Sandboxing Untrusted JavaScript

Published August 12, 2016, 0:14
Most websites today incorporate untrusted JavaScript content in the form of advertisements, maps and social networking gadgets. Untrusted JavaScript, if embedded directly, has complete access to the page's Document Object Model (DOM) and can therefore steal cookies, navigate the page, maliciously alter the page or cause other harm. In order to combat the above threat, websites use browser-based or language-based methods for sandboxing untrusted JavaScript. In this talk, I will present language-based techniques for sandboxing untrusted JavaScript, using Facebook FBJS, Yahoo! ADSafe and Google Caja as motivating examples. In particular, I will present provably-correct techniques for completely isolating untrusted JavaScript from security-critical hosting page resources, and for providing mediated access to security-critical hosting page resources. I will also present security vulnerabilities that we found in the Facebook FBJS and Yahoo! ADSafe sandboxing mechanisms during the course of this work, along with principled approaches to fixing those vulnerabilities. The talk will span JavaScript based on the 3rd edition of the ECMA262 specification and also the recently released 'strict mode' of JavaScript based on the 5th edition of the ECMA262 specification. This is joint work with John C. Mitchell, Sergio Maffeis, Ulfar Erlingsson, Mark S. Miller and Jasvir Nagra.