6.858 Fall 2013 Lab 6: Javascript isolation

Handed out: Wednesday, November 6, 2013
Due: Friday, November 15, 2013 (5:00pm)


In this lab, you will implement a system to allow a limited set of Javascript to execute as part of zoobar user profiles. You will implement a combination of static rewriting and dynamic sandboxing to ensure that code running as part of the profile cannot modify the rest of the page, but yet it can make some changes to HTML elements that were part of the profile itself.

To give you an example of the kind of profile code that we will support, a user should be able to place the following code in their zoobar profile:

<div id="a">x</div>
<div id="b">x</div>
<div id="c">scrolling message.. </div>
<div id="count"></div>
    var count = 0;

    function flip(a, b) {
        document.getElementById(a).textContent = "nothing here";
        document.getElementById(b).textContent = "-- click me! --";
        var bump = function (x) { return x+1; }
        count = bump(count);
        document.getElementById('count').textContent = 'click count: ' + count;

    flip('a', 'b');
    document.getElementById('a').onclick = function() { flip('a', 'b'); };
    document.getElementById('b').onclick = function() { flip('b', 'a'); };

    function scroll(id) {
        var s = document.getElementById(id).textContent;
        var ns = s.substring(1) + s[0];
        document.getElementById(id).textContent = ns;
        setTimeout(function() { scroll(id); }, 100);


and get a profile that looks like the following:

scrolling message..

You will build an HTML/Javascript rewriter that will ensure that this code cannot tamper with the rest of the page, steal the cookies, etc.

The system you will be building will be a simpler version of Facebook's FBJS system. You may find it useful to refer to their documentation to understand how their system works, or refer to the paper on Run-Time Enforcement of Secure JavaScript Subsets. Note that Javascript isolation in general is a very difficult problem, and most systems that have been developed have historically turned out to be insecure in a variety of ways. Although we are not aware of any vulnerabilities in the system that you will be building in this lab assignment, it has not been thoroughly vetted or analyzed, and could very well have some subtle holes in it. (If you find any, let us know!)

You will need to install an additional package for this lab, slimit. Do it as follows:

httpd@vm-6858:~$ sudo apt-get install slimit
[sudo] password for httpd: 6858
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
Suggested packages:
The following NEW packages will be installed:
  python-ply slimit
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 125 kB of archives.
After this operation, 783 kB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://mirrors.mit.edu/ubuntu/ quantal/universe python-ply all 3.4-3 [56.7 kB]
Get:2 http://mirrors.mit.edu/ubuntu/ quantal/universe slimit all 0.7.4-1 [68.7 kB]
Fetched 125 kB in 0s (393 kB/s)
Selecting previously unselected package python-ply.
(Reading database ... 42719 files and directories currently installed.)
Unpacking python-ply (from .../python-ply_3.4-3_all.deb) ...
Selecting previously unselected package slimit.
Unpacking slimit (from .../slimit_0.7.4-1_all.deb) ...
Processing triggers for man-db ...
Setting up python-ply (3.4-3) ...
Setting up slimit (0.7.4-1) ...

Next, log in as the httpd user, check in your solution for lab 5, and fetch the new code for lab 6. Note that, for simplicity, you do not need to integrate changes from previous labs into this lab; we will focus just on rewriting HTML code in profiles for now.

httpd@vm-6858:~$ cd lab
httpd@vm-6858:~/lab$ git add answer-1.txt answer-2.html answer-3.html answer-4.txt answer-chal.html
httpd@vm-6858:~/lab$ git commit -am 'my solution to lab5'
[lab5 dc6f228] my solution to lab5
 1 files changed, 1 insertions(+), 0 deletions(-)
httpd@vm-6858:~/lab$ git pull
Already up-to-date.
httpd@vm-6858:~/lab$ git checkout -b lab6 origin/lab6
Branch lab6 set up to track remote branch lab6 from origin.
Switched to a new branch 'lab6'

Now, build and run this code as before:

httpd@vm-6858:~/lab$ make clean
rm -f *.o *.pyc *.bin zookld zookfs zookd zooksvc *.log
httpd@vm-6858:~/lab$ make
httpd@vm-6858:~/lab$ ./zookld

Javascript rewriting

To understand how we will isolate Javascript code, let's first examine the new code in this lab. We have implemented a new function, called filter_html, in zoobar/htmlfilter.py, which sanitizes user profiles. This function is invoked from users.py on each user profile. The filter_html function does three things, as follows.

We have constructed a number of test cases to help you debug your Javascript sandboxing system. They are stored in profiles, and include the sample profile above with the annoying scrolling message (demo.html), an automated test case checking that this example profile works (good-all.html), and thirteen different malicious profiles that you will need to confine (bad-00-eval.html through bad-12-definegetter.html).

You can invoke the HTML / Javascript rewriter by running zoobar/filter-test.py; it reads profile code as input and prints out sandboxed HTML and Javascript. For example:

httpd@vm-6858:~/lab$ ./zoobar/filter-test.py < ./profiles/bad-00-eval.html 
var s = "window.location = 'http://localhost:8900/test-bad';";

To isolate Javascript, you will take the following approach:

Exercise. Implement Javascript sandboxing as described above. You will need to modify lab6visitor.py and libcode in htmlfilter.py.

Make sure that your sandbox works correctly with the demo.html profile, and stops the attacks in bad-*.html profiles. You can test this profile code by uploading it into (and viewing it through) the zoobar site on your VM. Alternatively, you can manually test it by running the profile code through ./zoobar/filter-test.py (as shown above), and then loading the resulting HTML code in your browser. It will redirect to a URL containing either test-ok, test-bad, or test-broken.

You can check whether your system works correctly by running make check. This uses the PhantomJS JavaScript engine, which should produce the same results as actually running it in Firefox.

You are done! Run make submit to upload your answers.