Sandboxing JavaScript via Libraries and Wrappers presented at AppSec USA 2013

by Phu H. Phung,

Summary : The large majority of websites nowadays embeds third-party JavaScript into their pages, coming from external partners. Ideally, these scripts are benign and come from trusted sources, but over time, these third-party scripts can start to misbehave, or to come under control of an attacker. Unfortunately, the state-of-practice integration techniques for third- party scripts do not impose restrictions on the execution of JavaScript code, allowing such an attacker to perform unwanted actions on behalf of the website owner and/or website visitor.
In this paper, we present a two-tier sandbox architecture to enable a website owner to enforce modular fine- grained security policies for potential untrusted third-party JavaScript code. The architecture contains an outer sand- box that provides strong baseline isolation guarantees with generic, coarse-grained policies and an inner sandbox that enables fine-grained, stateful policy enforcement specific to a particular untrusted application. The two-tier approach ensures that the application-specific policies and untrusted code are by default confined to a basic security policy, with- out imposing restrictions on the expressiveness of the policies.
Our proposed architecture improves upon the state-of-the- art as it does not depend on browser modification nor pre-processing or transformation of untrusted code, and allows the secure enforcement of fine-grained, stateful access control policies. We have developed a prototype implementation on top of a open-source sandbox library in the ECMAScript 5 specification, and validated it with several real-world JavaScript applications such as Google Analytics, Google Maps, and jQuery UI.