Abstract
In this paper we present a new tool called DOCaT (Dynamic Object Capability Tracer), a model checker for JavaScript that detects capability leaks in an object capability system. DOCaT includes an editor that highlights the sections of code that can potentially be transferred to untrusted third-party code, along with a trace showing how the code could be leaked in an actual execution. This code highlighting provides a simple way of visualizing the references untrusted code potentially has access to and helps programmers discover whether their code is leaking more capabilities than required. DOCaT is implemented using a combination of source code rewriting (using Sweet.js, a JavaScript macro system), dynamic behavioral intercession (Proxies, introduced in ES6, the most recent version of JavaScript), and model checking. Together these methods are able to locate common ways for untrusted code to elevate its authority.
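To make the Proxy-based intercession concrete, here is an added example (not DOCaT's code, and not from the paper) of a minimal capability tracer: every object handed to untrusted code is wrapped in an ES6 Proxy, each reference that escapes through a property read or a call result is wrapped and logged, and an allow-list then marks the paths that exceed what the plugin should have. The names `makeTracer`, `traceAuthority`, `leakedPaths`, `makeHostApi` and the sample host API are assumptions constructed for the demonstration.

```javascript
// Added example, not DOCaT's code: a minimal capability tracer built on ES6 Proxies.
// Objects given to untrusted code are wrapped; anything escaping through a property read
// or a call result is wrapped too and its path recorded as a transfer of authority.
function makeTracer() {
  const trace = [];               // ordered list of capability paths reached
  const wrapped = new WeakMap();  // target -> proxy, keeps object identity stable
  function wrap(value, path) {
    if (value === null || (typeof value !== "object" && typeof value !== "function")) {
      return value;               // primitives carry no authority, pass them through
    }
    if (wrapped.has(value)) return wrapped.get(value);
    trace.push(path);
    const proxy = new Proxy(value, {
      get(target, prop, receiver) {
        return wrap(Reflect.get(target, prop, receiver), `${path}.${String(prop)}`);
      },
      apply(target, thisArg, args) {
        return wrap(Reflect.apply(target, thisArg, args), `${path}()`);
      },
    });
    wrapped.set(value, proxy);
    return proxy;
  }
  return { wrap, trace };
}
// Runs untrusted code against one wrapped capability and returns the paths it reached.
function traceAuthority(name, capability, untrusted) {
  const { wrap, trace } = makeTracer();
  untrusted(wrap(capability, name));
  return trace;
}
// Paths the policy does not allow (an exact path, or a value returned by calling it).
function leakedPaths(trace, allowed) {
  return trace.filter((p) => !allowed.some((a) => p === a || p.startsWith(a + "(")));
}
// Constructed sample host API: `read` is meant for plugins, `admin` is not.
function makeHostApi() {
  const files = { "readme.txt": "hello" };
  return {
    read: (n) => files[n],
    admin: { deleteAll: () => { for (const k of Object.keys(files)) delete files[k]; } },
  };
}
// Constructed plugin that reaches past `read`, by accident or by design.
const curiousPlugin = (api) => { api.read("readme.txt"); api.admin.deleteAll(); };
const allowedForPlugins = ["api", "api.read"];
// Handing over the whole object: the trace shows `admin` escaping.
const fullTrace = traceAuthority("api", makeHostApi(), curiousPlugin);
const leaks = leakedPaths(fullTrace, allowedForPlugins);
// Attenuated object (only `read` passed): `admin` cannot appear in the trace at all.
const attenuatedTrace = traceAuthority("api", { read: makeHostApi().read }, (api) => api.read("readme.txt"));
```

The `leaks` list is the kind of information the editor described above would highlight: the host gave away `admin` only because it passed the whole object instead of an attenuated one.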
Published in DLS '14: Proceedings of the 10th ACM Symposium on Dynamic Languages.