GATEKEEPER: mostly static enforcement of security and reliability policies for JavaScript code

Published: 10 August 2009
DOI: 10.5555/1855768.1855778

Abstract

The advent of Web 2.0 has led to the proliferation of client-side code that is typically written in JavaScript. This code is often combined -- or mashed-up -- with other code and content from disparate, mutually untrusting parties, leading to undesirable security and reliability consequences.
This paper proposes GATEKEEPER, a mostly static approach for soundly enforcing security and reliability policies for JavaScript programs. GATEKEEPER is a highly extensible system with a rich, expressive policy language, allowing the hosting site administrator to formulate their policies as succinct Datalog queries.
The primary application of GATEKEEPER this paper explores is in reasoning about JavaScript widgets such as those hosted by widget portals Live.com and Google/IG. Widgets submitted to these sites can be either malicious or just buggy and poorly written, and the hosting site has the authority to reject the submission of widgets that do not meet the site's security policies.
To show the practicality of our approach, we describe nine representative security and reliability policies. Statically checking these policies results in 1,341 verified warnings in 684 widgets, no false negatives, due to the soundness of our analysis, and false positives affecting only two widgets.

Published In

SSYM'09: Proceedings of the 18th conference on USENIX security symposium
August 2009
432 pages

Publisher

USENIX Association
United States
