Saving the World Wide Web from Vulnerable JavaScript
International Symposium on Software Testing and Analysis (ISSTA 2011)

Omer Tripp, IBM Software Group, omert@il.ibm.com
Marco Pistoia, IBM T. J. Watson Research Center, pistoia@us.ibm.com
Julian Dolby, IBM T. J. Watson Research Center, dolby@us.ibm.com
Stephen Teilhet, IBM Software Group, steilhet@us.ibm.com
Ryan Berg, IBM Software Group, ryan.berg@us.ibm.com
Salvatore Guarnieri, IBM Software Group, sguarni@us.ibm.com
www.research.ibm.com/labasec
JavaScript is present on many popular Web sites
Consequences of Taint Violations
–Read and write access to saved data in cookies and local data stores
–Read and write access to data in the web page
–Key loggers
–Impersonation
–Phishing via page modifications or redirects
var el1 = document.getElementById("d1");
function foo() {
  var el2 = document.getElementById("d2");
  function bar() {
    var el3 = new Element();
    var s = encodeURIComponent(el2.innerText);
    document.write(s);
    el1.innerHTML = el2.innerText;
    document.location = el3.innerText;
  }
  bar();
}
foo();
function baz(a, b) {
  a.f = document.URL;
  document.write(b.f);
}
var x = new Object();
baz(x, x);

Slide annotations on the code above: getting data from the DOM; sanitizing some, but not all, of the data; writing untrusted data into the web page; writing unchecked data to the web page.
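The slide's program has one sanitized flow and two unsanitized ones. Below is an added example, not code from the paper or from Actarus, that rewrites those flows so each sink receives a sanitizer suited to it: HTML escaping for the two markup-writing sinks, and an allow-list check rather than percent-encoding for the navigation sink. The functions escapeHtml, safeNavigationTarget, makeDoc and render, the stubbed DOM and the sample element text are all assumptions made for the example so that it runs under Node without a browser.

```javascript
// Added example, not code from the paper: the slide-5 flows rewritten so that
// DOM-derived text passes through a sanitizer that fits the sink it reaches.
// The DOM stub, element ids and sample text are constructed so this runs in Node.

// HTML context (document.write, innerHTML): escape the characters that can
// start markup or break out of an attribute before the string is interpolated.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Navigation context (document.location): percent-encoding is the wrong
// sanitizer here, so only same-origin relative paths are accepted; anything
// else (absolute URLs, scheme-relative "//host", "javascript:") is rejected.
function safeNavigationTarget(s) {
  const v = String(s).trim();
  return /^\/(?!\/)[A-Za-z0-9._~\-\/?#=&%]*$/.test(v) ? v : null;
}

// Minimal stand-in for the browser DOM used on the slide (constructed).
function makeDoc() {
  return {
    elements: { d1: { innerHTML: "" }, d2: { innerText: '<b onclick="x()">hi</b>' } },
    written: [],
    location: "/",
    getElementById(id) { return this.elements[id]; },
    write(html) { this.written.push(html); },
  };
}

// The slide's bar(): every write of el2.innerText now goes through the sanitizer
// for its sink, and the untrusted text is only used as a navigation target when
// the validator accepts it. (Assigning el1.textContent instead of innerHTML would
// avoid the HTML sink altogether; escaping is shown because the slides talk about
// sanitization routines.)
function render(document) {
  const el1 = document.getElementById("d1");
  const el2 = document.getElementById("d2");
  document.write(escapeHtml(el2.innerText));
  el1.innerHTML = escapeHtml(el2.innerText);
  const target = safeNavigationTarget(el2.innerText);
  if (target !== null) document.location = target;
  return { written: document.written, inner: el1.innerHTML, location: document.location };
}

console.log(render(makeDoc()));
```

The point of keeping two sanitizers is the one the next section makes explicitly: a sanitizer is only valid for particular sinks, so the same DOM text needs escaping on its way to innerHTML and a different check on its way to document.location.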
Motivation
Sources, Sinks, and Sanitizers
Taint Analysis
Results
Rules
A rule is a triple (source, sink, sanitizer). Not all sources are valid for all sinks, and not all sanitizers are valid for all sinks.
Sources
–Seeds of untrusted data
–Field gets or return values of function calls
–Ex: document.URL
Sinks
–Security-critical operations
–Field puts or parameters of function calls
–Ex: element.innerHTML
Sanitizers
–Mark a flow as non-dangerous
–Function calls
–Ex: encodeURIComponent(str)
Motivation
Sources, Sinks, and Sanitizers
Taint Analysis
Results
Complexities of JavaScript
Reflective property access:
  var a = "foo" + "bar";
  var b = obj[a];
Prototype chain property lookup:
  function F() { this.bar = document.URL; }
  function G() { }
  G.prototype = new F();
  var g = new G();
  write(g.bar);
Lexical scoping:
  function foo() {
    var y = 42;
    var bar = function() { write(y); }
  }
Function pointers:
  var m = function()...
  var k = function(f) { f(); }
  k(m);
eval and its relatives:
  eval("document.write('evil')");
Demand-Driven Taint Analysis
The seeds are the assignments to sources or return values from sources
The analysis proceeds by tainting variables
Variables consist of triplets:
–Static Single Assignment (SSA) variable ID
–Method where the SSA variable is defined
–Access path
–Ex: (v7, m, )
Context-Sensitive Taint Analysis
Start from taint sources
Propagate taint intra-procedurally through def-use
Inter-procedurally, propagate taint forward
Resolve aliasing using Andersen's alias analysis
Record constraints on call sites, recursively
In the final constraint-propagation graph, detect paths between sources and sinks not intercepted by sanitizers
(Diagram: call sites m1(), m2(p1, p2, p3), m3(q1, q2))
Analysis Example
function foo(p1, p2) {
  p1.f = p2.f;
}
var a = new Object();
var b = new Object();
b.f = window.location.toString();
var c = new Object();
var d = new Object();
d.f = "safe";
foo(a, b);
foo(c, d);
document.write(a.f); // This is a taint violation
document.write(c.f); // This is NOT a taint violation

Taint variable: (v2, foo, )
Install taint summary for foo: p2.f -> p1.f
Since d.f is not tainted, c.f will not be tainted
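To show how the (source, sink, sanitizer) rules from the Rules slide and the per-call-site summary from this example fit together, here is an added toy analysis. It is not the Actarus implementation: the statement IR, the RULES table, the functions summarize, analyze and findings, and the encodings SLIDE17 and SLIDE5 are all constructed for this example. It computes the summary p2.f -> p1.f for foo once, instantiates it separately at foo(a, b) and foo(c, d), and reports a violation only for document.write(a.f); the second program encodes the sanitized and unsanitized DOM-text writes from the earlier slide, so the sanitizer check is exercised too.

```javascript
// Added example, not the Actarus implementation: a toy context-sensitive taint
// analysis over a hand-built IR of the slide-17 program plus the two DOM-text
// writes from slide 5. The IR shape, rule set and every name here are assumptions.

// Rules as (source, sink, sanitizer) triples, as on the "Rules" slide. Constructed:
// encodeURIComponent is only accepted for the two HTML-writing sinks.
const RULES = [
  ["window.location", "document.write", "encodeURIComponent"],
  ["DOM.innerText", "document.write", "encodeURIComponent"],
  ["DOM.innerText", "Element.innerHTML", "encodeURIComponent"],
];

// Summary of one function: which parameter-rooted access paths flow into which
// parameter-rooted access paths, following def-use through locals (intra-procedural).
function summarize(fn) {
  const isParam = (p) => fn.params.includes(p.split(".")[0]);
  const carried = new Map(); // local path -> Set of parameter-rooted origins
  const originsOf = (p) => (isParam(p) ? new Set([p]) : carried.get(p) || new Set());
  const flows = [];
  for (const st of fn.body) {
    if (st.op !== "assign") continue; // toy IR: summaries follow plain copies only
    const from = originsOf(st.src);
    if (isParam(st.dst)) for (const f of from) flows.push([f, st.dst]);
    else carried.set(st.dst, from);
  }
  return flows; // for foo on slide 17: [["p2.f", "p1.f"]]
}

// Forward propagation over the top-level statements. A taint fact { source,
// sanitizers } is attached to an access path; summaries are built on demand and
// instantiated with each call's actuals, which is what tells foo(a, b) and foo(c, d) apart.
function analyze(program, functions, rules = RULES) {
  const taint = new Map();     // access path -> { source, sanitizers }
  const summaries = new Map(); // function name -> summary, built on demand
  const violations = [];
  // copy a taint fact, optionally recording one more sanitizer; undefined stays undefined
  const copy = (t, via) =>
    t && { source: t.source, sanitizers: new Set(via ? [...t.sanitizers, via] : t.sanitizers) };
  const put = (dst, t) => (t ? taint.set(dst, t) : taint.delete(dst));
  for (const st of program) {
    switch (st.op) {
      case "source": put(st.dst, { source: st.name, sanitizers: new Set() }); break;
      case "const": put(st.dst, undefined); break; // a literal kills taint on the path
      case "assign": put(st.dst, copy(taint.get(st.src))); break;
      case "sanitize": put(st.dst, copy(taint.get(st.src), st.via)); break; // still tainted, sanitizer noted
      case "call": {
        const fn = functions[st.fn];
        if (!summaries.has(st.fn)) summaries.set(st.fn, summarize(fn));
        // rename formals to this call's actuals: for foo(a, b), p2.f -> b.f and p1.f -> a.f
        const actual = (p) => {
          const [root, ...rest] = p.split(".");
          return [st.args[fn.params.indexOf(root)], ...rest].join(".");
        };
        // may-analysis: a summary edge only adds taint at the call site, never removes it
        const updates = summaries.get(st.fn)
          .map(([from, to]) => [actual(to), copy(taint.get(actual(from)))])
          .filter(([, t]) => t);
        for (const [dst, t] of updates) taint.set(dst, t);
        break;
      }
      case "sink": {
        const t = taint.get(st.src);
        if (!t) break;
        const applicable = rules.filter(([s, k]) => s === t.source && k === st.name);
        const sanitized = applicable.some(([, , z]) => t.sanitizers.has(z));
        if (applicable.length > 0 && !sanitized) {
          violations.push({ sink: st.name, arg: st.src, source: t.source });
        }
        break;
      }
    }
  }
  return violations;
}

// Constructed IR encoding of the slide-17 program.
const FUNCTIONS = {
  foo: { params: ["p1", "p2"], body: [{ op: "assign", dst: "p1.f", src: "p2.f" }] },
};
const SLIDE17 = [
  { op: "source", dst: "b.f", name: "window.location" },
  { op: "const", dst: "d.f" }, // d.f = "safe"
  { op: "call", fn: "foo", args: ["a", "b"] },
  { op: "call", fn: "foo", args: ["c", "d"] },
  { op: "sink", name: "document.write", src: "a.f" }, // taint violation
  { op: "sink", name: "document.write", src: "c.f" }, // not a taint violation
];
// Constructed IR encoding of the two DOM-text writes from slide 5.
const SLIDE5 = [
  { op: "source", dst: "el2.innerText", name: "DOM.innerText" },
  { op: "sanitize", dst: "s", src: "el2.innerText", via: "encodeURIComponent" },
  { op: "sink", name: "document.write", src: "s" }, // sanitized for this sink
  { op: "sink", name: "Element.innerHTML", src: "el2.innerText" }, // taint violation
];

function findings() {
  return { slide17: analyze(SLIDE17, FUNCTIONS), slide5: analyze(SLIDE5, {}) };
}

console.log(JSON.stringify(findings(), null, 2));
```

The sanitizer is recorded on the taint fact rather than clearing it, so the decision of whether a flow is safe is made at the sink against the rules for that particular (source, sink) pair; that is the mechanism behind "not all sanitizers are valid for all sinks". The toy deliberately omits the aliasing, prototype-chain and eval handling the Complexities slide lists.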
Motivation
Sources, Sinks, and Sanitizers
Taint Analysis
Results
Data Sets
Developed a micro-benchmark suite of about 150 test scripts
Downloaded Web pages and ran Actarus on them
Real-World Data Set
Crawled portions of top Alexa Web sites and downloaded pages to disk
Ran Actarus on a sample of the saved pages
Ran on over 12,000 pages
Successfully analyzed over 9,000 pages
~22% failure due to a 4-minute timeout
Findings
Several vulnerable Web sites were found
Duplicates of vulnerabilities were found on many pages from the same site
Some exploits were found in third-party code that was shared among several websites
40% true positive rate
Vulnerabilities can be fixed with common sanitization routines
Findings

Site   Unique True Positives   Total True Positives
A      7                       80
B      4                       12
C      4                       91
D      7                       13
E      2                       4
F      1                       200
G      1                       1
H      1114 (the split between the two columns is not recoverable from the extracted slide)
I      3                       7
J      1                       3
K      1                       1
User-Friendly Output
Flows are highlighted and numbered in the source code
JavaScript was pretty-printed to improve readability and the usefulness of line numbers
Future Work
Use string analysis to reduce false positives
Make the analysis modular so library code does not have to be reanalyzed
Thank You
E-mail: sguarni@us.ibm.com