Damien Cassou,Stéphane Ducasse,Nicolas Petton

DOI: https://doi.org/10.48550/arXiv.1309.3914

2013-09-16

Abstract:Isolating programs is an important mechanism to support more secure applications. Isolating program in dynamic languages such as JavaScript is even more challenging since reflective operations can circumvent simple mechanisms that could protect program parts. In this article we present SafeJS, an approach and implementation that offers isolation based on separate sandboxes and control of information exchanged between them. In SafeJS, sandboxes based on web workers do not share any data. Data exchanged between sandboxes is solely based on strings. Using different policies, this infrastructure supports the isolation of the different scripts that usually populate web pages. A foreign component cannot modify the main DOM tree in unexpected manner. Our SafeJS implementation is currently being used in an industrial setting in the context of the Resilience FUI 12 project.

Programming Languages,Cryptography and Security

Joe Gibbs Politz,Spiridon Eliopoulos,Arjun Guha,Shriram Krishnamurthi

DOI: https://doi.org/10.48550/arXiv.1506.07813

2015-06-25

Programming Languages

Abstract:Web sites routinely incorporate JavaScript programs from several sources into a single page. These sources must be protected from one another, which requires robust sandboxing. The many entry-points of sandboxes and the subtleties of JavaScript demand robust verification of the actual sandbox source. We use a novel type system for JavaScript to encode and verify sandboxing properties. The resulting verifier is lightweight and efficient, and operates on actual source. We demonstrate the effectiveness of our technique by applying it to ADsafe, which revealed several bugs and other weaknesses.

程龙,杨小虎

2004-01-01

Abstract:This paper illustrates a sandbox system on Linux operating system. Users can put untrusted or flawed programs running in the sandbox system,so they are isolated from other parts of the operating system. It protects the system from application exploits. Thus it greatly improves the system's security level. Deploying this sandbox system needs no modification to existing operating system kernel and applications,because it is implemented as a Linux kernel module.

Yinzhi Cao,Zhichun Li,Vaibhav Rastogi,Yan Chen,Xitao Wen

DOI: https://doi.org/10.1145/2414456.2414460

2012-01-01

Abstract:Third party JavaScripts not only offer much richer features to the web and its applications but also introduce new threats. These scripts cannot be completely trusted and executed with the privileges given to host web sites. Due to incomplete virtualization and lack of tracking all the data flows, all existing approaches without native sandbox support can secure only a subset of third party JavaScripts, and they are vulnerable to attacks encoded in non-standard HTNIL/Java-Script (browser quirks) as these approaches will parse third party JavaScripts independently at server side without considering client-side non-standard parsing quirks. At the same time, native sandboxes are vulnerable to attacks based on unknown native lava,Script, engine bugs.In this paper, we propose Virtual Browser, a full browser level virtualized environment within existing browsers for executing untrusted third party code. Our approach supports more complete JavaScript language features including those hard-to-secure functions, such as with and eval. Since Virtual Browser does not rely on native browser parsing behavior, there is no possibility of attacks being executed through browser quirks. Moreover, given the third-party Javascripts are running in Virtual Browser instead of native browsers, it is harder for the attackers to exploit unknown vulnerabilities in the native JavaScript engine. In our design, we first completely isolate Virtual Browser from the native browser components and then introduce communication by adding data flows carefully examined for security. The evaluation of the Virtual Browser prototype shows that our execution speed is the same as Microsoft, Web Sandbox[27], a state of the art runtime web-level sandbox. In addition, Virtual Browser is more secure and supports more complete JavaScript for third party JavaScript development.

Yinzhi Cao,Zhichun Li,Vaibhav Rastogi,Yan Chen

DOI: https://doi.org/10.1145/1866307.1866387

2010-01-01

Abstract:Third-party JavaScript offers much more diversity to Web and its applications but also introduces new threats. Those scripts cannot he completely trusted and executed with the privileges given to host web sites. Due to incomplete virtualization and lack of tracking all the data flows, all the existing works in this area can secure only a subset of third-party JavaScript. At the same time, because of the existence of not so well documented browser quirks, attacks may be encoded in non standard HTML/JavaScript so that they can bypass existing approaches as these approaches will parse third party JavaScript twice, at both server and clint side.In this paper, we propose Virtual Browser, a completely virtualized environment within existing browsers for executing untrusted third-party code. We secure complete JavaScript, including all the hard-to-secure functions of JavaScript programs, such as with and eval. Since this approach parses scripts only once, there is no possibility of attacks being executed through browser quirks. We first completely isolate Virtual Browser from the native browser components and then introduce communication by adding data flows carefully examined for security.

