6.858 Fall 2011 Lab 6: Javascript isolation

Handed out: Thursday, November 10, 2011

Due: Wednesday, November 23, 2011 (11:59pm)

Introduction

In this lab, you will implement a system to allow a limited set of Javascript to execute as part of zoobar user profiles. You will implement a combination of static rewriting and dynamic sandboxing to ensure that code running as part of the profile cannot modify the rest of the page, but yet it can make some changes to HTML elements that were part of the profile itself.

To give you an example of the kind of profile code that we will support, a user should be able to place the following code in their zoobar profile:

<div id="a">x</div>
<div id="b">x</div>
<div id="c">scrolling message.. </div>
<div id="count"></div>
<script>
    var count = 0;

    function flip(a, b) {
        document.getElementById(a).innerHTML = "nothing here";
        document.getElementById(b).innerHTML = "-- click me! --";
        var bump = function (x) { return x+1; }
        count = bump(count);
        document.getElementById('count').innerHTML = 'click count: ' + count;
    }

    flip('a', 'b');
    document.getElementById('a').onclick = function() { flip('a', 'b'); };
    document.getElementById('b').onclick = function() { flip('b', 'a'); };

    function scroll(id) {
        var s = document.getElementById(id).innerHTML;
        var ns = s.substring(1) + s[0];
        document.getElementById(id).innerHTML = ns;
        setTimeout(function() { scroll(id); }, 100);
    }

    scroll('c');
</script>

and get a profile that looks like the following:

x

x

scrolling message..

You will build an HTML/Javascript rewriter that will ensure that this code cannot tamper with the rest of the page, steal the cookies, etc.

The system you will be building will be a simpler version of Facebook's FBJS system. You may find it useful to refer to their documentation to understand how their system works, or refer to the paper on Run-Time Enforcement of Secure JavaScript Subsets. Note that Javascript isolation in general is a very difficult problem, and most systems that have been developed have historically turned out to be insecure in a variety of ways. Although we are not aware of any vulnerabilities in the system that you will be building in this lab assignment, it has not been thoroughly vetted or analyzed, and could very well have some subtle holes in it. (If you find any, let us know!)

To get started, you will need to install some additional software in your 6.858 VM to perform HTML and Javascript rewriting, as well as to test the resulting system using the Firefox browser. Type the following commands into your VM shell as root:

root@vm-6858:~# apt-get update
Hit http://ubuntu.media.mit.edu lucid Release.gpg
...
Fetched 1,564kB in 2s (650kB/s) 
Reading package lists... Done
root@vm-6858:~# apt-get install python-lxml firefox xvfb
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  ...
The following NEW packages will be installed:
  ...
1 upgraded, 165 newly installed, 0 to remove and 134 not upgraded.
Need to get 71.9MB of archives.
After this operation, 287MB of additional disk space will be used.
Do you want to continue [Y/n]? Y
...
root@vm-6858:~# easy_install slimit
Searching for slimit
Reading http://pypi.python.org/simple/slimit/
Reading http://slimit.org
Best match: slimit 0.5.5
Downloading http://pypi.python.org/packages/source/s/slimit/slimit-0.5.5.zip#md5=0f77cb80d9b06f364afb9e4ffb8d6ff7
...
Finished processing dependencies for slimit
root@vm-6858:~#

Now, log in as the httpd user, check in any changes you may have made for lab 5, and fetch the new code for lab 6. Note that, for simplicity, you do not need to integrate changes from previous labs into this lab; we will focus just on rewriting HTML code in profiles for now.

httpd@vm-6858:~$ cd lab 
httpd@vm-6858:~/lab$ git commit -am 'my solution to lab5' 
[lab5 dc6f228] my solution to lab5
 1 files changed, 1 insertions(+), 0 deletions(-)
httpd@vm-6858:~/lab$ git pull 
Already up-to-date.
httpd@vm-6858:~/lab$ git checkout -b lab6 origin/lab6 
Branch lab6 set up to track remote branch lab6 from origin.
Switched to a new branch 'lab6'
httpd@vm-6858:~/lab$

Now, build and install this code as before. Since the code for lab 6 differs from the code for previous labs, be sure to remove the /jail directory and start from scratch for this lab:

httpd@vm-6858:~/lab$ make clean
rm -f *.o *.pyc *.bin zookld zookfs zookd zooksvc *.log
httpd@vm-6858:~/lab$ make
...
httpd@vm-6858:~/lab$ sudo rm -rf /jail
[sudo] password for httpd: 6858
httpd@vm-6858:~/lab$ sudo make setup
./chroot-setup.sh
...
httpd@vm-6858:~/lab$

Part 1: Javascript rewriting

To understand how we will isolate Javascript code, let's first examine the new code in this lab. We have implemented a new function, called filter_html, in zoobar/htmlfilter.py, which sanitizes user profiles. This function is invoked from users.py on each user profile. The filter_html function does three things, as follows.

