Presentation is loading. Please wait.

Presentation is loading. Please wait.

Staged Information Flow for JavaScript Ravi Chugh, Jeff Meister, Ranjit Jhala, Sorin Lerner UC San Diego.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Staged Information Flow for JavaScript Ravi Chugh, Jeff Meister, Ranjit Jhala, Sorin Lerner UC San Diego."— Presentation transcript:

1 Staged Information Flow for JavaScript Ravi Chugh, Jeff Meister, Ranjit Jhala, Sorin Lerner UC San Diego

2 wsj.com searchUrl = “wsj.com/search?”; doSearch = function(s) { var u = searchUrl + s; document.location = u; } z = get(“a.com/ad.js”); eval(z); 2

3 wsj.com a.com/ad.js searchUrl = “wsj.com/search?”; doSearch = function(s) { var u = searchUrl + s; document.location = u; } displayAd = function() {... } displayAd(); 3

4 wsj.com a.com/ad.js searchUrl = “wsj.com/search?”; doSearch = function(s) { var u = searchUrl + s; document.location = u; } displayAd = function() {... } displayAd(); searchUrl = “evil.com/”; 4

5 evil.com Script navigates to malicious page Exploits browser vulnerability 5

6 The Problem, Part 1 Third-party code may affect sensitive data – e.g. writing doc.location – e.g. reading doc.cookie Information flow policies – e.g. integrity of doc.location – e.g. confidentiality of doc.cookie JavaScript difficulties – dynamic typing – first-class functions – objects, but no classes – prototypes 6 server code third-party code var doc =...; doc.location = “evil”; steal(doc.cookie);

7 The Problem, Part 2 Entire code not available until runtime Arrives in stages 7 third-party code server code var doc =...; doc.location = “evil”; steal(doc.cookie);

8 Our Staged Approach: Server context policy 8 Information Flow Policies Confidentiality policy: x should not be read Integrity policy: x should not be written

9 Summarizes how loaded code must behave Syntactically enforceable for speed Our Staged Approach: Server context policy JavaScript Staging Analysis 9 residual policy No Read must-not-read vars No Write must-not-write vars

10 Our Staged Approach: Client Browser JavaScript Engine Residual Policy Checker ✓ ✗ hole context residual policy 10

11 wsj.com searchUrl = “wsj.com/search?”; doSearch = function(s) { var u = searchUrl + s; document.location = u; } No Read No Write searchUrl doSearch s SearchBox.value document.location 11 ✕

12 wsj.com searchUrl = “wsj.com/search?”; doSearch = function(s) { var u = searchUrl + s; document.location = u; } No Read doSearch No Write searchUrl SearchBox.value document.location 12

13 wsj.com searchUrl = “wsj.com/search?”; doSearch = function(s) { var u = searchUrl + s; document.location = u; } No Read doSearch a.com/ad1.js displayAd = function() { if (version < 7) {... } else {... } } displayAd(); No Write searchUrl SearchBox.value document.location 13 ✓

14 wsj.com searchUrl = “wsj.com/search?”; doSearch = function(s) { var u = searchUrl + s; document.location = u; } No Read doSearch a.com/ad2.js searchUrl = “evil.com/”; No Write searchUrl SearchBox.value document.location 14 ✗

15 wsj.com searchUrl = “wsj.com/search?”; doSearch = function(s) { var u = searchUrl + s; document.location = u; } No Read doSearch a.com/ad3.js doSearch(“foo”); No Write searchUrl SearchBox.value document.location 15 ✗

16 Outline Overview JavaScript Static Analysis Computing Residual Policies Additional Challenges Evaluation 16

17 Information Flow Graph Analysis tracks information flow in program Flow-insensitive, set constraint-based Graph representation: – program constants, variables, edges – special nodes for function declarations and calls 17 Fun x x 0 0

18 searchUrl = “wsj.com/search?”; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); /* a.com/ad1.js */ displayAd = function() {... }; displayAd(); searchUrl = “wsj.com/search?”; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); 18