Holger Machens

DOI: https://doi.org/10.48550/arXiv.1409.5313

2014-09-23

Abstract:Software transactional memory implementations which allow transactions to work on inconsistent states of shared data, risk to cause application visible errors such as memory access violations or endless loops. Hence, many implementations rely on repeated incremental validation of every read of the transaction to always guarantee for a consistent view of shared data. Because this eager validation technique generates significant processing costs several proposals have been published to establish a sandbox for transactions, which transparently prevents or suppresses those errors and thereby allows to reduce the frequency of in-flight validations. The most comprehensive sandboxing concept of transactions in software transactional memory based on deferred updates and considering unmanaged languages, integrates multiple techniques such as signal interposition, out-of-band validation and static and dynamic instrumentation. The latter comprises the insertion of a validation barrier in front of every direct write which addresses the execution stack of the thread and potentially results from unvalidated reads. This paper basically results from a review of this sandboxing approach, which revealed some improvements for sandboxing on C/C++. Based on knowledge about the runtime environment and the compiler an error model has been developed to identify critical paths to application visible errors. This analysis lead to a concept for stack protection with less frequent validation, an alternative out-of-band validation technique and revealed additional risks of so-called waivered regions without instrumentation inside transactions.

Distributed, Parallel, and Cluster Computing

Yajin Zhou,Kunal Patel,Lei Wu,Zhi Wang,Xuxian Jiang

DOI: https://doi.org/10.1145/2714576.2714598

2015-01-01

Abstract:ABSTRACTUsers of Android phones increasingly entrust personal information to third-party apps. However, recent studies reveal that many apps, even benign ones, could leak sensitive information without user awareness or consent. Previous solutions either require to modify the Android framework thus significantly impairing their practical deployment, or could be easily defeated by malicious apps using a native library. In this paper, we propose AppCage, a system that thoroughly confines the run-time behavior of third-party Android apps without requiring framework modifications or root privilege. AppCage leverages two complimentary user-level sandboxes to interpose and regulate an app's access to sensitive APIs. Specifically, dex sandbox hooks into the app's Dalvik virtual machine instance and redirects each sensitive framework API to a proxy which strictly enforces the user-defined policies, and native sandbox leverages software fault isolation to prevent the app's native libraries from directly accessing the protected APIs or subverting the dex sandbox. We have implemented a prototype of AppCage. Our evaluation shows that AppCage can successfully detect and block attempts to leak private information by third-party apps, and the performance overhead caused by AppCage is negligible for apps without native libraries and minor for apps with them.

Xia Zhou,Yujie Bu,Meng Xu,Yajin Zhou,Lei Wu

DOI: https://doi.org/10.1109/tdsc.2024.3454421

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Multicore embedded systems employ a big.LITTLE architecture to combine different cores into a single microcontroller (MCU). However, resources sharing among cores raises security challenges. Once LITTLE cores (which often receive external inputs) are compromised, the whole system will be affected. Existing hardware-assisted isolation approaches use privilege separation and code instrumentation to enforce memory isolation, which suffer from inefficiencies. This paper presents u BOX , a lightweight sandbox for multicore embedded systems. The goal of u BOX is to enforce memory isolation over untrusted software (on LITTLE cores) at the same privileged level. Specifically, it uses the Memory Protection Unit (MPU) to restrict memory access by untrusted software. To protect sandbox policies, u BOX deprives the write capability of untrusted software towards MPU configurations by replacing its regular store instructions with unprivileged counterparts. Additionally, to protect u BOX 's necessary regular store instructions from being abused, u BOX 's memory is set to read-only and non-executable when running untrusted software. For the normal operation of u BOX , we use an overlooked feature of the MPU and develop secure gates that quickly disable and re-enable the MPU, allowing u BOX to execute at a permissive memory view. Our evaluation demonstrates that u BOX effectively enforces isolation with average 1.27% runtime overhead, 0.83X Flash overhead, and 36.50X SRAM overhead.

