Towards Fine-Grained Access Control in JavaScript Contexts

Kailas Patil, Xinshu Dong, Xiaolei Li, Zhenkai Liang (School of Computing, National University of Singapore); Xuxian Jiang (Department of Computer Science, North Carolina State University)

Abstract—A typical Web 2.0 application usually includes JavaScript from various sources with different trust. It is critical to properly regulate JavaScript's access to web application resources. Unfortunately, existing protection mechanisms in web browsers do not provide enough granularity in JavaScript access control. Specifically, existing solutions only partially mitigate this sort of threat, either by providing access control for certain types of JavaScript objects only, or by unnecessarily restricting the functionality of untrusted JavaScript. In this paper, we systematically analyze the complete access control requirements in a web browser's JavaScript environment and identify the fundamental lack of fine-grained JavaScript access control mechanisms in modern web browsers. As our solution, we propose a reference monitor called JCShadow that enables fine-grained access control in JavaScript contexts without unnecessarily restricting the functionality of JavaScript. We have developed a proof-of-concept prototype in the Mozilla Firefox browser, and the evaluation with real-world attacks indicates that JCShadow effectively prevents such attacks with low performance overhead.

I. INTRODUCTION

JavaScript is one of the most important components of the web platform. It enables a new generation of dynamic and interactive web applications, which commonly use JavaScript from various sources, such as third-party JavaScript libraries. Some of these third-party scripts are untrusted and can become malicious. To ensure web application security, it is critical to properly regulate accesses by JavaScript to web application resources. Web browsers control the accesses made by JavaScript using the same-origin policy (SOP) [30]. In SOP, an origin is defined as the triplet of protocol type, host, and port. SOP allows a piece of JavaScript to access an object only if the JavaScript and the object are from the same origin. Under SOP, loading untrusted JavaScript, such as JavaScript libraries and advertisement scripts, opens up the resources of the whole origin to the script. This is the root of a series of attacks.

To better understand the attacks and existing solutions, we need to understand the environment in which JavaScript is executed. A typical JavaScript environment includes three components: the JavaScript engine, the JavaScript context, and the host objects. The JavaScript engine executes JavaScript; the JavaScript context contains the objects defined by the JavaScript standard and the objects created in JavaScript code; the host objects are supplied by the hosting environment, such as the Document Object Model (DOM) [37] in web browsers. Under SOP, scripts from the same origin share a JavaScript context and host objects.

A common solution for protecting web applications against a malicious JavaScript component is to host it on a separate domain and isolate it in an iFrame in the web application. In this way, JavaScript in the third-party component is automatically isolated by the browser's same-origin policy. However, the third-party component often needs to access host objects to obtain information from other parts of the web application. To address this problem, one type of solution restricts the access from untrusted JavaScript [3], [15], [24], [28], [29], but these unnecessarily impede existing web applications that require a rich set of JavaScript features. To impose less restriction on JavaScript functionality, another type of approach [18], [25] develops access control mechanisms to regulate the access to host objects. However, access to the objects in a JavaScript context is still not regulated.

In this paper, we systematically analyze the complete access control requirements in the JavaScript environment, and identify the fundamental lack of fine-grained JavaScript access control mechanisms in modern web browsers. More specifically, existing access control solutions in the JavaScript context are still too coarse-grained and are insufficient to mitigate the threats from third-party JavaScript. An overly restrictive policy that blocks a certain JavaScript feature affects the normal functionality of legitimate web applications. For example, JavaScript allows functions to be overridden during execution, which is commonly used in web application toolkits to smooth out browser differences or fix browser bugs [39]. On the other hand, this very feature is being exploited by attackers to change the behavior of trusted JavaScript, where it should be blocked. When one native object is overridden by a malicious script, all other scripts accessing that object in the same JavaScript context may be compromised [2], [6], [32]. Therefore, instead of imposing an all-or-none restriction, the JavaScript context needs a fine-grained access control mechanism to accommodate both security and functionality.

As our solution, we present JCShadow, a reference monitor that provides the desired fine-grained access control mechanism for JavaScript context protection. In essence, JCShadow partitions the JavaScript objects in a JavaScript context into multiple groups, and confines each group using a shadow JavaScript context. With a (shadow) context for each group, we can efficiently isolate one group from another and effectively regulate cross-group accesses with a security policy, so that untrusted JavaScript can execute potentially dangerous JavaScript features without affecting trusted JavaScript from the same origin.

We have implemented a proof-of-concept JCShadow by extending the JavaScript engine of Mozilla Firefox. Our evaluation with real-world example attacks indicates that JCShadow can effectively block malicious JavaScript code from compromising benign JavaScript from the same origin. The capability of performing fine-grained access control on JavaScript objects is achieved with a low performance overhead. Moreover, our experience indicates that our solution is not limited to web browsers. Instead, it is generally applicable to a variety of JavaScript environments that integrate JavaScript from different sources, such as bookmarklet-based tools and Firefox extensions.

To summarize, our paper makes the following contributions:

• We systematically analyzed the access control problem of a JavaScript environment and identified the common weakness of existing solutions in handling untrusted JavaScript, i.e., the lack of a fine-grained access control mechanism for JavaScript context protection.

• We presented a novel solution called JCShadow. By effectively dividing JavaScript objects into different groups and providing each group with its own shadow context, JCShadow enables fine-grained access control in a JavaScript context.

• We demonstrated the effectiveness and practicality of our approach by implementing a JCShadow prototype in Mozilla Firefox 3.5. The evaluation with a number of example attacks confirmed its effectiveness and practicality.

The rest of this paper is organized as follows. Section II discusses the problem and existing research work, and illustrates the attack threat with an example. Next, Section III explains the detailed design of JCShadow and Section IV presents key implementation details in our Mozilla Firefox-based prototype. After that, Section V reports our evaluation results and Section VI examines possible limitations and suggests ways for improvement. Finally, Section VII covers the related work and Section

[Figure 1: JavaScript Environment. JavaScript Engine (JS Execution Module); JavaScript Contexts (Native Objects, Custom Objects); Host Objects (Document Object Model (DOM), XMLHttpRequest (XHR), ...)]
Fig. 1. Components in a JavaScript Environment.

... provides access control in the JavaScript environment. We then present a motivating attack example.

A. Access Control in the JavaScript Environment

Figure 1 illustrates the components of a JavaScript environment. JavaScript runs in the execution module of the JavaScript engine, which has access to the JavaScript context and the host objects [14]. The JavaScript context contains two types of objects, native objects and custom objects. Native objects (a.k.a. built-in objects) are defined by the JavaScript standard, such as Date, String, etc. Custom objects are defined by JavaScript code, including variables and functions. Host objects are objects provided by the hosting application (for example, the web browser) of the JavaScript engine for accessing peripheral resources outside the JavaScript engine, for example, the DOM and network services. Under the same-origin policy, browsers therefore create one JavaScript context and one set of host objects for each origin. JavaScript in one JavaScript context can access all objects in the same context, as well as the host objects from the same origin, but it is not allowed to access objects from other origins. Therefore, the access control in the JavaScript environment is on an all-or-none basis.

To address the lack of granularity in the JavaScript environment, researchers have proposed a number of systems. According to the way these systems handle the various components in the JavaScript environment, we categorize them as follows:

• To prevent malicious JavaScript from accessing objects from an origin, a few projects recognize unwanted JavaScript and exclude it from the JavaScript environment [4],
