Cross‐OriginJavaScriptCapabilityLeaksDetec9on:Detec9on,Exploita9on,andDefense

JointworkwithAdamBarthandDawnSong

1

JavaScriptisasimplelanguagewithcomplexsecurityproper9es.Specifically,itisconcernedabouthos9lecodebeingruninavarietyofJavaScriptcontexts.Takethisexample.Wehave(atleast)threedis9nctJavaScriptcontexts:theESPNpage,anadver9sementrunninginaframe,andNYTimes.comrunninginanothertab.AllofthesecouldberunningJavaScript.

JavaScriptobjectsfromoneJavaScriptcontextshouldnotnecessarilybeaccessiblefromanotherJavaScriptcontext.Thiscouldleadtoallsortsofmaliciousbehaviorsuchasaccessinganothersite’scookiesorchangingtheJavaScriptofthatpage.Inthiswork,we’repar9cularlyworriedaboutaclassofvulnerabili9esthatleaksJavaScriptobjectsfromoneJavaScriptcontexttoanother.

Inpar9cular,aretherewaysforonecontexttomaliciouslyaccessobjectsandproper9esinanothercontext?

2

Inthiswork,weiden9fyanewclassofwebbrowsersecurityvulnerabili9eswhichallowfortheaccessofobjectsandproper9esinotherJavaScriptcontexts.Thesevulnerabili9esexploitapar9cularholeinthesecurityenforcementbywebbrowsersoftheirsecuritypolicies.Wecallthesevulnerabili9es“Cross‐OriginJavaScriptCapabilityLeaks.”

3

Wealsohavecreatedadynamicanalysistoolfordetec9ngthesevulnerabili9es.WeuseanovelformofJavaScriptheapgraphanalysistoaccomplishthis.

4

Usingthetool,wefindtwoseveralrealvulnerabili9esinamajorwebbrowser.Addi9onally,wealsousetothetooltodissecta“safe”mashupJavaScriptlibraryandexploitit.

5

Finally,weproposeanewenforcementmechanismforwebbrowsers.Wedonotproposeanewpolicy;weonlyproposeanew,moreeffec9ve,enforcementmechanismforcurrentpolicies.

6

Tostartthetalk,let’sdiscussthecurrentJavaScriptsecuritymodelforobjectaccess.Then,we’llintroducetheproblemofCross‐OriginJavaScriptCapabilityLeaks.We’llshowamethodofdetec9ngthesevulnerabili9es.Finally,we’lldiscussageneralsolu9ontothisclassofa_acks.

7

TheDocumentObjectModel,orDOM,isthestructurethatrepresentsmanyoftheimportantobjectsonwebpages,suchasthedocument’scookie.Italsoallowsforthephysicalmanipula9onofthewebpageitself.TheDOMisnotdirectlyapartoftheJavaScriptengine;itisasetofbuiltinobjectsandmethodsformanipula9ngobjects,buttheJavaScriptengineistheore9callyseparatefromtheDOM.

InordertogainaccesstoDOMobjects,theDOMdoesasecuritychecktomakesurethattheaccessingcontextisallowedtohandlethespecifiedobject.IftheJavaScriptcontextsmatch,theconnec9onisgrantedandaccessgiven.

8

FromtheJSEngine’sperspec9ve,theJavaScriptcontextnowholdsareferencetotheobject.

9

IftheJavaScriptcontextsdonotmatch,thenaccessisdeniedandnoreferenceisgiven.

10

TheJavaScriptengineitselfhasadifferentwayofdoingthings.Itworksasacapabilitysystem.IfaJavaScriptcontextisgivenareferencetoaJSobject,ithaspermissiontoaccessit.Ifnosuchreferenceexists,theobjectcannotbeaccessed.Thereisnowayto“divine”objectsintheJavaScriptengine.ThisissortofwheretheDOMcomesin.IfyouneedaccesstoaDOMobject,youcanreferenceit,evenifnopar9cularobjecthasareferencetoit.

11

Inshort,insideofwebbrowsers,therearetwodifferentwaysmechanismsforsecurity.Ontheonehand,theDOMprovidesaccesscontrolcheckswhenaDOMobjectisini9allyaccessed.