Tien-Duy B. Le,Lingfeng Bao,David Lo,Debin Gao,Li

DOI: https://doi.org/10.1109/iceccs2018.2018.00014

2018-01-01

Abstract:Android is the most widely used mobile operating system with billions of users and devices. The popularity of Android apps have enticed malware writers to target them. Recently, Jamrozik et al. proposed an approach, named Boxmate, to mine sandboxes to protect Android users from malicious behaviors. In a nutshell, Boxmate analyzes the execution of an app, and collects a list of sensitive APIs that are invoked by that app in a monitoring phase. Then, it constructs a sandbox that can restrict accesses to sensitive APIs not called by the app. In such a way, malicious behaviors that are not observed in the monitoring phase - occurring, for example, due to malicious code injection during an attack - can be prevented. Nevertheless, Boxmate only focuses on a specific API type (i.e., sensitive APIs); it also ignores parameter values of many API methods and requested permissions during the execution of a target app. As a result, Boxmate is not able to detect malicious behaviors in many cases. In this work, we address the limitation of Jamrozik et al.'s work by considering input parameters of many different types of API methods for mining a more comprehensive sandbox. Given a benign app, we first extract a list of Android permissions that the app may request during its execution. Next, we leverage an automated test case generation tool, named Droidbot, to generate a rich set of GUI test cases for exploring behaviors of the app. During the execution of these test cases, we analyze the execution of four different types of API methods. Furthermore, we record input parameters to these API methods, and classify those into four different categories. We leverage the collected parameter values, and the list of requested permissions to create a sandbox that can protect users from malicious behaviors. Our experiments on 25 pairs of real benign and malicious apps show that our approach is more effective than the coarse-and fine-grained variants of Boxmate by 267.37% and 81.64% in terms of F-measure respectively.

Maysara Alhindi,Joseph Hallett

2024-05-14

Abstract:Sandboxing mechanisms allow developers to limit how much access applications have to resources, following the least-privilege principle. However, it's not clear how much and in what ways developers are using these mechanisms. This study looks at the use of Seccomp, Landlock, Capsicum, Pledge, and Unveil in all packages of four open-source operating systems. We found that less than 1% of packages directly use these mechanisms, but many more indirectly use them. Examining how developers apply these mechanisms reveals interesting usage patterns, such as cases where developers simplify their sandbox implementation. It also highlights challenges that may be hindering the widespread adoption of sandboxing mechanisms.

Software Engineering,Cryptography and Security

Jinqian Liang,Xiaohong Guan

2007-01-01

Abstract:A widely used technique for detecting malicious code is to execute potential malicious applications inside protection domains that enforce established security policies. These containers often referred to as sandboxes, come in a variety of forms. This paper presents a novel sandbox that can protect computer system from destruction while malicious code running. Our solution provides a general-purpose virtual environment for executing the untrusted applications. In this environment, malicious code has no opportunity to destroy the data in the storage devices or propagate itself through the network. Algorithms for protecting the disk data and simulating the network are given, and the experimental results of the sandbox are discussed.

Matthias Keil,Peter Thiemann

DOI: https://doi.org/10.48550/arXiv.1504.08110

2015-04-30

Programming Languages

Abstract:TreatJS is a language embedded, higher-order contract system for JavaScript which enforces contracts by run-time monitoring. Beyond providing the standard abstractions for building higher-order contracts (base, function, and object contracts), TreatJS's novel contributions are its guarantee of non-interfering contract execution, its systematic approach to blame assignment, its support for contracts in the style of union and intersection types, and its notion of a parameterized contract scope, which is the building block for composable run-time generated contracts that generalize dependent function contracts. TreatJS is implemented as a library so that all aspects of a contract can be specified using the full JavaScript language. The library relies on JavaScript proxies to guarantee full interposition for contracts. It further exploits JavaScript's reflective features to run contracts in a sandbox environment, which guarantees that the execution of contract code does not modify the application state. No source code transformation or change in the JavaScript run-time system is required. The impact of contracts on execution speed is evaluated using the Google Octane benchmark.

Adam Rapley,Xavier Bellekens,Lynsay A. Shepherd,Colin McLean

DOI: https://doi.org/10.3390/informatics5040046

2018-11-15

Abstract:Writing desktop applications in JavaScript offers developers the opportunity to write cross-platform applications with cutting edge capabilities. However in doing so, they are potentially submitting their code to a number of unsanctioned modifications from malicious actors. Electron is one such JavaScript application framework which facilitates this multi-platform out-the-box paradigm and is based upon the <a class="link-external link-http" href="http://Node.js" rel="external noopener nofollow">this http URL</a> JavaScript runtime --- an increasingly popular server-side technology. In bringing this technology to the client-side environment, previously unrealized risks are exposed to users due to the powerful system programming interface that <a class="link-external link-http" href="http://Node.js" rel="external noopener nofollow">this http URL</a> exposes. In a concerted effort to highlight previously unexposed risks in these rapidly expanding frameworks, this paper presents the Mayall Framework, an extensible toolkit aimed at JavaScript security auditing and post-exploitation analysis. The paper also exposes fifteen highly popular Electron applications and demonstrates that two thirds of applications were found to be using known vulnerable elements with high CVSS scores. Moreover, this paper discloses a wide-reaching and overlooked vulnerability within the Electron Framework which is a direct byproduct of shipping the runtime unaltered with each application, allowing malicious actors to modify source code and inject covert malware inside verified and signed applications without restriction. Finally, a number of injection vectors are explored and appropriate remediations are proposed.

