Mir: Automated Quantifiable Privilege Reduction Against Dynamic Library Compromise in JavaScript

TL;DR

Mir introduces a fine-grained permission model for JavaScript libraries, automatically inferring permissions to reduce privileges and defend against runtime threats with minimal performance overhead.

Contribution

It proposes a novel RWX permission model with automatic permission inference, enhancing security and usability for third-party JavaScript libraries.

Findings

Automatically infers 99.33% of permissions

Defends against 16 real threats

Achieves 1.93% runtime overhead

Abstract

Third-party libraries ease the development of large-scale software systems. However, they often execute with significantly more privilege than needed to complete their task. This additional privilege is often exploited at runtime via dynamic compromise, even when these libraries are not actively malicious. Mir addresses this problem by introducing a fine-grained read-write-execute (RWX) permission model at the boundaries of libraries. Every field of an imported library is governed by a set of permissions, which developers can express when importing libraries. To enforce these permissions during program execution, Mir transforms libraries and their context to add runtime checks. As permissions can overwhelm developers, Mir's permission inference generates default permissions by analyzing how libraries are used by their consumers. Applied to 50 popular libraries, Mir's prototype for JavaScript demonstrates that the RWX permission model combines simplicity with power: it is simple enough to automatically infer 99.33% of required permissions, it is expressive enough to defend against 16 real threats, it is efficient enough to be usable in practice (1.93% overhead), and it enables a novel quantification of privilege reduction.