Joe Gibbs Politz Spiridon Aristides Eliopoulos Arjun Guha Shriram Krishnamurthi 1 2 3 Third-Party Ad

ADsafety Type-based Veriﬁcation of JavaScript Sandboxing

Joe Gibbs Politz Spiridon Aristides Eliopoulos Arjun Guha Shriram Krishnamurthi 1 2 3 third-party ad

third-party ad

4 Who is running code in your browser?

5 Who is running code in your browser?

5 the host you visit

6 the host you visit

6 the host the ad server you visit

same JavaScript context

6 the host the ad server you visit

6 the host the ad server you visit<iframe> top.location.href6 Microsoft Web SandboxGoogle Facebook JavaScript Caja (FBJS)Yahoo! ADsafeAll are defining safe sub-languages7 8 eval8 eval8 eval e8 eval e wrap(e)8 eval e wrap wrap(e)8 “filters”“wrappers” eval e“rewriters” wrap wrap(e)— Maffeis, Mitchell, and Taly, ESORICS 20098 9 eval9 evalADSAFE.get(obj, x) untrusted widget9 evalADSAFE.get ADSAFE.get(obj, x) untrusted widget9 • 1, 800 LOC adsafe.js library • 50 calls to three kinds of assertions • 40 type-tests • 5 regular-expression based checks • 60 privileged DOM method calls10 ?• 1, 800 LOC adsafe.js library • 50 calls to three kinds of assertions • 40 type-tests • 5 regular-expression based checks • 60 privileged DOM method calls10 Type-based Verification of 11 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then:12 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: eval() document.write() document.createElement("script") 1.Widgets cannot load new code ... at runtime, or cause ADsafe to load new code on their behalf;12 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: eval() document.write() document.createElement("script") 1.Widgets cannot load new code ... at runtime, or cause ADsafe to load new code on their behalf;12 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.Widgets cannot load new code at runtime, or cause ADsafe to load new code on their behalf;2.Widgets cannot obtain direct <div> references to DOM nodes;Untrusted <div> ADsafe Widget12 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.Widgets cannot load new code at runtime, or cause ADsafe to load new code on their behalf;2.Widgets cannot obtain direct <div> references to DOM nodes;Untrusted <div> ADsafe Widget12 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.Widgets cannot load new code at runtime, or cause ADsafe to load new code on their behalf;2.Widgets cannot obtain direct <div> references to DOM nodes;3.Widgets cannot affect the <div id="WIDGET"> DOM outside of their subtree; and Untrusted <div> ADsafe Widget12 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.Widgets cannot load new code at runtime, or cause ADsafe to load new code on their behalf;2.Widgets cannot obtain direct <div> references to DOM nodes;3.Widgets cannot affect the <div id="WIDGET"> DOM outside of their subtree; and Untrusted <div> ADsafe Widget12 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.Widgets cannot load new code at runtime, or cause ADsafe to load new code on their behalf; 2.Widgets cannot obtain direct references to DOM nodes; 3.Widgets cannot affect the DOM outside of their subtree; and 4.Multiple widgets on the same page cannot communicate.Widget A ADsafe Widget B12 eval Goal: Verify ADsafeADSAFE.get ADSAFE.get(obj, x)13 eval Goal: Verify ADsafeADSAFE.get ADSAFE.get(obj, x) untrusted, but passes JSLint13 eval Goal: Verify ADsafe Goal: model JSLintADSAFE.get ADSAFE.get(obj, x) untrusted, but passes JSLint13 JSLint ensures: no DOM node references <div>Untrusted <div> ADsafe Widget“Widgets cannot obtain direct references to DOM nodes.”14 JSLint ensures: no DOM node references ADsafe ensures: bunch = { only “safe” __nodes__ : array of nodes, methods on append: function ..., bunches getText: function ..., ... 