Cryptography and Security,Software Engineering

Nikos Vasilakis,Cristian-Alexandru Staicu,Grigoris Ntousakis,Konstantinos Kallas,Ben Karel,André DeHon,Michael Pradel

DOI: https://doi.org/10.48550/arXiv.2011.00253

2021-01-02

Abstract:Third-party libraries ease the development of large-scale software systems. However, they often execute with significantly more privilege than needed to complete their task. This additional privilege is often exploited at runtime via dynamic compromise, even when these libraries are not actively malicious. Mir addresses this problem by introducing a fine-grained read-write-execute (RWX) permission model at the boundaries of libraries. Every field of an imported library is governed by a set of permissions, which developers can express when importing libraries. To enforce these permissions during program execution, Mir transforms libraries and their context to add runtime checks. As permissions can overwhelm developers, Mir's permission inference generates default permissions by analyzing how libraries are used by their consumers. Applied to 50 popular libraries, Mir's prototype for JavaScript demonstrates that the RWX permission model combines simplicity with power: it is simple enough to automatically infer 99.33% of required permissions, it is expressive enough to defend against 16 real threats, it is efficient enough to be usable in practice (1.93% overhead), and it enables a novel quantification of privilege reduction.

Cryptography and Security

Stéphane Ducasse,Nicolas Petton,Guillermo Polito,Damien Cassou

DOI: https://doi.org/10.48550/arXiv.1212.2341

2012-12-11

Programming Languages

Abstract:There is a plethora of research articles describing the deep semantics of JavaScript. Nevertheless, such articles are often difficult to grasp for readers not familiar with formal semantics. In this report, we propose a digest of the semantics of JavaScript centered around security concerns. This document proposes an overview of the JavaScript language and the misleading semantic points in its design. The first part of the document describes the main characteristics of the language itself. The second part presents how those characteristics can lead to problems. It finishes by showing some coding patterns to avoid certain traps and presents some ECMAScript 5 new features.

Mahya Soleimani Jadidi,Mariusz Zaborski,Brian Kidney,Jonathan Anderson

DOI: https://doi.org/10.48550/arXiv.1909.12282

2019-09-26

Cryptography and Security

Abstract:Network services are among the riskiest programs executed by production systems. Such services execute large quantities of complex code and process data from arbitrary and untrusted network sources, often with high levels of system privilege. It is desirable to confine system services to a least-privileged environment so that the potential damage from a malicious attacker can be limited, but existing mechanisms for sandboxing services require invasive and system-specific code changes and are insufficient to confine broad classes of network services. Rather than sandboxing one service at a time, we propose that the best place to add sandboxing to network services is in the service manager that starts those services. As a first step towards this vision, we propose CapExec, a process supervisor that can execute a single service within a sandbox based on a service declaration file in which, required resources whose limited access to are supported by Caper services, are specified. Using the Capsicum compartmentalization framework and its Casper service framework, CapExec provides robust application sandboxing without requiring any modifications to the application itself. We believe that this is a first step towards ubiquitous sandboxing of network services without the costs of virtualization. Keywords: application security, sandboxing, service manager, Capsicum, compartmentalization

Alexi Turcotte,Ellen Arteca,Ashish Mishra,Saba Alimadadi,Frank Tip

DOI: https://doi.org/10.48550/arXiv.2110.14162

2021-10-27

Abstract:JavaScript is an increasingly popular language for server-side development, thanks in part to the <a class="link-external link-http" href="http://Node.js" rel="external noopener nofollow">this http URL</a> runtime environment and its vast ecosystem of modules. With the <a class="link-external link-http" href="http://Node.js" rel="external noopener nofollow">this http URL</a> package manager npm, users are able to easily include external modules as dependencies in their projects. However, npm installs modules with all of their functionality, even if only a fraction is needed, which causes an undue increase in code size. Eliminating this unused functionality from distributions is desirable, but the sound analysis required to find unused code is difficult due to JavaScript's extreme dynamicity. We present a fully automatic technique that identifies unused code by constructing static or dynamic call graphs from the application's tests, and replacing code deemed unreachable with either file- or function-level stubs. If a stub is called, it will fetch and execute the original code on-demand, thus relaxing the requirement that the call graph be sound. The technique also provides an optional guarded execution mode to guard application against injection vulnerabilities in untested code that resulted from stub expansion. This technique is implemented in an open source tool called Stubbifier, which supports the ECMAScript 2019 standard. In an empirical evaluation on 15 <a class="link-external link-http" href="http://Node.js" rel="external noopener nofollow">this http URL</a> applications and 75 clients of these applications, Stubbifier reduced application size by 56% on average while incurring only minor performance overhead. The evaluation also shows that Stubbifier's guarded execution mode is capable of preventing several known injection vulnerabilities that are manifested in stubbed-out code. Finally, Stubbifier can work alongside bundlers, popular JavaScript tools for bundling an application with its dependencies. For the considered subject applications, we measured an average size reduction of 37% in bundled distributions.

