Preventing Capability Leaks in Secure JavaScript Subsets

In Proc. of the 17th Network and Distributed System Security Symposium (NDSS 2010)


Publishers wish to sandbox third-party advertisements to protect themselves from malicious advertisements. One promising approach, used by ADsafe, Dojo Secure, and Jacaranda, sandboxes advertisements by statically verifying that their JavaScript conforms to a safe subset of the language. These systems blacklist known dangerous properties that would let advertisements escape the sandbox. Unfortunately, this approach does not prevent advertisements from accessing new methods added to the built-in prototype objects by the hosting page. In this paper, we show that one-third of the Alexa US Top 100 web sites would be exploitable by an ADsafe-verified advertisement. We propose an improved statically verified JavaScript subset that whitelists known-safe properties using namespaces. Our approach maintains the expressiveness and performance of static verification while improving security.

Source Code Release

Below are links to the Blancura compiler, verifier, source code, and runtime library based on Douglas Crockford's ADsafe and JSLint. Of note, both the compiler and verifier are proof-of-concept. While both are secure, in so far as they disallow the vulnerabilities described in the paper, they are incomplete in other ways. For example, the compiler does not compile properties of objects written in object literal notion. Thus, if you want to write objects in object literal notation, you must manually prefix the properties with the BLANCURA_*GUESTID* prefix. This, and the other incomplete parts, are all matters of insufficient time to modify the parser properly; they are not fundamental limitations of Blancura.