Cross-Origin JavaScript Capability Leaks Detection: Detection, Exploitation, and Defense
Joint work with Adam Barth and Dawn Song
JavaScript is a simple language with complex security properties. Specifically, browsers must cope with hostile code being run in a variety of JavaScript contexts. Take this example. We have (at least) three distinct JavaScript contexts: the ESPN page, an advertisement running in a frame, and NYTimes.com running in another tab. All of these could be running JavaScript.
JavaScript objects from one JavaScript context should not necessarily be accessible from another JavaScript context. Such access could lead to all sorts of malicious behavior, such as reading another site's cookies or changing the JavaScript of that page. In this work, we're particularly worried about a class of vulnerabilities that leaks JavaScript objects from one JavaScript context to another.
In particular, are there ways for one context to maliciously access objects and properties in another context?
In this work, we identify a new class of web browser security vulnerabilities which allow for the access of objects and properties in other JavaScript contexts. These vulnerabilities exploit a particular hole in the way web browsers enforce their security policies. We call these vulnerabilities "Cross-Origin JavaScript Capability Leaks."
We also have created a dynamic analysis tool for detecting these vulnerabilities. We use a novel form of JavaScript heap graph analysis to accomplish this.
Using the tool, we find two real vulnerabilities in a major web browser. Additionally, we also use the tool to dissect a "safe" mashup JavaScript library and exploit it.
Finally, we propose a new enforcement mechanism for web browsers. We do not propose a new policy; we only propose a new, more effective, enforcement mechanism for current policies.
To start the talk, let's discuss the current JavaScript security model for object access. Then, we'll introduce the problem of Cross-Origin JavaScript Capability Leaks. We'll show a method of detecting these vulnerabilities. Finally, we'll discuss a general solution to this class of attacks.
The Document Object Model, or DOM, is the structure that represents many of the important objects on web pages, such as the document's cookie. It also allows for the physical manipulation of the web page itself. The DOM is not directly a part of the JavaScript engine; it is a set of built-in objects and methods for manipulating objects, but the JavaScript engine is theoretically separate from the DOM.
In order to gain access to DOM objects, the DOM does a security check to make sure that the accessing context is allowed to handle the specified object. If the JavaScript contexts match, the connection is granted and access given.
From the JS engine's perspective, the JavaScript context now holds a reference to the object.
If the JavaScript contexts do not match, then access is denied and no reference is given.
The JavaScript engine itself has a different way of doing things. It works as a capability system. If a JavaScript context is given a reference to a JS object, it has permission to access it. If no such reference exists, the object cannot be accessed. There is no way to "divine" objects in the JavaScript engine. This is sort of where the DOM comes in. If you need access to a DOM object, you can reference it, even if no particular object has a reference to it.
In short, inside of web browsers, there are two different security mechanisms. On the one hand, the DOM provides access control checks when a DOM object is initially accessed.
On the other hand, the JavaScript engine treats all objects as capabilities, including DOM objects once they have been accessed and assigned to a variable.
You might start to get a sense that this situation is a bit odd. We have the DOM acting as an access control system and the JS engine as a capability system, both of which are dealing with the same JavaScript objects. Let's delve into the precise problem we're dealing with.
We've been talking about JavaScript rather abstractly so far, but what are all these JavaScript contexts, and what does it mean for a context to reference an object in another context?
What happens when one context has a reference to an object in another context? It turns out that JavaScript defines a set of very special objects called global objects. Each window and frame has its own global object, and, in fact, JavaScript engines define a JavaScript context by the global object of the context. Global objects have a number of special properties, the most important of which, for our purposes, is that the global object is the reference monitor for the DOM discussed earlier. Any context is allowed to access any global object, and the global object will perform the appropriate access control checks on accessed properties.
For example, the function "bar" may make a reference to the global object from the context "Window 1."
However, it would be bad if bar() was able to reference all of the objects that the global object points to. Fortunately, global objects provide the reference monitor, so this is not an issue.
It would also be very bad if bar() held a direct reference to either of the other objects in the "Window 1" context. Unfortunately, they do not have reference monitors wrapping them, so if bar() held a reference to them, it would be game over, unlike if it held a reference to the other context's global object.
So let's jump back to the two policies of the DOM and JavaScript engine. What happens when the two meet?
Specifically, let us assume that context 1 is granted access to an object through the reference monitor. From the perspective of the JavaScript engine, the context now holds a reference to the object, which is also a capability.
The JavaScript context can do whatever it wants with the reference, including handing the reference to another JavaScript context, on purpose or otherwise.
Because the engine is a capability system, the receiving context can now access the object with full permissions. Even though it is a DOM object, the access now bypasses the reference monitor check. Now, we haven't established that this is a problem yet per se; it is not clear that there is any way for a JavaScript context to do this illegitimately. However, it turns out that this is a serious problem because of a number of bugs in web browsers. In these bugs, a malicious script can "trick" the browser into thinking that it's from a different JavaScript context, thus gaining access to a sensitive object through the DOM access control. The malicious JavaScript context now has a capability to this object, so it can manipulate it however it sees fit, including everything that object references.
This is a Cross-Origin JavaScript Capability Leak. One context leaks a capability reference to another context, and this second context now holds an unbridled reference to the DOM object. This is a very bad thing.
Let's discuss how to help detect these problems in an application using our heap graph analysis tool.
The state we want to detect is when an object from one context holds a reference to an object in a different context. Our solution is to use a heap graph analysis to dynamically mark the JavaScript context of all objects in the JavaScript heap and to throw an alert when there is a reference between two objects in different contexts. We modify the WebKit JavaScript engine to perform the instrumentation and analysis for this tool.
We needed to instrument the WebKit JavaScript engine with calls to our heap graph analysis library. These points are rather straightforward. Rather than putting the instrumentation in the interpreter and JIT, we placed the instrumentation entirely within the object system, since that is what we were concerned with. We placed instrumentation points at object creation, object destruction, and the creation of object references (along with several other specialized points).
Here's a graph of the empty page. Because we are tracking all objects on the heap, at any time we can dump an image of the heap as a Graphviz graph. Clearly, even the empty page is rather complex, and these graphs were mainly useful for (a) debugging our work, and (b) in reduced versions, for finding exploits.
This is the heap graph of google.com. It is clearly more complicated, yet google.com doesn't have that much JavaScript on it and still reaches this level of complexity.
The graphs can get rather big quickly. While even Google doesn't appear that large, things quickly explode on larger pages, making graphs rather unwieldy. Thus, we realized that we needed to automatically detect violations rather than just manually examining heap graphs.
The key insight to finding these exploits is how the JavaScript context is calculated. Remember that JavaScript contexts are defined by the global object they are associated with. When a new context is created, several things are built, including an instance of a global object, and a unique "object prototype," which, in the prototype class hierarchy, serves as the ultimate parent of all objects.
When a new object is created, there is either a direct or indirect path to the Object Prototype. This path goes through the special "__proto__" property. Thus, our algorithm tracks the creation of new contexts, and every time a new object is created, checks the __proto__ property, looking up the referenced object. Because the context is defined by the transitive closure of __proto__ references to the object prototype, we can assign the new object the context of the __proto__ object.
Along the way, if we ever come across a reference between two objects of different contexts (other than the __proto__ reference), we mark it as a potential problem. Of course, there are some exceptions to this, such as the global object, as discussed earlier, and we whitelist these.
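The context-assignment and leak-detection rule above, as an added example (this is not the talk's tool, which instruments WebKit's object system in C++; it is a stand-alone JavaScript model). A heap node is a record whose `proto` field stands in for the `__proto__` link and whose `refs` field holds every other outgoing reference; contexts are identified by their unique Object prototype, and global objects are whitelisted as the talk describes. The constructed scenario also includes an object that belongs to Window 1 but received Window 2's Object prototype, the mis-creation pattern the talk later describes for the lazily created location object, to show that the same scan flags it.

```javascript
// Added example (not the talk's tool): a toy model of the heap-graph context
// analysis. A heap node is { id, proto, refs }: "proto" stands in for the
// __proto__ link and "refs" maps property names to referenced nodes.
function node(id, proto, refs = {}) {
  return { id, proto, refs };
}

class HeapGraphAnalyzer {
  constructor() {
    this.contexts = new Map(); // Object prototype node -> context name
    this.globals = new Set();  // global objects: whitelisted (they are the reference monitor)
  }

  // Creating a context builds its unique Object prototype and its global object.
  addContext(name) {
    const objectPrototype = node(`${name}:ObjectPrototype`, null);
    const global = node(`${name}:global`, objectPrototype);
    this.contexts.set(objectPrototype, name);
    this.globals.add(global);
    return { objectPrototype, global };
  }

  // An object's context is the context whose Object prototype is reached by
  // following proto links (the transitive closure of __proto__).
  contextOf(obj) {
    const seen = new Set();
    for (let cur = obj; cur && !seen.has(cur); cur = cur.proto) {
      if (this.contexts.has(cur)) return this.contexts.get(cur);
      seen.add(cur);
    }
    return null; // no known Object prototype reachable
  }

  // Walk every object reachable from the roots and report each non-proto
  // reference whose endpoints lie in different contexts, unless the target
  // is a global object.
  findLeaks(roots) {
    const leaks = [];
    const visited = new Set();
    const stack = [...roots];
    while (stack.length > 0) {
      const src = stack.pop();
      if (visited.has(src)) continue;
      visited.add(src);
      const fromCtx = this.contextOf(src);
      for (const [prop, dst] of Object.entries(src.refs)) {
        const toCtx = this.contextOf(dst);
        if (fromCtx !== toCtx && !this.globals.has(dst)) {
          leaks.push({ from: src.id, prop, to: dst.id, fromCtx, toCtx });
        }
        stack.push(dst);
      }
      if (src.proto) stack.push(src.proto);
    }
    return leaks;
  }
}

// Constructed scenario with two contexts, following the talk's Window 1 /
// Window 2 and bar() example.
function demo() {
  const analyzer = new HeapGraphAnalyzer();
  const w1 = analyzer.addContext('Window1');
  const w2 = analyzer.addContext('Window2');

  const doc1 = node('Window1:document', w1.objectPrototype);
  w1.global.refs.document = doc1;

  const bar = node('Window2:bar', w2.objectPrototype);
  w2.global.refs.bar = bar;
  bar.refs.otherWindow = w1.global; // fine: the global object is the reference monitor
  bar.refs.leaked = doc1;           // leak: an unmonitored object from Window 1

  // Object created for Window 1 while Window 2 was running, so it received
  // Window 2's Object prototype (the mis-creation pattern of the lazily
  // created location object). Its context is computed as Window 2.
  const loc = node('Window1:location', w2.objectPrototype);
  w1.global.refs.location = loc;

  return analyzer.findLeaks([w1.global, w2.global]);
}
```

`demo()` returns exactly two flagged edges: `bar.leaked` (Window 2 holding Window 1's document) and `global.location` (a Window 1 property whose target computes to Window 2 because of its prototype), while `bar.otherWindow` is not reported because its target is a global object. The real tool runs the same classification incrementally at object creation and reference creation rather than as a batch scan.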
We were able to generate fairly good coverage by executing our tool across all of the WebKit regression tests. Of course, this is hardly a complete test, but we were simply trying to find proof-of-concept vulnerabilities, not perform an exhaustive search of all possible cross-origin references.
This "zooms in" on one of the vulnerabilities we found. Here, the black represents an object from security context 1 while the white represents objects from security context 2. This is what we particularly want to detect: one JavaScript context referencing another. Despite the graphs being so large, we can perform this reachability analysis rather quickly.
In this example, the vulnerability occurred in WebKit because it was lazily creating the location object. If the location object was created during the execution of another context (i.e. if it belonged to context 1, but context 2 was accessing it), it would be created with the wrong Object prototype. This is dangerous because it allows the object to redefine the behavior of functions, such as toString, that apply to all Objects created in the other context. Then, if that function is called, arbitrary JavaScript will be executed.
Overall, in our test setup, we found 2 vulnerabilities in WebKit among the 143 tests run. Additionally, we found that the CrossSafe cross-domain JSON request library had a number of vulnerabilities. In all cases, we were able to design subtle exploits of the vulnerabilities that created arbitrary code execution in the other security context.
The good news is that we have a proposal to prevent these problems in the future.
Here we have a small view of some of the objects in current web browsers. For the most part, if there is a leak in the browser that gives an object from one context to a second context, that second context can access the object. Yes, there are some exceptions, such as wrapped objects in Firefox, but those are hardly exhaustive and cannot cover cases in which objects are not explicitly wrapped.
In this particular example, function bar() in Window 2 has access to Window 2's document object (as it should), but it also holds a reference to the document object of Window 1, which it can now access.
Our solution is to add an access control check to get and put operations to make it look more like this…
These checks will verify that the JavaScript contexts of the two objects in question match. If not, the engine should reject the access. It's a simple idea that has been considered in the past. However, people have been very concerned about its performance. Additionally, we had concerns initially that it would be difficult to assure that all the places that need access control checks would be easy to find, and that such an implementation would be error prone itself. As to the implementation concerns, we discovered that there are relatively few places where this actually needs to be calculated, and it's fairly clear where those points are. Additionally, in a non-prototype implementation, the access control checks could be built in as a more fundamental and simple mechanism in WebKit, thereby reducing the number of places where checks would have to be explicitly placed.
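The contrast between the two enforcement models, as an added example (this is not code from the talk or from WebKit; it is a JavaScript model in which a module-level `currentContext` variable and a `runInContext` helper stand in for the engine's notion of which context is executing). The global object's `getDocument()` plays the DOM reference monitor, checking the context only when the document is first handed out; `ownedBy()` is a Proxy that adds the proposed check to every get and put. `leakScenario()` simulates a browser bug that hands Window 2's script a raw reference to Window 1's document and reports what that script can then read and write, with and without the engine-level check.

```javascript
// Added example (not from the talk or WebKit): a model of the proposed get/put
// access control, beside the current behaviour in which only the initial DOM
// access is checked.

let currentContext = null; // name of the context whose script is running (constructed)

function runInContext(ctx, fn) {
  const prev = currentContext;
  currentContext = ctx;
  try {
    return fn();
  } finally {
    currentContext = prev;
  }
}

// Engine-level enforcement: every get and put compares the object's owning
// context with the running context and rejects a mismatch.
function ownedBy(ctx, obj) {
  const check = (op, prop) => {
    if (currentContext !== ctx) {
      throw new Error(`${op} of '${String(prop)}' by ${currentContext} on an object owned by ${ctx}`);
    }
  };
  return new Proxy(obj, {
    get(target, prop) { check('get', prop); return Reflect.get(target, prop); },
    set(target, prop, value) { check('put', prop); return Reflect.set(target, prop, value); },
  });
}

// A window: its global object acts as the DOM reference monitor and checks the
// context only when the document is first handed out. With engineChecks set,
// the document itself also carries the get/put check.
function makeWindow(name, engineChecks) {
  const rawDocument = { cookie: `session-for-${name}` };
  const document = engineChecks ? ownedBy(name, rawDocument) : rawDocument;
  const global = {
    getDocument() {
      if (currentContext !== name) {
        throw new Error(`reference monitor: ${currentContext} may not access ${name}.document`);
      }
      return document;
    },
  };
  return { name, global, document };
}

// Constructed scenario: a browser bug hands Window 2's script a reference to
// Window 1's document without going through the reference monitor.
function leakScenario(engineChecks) {
  const w1 = makeWindow('Window1', engineChecks);
  const result = {};

  // Same-context access through the monitor works in both models.
  result.ownRead = runInContext('Window1', () => w1.global.getDocument().cookie);

  // Cross-context access through the monitor is refused in both models.
  try {
    runInContext('Window2', () => w1.global.getDocument());
    result.monitorBlocked = false;
  } catch (e) {
    result.monitorBlocked = true;
  }

  // The leaked reference is a plain capability as far as the engine is concerned.
  const leakedRef = w1.document;
  try {
    result.leakedRead = runInContext('Window2', () => leakedRef.cookie);
  } catch (e) {
    result.leakedRead = 'denied';
  }
  try {
    runInContext('Window2', () => { leakedRef.cookie = 'tampered'; });
    result.leakedWrite = 'allowed';
  } catch (e) {
    result.leakedWrite = 'denied';
  }

  // What Window 1 sees afterwards in its own document.
  result.cookieAfter = runInContext('Window1', () => w1.global.getDocument().cookie);
  return result;
}
```

Without engine checks, `leakScenario(false)` shows the leaked reference reading Window 1's cookie and overwriting it; with `leakScenario(true)`, the monitor still refuses the cross-context lookup, and the leaked reference is refused on both the get and the put, so Window 1's document is untouched. The point of the design is that the check rides on the object, not on the path by which the reference was obtained, which is exactly what a leaked capability defeats.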
The access control adds a negligible performance hit to general benchmarks. Across all of the major industry benchmarks, our access control prototype adds no more than 2% overhead to the base implementation (+/- error).
However, if you consider that in the last year alone there has been a 300% performance increase in WebKit, a 2% hit starts to look a bit paltry.
We hypothesized that our access control was relatively fast because of the inline cache in the new WebKit implementation. In short, for most objects, when a property is looked up the first time, it is looked up in a hash table and the offset into the structure is recorded. When that particular piece of code runs again in the future, instead of hashing, the property is accessed by going directly into the structure with the recorded offset. Because of the offset lookup, we know that the accessing context has access to this object, because the first lookup made an access control check. However, whenever a property is deleted, this lookup system is forgone and a hash table lookup is done, making an access control check every time.
In order to test if the inline cache is what's causing the speedup, we made micro-benchmarks for repeatedly reading and writing an object property. In two of the benchmarks, however, we deleted a property from the object first, thus forcing the lookups to occur in the hash table rather than through the inline cache. As the chart clearly shows, where the inline cache is used, there is hardly a noticeable slowdown. However, when the cache is not in use, there is a 9-10% slowdown in the access control implementation.
In conclusion, we have introduced a novel tool using heap graph analysis to aid us in finding a new class of vulnerabilities in web browsers, cross-origin JavaScript capability leaks. Additionally, the damage of these vulnerabilities can be mitigated in the future by implementing a new access control mechanism in the web browser.