Software Engineering

Zhiyuan Wan,David Lo,Xin Xia,Liang Cai

DOI: https://doi.org/10.1007/s10664-019-09737-2

IF: 3.762

2019-01-01

Empirical Software Engineering

Abstract:A container is a group of processes isolated from other groups via distinct kernel namespaces and resource allocation quota. Attacks against containers often leverage kernel exploits through the system call interface. In this paper, we present an approach that mines sandboxes and enables fine-grained sandbox enforcement for containers. We first explore the behavior of a container by running test cases and monitor the accessed system calls including types and arguments during testing. We then characterize the types and arguments of system call invocations and translate them into sandbox rules for the container. The mined sandbox restricts the container’s access to system calls which are not seen during testing and thus reduces the attack surface. In the experiment, our approach requires less than eleven minutes to mine a sandbox for each of the containers. The estimation of system call coverage of sandbox mining ranges from 96.4% to 99.8% across the containers under the limiting assumptions that the test cases are complete and only static system/application paths are used. The enforcement of mined sandboxes incurs low performance overhead. The mined sandboxes effectively reduce the attack surface of containers and can prevent the containers from security breaches in reality.

Anthony Savidis,Yannis Apostolidis,Yannis Lilis

DOI: https://doi.org/10.48550/arXiv.1807.01611

2018-07-04

Abstract:Multi-stage languages support generative metaprogramming via macros evaluated in a process preceding the actual interpretation or compilation of the program in which they are used. Macros update the source of their hosting program by emitting code that takes their place in the file, while their code may also be produced, fully or partially, by nested macros. All macros at the same nesting belong to the same stage, with the outer stage collecting the macros affect-ing only the main program. We extended JavaScript with staging annotations and implemented them in Spider Monkey, emitting pure JavaScript code as the final outcome of stage computation. We discuss how the original Spider Monkey system is minimally affected with extensions in the syntax, parser and internal AST structures, and the addition of an unparser, a staging loop, some library functions and a debugger backend component for AST inspection. Since stages have a generative metaprogramming role we do not foresee any interplay with the browser DOM, and thus there is no reason to repeat their evalua-tion on every page load. Hence, such JavaScript extensions are meant only for development-time, emitting pure JavaScript code that can be run in any browser. Finally, to enable debugging stages in any browser we implemented a pure JavaScript client, communicating with the extended Spider Monkey, and offering the necessary AST display and unparsing that a browser debugger does not provide.

Programming Languages

Gayatri Priyadarsini Kancherla,Dishank Goel,Abhishek Bichhawat

2024-11-23

Abstract:Web applications often include third-party content and scripts to personalize a user's online experience. These scripts have unrestricted access to a user's private data stored in the browser's persistent storage like cookies, localstorage and IndexedDB, associated with the host page. Various mechanisms have been implemented to restrict access to these storage objects, e.g., content security policy, the HttpOnly attribute with cookies, etc. However, the existing mechanisms provide an all-or-none access and do not work in scenarios where web applications need to allow controlled access to cookies and localstorage objects by third-party scripts. If some of these scripts behave maliciously, they can easily access and modify private user information that are stored in the browser objects. The goal of our work is to design a mechanism to enforce fine-grained control of persistent storage objects. We perform an empirical study of persistent storage access by third-party scripts on Tranco's top 10,000 websites and find that 89.84% of all cookie accesses, 90.98% of all localstorage accesses and 72.49% of IndexedDB accesses are done by third-party scripts. Our approach enforces least privilege access for third-party scripts on these objects to ensure their security by attaching labels to the storage objects that specify which domains are allowed to read from and write to these objects. We implement our approach on the Firefox browser and show that it effectively blocks scripts from other domains, which are not allowed access based on these labels, from accessing the storage objects. We show that our enforcement results in some functionality breakage in websites with the default settings, which can be fixed by correctly labeling the storage objects used by the third-party scripts.

Cryptography and Security