19 searchUrl = “wsj.com/search?”; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); /* a.com/ad1.js */ displayAd = function() {... }; displayAd(); searchUrl “wsj.com/search?” 19

20 searchUrl = “wsj.com/search?”; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); /* a.com/ad1.js */ displayAd = function() {... }; displayAd(); searchUrl “wsj.com/search?” Fun s s doSearch 20

21 searchUrl = “wsj.com/search?”; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); /* a.com/ad1.js */ displayAd = function() {... }; displayAd(); searchUrl “wsj.com/search?” Fun s s doSearch u u 21

22 searchUrl = “wsj.com/search?”; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); /* a.com/ad1.js */ displayAd = function() {... }; displayAd(); searchUrl “wsj.com/search?” Fun s s doSearch u u document.location 22

23 searchUrl = “wsj.com/search?”; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); /* a.com/ad1.js */ displayAd = function() {... }; displayAd(); searchUrl “wsj.com/search?” Fun s s doSearch u u document.location Fun SearchBox.value 23

24 searchUrl = “wsj.com/search?”; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); /* a.com/ad1.js */ displayAd = function() {... }; displayAd(); Fun s s doSearch u u searchUrl document.location Fun SearchBox.value “wsj.com/search?” 24

25 searchUrl = “wsj.com/search?”; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); /* a.com/ad1.js */ displayAd = function() {... }; displayAd(); Fun s s doSearch u u searchUrl document.location Fun SearchBox.value “wsj.com/search?” Fun displayAd 25

26 searchUrl = “wsj.com/search?”; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); /* a.com/ad1.js */ displayAd = function() {... }; displayAd(); Fun s s doSearch u u searchUrl document.location Fun SearchBox.value “wsj.com/search?” Fun displayAd Fun 26

27 searchUrl = “wsj.com/search?”; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); /* a.com/ad1.js */ displayAd = function() {... }; displayAd(); Fun s s doSearch u u searchUrl document.location Fun SearchBox.value “wsj.com/search?” Fun displayAd Fun ✓ 27

28 searchUrl = “wsj.com/search?”; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); /* a.com/ad1.js */ displayAd = function() {... }; displayAd(); Fun displayAd Fun ✓ searchUrl = “wsj.com/search?”; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); Fun s s doSearch u u searchUrl document.location Fun SearchBox.value “wsj.com/search?” 28

29 searchUrl = “wsj.com/search?”; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); /* a.com/ad2.js */ searchUrl = “evil.com”; searchUrl = “wsj.com/search?”; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); Fun s s doSearch u u searchUrl document.location Fun SearchBox.value “wsj.com/search?” “evil.com/” ✗ 29

30 Fun s s doSearch u u searchUrl document.location Fun SearchBox.value “wsj.com/search?” searchUrl = “wsj.com/search?”; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); /* a.com/ad2.js */ searchUrl = “evil.com”; “evil.com/” ✗ 30 searchUrl = “wsj.com/search?”; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value);

31 searchUrl = “wsj.com/search?”; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); /* a.com/ad3.js */ doSearch(“foo”); searchUrl = “wsj.com/search?”; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); Fun s s doSearch u u searchUrl document.location Fun SearchBox.value “wsj.com/search?” Fun “foo” 31

32 searchUrl = “wsj.com/search?”; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); /* a.com/ad3.js */ doSearch(“foo”); Fun s s doSearch u u searchUrl document.location Fun SearchBox.value “wsj.com/search?” Fun “foo” ✗ 32

33 Outline Overview JavaScript Static Analysis Computing Residual Policies Additional Challenges Evaluation 33

34 Fun searchUrl = “wsj.com/search?”; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); doSearch Fun u u searchUrl document.location Fun SearchBox.value “wsj.com/search?” No Write No Read document.location u u searchUrl SearchBox.value doSearch 34 doSearch searchUrl SearchBox.value document.location s s s s Add taint to sensitive data and propagate