First, it parses the HTML using the lxml library, and strips away any dangerous tags and attributes (such as <style> tags). It also rewrites the id attributes on all HTML elements by prepending the string sandbox- to them. This will help us later identify at runtime which DOM elements belong to the profile, and which DOM elements do not.
Second, this function finds <script> tags and uses the Slimit Javascript parsing library to parse and rewrite that code. Parsing first converts the Javascript code into an AST, and then rewriting is done by using a visitor pattern, as implemented in lab6visitor.py. The code in lab6visitor.py contains a separate method for each AST node, which is invoked recursively: a parent AST node calls self.visit() on child nodes. Each such method is responsible for returning a string object representing the rewritten Javascript code. The initial code in lab6visitor.py that we provide does not modify the Javascript at all, and simply prints back the exact code corresponding to the AST.
Third, to help with Javascript rewriting, the htmlfilter.py code adds a trusted library (included inline at the top of htmlfilter.py as libcode). This library exports trusted interfaces that the rewritten code can access, such as a safe way of accessing the profile's DOM objects.

We have constructed a number of test cases to help you debug your Javascript sandboxing system. They are stored in profiles, and include the sample profile above with the annoying scrolling message (demo.html), an automated test case checking that this example profile works (good-all.html), and ten different malicious profiles that you will need to confine (bad-00-eval.html through bad-09-replace-proto.html).

You can invoke the HTML / Javascript rewriter by running zoobar/filter-test.py; it reads profile code as input and prints out sandboxed HTML and Javascript. For example:

httpd@vm-6858:~/lab$ ./zoobar/filter-test.py < ./profiles/bad-00-eval.html 
...
var s = "window.location = 'http://localhost:8900/test-bad';";
eval(s);</script></div>
httpd@vm-6858:~/lab$

To isolate Javascript, you will take the following approach:

First, you will rewrite all function and variable names to prepend a unique prefix, sandbox_, to ensure that the code cannot directly access any functions or objects natively exported by the browser (such as eval(), the window object, the document object, etc). This way, if the code tries to invoke eval(), the rewritten version will invoke sandbox_eval(); since that function is not defined (or defined by the sandboxed code to point to some other sandboxed code), invoking that function will not allow escaping from the sandbox.
Second, you will need to prevent the sandboxed code from accessing dangerous properties of objects. For example, each object in Javascript has a property that gives access to that object's prototype, which you can think of as being similar to the object's "class" in traditional object-oriented languages. Having access to the prototype allows changing the methods of that prototype ("class"). For example, an adversary can change the substring method of all strings by doing something like:
```
var s = "any string";
s.prototype.substring = function() { return "gotcha!"; };
```
This is dangerous because it affects how other objects in the system behave, including objects used by other (trusted) Javascript code in the same page. Other methods allow indirect access to eval-like functionality, such as the Function constructor:
```
var f = function() { return 0; };
var newfunc = f.constructor("alert(document.cookie);");
newfunc();
```
To do this, you will need to find all instances where an object's property is accessed (as objname.propname), and check that propname is not one of the dangerous attributes: __proto__, prototype, constructor, __defineGetter__, and __defineSetter__.
Third, you will need to ensure that dangerous attributes cannot be accessed using array-like brackets (e.g., object['prototype']), even if the array index inside of the brackets is a variable whose value is only known at runtime. To do this, we suggest using the same trick as FBJS uses: rewrite statements like o[i] to o[bracket_check(i)], where bracket_check() is a Javascript function that you include in your trusted libcode, which checks if its argument is one of the dangerous attributes (listed above), and if not, returns its argument verbatim.
Finally, you will need to extend the trusted library (libcode) to support the setTimeout() Javascript function and the innerHTML property of DOM elements. Be sure to guard against possible attacks through these interfaces. For example, the native setTimeout() function allows specifying the callback object either as a function or as a string (which then gets eval()ed). Similarly, assigning arbitrary strings to the innerHTML property of DOM elements can allow an adversary to inject a <script> tag with arbitrary code. If you use string methods to sanitize the data assigned to an innerHTML attribute, beware of possibly modified attributes on the object: an adversary can pass in an object that is not a string, or whose replace or substring methods do not behave as you may expect.

Exercise 1. Implement Javascript sandboxing as described above. You will need to modify lab6visitor.py and libcode in htmlfilter.py.

Make sure that your sandbox works correctly with the demo.html profile, and stops the attacks in bad-*.html profiles. You can test this profile code by uploading it into (and viewing it through) the zoobar site on your VM. Alternatively, you can manually test it by running the profile code through ./zoobar/filter-test.py (as shown above), and then loading the resulting HTML code in your browser.

You can check whether your system works correctly by running make check. This can take some time, because it spawns a fresh Firefox web browser in your VM to check each profile. If your profile does not work correctly, the script aborts after a 30-second timeout. If your VM is particularly slow, and you find that this timeout fires prematurely, you can increase this timeout in test-url.sh (e.g., change the sleep 30 command to sleep 120).

You are done! Run make handin and follow instructions to upload the resulting file.

Handed out:	Thursday, November 10, 2011
Due:	Wednesday, November 23, 2011 (11:59pm)