavaScript context. which shadow context should be accessed. By default, Each shadow context is conceptually a dedicated sub- JavaScript associated with one shadow context is only set of the original JavaScript context with all of the ob- allowed to access objects in its own shadow context. jects created or updated in the corresponding JavaScript A permissive security policy would allow JavaScript group. As a result, objects in the original JavaScript to have regulated access to objects in other shadow context are now separated into different shadow contexts contexts. according to the way JavaScript is grouped. Native JCShadow divides JavaScript running in a JavaScript objects accessible in the original JavaScript context environment into groups and assigns each group are provided for each derived shadow context. Custom a shadow context. Users or developers can group objects created by the JavaScript are created only in the JavaScript by the trust they have toward the sources of shadow context of the JavaScript to which it belongs. JavaScript. For example, mashup web sites may have Figure 4 illustrates the idea of shadow contexts using gadgets from long-term collaborator domains in one the JavaScript library attack example described in Sec- group, and other newly included gadgets in another, tion II. The attack scenario is illustrated on the left hand or they can put gadgets from each different domain in side. Without JCShadow, the untrusted JavaScript library a separate group to prevent them from affecting one and the web page share the same JavaScript context, and another. thus the JavaScript on the web page can be affected by the JavaScript library. The result of JCShadow is B. Shadow JavaScript Contexts illustrated on the right hand side of Figure 4. JCShadow Stemming from ECMAScript [14], JavaScript code is creates separate JavaScript shadow contexts for the executed in execution contexts. In browsers, a unique trusted JavaScript in the web page and the untrusted JavaScript context is typically assigned for each web JavaScript library. When the toString native function page, including those embedded in iFrames, to prevent of the String object is modified by the JavaScript scripts of different web pages from affecting each other. library by overwriting it with the custom function say, foo toString Access Source Dest. Action . A new function object is created in the Type Trust Trust library’s shadow context, which is assigned to the foo Read, Invoke Low High Disallow function. To the trusted JavaScript on the web page, Read High Low Allow the toString native function object referred to remains Invoke High Low Degrade trust Write Low High Allow-In-Isolation unchanged. Note that our solution allows JavaScript Write High Low Allow to override functions, but the overridden toString TABLE I function is only visible to JavaScript in its own shadow SECURITY POLICY 2 FOR HOSTAND CUSTOM OBJECTS context. Later, when the trusted JavaScript invokes the location.href.toString() function, the context in- results in read operations. tegrator redirects the invocation to the original function If the requested object exists in the requester’s own that would return http://public.com. Therefore, JC- shadow context, the context integrator directly allows the Shadow prevents the execution of trusted JavaScript from access. Otherwise, the context integrator uses security being affected by the malicious behavior of the untrusted policies to choose objects in the shadow contexts. An JavaScript library. access request is in the form of