A Two-Tier Sandbox Architecture to Enforce Modular Fine-Grained Security Policies for Untrusted JavaScript

Report, 2011

Existing approaches to providing security for untrusted JavaScript include isolation of capabilities -- a.k.a. sandboxing. Features of the JavaScript language conspire to make this nontrivial, and isolation normally requires complex filtering, transforming and wrapping untrusted code to restrict the code to a manageable subset. The latest JavaScript specification (ECMAScript 5) has been modified to make sandboxing easier and more widely applicable. This is illustrated in a sandboxing library recently developed by the Google Caja Team which allows untrusted code to interact with a restricted API. However, specifying and enforcing fine-grained policies within an API implementation is complex and inflexible, since each sandboxed application (there may be several within a single web page) may need an application-specific policy. In this paper, we present a two-tier architecture for sandboxed code which combines a baseline sandbox with a stateful fine-grained policy specified in an aspect-oriented programming style. The implementation of the fine-grained policy part is an adaptation of lightweight self-protecting JavaScript mechanism proposed by Phung at el (ASIACCS'09). This enforcement mechanism allows the policies to be defined in a modular way so that, for example, different policies can be specified and enforced for different untrusted applications within the same page. The mechanism is realized as a JavaScript library, so that it does not require a modified browser and untrusted code can be dynamically loaded and executed without run-time checking or transformation. We show the effectiveness of the mechanism by deploying some case studies and analyzing their security features.