35 Residual Policies Difficulties: – Aliasing – First-class functions – Don’t want flow analysis in browser Solution: – Conservatively taint functions – Conservatively taint fields 35

36 Transfer taints from parameters to functions Transfer taints from return values to functions Fun Tainted Functions 36 No Write to No Read Fun foo No Read to No Write foo(document.cookie); // hole redefines foo foo = function(t) { // reads t, hence cookie } // hole redefines foo foo = function(t) { // reads t, hence cookie } foo Fun No Write Taint No Read Taint No Write Taint No Read Taint

37 Aliasing and Tainted Fields Residual policy misses future aliasing Conservative approach: if field f is tainted for some object, f tainted for all 37 z = tmp.cookie; No Write No Read document.cookie tmp.cookie z tmp = document; // reads z

38 Outline Overview JavaScript Static Analysis Computing Residual Policies Additional Challenges Evaluation 38

39 Objects Used pervasively in JavaScript Hence, analysis must be field-sensitive Encode “setter” and “getter” for field f using F ields can be dynamically added Initially assume no fields Iteratively add constraints until fixpoint Fld f x = { f:1 }; x.g = 2; 39

40 Prototypes JavaScript uses prototype-based inheritance Intuitively, each object x – has a link to its parent – inherits parent’s fields Ensures each object has fields of its ancestors x.parent x x 40

41 Indirect Flows if (document.cookie == “foo”) { y = 1; } document.cookie y y 1 1 Propagate taints along indirect flow edges But not program values INDIRECT 41

42 Outline Overview JavaScript Static Analysis Computing Residual Policies Additional Challenges Evaluation 42

43 Implementation Flow analysis and residual policy generator – parse JavaScript (JSure) – generate set constraints (6,000 lines of OCaml) – solve constraints (Banshee + 400 lines of C) Stand-alone residual policy checker – not yet incorporated into browser JavaScript collector – Firefox extension (500 lines of JavaScript) 43

44 Experimental Setup 44 Collect JavaScript for Alexa top 100 web sites third-party code server code 97/100 have JavaScript 63/97 have holes Context: all server code Hole: all third-party code

45 Experimental Setup Information flow analysis on context + hole Compute residual policy, check it on hole ✓/✗✓/✗ 45 ✓/✗✓/✗ cookie confidentiality location integrity

46 80% run in <12 sec Average: 9.9 sec Scalability of Full Analysis 46

47 Average Running Times 47 ✓/✗✓/✗ ✓/✗✓/✗ Full Analysis 9.9 sec Staged Analysis 14.0 sec0.13 sec

48 Results of Analysis: Full 48 Hole satisfies cookie policy? ✓ 30 ✗ 32

49 Results of Analysis: Staged 49 Hole satisfies cookie policy? ✓ 30 ✗ 32 Residual checker: 26/30 safe Imprecision: 4 false positives

50 Future Work Context-sensitivity Dynamically-constructed field names Test more complicated policies Embed residual policy checker in browser 50

51 Related Work Information flow – type systems – dynamic instrumentation JavaScript analysis – types [Thiemann 05, Anderson et al. 05] – dynamic policies [Chander et al. 07] – static analysis [Guarnieri/Livshits 09] Browser security – finer-grained interaction between scripts [Howell et al. 07] 51

52 Summary JavaScript static analysis is scalable Residual checks are fast enough for client Residual policies precisely capture information flow 52

53 Thanks! 53

54 Extra Slides

55 Information Flow Policies if (x) { holeVar = 1 }; Confidentiality of x : x should not affect hole variables indirectlyor holeVar = x; directly if (holeVar) { x = 1 }; Integrity of x : hole variables should not affect x indirectlyor x = holeVar; directly 55

56 Fields 56

57 Running Times Full analysis too slow to run on client Quick to compute residual policy on server Small run-time overhead to check – running time includes parsing time – parser is not optimized for speed 57 cookie policylocation policy Flow analysis on context + hole Computing residual policy Checking residual policy 9.910.7 14.028.4 0.130.12

58 Results of Staged Analysis Residual policy usually agrees with full information flow analysis Imprecision from tainted functions/fields No false negatives 58 Full: Policy Satisfied? Staged: Policy Satisfied? cookie policylocation policy ✓ ✓ 2649 ✗ 48 ✗ ✗ 325 ✓ 00 imprecision soundness

Download ppt "Staged Information Flow for JavaScript Ravi Chugh, Jeff Meister, Ranjit Jhala, Sorin Lerner UC San Diego."