12

Ontheotherhand,theJavaScriptenginetreatsallobjectsascapabili9es,includingDOMobjectsoncetheyhavebeenaccessedandassignedavariable.

13

Youmightstarttogetasensethatthissitua9onisabitodd.WehavetheDOMac9ngasanaccesscontrolsystemandtheJSEngineasacapabilitysystem,bothofwhicharedealingwiththesameJavaScriptobjects.Let’sdelveintothepreciseproblemwe’redealingwith.

14

We’vebeentalkingaboutJavaScriptratherabstractlysofar,butwhatarealltheseJavaScriptcontexts,andwhatdoesitmeanforacontexttoreferenceanobjectinanothercontext?

Whathappenswhenonecontexthasareferencetoanobjectinanothercontext?ItturnsoutthatJavaScriptdefinesasetofveryspecialobjectscalledglobalobjects.Eachwindowandframehasitsownglobalobject,and,infact,JavaScriptcontextsaredefinedbyJavaScriptenginesbytheglobalobjectofthecontext.Globalobjectshaveanumberofspecialproper9es,themostimportantofwhich,forourpurposes,isthatitisthereferencemonitorfortheDOMdiscussedearlier.Anycontextisallowedtoaccessanyglobalobjectandtheitwillperformtheappropriateaccesscontrolchecksonaccessedproper9es.

15

Forexample,thefunc9on“bar”maymakeareferencetotheglobalobjectfromthecontext“Window1.”

16

However,itwouldbebadifbar()wasabletoreferencealloftheobjectsthattheglobalobjectpointsto.Fortunately,globalobjectsprovidethereferencemonitor,sothisisnotanissue.

17

Itwouldalsobeverybadifbar()heldadirectreferencetoeitheroftheotherobjectsinthe“Window1”context.Unfortunately,theydonothavereferencemonitorswrappingthem,soifbar()heldareferencetothem,itwouldbegameover,unlikeifitheldareferencetotheothercontext’sglobalobject.

18

Solet’sjumpbacktothetwopoliciesoftheDOMandJavaScriptengine.Whathappenswhenthetwomeet?

19

Specifically,letusassumethatcontext1isgrantedaccesstoanobjectthroughthereferencemonitor.Fromtheperspec9veoftheJavaScriptengine,thecontextnowholdsareferencetotheobjectwhichisalsoacapability.

20

TheJavaScriptcontextcandowhateveritwantswiththereference,includinghandingthereferencetoanotherJavaScriptcontext,onpurposeorotherwise.

21

Becausetheengineisacapabilitysystem,itnowcanaccesstheobjectwithfullpermissions.EventhoughitisaDOMobject,itisnowbypassingthereferencemonitorcheck.Now,wehaven’testablishedthisaproblemyetperse;itisnotclearthatthereisanywayforaJavaScriptcontexttodothisillegi9mately.However,itturnsoutthatthisisaseriousproblembecauseofanumberofbugsinwebbrowsers.Inthesebugs,amaliciousscriptcan“trick”thebrowserintothinkingthatit’sfromadifferentJavaScriptcontext,thusgainingaccesstoasensi9veobjectthroughtheDOMaccesscontrol.ThemaliciousJavaScriptcontextnowhasacapabilitytothisobjectsoitcanmanipulateithoweveritseesfit,includingallofthethingstowhichitreferences.

22

ThisisaCross‐OriginJavaScriptCapabilityLeak.Onecontextleaksacapabilityreferencetoanothercontext,andthissecondcontextnowholdsanunbridledreferencetotheDOMobject.Thisisaverybadthing.

23

Let’sdiscusshowtohelpdetecttheseproblemsinanapplica9onusingourheapgraphanalysistool.

24

Thestatewewanttodetectiswhenanobjectfromonecontextholdsareferencetoanobjectinadifferentcontext.Oursolu9onistouseaheapgraphanalysistodynamicallymarktheJavaScriptcontextofallobjectsintheJavaScriptheapandtothroughanalertwhenthereisareferencebetweentwoobjectsindifferentcontexts.WemodifytheWebKitJavaScriptenginetoperformtheinstrumenta9onandanalysisforthistool.

