EAGER: Real-time Enforcement of Content Security Policy upon Real-world Websites

EAGER：在真实网站上实时执行内容安全策略

• 批准号: 1646662
• 负责人: Yinzhi Cao
• 金额: $ 9.47万
• 依托单位: Lehigh University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2016
• 资助国家: 美国
• 起止时间: 2016-09-01 至 2017-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1646662&HistoricalAwards=false
• 关键词: EAGER; Real; time; Enforcement; Content

Cross-site scripting (XSS) vulnerabilities -- though being known for more than ten years -- are still one of the most commonly-found web application vulnerabilities in the wild. Among all the defenses proposed by researchers, one widely-adopted approach is called Content Security Policy (CSP) -- which has been standardized by W3C and adopted by all major commercial browsers, such as Google Chrome, Internet Explorer, Safari, and Firefox. Though being successful in the client-side adoption, the server-side adoption of CSP is worrisome: According to a recent Internet-scale survey of 1M websites, at the time of the study, only 2% of top 100 Alexa websites enabled CSP, and 0.00086% of 900,000 least popular sites did so. This project is creating a backend-language-agnostic approach to help CSP's deployment at the server side, which automatically transforms existing real-world web contents to comply with CSP. The key insight of the project is that although web scripts may occur in different formats, contain real-time, user-related information, or be generated dynamically, these scripts are originated from the server and generated from certain templates. Therefore, the project can group scripts based on their similarities and infer the templates behind the scripts. Specifically, there are two types of scripts to handle: inline scripts and dynamic scripts. For the former, the project generalizes the script structures -- such as for loop and if statement -- as well as the type information of each object as templates and only allows scripts that matches the templates. For the latter, in addition to the matching with templates, the project instantiates these templates in runtime.

跨站脚本 (XSS) 漏洞虽然已为人所知十多年了，但仍然是最常见的 Web 应用程序漏洞之一。在研究人员提出的所有防御措施中，一种被广泛采用的方法称为内容安全策略 (CSP)，它已由 W3C 标准化，并被所有主要商业浏览器采用，例如 Google Chrome、Internet Explorer、Safari 和 Firefox。 尽管在客户端采用方面取得了成功，但 CSP 在服务器端的采用却令人担忧：根据最近对 100 万个网站进行的互联网规模调查，在研究时，前 100 个 Alexa 网站中只有 2% 启用了 CSP， 900,000 个最不受欢迎的网站中有 0.00086% 这样做了。 该项目正在创建一种与后端语言无关的方法来帮助 CSP 在服务器端的部署，该方法会自动转换现有的现实世界 Web 内容以符合 CSP。该项目的关键见解是，尽管 Web 脚本可能以不同的格式出现，包含实时的、与用户相关的信息，或者动态生成，但这些脚本源自服务器并根据某些模板生成。因此，项目可以根据脚本的相似性对脚本进行分组，并推断脚本背后的模板。具体来说，有两种类型的脚本需要处理：内联脚本和动态脚本。 对于前者，该项目将脚本结构（例如 for 循环和 if 语句）以及每个对象的类型信息概括为模板，并且只允许与模板匹配的脚本。 对于后者，除了与模板匹配之外，项目还在运行时实例化这些模板。