Similar presentations

Objects and Classes David Walker CS 320. Advanced Languages advanced programming features –ML data types, exceptions, modules, objects, concurrency,...

Objects and Classes David Walker CS 320. Advanced Languages advanced programming features –ML data types, exceptions, modules, objects, concurrency,...
ECE 454 Computer Systems Programming Compiler and Optimization (I) Ding Yuan ECE Dept., University of Toronto

ECE 454 Computer Systems Programming Compiler and Optimization (I) Ding Yuan ECE Dept., University of Toronto
Java Script Session1 INTRODUCTION.

Java Script Session1 INTRODUCTION.
CS412/413 Introduction to Compilers Radu Rugina Lecture 37: DU Chains and SSA Form 29 Apr 02.

CS412/413 Introduction to Compilers Radu Rugina Lecture 37: DU Chains and SSA Form 29 Apr 02.
1 CSC 551: Web Programming Spring 2004 client-side programming with JavaScript  scripts vs. programs  JavaScript vs. JScript vs. VBScript  common tasks.

1 CSC 551: Web Programming Spring 2004 client-side programming with JavaScript  scripts vs. programs  JavaScript vs. JScript vs. VBScript  common tasks.
GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.

GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
1 Yinzhi Cao, Zhichun Li *, Vaibhav Rastogi, Yan Chen, and Xitao Wen Labs of Internet Security and Technology Northwestern University * NEC Labs America.

1 Yinzhi Cao, Zhichun Li *, Vaibhav Rastogi, Yan Chen, and Xitao Wen Labs of Internet Security and Technology Northwestern University * NEC Labs America.
Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.

Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
Parallel Inclusion-based Points-to Analysis Mario Méndez-Lojo Augustine Mathew Keshav Pingali The University of Texas at Austin (USA) 1.

Parallel Inclusion-based Points-to Analysis Mario Méndez-Lojo Augustine Mathew Keshav Pingali The University of Texas at Austin (USA) 1.
Ben Livshits and Weidong Cui Microsoft Research Redmond, WA.

Ben Livshits and Weidong Cui Microsoft Research Redmond, WA.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
1 Integrating Influence Mechanisms into Impact Analysis for Increased Precision Ben Breech Lori Pollock Mike Tegtmeyer University of Delaware Army Research.

1 Integrating Influence Mechanisms into Impact Analysis for Increased Precision Ben Breech Lori Pollock Mike Tegtmeyer University of Delaware Army Research.
Program Analysis with Set Constraints Ravi Chugh.

Program Analysis with Set Constraints Ravi Chugh.
Chapter 12: Web Usage Mining - An introduction

Chapter 12: Web Usage Mining - An introduction
Objects and Classes David Walker CS 320. Advanced Languages advanced programming features –ML data types, exceptions, modules, objects, concurrency,...

Objects and Classes David Walker CS 320. Advanced Languages advanced programming features –ML data types, exceptions, modules, objects, concurrency,...
Recap from last time We were trying to do Common Subexpression Elimination Compute expressions that are available at each program point.

Recap from last time We were trying to do Common Subexpression Elimination Compute expressions that are available at each program point.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
1 Refinement-Based Context-Sensitive Points-To Analysis for Java Manu Sridharan, Rastislav Bodík UC Berkeley PLDI 2006.

1 Refinement-Based Context-Sensitive Points-To Analysis for Java Manu Sridharan, Rastislav Bodík UC Berkeley PLDI 2006.

Similar presentations

Ads by Google