20 functions }<div>Untrusted <div> ADsafe Widget“Widgets cannot obtain direct references to DOM nodes.”14 JSLint ensures: no DOM node references ADsafe ensures: bunch = { only “safe” __nodes__ : array of nodes, methods on append: function ..., bunches getText: function ..., ... 20 functions }<div> No private fields in JavaScript! Untrusted <div> ADsafe bunch.__nodes__ Widget“Widgets cannot obtain direct references to DOM nodes.”14 JSLint ensures: no DOM node references ADsafe ensures: bunch = { only “safe” __nodes__ : array of nodes, methods on append: function ..., bunches getText: function ..., ... 20 functions }<div> JSLint ensures: Untrusted <div> ADsafe __nodes__ is bunch.__nodes__ Widget “private”“Widgets cannot obtain direct references to DOM nodes.”14 JSLint ensures: no DOM node references ADsafe ensures: bunch = { only “safe” __nodes__ : array of nodes, methods on append: function ..., bunches getText: function ..., ... 20 functions }<div> JSLint ensures: Untrusted <div> ADsafe __nodes__ is bunch.__nodes__ Widget “private” bunch.append(...) “Widgets cannot obtain direct references to DOM nodes.” Exploit append to return nodes?14 JSLint ensures: no DOM node references ADsafe ensures: bunch = { only “safe” __nodes__ : array of nodes, methods on append: function ..., bunches getText: function ..., ... 20 functions }<div> JSLint ensures: Untrusted <div> ADsafe __nodes__ is bunch.__nodes__ Widget “private” ADsafe ensures: DOM nodes are bunch.append(...) “Widgets cannot obtain direct not returned references to DOM nodes.”14 eval Goal 2: Verify ADsafe Goal 1: model JSLintADSAFE.get ADSAFE.get(obj, x) untrusted, but passes JSLint15 var n = 6 var s = "a string" var b = true16 var n = 6 var s = "a string" var b = trueWidget := Number + String + Boolean + Undefined + Null +16 Widget := Number + String + Boolean + Undefined + Null +17 { x: 6, b: "car" }Widget := Number + String + Boolean + Undefined + Null +17 { x: 6, b: "car" } { nested: { y: 10, b: false } }Widget := Number + String + Boolean + Undefined + Null + ★: Widget __nodes__: Array<Node> caller: � prototype: � ... code : Widget ⨉ ... → Widget __proto__: Object + Function + Array + ...17 { x: 6, b: "car" } { nested: { y: 10, b: false } } { __nodes__: 90 } myObj.prototype = { };Widget := Number + String + Boolean + Undefined + Null + ★: Widget __nodes__: Array<Node> caller: � prototype: � ... code : Widget ⨉ ... → Widget __proto__: Object + Function + Array + ...17 { x: 6, b: "car" } { nested: { y: 10, b: false } } { __nodes__: 90 } myObj.prototype = { }; function foo(x) { return x + 1; } foo(900) foo.w = "functions are objects" ["array", "of", "strings"] /regular[ \t]*expressions/ Widget := Number + String + Boolean + Undefined + Null + ★: Widget __nodes__: Array<Node> caller: � prototype: � ... code : Widget ⨉ ... → Widget __proto__: Object + Function + Array + ...17 JSLint Widget type-checker typable widgets widgets that pass JSLint18 JSLint Widget type-checker typable widgets widgets that Claim: pass JSLint evidence: 1,100 LOC of tests or, passing JSLint ⇒Widget-typable18 JSLint Widget type-checker type-based typable arguments about widgets widgets widgets that Claim: pass JSLint evidence: 1,100 LOC of tests or, passing JSLint ⇒Widget-typable18 eval Goal 2: Verify ADsafe Goal 1: model JSLintADSAFE.get ADSAFE.get(obj, x) untrusted, but passes JSLint19 window.setTimeout(callback, delay);String eval window.setTimeoutWidget→Widget20 Object Widget →WidgetString Number/*: Widget ⨉ Widget → Widget */ ADSAFE.later = function(callback, delay) { if (typeof callback !