Cross-Origin JavaScript Capability Leaks

Abstract

We identify a class of Web browser implementation vulnerabilities, cross-origin JavaScript capability leaks, which occur when the browser leaks a JavaScript pointer from one security origin to another. We devise an algorithm for detecting these vulnerabilities by monitoring the "points-to" relation of the JavaScript heap. Our algorithm finds a number of new vulnerabilities in the open-source WebKit browser engine used by Safari. We propose an approach to mitigate this class of vulnerabilities by adding access control checks to browser JavaScript engines. These access control checks are backwards-compatible because they do not alter the semantics of the Web platform. Through an application of the inline cache, we implement these checks with an overhead of 1-2% on industry-standard benchmarks.
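As an added illustration of the two ideas in the abstract (this is example code written for this page, not the paper's heap graph tool or its WebKit patch), the following toy model labels each heap object with a security origin, walks the points-to relation to flag edges that cross origins, and then shows the kind of access control check that denies use of a leaked pointer. The heap layout, the origin labels (assigned directly rather than derived from each object's global object), the rule that only Window and Location objects may be referenced across origins, and the small list of cross-origin-readable properties are all simplifying assumptions of this example.

```javascript
// Toy model of the heap-graph leak detector and the access control check
// described in the abstract. Everything here is constructed for
// illustration; it is not the paper's code.

// Object kinds that the Web platform legitimately lets one origin hold a
// pointer to (assumption: a minimal whitelist for this model).
const CROSS_ORIGIN_ALLOWED_TARGETS = new Set(['Window', 'Location']);
// Properties that may be read on such objects from another origin
// (assumption: a small subset chosen for the example).
const CROSS_ORIGIN_ALLOWED_PROPS = new Set([
  'location', 'parent', 'frames', 'length', 'href', 'postMessage',
]);

// Constructed sample heap: two frames from different origins. Each node
// carries its kind, its security origin, and its outgoing references
// (the points-to relation, keyed by property name).
function buildSampleHeap() {
  const nodes = {
    winA: { kind: 'Window',   origin: 'https://a.example', refs: {} },
    docA: { kind: 'Document', origin: 'https://a.example', refs: {} },
    objA: { kind: 'Object',   origin: 'https://a.example', refs: {} },
    winB: { kind: 'Window',   origin: 'https://b.example', refs: {} },
    docB: { kind: 'Document', origin: 'https://b.example', refs: {} },
    locB: { kind: 'Location', origin: 'https://b.example', refs: {} },
  };
  nodes.winA.refs.document = 'docA';
  nodes.winA.refs.helper = 'objA';
  nodes.winA.refs.frame0 = 'winB';    // cross-origin Window pointer: expected
  nodes.winB.refs.document = 'docB';
  nodes.winB.refs.location = 'locB';
  nodes.winB.refs.parent = 'winA';    // cross-origin Window pointer: expected
  // Constructed leak: a b.example Document pointer stored on an a.example
  // object. This is the shape of bug the heap graph tool is meant to find.
  nodes.objA.refs.stolen = 'docB';
  return nodes;
}

// Detector: report every edge whose endpoints belong to different origins,
// except edges to object kinds the platform deliberately exposes.
function findCapabilityLeaks(nodes) {
  const leaks = [];
  for (const [srcName, src] of Object.entries(nodes)) {
    for (const [prop, dstName] of Object.entries(src.refs)) {
      const dst = nodes[dstName];
      if (src.origin === dst.origin) continue;
      if (CROSS_ORIGIN_ALLOWED_TARGETS.has(dst.kind)) continue;
      leaks.push({ from: srcName, property: prop, to: dstName,
                   fromOrigin: src.origin, toOrigin: dst.origin });
    }
  }
  return leaks;
}

// Mitigation: a property read guarded by comparing the origin of the
// running script with the origin of the object being touched. The decision
// depends only on (activeOrigin, object origin, kind, property), which is
// what makes it cheap to cache at the access site.
const decisionCache = new Map();
function guardedGet(nodes, activeOrigin, objName, prop) {
  const obj = nodes[objName];
  const key = `${activeOrigin}|${obj.origin}|${obj.kind}|${prop}`;
  let allowed = decisionCache.get(key);
  if (allowed === undefined) {
    allowed = obj.origin === activeOrigin ||
      (CROSS_ORIGIN_ALLOWED_TARGETS.has(obj.kind) &&
       CROSS_ORIGIN_ALLOWED_PROPS.has(prop));
    decisionCache.set(key, allowed);
  }
  if (!allowed) {
    return { ok: false,
             reason: `script at ${activeOrigin} may not read ${prop} of ` +
                     `${obj.kind} owned by ${obj.origin}` };
  }
  return { ok: true, value: obj.refs[prop] };
}

// Stand-alone run: list the leaks, then show the guard refusing to honour
// the leaked pointer while still permitting an allowed cross-origin read.
const heap = buildSampleHeap();
for (const l of findCapabilityLeaks(heap)) {
  console.log(`leak: ${l.from}.${l.property} -> ${l.to} ` +
              `(${l.fromOrigin} -> ${l.toOrigin})`);
}
console.log(guardedGet(heap, 'https://a.example', 'docB', 'body'));
console.log(guardedGet(heap, 'https://a.example', 'winB', 'location'));
```

The detector finds the single constructed leak (`objA.stolen` pointing at `docB`) and leaves the two Window-to-Window edges alone. The guard then refuses an a.example script's read through that leaked Document pointer even though the pointer exists, which is the sense in which the check is a backstop for bugs the detector did not catch, while the Window property read that the platform permits still succeeds.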

Source Code

The following patches are the code for our heap graph tool and access control prototype. Note that the patches presented here are meant to be simple, demonstrative prototypes, not exhaustive implementations. This means two things: (a) the code is not the best or prettiest that has ever been written, and (b) it may be buggy and/or incomplete. The patch is meant to work with version 3 of WebKit, current on November 11th, 2008. It might require modification to work on the more recent versions of WebKit. All of our new code is released under the terms of the GNU Library General Public License.