
SandDriller: A Fully-Automated Approach for Testing Language-Based JavaScript Sandboxes

conference contribution
posted on 2023-11-29, 18:24, authored by Abdullah Alhamdan, Cristian-Alexandru Staicu
Language-based isolation offers a cheap way to restrict the privileges of untrusted code. Previous work proposes a plethora of such techniques for isolating JavaScript code on the client side, enabling the creation of web mashups. While these solutions are mostly out of fashion among practitioners, there is a growing trend to use analogous techniques for JavaScript code running outside of the browser, e.g., for protecting against supply chain attacks on the server side. Irrespective of the use case, bugs in the implementation of language-based isolation can have devastating consequences. Hence, we propose SandDriller, the first dynamic analysis-based approach for detecting sandbox escape vulnerabilities. Our core insight is to design testing oracles based on the two main objectives of language-based sandboxes: prevent writes outside the sandbox and restrict access to privileged operations. Using instrumentation, we interpose oracle checks on all the references exchanged between the host and the guest code to detect foreign references that allow the guest code to escape the sandbox. If, at run time, a foreign reference is detected by an oracle, SandDriller proceeds to synthesize an exploit for it. We apply our approach to six sandbox systems and find eight unique zero-day sandbox breakout vulnerabilities and two crashes. We believe that SandDriller can be integrated into the development process of sandboxes to detect security vulnerabilities in the pre-release phase.

History

Preferred Citation

Abdullah AlHamdan and Cristian-Alexandru Staicu. SandDriller: A Fully-Automated Approach for Testing Language-Based JavaScript Sandboxes. In: Usenix Security Symposium (USENIX-Security). 2023.

Primary Research Area

  • Empirical and Behavioral Security

Name of Conference

Usenix Security Symposium (USENIX-Security)

Legacy Posted Date

2023-03-09

Open Access Type

  • Green

BibTeX

@inproceedings{cispa_all_3908,
  title     = "SandDriller: A Fully-Automated Approach for Testing Language-Based JavaScript Sandboxes",
  author    = "AlHamdan, Abdullah and Staicu, Cristian-Alexandru",
  booktitle = "{Usenix Security Symposium (USENIX-Security)}",
  year      = "2023",
}