== "function") { Widget throw "expected function"; →Widget } window.setTimeout(callback, delay); String } eval window.setTimeoutWidget→Widget20 Object window : { Widget →Widget eval: ☠, setTimeout : (Widget ⨉ ... → Widget) ⨉ Widget → Undefined, String ... Number }/*: Widget ⨉ Widget → Widget */ ADSAFE.later = function(callback, delay) { if (typeof callback !== "function") { Widget throw "expected function"; →Widget } window.setTimeout(callback, delay); String } eval window.setTimeoutWidget→Widget20 Object window : { Widget →Widget eval: ☠, setTimeout : (Widget ⨉ ... → Widget) ⨉ Widget → Undefined, String ... Number } Widget/*: Widget ⨉ Widget → Widget */ ADSAFE.later = function(callback, delay) { if (typeof callback !== "function") { Widget throw "expected function"; →Widget } window.setTimeout(callback, delay); String } eval window.setTimeoutWidget→Widget20 Object window : { Widget →Widget eval: ☠, setTimeout : (Widget ⨉ ... → Widget) ⨉ Widget → Undefined, String ... Number } Widget/*: Widget ⨉ Widget → Widget */ ADSAFE.later = function(callback, delay) { if (typeof callback !== "function") { Widget throw "expected function"; →Widget } window.setTimeout(callback, delay); String } eval Widget ⨉ ... → Widget window.setTimeoutWidget→Widget20 Object window : { Widget →Widget eval: ☠, setTimeout : (Widget ⨉ ... → Widget) ⨉ Widget → Undefined, String ... Number } Widget/*: Widget ⨉ Widget → Widget */ ADSAFE.later = function(callback, delay) { if (typeof callback !== "function") { Widget throw "expected function"; →Widget } window.setTimeout(callback, delay); String } eval Widget ⨉ ... → Widget window.setTimeout This is just one kind of if-split we handle.Widget→Widget —Politz et al. USENIX Security 2011 and Guha, Saftoiu, Krishnamurthi. ESOP 2011.20 JSLinted adsafe.js widget21 JSLinted adsafe.js widget21 JSLinted adsafe.js widget21 WidgetWidgetWidgetWidgetJSLinted adsafe.js widget21 WidgetWidgetWidgetWidgetJSLinted adsafe.js widget21 WidgetWidget WidgetWidgetWidgetWidget WidgetWidgetJSLinted adsafe.js widget21 WidgetWidget WidgetWidgetWidgetWidget WidgetNode Array<Node> WidgetJSLinted adsafe.js widget21 Node WidgetWidget Node WidgetWidgetWidgetWidget WidgetNode Array<Node> WidgetJSLinted adsafe.js widget21 WidgetWidget typable Widget widgets Widget widgets that Widget pass JSLint Widget ⋯ + Widget = Node Array<Node> WidgetJSLinted adsafe.js widgetJSLint model Type-checked ADsafe22 typable widgets var fakeNode = { widgets that tagName: "div", pass JSLint appendChild: function(elt) { var win = elt.ownerDocument.defaultView; win.eval("alert('hacked')"); } };23 typable widgets var fakeNode = { widgets that tagName: "div", pass JSLint appendChild: function(elt) { var win = elt.ownerDocument.defaultView; win.eval("alert('hacked')"); } }; var fakeBunch = { __nodes__: [fakeNode] };Rejected by JSLint23 typable widgets var fakeNode = { widgets that tagName: "div", pass JSLint appendChild: function(elt) { var win = elt.ownerDocument.defaultView; win.eval("alert('hacked')"); } }; var fakeBunch = { __nodes__: [fakeNode] }; var fakeBunch = { '__nodes__': [fakeNode] }; Rejected by JSLintAccepted by JSLint type error: expected Array<HTML>, received Array<Widget>23 /*: Widget ⨉ Widget → Widget */ WrappedElt.prototype.style = function(name, val) { var regexp = new Regexp("url"); if (regexp.test(val)) { return error(); } ... this.__node__.style[name] = val ... }24 /*: Widget ⨉ Widget → Widget */ WrappedElt.prototype.style = function(name, val) { var regexp = new Regexp("url"); if (regexp.test(val)) { expected return error(); String, received } Widget ... this.