Self-Protecting JavaScript: A Lightweight Approach to Enforcing Security Policies
Phu H. Phung
Abstract:
We describe our method to control JavaScript execution. The aim is to prevent or modify inappropriate behavior caused by, e.g., malicious injected scripts or poorly designed third-party code. The protection mechanism (security policy) is embedded into the code itself and intercepts security-relevant built-in functions. This approach is appealing because it does not require the user to be proactive (installing a specific browser or plug-in). Policies could be embedded in the web pages at a variety of points, including at the server, a web proxy or a browser plug-in. Furthermore, the approach is "lightweight" in the sense that it does not require any aggressive code manipulation. The method works by focusing on policies which control the use of the built-in functions. By redefining built-in functions of the language using policy wrappers, we ensure that calls to the built-ins are mediated by the policy code. The method distinguishes itself from other approaches in that (i) it is insensitive to code obfuscation and the use of difficult language features such as dynamic code creation, (ii) it does not require browser modification, and (iii) it has low run-time overhead since it does not require deep parsing of the program. To achieve this, both the wrapper library and the policy code must be protected. Ongoing work focuses on a number of outstanding issues such as support for writing robust policies (policies that cannot be manipulated by the attacker), and implementing stateful policies which span multiple pages. This talk is based on 2 joint papers (ASIACCS'09, OWASP AppSec'10) with David Sands, Andrey Chudnov, and Jonas Magazinius.
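The policy-wrapper idea from the abstract, as an added illustration that is not code from the papers or the talk: a built-in is redefined so every call goes through policy code, the original survives only in a closure, and the wrapper is locked against reassignment. The names `makeFakeWindow`, `wrapBuiltin` and `popupPolicy` are hypothetical, the pop-up policy is an assumed sample, and a constructed object stands in for the browser's `window`.

```javascript
// Constructed stand-in for the browser's window object, so this runs offline in Node.
function makeFakeWindow() {
  const opened = [];
  return { opened, open(url) { opened.push(url); return { url }; } };
}

// Captured before any untrusted code runs, so the wrapper does not depend on
// Function.prototype.apply/call, which later code could redefine.
const reflectApply = Reflect.apply;

// Hypothetical helper: replace obj[name] with a wrapper that asks `policy` first.
// The only reference to the original built-in lives inside this closure.
function wrapBuiltin(obj, name, policy) {
  const original = obj[name];
  const wrapper = function (...args) {
    const proceed = (...allowedArgs) => reflectApply(original, this, allowedArgs);
    return policy(args, proceed);
  };
  // Lock the property so later code cannot reassign or delete the wrapper.
  Object.defineProperty(obj, name, { value: wrapper, writable: false, configurable: false });
  return wrapper;
}

// Sample stateful policy (an assumption, chosen for illustration): allow at most
// `limit` pop-ups, and rewrite any non-http(s) URL to about:blank.
function popupPolicy(limit) {
  let count = 0;
  return (args, proceed) => {
    if (count >= limit) return null;                                 // prevent
    count += 1;
    const url = String(args[0]);
    return proceed(/^https?:\/\//.test(url) ? url : 'about:blank');  // modify
  };
}

function demo() {
  const win = makeFakeWindow();
  const wrapper = wrapBuiltin(win, 'open', popupPolicy(2));
  win.open('https://example.com/a');               // allowed unchanged
  win.open('javascript:void(0)');                  // allowed, URL rewritten
  const third = win.open('https://example.com/c'); // over the limit: suppressed
  try { win.open = function () {}; } catch (e) { /* TypeError in strict mode */ }
  try { delete win.open; } catch (e) { /* TypeError in strict mode */ }
  return { opened: win.opened, third, stillWrapped: win.open === wrapper };
}
```

Because the policy sees only the call and its arguments, it applies the same way however the calling code was produced, which is the sense in which the abstract calls the method insensitive to obfuscation and dynamic code creation.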