25

WeneededtoinstrumenttheWebKitJavaScriptenginewithcallstoourheapgraphanalysislibrary.Thesepointsareratherstraighhorward.Ratherthanpujngtheinstrumenta9onintheinterpreterandJIT,weplacedtheinstrumenta9onwithintheobjectsystemen9relysincethatiswhatwewereen9relyconcernedwith.Weplacedinstrumenta9onpointsatobjectcrea9on,objectdestruc9on,andthecrea9onofobjectreferences(alongwithseveralotherspecializedpoints).

26

Here’sangraphoftheemptypage.Becausewearetrackingallobjectsontheheap,atany9mewecandumpanimageoftheheapasaGraphvizgraph.Clearly,eventheemptypageisrathercomplex,andthesegraphsweremainlyusefulfor(a)debuggingourwork,and(b)reducedversionsareusefulforfindingexploits.

27

Thisistheheapgraphofgoogle.com.Clearly,morecomplicatedbutitturnsoutthatgoogle.comdoesn’thavethatmuchJavaScriptonitandevenreachesthislevelofcomplexity.

28

Thegraphscangetratherbigquickly.WhileevenGoogledoesn’tappearthatlarge,thingsquicklyexplodeonlargerpages,makinggraphsratherunwieldy.Thus,werealizedthatweneededtoautoma9callydetectviola9onsratherthanjustmanuallyexaminingheapgraphs.

29

ThekeyinsighttofindingtheseexploitsishowtheJavaScriptcontextiscalculated.RememberthatJavaScriptcontextsaredefinedbytheglobalobjecttheyareassociatedwith.Whenanewcontextiscreated,severalthingsarebuilt,includingainstanceofaglobalobject,andaunique“objectprototype,”which,intheprototypeclasshierarchy,servesastheul9mateparentofallobjects.

30

Whenanewobjectiscreated,thereiseitheradirectorindirectpathtotheObjectPrototype.Thispathgoesthroughthespecial“__proto__”property.Thus,ouralgorithmtracksthecrea9onofnewcontexts,andevery9meanewobjectiscreated,checksthe__proto__property,lookingupthereferencedobject.Becausethecontextisdefinedbythetransi9veclosureof__proto__referencestotheobjectprototype,wecanassignthenewobjectthecontextof__proto__object.

Alongtheway,ifweeverycomeacrossareferencebetweentwoobjectsofdifferentcontexts(otherthanthe__proto__reference),wemarkitasapoten9alproblem.Ofcourse,therearesomeexcep9onstothis,suchastheglobalobject,asdiscussedearlier,andwewhitelistthese.

31

Wewereabletogeneratefairlygoodcoveragebyexecu9ngourtoolacrossalloftheWebKitregressiontests.Ofcourse,thisishardlyacompletetest,butweweresimplytryingtofindproof‐of‐conceptvulnerabili9es,notperformanexhaus9vesearchofallpossiblecross‐originreferences.

32

This“zoomsin”ononeofthevulnerabili9eswefound.Here,theblackrepresentsanobjectfromsecuritycontext1whilethewhiterepresentsobjectsfromsecuritycontext2.Thisiswhatwepar9cularlywanttodetect…oneJavaScriptcontextreferencinganother.Despitethegraphsbeingsolarge,wecanperformthisreachabilityanalysisratherquickly.

Inthisexample,thevulnerabilityoccurredinWebKitbecauseitwaslazilycrea9ngtheloca9onobject.Iftheloca9onobjectwascreatedduringtheexecu9onofanothercontext(i.e.ifitbelongedtocontext1,butcontext2wasaccessingit),itwouldbecreatedwiththewrongObjectprototype.Thisisdangerousbecauseitallowstheobjecttoredefinethebehavioroffunc9ons,suchastoString,thatapplytoallObjectscreatedintheothercontext.Then,ifthatfunc9oniscalled,arbitraryJavaScriptwillbeexecuted.