__node__.style[name] = val ... }24 /*: Widget ⨉ Widget → Widget */ WrappedElt.prototype.style = function(name, val) { var regexp = new Regexp("url"); if (regexp.test(val)) { expected return error(); String, received } Widget ... this.__node__.style[name] = val ... } var firstCall = true; var badName = { toString: function() { passes safety check if (firstCall) { firstCall = false; return "font"; } else { return "url('/evil.xml')"; } returns bad value } };24 /*: Widget ⨉ Widget → Widget */ WrappedElt.prototype.style = function(name, val) { var regexp = new Regexp("url"); Fix: if (regexp.test(val)) { check_string expected return error(); assertion inserted String, received here, and in 16 } Widget other places ... this.__node__.style[name] = val ... } var firstCall = true; var badName = { toString: function() { passes safety check if (firstCall) { firstCall = false; return "font"; } else { return "url('/evil.xml')"; } returns bad value } };24 Definition 1 (ADsafety): If all eval() document.write() document.createElement("script") embedded widgets pass JSLint, then: ... 1.Widgets cannot load new code at runtime, or cause ADsafe to load new code on their behalf; <div>Untrusted <div> ADsafe 2.Widgets cannot obtain direct Widget references to DOM nodes; <div> 3.Widgets cannot affect the DOM outside of their subtree; <div id="WIDGET">Untrusted <div> ADsafe and Widget 4.Multiple widgets on the same page cannot communicate. Widget A ADsafe Widget B25 Definition 1 (ADsafety): If all eval() document.write() document.createElement("script") embedded widgets pass JSLint, then: ... 1.Widgets cannot load new code at runtime, or cause ADsafe to load new code on their behalf; <div>Untrusted <div> ADsafe 2.Widgets cannot obtain direct Widget references to DOM nodes; <div> 3.Widgets cannot affect the DOM outside of their subtree; <div id="WIDGET">Untrusted <div> ADsafe and Widget 4.Multiple widgets on the same page cannot communicate. Widget A ADsafe Widget B25 Definition 1 (ADsafety): If all eval() document.write() document.createElement("script") embedded widgets pass JSLint, then: ... 1.Widgets cannot load new code at runtime, or cause ADsafe to load new code on their behalf; <div>Untrusted <div> ADsafe 2.Widgets cannot obtain direct Widget references to DOM nodes; <div> 3.Widgets cannot affect the DOM outside of their subtree; <div id="WIDGET">Untrusted <div> ADsafe and Widget 4.Multiple widgets on the same page cannot communicate. Widget A ADsafe Widget B25 Definition 1 (ADsafety): If all eval() document.write() document.createElement("script") embedded widgets pass JSLint, then: ... 1.Widgets cannot load new code at runtime, or cause ADsafe to load new code on their behalf; <div>Untrusted <div> ADsafe 2.Widgets cannot obtain direct Widget references to DOM nodes; <div> 3.Widgets cannot affect the DOM outside of their subtree; <div id="WIDGET">Untrusted <div> ADsafe and Widget 4.Multiple widgets on the same page cannot communicate. Widget A ADsafe Widget B25 Definition 1 (ADsafety): If all eval() document.write() document.createElement("script") embedded widgets pass JSLint, then: ... 