© 2011 IBM Corporation Hybrid Analysis for JavaScript Security Assessment Omer Tripp Omri Weisman Salvatore Guarnieri IBM Software Group Sep 2011

© 2011 IBM Corporation Hybrid Analysis for JavaScript Security Assessment 2 Why JavaScript Analysis? According to an IBM study performed in 2010

© 2011 IBM Corporation Hybrid Analysis for JavaScript Security Assessment 3 Why JavaScript Analysis? (cont.) 15 % According to an IBM study performed in 2010 of Fortune 500 websites have exploitable security issues in JavaScript. DOM-based XSS document.write(document.URL.substring( pos,document.URL.length)); DOM-based XSS document.write(document.URL.substring( pos,document.URL.length)); Open Redirect var pos = document.location.href.indexOf("name="); var val = document.location.href.substring(pos); document.location.href = " + val; Open Redirect var pos = document.location.href.indexOf("name="); var val = document.location.href.substring(pos); document.location.href = " + val;

Reflective property access Prototype chain property lookup Lexical scoping Function pointers Arguments array eval and its relatives Complexities of JavaScript var a = "foo" + "bar"; var b = obj[a]; function F() { this.bar = document.url; } function G() { } G.prototype = new F(); var a = new G(); write(g.bar); function foo() { var y = 42; var bar = function() { write(y); } var m = function()... var k = function(f) { f(); } k(m); function sum() { if (arguments.length > 3) { eval(arguments[1]); } sum(1, "...”, 3) eval("document.write('evil')"); 4

Analysis Example function foo(p1, p2) { p1.f = p2.f; } var a = new Object(); var b = new Object(); b.f = window.location.toString(); var c = new Object(); var d = new Object(); d.f = "safe"; foo(a, b); foo(c, d); document.write(a.f); // This is a taint violation document.write(c.f); // This is NOT a taint violation Since d.f is not tainted, c.f will not be tainted Install taint summary for foo: p2.f -> p1.f 5 Taint variable: (v2, foo, )

© 2011 IBM Corporation Hybrid Analysis for JavaScript Security Assessment 6 Hybrid analysis Why Hybrid Analysis? Static analysis + Performance + Soundness + Coverage - Frameworks - Dynamic loading Dynamic analysis + Dynamic behavior - Coverage + Performance + Soundness + Coverage + Dynamic Behavior

© 2011 IBM Corporation Hybrid Analysis for JavaScript Security Assessment 7 Static Analysis  Typically applied to server-side JavaScript content  Misses dynamically generated JavaScript! document.write('<scr'+'ipt '); document.write('src=" ThisLink.cgi?g'+ _This_Link+'"'); document.write(' type="text/javascript">'); document.write(' ');

© 2011 IBM Corporation Hybrid Analysis for JavaScript Security Assessment 8 Traditional Black-box Testing  Sends test payload in HTTP request  Checks response for reflected payload  Does not work for DOM-based XSS! AttackerVictim Web Application link embedded with evil script Attacker’s evil script executed using victim’s credentials Evil script not sent to server

© 2011 IBM Corporation Hybrid Analysis for JavaScript Security Assessment 9 Sandboxed JavaScript Execution alert('hacked') Black-box Scanner

© 2011 IBM Corporation Hybrid Analysis for JavaScript Security Assessment 10 Dynamic Taint Analysis Source Sink document.URL document.write() execution flow

© 2011 IBM Corporation Hybrid Analysis for JavaScript Security Assessment 11 Our Hybrid Architecture Black-box Scanner DOM modeling Taint analysis String analysis Reduce scope Find issues Eliminate false positives HTML/JavaScript, concrete URLs, … issues

© 2011 IBM Corporation Hybrid Analysis for JavaScript Security Assessment 12  Specialized string analysis using dynamic pieces of information (e.g., concrete URL)  Part controlled by attacker is unknown, but known prefix modeled precisely var str = document.URL; var url_check = str.indexOf('login.html'); if (url_check > -1) { result = str.substring(0,url_check); result = result + 'login.jsp' + str.substring((url_check+search_term.length), str.length); document.URL = result; } Hybrid Elimination of False Reports CONTROLLED BY ATTACKERNOT CONTROLLED BY ATTACKER URL as Source "

© 2011 IBM Corporation Hybrid Analysis for JavaScript Security Assessment 13 String Analysis: Example String variable Integer variable

© 2011 IBM Corporation Hybrid Analysis for JavaScript Security Assessment 14 Hybrid DOM Modeling  The HTML DOM is an important channel of data propagation, but often too big (>10 5 lines of text) for the analysis to model!  In the hybrid setting –the analysis operates on a fully resolved DOM –the analysis can thus “reduce” the DOM BEFORE DOM reduction AFTER

© 2011 IBM Corporation Hybrid Analysis for JavaScript Security Assessment 15 Implementation & Evaluation  Algorithm featured in IBM Rational AppScan Standard Edition, a black-box security-scanning product  Experimental hypotheses: –(1 st experiment) The DOM-modeling and string-analysis specialization features have significant impact on the quality of the static security scanner –(2 nd experiment) The hybrid solution is significantly better than the baseline security scanner, which performs sandboxed JavaScript execution

© 2011 IBM Corporation Hybrid Analysis for JavaScript Security Assessment 16 1 st Experiment: Results  pages from each site  4 configurations: with/without DOM modeling, string analysis  Results: –Without DOM modeling: too many crashes! –String analysis highly effective Total number of JavaScript security vulnerabilities detected for 675 websites

© 2011 IBM Corporation Hybrid Analysis for JavaScript Security Assessment 17 2 nd Experiment: Results Number of websites tested60 Websites found to be vulnerable by baseline scanner (w/o hybrid capabilities) 8 (0 false positives) Websites found to be vulnerable by scanner with hybrid capabilities 33 (4 false positives)  Sites selected at random (out of 675 sites used for 1 st experiment)  False reports due to infeasible/rare path conditions Client-side vulnerabilities found by black-box scanner with and without hybrid capabilities

© 2011 IBM Corporation Hybrid Analysis for JavaScript Security Assessment 18 Summary  Hybrid JavaScript security analysis is a powerful approach –Allows new and exciting specialization techniques –Transcends inherent weaknesses of static and dynamic analyses  Thousands of real vulnerabilities discovered using our tool when applied to highly popular sites (Fortune 500, top 100 sites list, etc.) –Very low rate of false reports (thanks to string analysis) –Scales to real-world JavaScript and HTML (thanks to DOM modeling)

© 2011 IBM Corporation Hybrid Analysis for JavaScript Security Assessment Thank you 19