Nilesh Kumar

Even the "perfect"-seeming has the most cunning imperfections.

ConScript : A browser extension


ConScript.pdf

Websites depend on third-party JavaScript APIs and other libraries. These APIs may be prone to attacks, security vulnerabilities and poor programming practices. To address this, ConScript, a browser extension / browser-based aspect system for security, allows the hosting page to express fine-grained, application-specific security policies that are enforced at runtime. Policies can also be generated automatically through static analysis of server-side code or run-time analysis of client-side code. A type system helps ensure the correctness of ConScript policies. The system was tested with Google Maps, MSN, GMail and Live Desktop, and its overhead was significantly lower than that of other proposed systems.


One of the fundamental concepts behind ConScript is aspect-oriented programming. ConScript advocates deep aspects that are directly supported by the JavaScript and browser runtimes. ConScript's modification to the JavaScript runtime introduces so-called around advice by providing a new built-in function, Object.around. How it is used is shown below.

1. The syntax for specifying the policies is as follows :
<SCRIPT SRC="script.js" POLICY="(function () {...})">


2. Policy example in ConScript :
One feature of the JavaScript language that is often considered undesirable for security is the eval construct. The following shows how ConScript supports eval interception and argument checking.
<SCRIPT SRC="" POLICY=" 
    var substr = String.prototype.substring; 
    var parse = JSON.parse; 
    around(window.eval, 
        function (oldEval, str) {  
            var str2 = uCall(str, substr, 1,  str.length - 1);  
            var res = parse(str2);  
            if (res) return res;  
            else throw "eval only for JSON";   
} );">


3. Some example policies :
  • Disallow any code from being introduced after a point, such as after the main library loads. It can be done in the following way :
    <script src="main.js" policy=" around(script, function () { return ''; }); "/>
  • Restrict XMLHttpRequest to secure connections. An instance of the XMLHttpRequest object provides the method open(mode, url, sync, username, password), where the last two parameters are optional. A program that specifies a username and password has heightened security concerns. The following policy ensures that, if a username or password is supplied, the connection is over HTTPS.
    let substr : K = String.prototype.substr;  
    around((new XMLHttpRequest()).open,  
        function (o : K, m : U, u : U, a : U, nm : U, pw: U)  
        {  
            let name : K = toPrimitive(nm);  
            let password : K = toPrimitive(pw);  
            let url : K = toPrimitive(u);  
            if ((name || password)  
                && uCall(url, substr, 0, 8) != "https://") {  
                curse(); throw "Use HTTPS for a secure XHR.";  
            } else 
              return uCall(this, o, m, url, a, name, password); 
    });
  • Disable dynamic IFRAME creation. It can be done as follows :
    around(document.createElement,  
        function (c : K, tag : U) {  
            let elt : U = uCall(document, c, tag);  
            if (elt.nodeName == "IFRAME") throw 'err';  
            else return elt; });
  • eval restrictions. Consider an example: you might allow the trusted jQuery library to initialize itself using eval, but for all subsequent code you might then restrict eval to deserializing JSON objects.
    <script src="jQuery.js" policy="  
        let parse : K = JSON.parse;  
        around(eval : K, function (_ : K, evalStrArg : U) {  
            curse();  
            return parse(evalStrArg); }); "/>
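To make the around-advice mechanism and two of the policies above concrete, here is an added example (my own code, not from the ConScript paper or its modified browser) that emulates around advice in ordinary JavaScript and installs the JSON-only eval policy from section 2 and the HTTPS-only authenticated XHR policy from section 3. The helper names around(holder, name, advice), uCall and the FakeXhr stand-in are assumptions of this example; ConScript's real Object.around, uCall and curse live inside the JavaScript engine, and this plain-JS sketch has none of their tamper-resistance guarantees (untrusted code could, for instance, restore the original function reference).

```javascript
// Added example, not code from the ConScript paper or its modified browser:
// a plain-JavaScript emulation of around advice, used to run two of the
// policies described above (JSON-only eval, HTTPS-only authenticated XHR)
// against constructed stand-ins for window.eval and XMLHttpRequest.open.
// ConScript's real Object.around, uCall and curse live inside the JavaScript
// engine; this sketch has none of their tamper-resistance guarantees.

// Capture primitives before any untrusted code could replace them, as the
// policies on the page do with `substr` and `parse`.
const parse = JSON.parse;
const substring = String.prototype.substring;

// Emulated around advice (assumed signature): holder[name] is replaced by a
// wrapper that calls advice(original, ...args) with the caller's `this`.
function around(holder, name, advice) {
  const original = holder[name];
  if (typeof original !== 'function') {
    throw new TypeError(name + ' is not a function');
  }
  holder[name] = function (...args) {
    return advice.call(this, original, ...args);
  };
}

// Stand-in for uCall: call a captured function on a receiver without
// looking anything up on the (possibly tampered-with) receiver.
function uCall(receiver, fn, ...args) {
  return Reflect.apply(fn, receiver, args);
}

// Policy 1: eval may only deserialise JSON. Like the page's policy, the
// first and last characters are dropped (the "(...)" wrapper of the
// eval-based JSON idiom) and a falsy result (0, false, null) is rejected.
function installJsonOnlyEval(holder) {
  around(holder, 'eval', function (oldEval, str) {
    const s = String(str);
    const res = parse(uCall(s, substring, 1, s.length - 1));
    if (res) return res;
    throw new Error('eval only for JSON');
  });
}

// Policy 2: an XHR that carries a username or password must use HTTPS.
function installHttpsOnlyAuthXhr(xhrProto) {
  around(xhrProto, 'open', function (open, method, url, async, user, password) {
    const u = String(url);
    if ((user || password) && uCall(u, substring, 0, 8) !== 'https://') {
      throw new Error('Use HTTPS for a secure XHR.');
    }
    return uCall(this, open, method, u, async, user, password);
  });
}

// Constructed stand-ins (not real browser objects) so the example runs
// under Node without touching the real global eval or XMLHttpRequest.
function makeSandbox() {
  const win = { eval: (code) => eval(code) };
  installJsonOnlyEval(win);

  function FakeXhr() { this.opened = null; }
  FakeXhr.prototype.open = function (method, url, async, user, password) {
    this.opened = { method, url, user: user || null };
    return 'opened';
  };
  installHttpsOnlyAuthXhr(FakeXhr.prototype);

  return { win, FakeXhr };
}

// Reports what a policy did: 'ok:<json result>' or 'blocked:<message>'.
function outcome(fn) {
  try {
    return 'ok:' + JSON.stringify(fn());
  } catch (e) {
    return 'blocked:' + e.message;
  }
}

// Usage:
//   const { win, FakeXhr } = makeSandbox();
//   outcome(() => win.eval('({"a":1})'));                                 // ok:{"a":1}
//   outcome(() => win.eval('alert(1)'));                                  // blocked:...
//   outcome(() => new FakeXhr().open('GET', 'http://h/x', true, 'u', 'p')); // blocked:Use HTTPS for a secure XHR.
```

Two design points carry over from the page's policies: the advice captures String.prototype.substring and JSON.parse at install time so that a later script cannot swap them out from under the check, and the XHR check compares only the eight-character prefix of the URL, so it accepts exactly the lowercase "https://" scheme and nothing else.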


ConScript requires adding a relatively small amount of code to the browser (about 1,000 lines). One advantage of ConScript's design, Meyerovich says, is that it should allow developers to use older code without having to alter it, even if it contains known security vulnerabilities. This is important not only for new websites but also for allowing users to safely access existing websites that aren't being kept up to date. If the policies are well-designed and carefully selected, the researchers say, they shouldn't interfere with any of a site's intended functionality.

For further reading, you can download the file attached.

June 2012