1.Widgets cannot load new code at runtime, or cause ADsafe to load new code on their behalf; <div>Untrusted <div> ADsafe 2.Widgets cannot obtain direct Widget references to DOM nodes; <div> 3.Widgets cannot affect the DOM outside of their subtree; <div id="WIDGET">Untrusted <div> ADsafe and Widget 4.Multiple widgets on the same Retractedpage cannot communicate. Widget A ADsafe Widget B25 ! Caveats: • 11 LOC unverified • subtree property unverified26 JavaScript programProofs for JavaScript?27 desugar JavaScript λJS program programProofs for Proofs for λJS. JavaScript?27 desugar JavaScript λJS program programProofs for λ SpiderMonkey, 100 LOC Proofs for JS. JavaScript? V8, Rhino interpreter“their “our answer” identical for answer” Mozilla JS test suite*— Guha, Saftoiu, Krishnamurthi. ECOOP 2010.27 banned = { 'arguments' : true, callee : true, caller : true, constructor : true, function reject_global(that) { if (that.window) { if (/url/i.test(string_check(value[i]))) { 'eval' : true, error(); error('ADsafe error.'); prototype : true, } } stack : true, + } + unwatch : true, valueOf : true, watch : true } and other patterns...28 banned = { 'arguments' : true, callee : true, caller : true, constructor : true, function reject_global(that) { if (that.window) { if (/url/i.test(string_check(value[i]))) { 'eval' : true, error(); error('ADsafe error.'); prototype : true, } } stack : true, + } + unwatch : true, valueOf : true, watch : true } and other patterns...... can be succinctly expressed with typesWidget := Number + String + Boolean + Undefined + Null + ★: Widget __nodes__: Array<Node> caller: � prototype: � ... code : Widget ⨉ ... → Widget __proto__: Object + Function + Array + ...28 Conclusion untypable eval 1.Model sandbox as a type e system typable wrap wrap(e) typableWidget := Number + String + Boolean + Undefined + Null + ★: Widget 2.Object types for __proto__: Object + Function + Array + ... code : Widget ⨉ ... → Widget arguments: � ★ caller: � JavaScript ( and ☠) ... desugar JavaScript λJS program programSpiderMonkey, 100 LOC 3.Proofs over tractable V8, Rhino interpreterJavaScript semantics “their “our answer” identical for answer” Mozilla JS test suite*29 Spiridon Aristides EliopoulosExtra Slides30 Unverified Code function F() {};ADSAFE.create = typeof Object.create === 'function' ? Object.create : function (o) { F.prototype = typeof o === 'object' && o ? o : Object.prototype; return new F(); };/*: (banned → True) & (not_banned → False) */ function reject_name(name) { return banned[name] || ((typeof name !== 'number' || name < 0) && (typeof name !== 'string' || name.charAt(0) === '_' || name.slice(-1) === '_' || name.charAt(0) === '-')); }31 Theorems32 Full Widget Type33 </div> </article> </div> </div> </div> <script type="text/javascript" async crossorigin="anonymous" src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-8519364510543070"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.1/jquery.min.js" crossorigin="anonymous" referrerpolicy="no-referrer"></script> <script> var docId = '81fbefd0cf00924b753c18d6b199a5bd'; var endPage = 1; var totalPage = 95; var pfLoading = false; window.addEventListener('scroll', function () { if (pfLoading) return; var $now = $('.article-imgview .pf').eq(endPage - 1); if (document.documentElement.scrollTop + $(window).height() > $now.offset().top) { pfLoading = true; endPage++; if (endPage > totalPage) return; var imgEle = new Image(); var imgsrc = "//data.docslib.org/img/81fbefd0cf00924b753c18d6b199a5bd-" + endPage + (endPage > 3 ? ".jpg" : ".webp"); imgEle.src = imgsrc; var $imgLoad = $('<div class="pf" id="pf' + endPage + '"><img src="/loading.gif"></div>'); $('.article-imgview').append($imgLoad); imgEle.addEventListener('load', function () { $imgLoad.find('img').attr('src', imgsrc); pfLoading = false }); if (endPage < 7) { adcall('pf' + endPage); } } }, { passive: true }); </script> <script> var sc_project = 11552861; var sc_invisible = 1; var sc_security = "b956b151"; </script> <script src="https://www.statcounter.com/counter/counter.js" async></script> </html>