DOI: 10.5555/2342821.2342834

TreeHouse: JavaScript sandboxes to help Web developers help themselves

Published: 13 June 2012

Abstract

Many Web applications (meaning sites that employ JavaScript) incorporate third-party code and, for reasons rooted in today's Web ecosystem, are vulnerable to bugs or malice in that code. Our goal is to give Web developers a mechanism that (a) contains included code, limiting (or eliminating) its influence as appropriate; and (b) is deployable today, or very shortly. While the goal of containment is far from new, the requirement of deployability leads us to a new design point, one that applies the OS ideas of sandboxing and virtualization to the JavaScript context. Our approach, called TreeHouse, sandboxes JavaScript code by repurposing a feature of current browsers (namely Web Workers). TreeHouse virtualizes the browser's API to the sandboxed code (allowing the code to run with few or no modifications) and gives the application author fine-grained control over that code. Our implementation and evaluation of TreeHouse show that its overhead is modest enough to handle performance-sensitive applications and that sandboxing existing code is not difficult.
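The abstract names two halves: a virtualized browser API handed to the sandboxed code, and a host-side policy chosen by the application author. The added example below (not TreeHouse's own code) sketches both for a tiny slice of the DOM; the DOM records, policy and function names are constructed for illustration, and the Worker message channel is replaced by a synchronous call so it runs in Node.

```javascript
// Added example, not TreeHouse's own code: the host side virtualizes a small slice
// of the DOM for sandboxed code. TreeHouse runs that code in a Web Worker, which
// has no DOM, and answers its messages; here postMessage is simulated by a
// synchronous call so the policy logic runs in Node. All names are assumptions.

// Constructed stand-in for the page's DOM: element id -> record.
function makeDom() {
  return { 'ad-slot': { text: '', attrs: {} },
           'checkout': { text: 'Order total: $42', attrs: {} } };
}

// Policy chosen by the application author: per-element read/write rights plus
// an attribute allowlist. Anything not listed is unreachable from the sandbox.
const policy = {
  read: new Set(['ad-slot']),
  write: new Set(['ad-slot']),
  allowedAttrs: new Set(['class', 'data-campaign']),
};

// Host side: decide one request. Only plain values cross the boundary, never a
// reference to a real DOM object, so a reply cannot hand out extra authority.
function handleRequest(dom, policy, msg) {
  const el = dom[msg.id];
  if (!el) return { ok: false, error: 'no such element' };
  if (msg.op === 'getText') {
    if (!policy.read.has(msg.id)) return { ok: false, error: 'read denied' };
    return { ok: true, value: el.text };
  }
  if (!['setText', 'setAttribute'].includes(msg.op)) return { ok: false, error: 'unknown op' };
  if (!policy.write.has(msg.id)) return { ok: false, error: 'write denied' };
  if (msg.op === 'setText') { el.text = String(msg.value); return { ok: true }; }
  if (!policy.allowedAttrs.has(msg.name)) return { ok: false, error: 'attribute denied' };
  el.attrs[msg.name] = String(msg.value);
  return { ok: true };
}

// Worker side: a virtual `document` with the shape the third-party script
// expects, so it runs unmodified while every operation is forwarded to the host.
function makeVirtualDocument(send) {
  return {
    getElementById: (id) => ({
      get textContent() { return send({ op: 'getText', id }).value; },
      set textContent(v) { send({ op: 'setText', id, value: v }); },
      setAttribute: (name, value) => send({ op: 'setAttribute', id, name, value }).ok,
    }),
  };
}
```

In a real Worker the messages cross the boundary asynchronously, so a read such as `textContent` would have to be answered through a callback or promise rather than returned directly.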



Published In

USENIX ATC'12: Proceedings of the 2012 USENIX conference on Annual Technical Conference, June 2012, 41 pages.

Publisher: USENIX Association, United States

Published: 13 June 2012

Cited By

• (2022) Accept All Exploits: Exploring the Security Impact of Cookie Banners. Proceedings of the 38th Annual Computer Security Applications Conference, pp. 911-922. doi:10.1145/3564625.3564647. Online publication date: 5-Dec-2022.
• (2021) Containing Malicious Package Updates in npm with a Lightweight Permission System. Proceedings of the 43rd International Conference on Software Engineering, pp. 1334-1346. doi:10.1109/ICSE43902.2021.00121. Online publication date: 22-May-2021.
• (2019) ScriptProtect. Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, pp. 391-402. doi:10.1145/3321705.3329841. Online publication date: 2-Jul-2019.
• (2016) Earp. Proceedings of the 13th Usenix Conference on Networked Systems Design and Implementation, pp. 627-642. doi:10.5555/2930611.2930652. Online publication date: 16-Mar-2016.
• (2016) Content-based security for the web. Proceedings of the 2016 New Security Paradigms Workshop, pp. 49-60. doi:10.1145/3011883.3011890. Online publication date: 26-Sep-2016.
• (2016) Radiatus. Proceedings of the Seventh ACM Symposium on Cloud Computing, pp. 237-250. doi:10.1145/2987550.2987571. Online publication date: 5-Oct-2016.
• (2016) How to Train Your Browser. ACM Transactions on Privacy and Security 19(1):1-31. doi:10.1145/2939374. Online publication date: 19-Jul-2016.
• (2016) Ensuring endpoint authenticity in WebRTC peer-to-peer communication. Proceedings of the 31st Annual ACM Symposium on Applied Computing, pp. 2103-2110. doi:10.1145/2851613.2851804. Online publication date: 4-Apr-2016.
• (2016) JavaScript Sandboxing. Tutorial Lectures on Foundations of Security Analysis and Design VIII, Volume 9808, pp. 32-86. doi:10.1007/978-3-319-43005-8_2. Online publication date: 1-Jun-2016.
• (2015) JaTE. Proceedings of the 31st Annual Computer Security Applications Conference, pp. 151-160. doi:10.1145/2818000.2818019. Online publication date: 7-Dec-2015.
