Enforcement of JavaScript Security Polices
JavaScript has become the language of the Web, present on both server and client tiers. Modern web applications are a combination of content and JavaScript code loaded from different parties. While this empowers web developers and eases the creation of rich internet applications, it also opens the door to attackers and malicious code, compromising security. In the latest year, this has motivated many research in security policies for the Web, in particular, how to express application-dependent security policies.
This thesis focuses on programming technology for enforcing application-dependent security policies.
Enforcement can be achieved at runtime by employing the underlying meta-level facilities of the language ( i.e. JavaScript proxies). However, this may limit the expressiveness of the security policies. In JavaScript this means that security policies can be only applied to objects and interactions with primitive values may circumvent the policy. To solve this issue, a program instrumentation framework could be used to inject necessary instrumentation in a program that monitors the execution of the whole program. However, this this may incur in a high performance overhead. Alternatively, enforcement can be achieve at compile-time, by means of static analysis in which security policies are verified statically using the program control-flow graph. However, many security policies depend on the interactions with code from other parties (libraries, other sources on the Web, communication with the server, etc.).
The goal of this thesis is to explore a hybrid of runtime and compile-type techniques for enforcing application-dependent security policies. We will start by getting familiar with both realms of techniques.
On the one hand, we will employ an instrumentation platform developed at SOFT called Aran to express security policies and as runtime enforcement mechanism. Aran relies on JavaScript proxies to ensure at runtime that the invariants expressed by a security policy are safeguarded. During the research training the student will thus need to learn Aran by expressing some security policies on it, and by extending it to support third party services. This means Aran should be able to monitor and/or edit the input/output events of the untrusted parts of the application at runtime and it can modify the execution path by providing different inputs, but it won't be able to inspect the source code of the unstruted program (e.g. a web service).
On the other hand, in order to verify security policies ahead of time, we will employ an abstract interpreter for JavaScript developed at SOFT called JIPDA. Given a JavaScript program, it produces a state transition graph that represents a finite representation of the behavior of that program at runtime. This state graph can then be queried to deduce program properties, thereby implementing different kinds of analyses. In order to get familiar with JIPDA the student will express similar security policies implemented in Aran, but as queries in JIPDA.
The thesis will build on on these experiments to explore an enforcement platform (starting from Aran) which does ahead of time enforcement (by employing JIPDA) in order to reduce the performance overhead of JavaScript proxies. When compile-time enforcement is not possible, the platform will still need to inject corresponding proxies in the application code in order to monitor the runtime behaviour of the application and ensure it complies with the given security policies.