33

Overall,inourtestsetup,wefound2vulnerabili9esinWebKitamongthe143testsran.Addi9onallywefoundthattheCrossSafecross‐domainJSONrequestlibraryhadanumberofvulnerabili9es.Inallcases,wewereabletodesignsubtleexploitsofthevulnerabili9esthatcreatedarbitrarycodeexecu9onintheothersecuritycontext.

34

Thegoodnewsisthatwehaveaproposaltopreventtheseproblemsinthefuture.

35

Herewehaveasmallviewofsomeoftheobjectsincurrentwebbrowsers.Forthemostpart,ifthereisaleakinthebrowserthatgivesanobjectfromcontexttoasecondcontext,thatcontextcanaccessthoseobjects.Yes,therearesomeexcep9ons,suchaswrappedobjectsinFirefox,butthosearehardlyexhaus9veandcannotcovercasesforwhichobjectsarenotexplicitlywrapped.

Inthispar9cularexample,func9onbar()inWindow2hasaccesstoWindow2’sdocumentobject(asitshould),butitalsoholdsareferencetothedocumentobjectofWindow1,whichitcannowaccess.

Oursolu9onistoaddanaccesscontrolchecktogetandputopera9onstomakeitlookmorelikethis…

36

ThesecheckswillverifythattheJavaScriptcontextofthetwoobjectsinques9onmatch.Ifnot,theengineshouldrejecttheaccess.It’sasimpleideathathasbeenconsideredinthepast.Howeverpeoplehavebeenveryconcernedaboutitsperformance.Addi9onally,wehadconcernsini9allythatitwouldbedifficulttoassurethatallthatplacesthatneedtohaveaccesscontrolcheckswouldbeeasytofindandsuchanimplementa9onwouldbeerrorproneitself.Astotheimplementa9onconcerns,wediscoveredthattherearerela9velyfewplacesthatthisneedstobeactuallycalculated,andit’sfairlyclearwherethosepointsare.Addi9onally,inanon‐prototypeimplementa9on,theaccesscontrolcheckscouldbebuiltinasamorefundamentalandsimplemechanisminWebKit,therebyreducingthenumberofplacescheckswouldhavetobeexplicitlyplaced.

37

Theaccesscontroladdsnegligibleperformancehitstogeneralbenchmarks.Acrossallofthemajorindustrybenchmarks,ouraccesscontrolprototypeaddsnomorethan2%overheadtothebaseimplementa9on(+/‐error).

However,ifyouconsiderthatInthelastyearalonetherehasbeena300%performanceincreasetoWebKit,a2%hitstartstolookabitpaltry..

38

Wehypothesizedthatouraccesscontrolwasrela9velyfastbecauseoftheinlinecacheinthenewWebKitimplementa9on.Inshort,formostobjects,whenapropertyislookedupthefirst9me,itislookedupinahashtableandtheoffsetintothestructureisrecorded.Whenthatpar9cularpieceofcodeisaccessedagaininthefuture,Insteadofhashinginfuturelookups,thepropertyisaccessedbyjustgoingdirectlyintothestructurewiththerecordedoffset.Becauseoftheoffsetlookup,weknowthattheobjecthasaccesstothisobjectbecausethefirstlookupmadeanaccesscontrolcheck.However,wheneverapropertyisdeleted,thislookupsystemisforgoneandahashtablelookupisdone,makinganaccesscontrolcheckevery9me.

Inordertotestiftheinlinecacheiswhat’scausingthespeedup,wemademicro‐benchmarksforrepeatedlyreadingandwri9nganobjectproperty.Intwoofthebenchmarks,however,wedeletedapropertyfromtheobjectfirst,thusforcingthelookupstooccurinthehashtableratherthanthroughtheinlinecache.Asthechartclearlyshows,wheretheinlinecacheisused,thereishardlyano9ceableslowdown.However,whenthecacheisnotinuse,thereisa9‐10%slowdownintheaccesscontrolimplementa9on.

39

Inconclusion,wehaveintroducedanoveltoolusingheapgraphanalysistoaidusinfindinganewclassofvulnerabili9esinwebbrowsers,cross‐originJavaScriptcapabilityleaks.Addi9onally,thedamageofthesevulnerabili9escanbemi9gatedinthefuturebeimplemen9nganewaccesscontrolmechanisminthewebbrowser.

40