Presentation is loading. Please wait.

Presentation is loading. Please wait.

Workshop in compile-time techniques for detecting Javascript exploits Shir Landau-Feibish, Shmulik Regev, Noam Rinetzky

Published byAnna Townsend Modified over 9 years ago

Similar presentations

Presentation on theme: "Workshop in compile-time techniques for detecting Javascript exploits Shir Landau-Feibish, Shmulik Regev, Noam Rinetzky"— Presentation transcript:

1 Workshop in compile-time techniques for detecting Javascript exploits Shir Landau-Feibish, Shmulik Regev, Noam Rinetzky http://www.cs.tau.ac.il/~maon/teaching/2013- 2014/workshop/workshop1314b.html Semester B. Monday, 16:00-18:00. Kaplun 319

2 Scope Automatic tools for analyzing Javascripts Detecting malicious code Static tools: Compile-time Dynamic tools: Run-time

3 Admin Projects in groups of 2-3 Talking and helping is OK – Copying is not All members should participate Hands-off guidance

4 Goals Learn Javascript Implement a simple analyzer (mini-project) Implement a sophisticated analyzer – Choose a vulnerability – Find tell-tale signs – Implement a detector Compile-time analysis Can have a runtime component Experimental evaluation Presentation of tools & results

5 Short term schedule Today: Problem description Next week: – Review of existing tools/techniques – Mini-project description

6 Long Term Schedule (Tentative) 17/02/2014: Problem description 24/02/2014: Mini-project description 07/04/2014: Progress report (mini project) 09/06/2014: Progress report – Mini project submission – Presenting chosen project 02/09/2014: Project submission ~15/September/2014: Project presentation

7 Javascript Self study Next lecture in Programming Languages – Next Monday (24/2/14), 10:00-12:00 – Dan David 001

8 Next week: Review of Techniques&Tools Heap feng shui Address disclosure – Pointer inference + integer sieve sections JIT spray – JIT spry Section ROP – Sections 1-2 Zozzle

9

10 Text links Heap feng shui – https://www.usenix.org/legacy/events/woot08/tech/full_papers/daniel/daniel_html/wo ot08.html https://www.usenix.org/legacy/events/woot08/tech/full_papers/daniel/daniel_html/wo ot08.html Address disclosure – http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf – Pointer inference + integer sieve sections JIT spray – http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf – JIT spray section ROP – http://cseweb.ucsd.edu/~hovav/dist/geometry.pdf http://cseweb.ucsd.edu/~hovav/dist/geometry.pdf – Only sections 1 & 2 Zozzle – http://research.microsoft.com/apps/pubs/?id=141930 http://research.microsoft.com/apps/pubs/?id=141930

Download ppt "Workshop in compile-time techniques for detecting Javascript exploits Shir Landau-Feibish, Shmulik Regev, Noam Rinetzky"

Similar presentations

Indistar® Leadership Team Meetings. Where can we plan a meeting? Choose ‘Plan Your Meeting’ from the main menu screen Click on Meeting Agenda Setup.

Indistar® Leadership Team Meetings. Where can we plan a meeting? Choose ‘Plan Your Meeting’ from the main menu screen Click on Meeting Agenda Setup.
Automatic Memory Management Noam Rinetzky Schreiber 123A 2015/seminar/seminar1415a.html.

Automatic Memory Management Noam Rinetzky Schreiber 123A /seminar/seminar1415a.html.
Compilation 0368-3133 (Semester A, 2013/14) Lecture 14: Compiling Object Oriented Programs Noam Rinetzky Slides credit: Mooly Sagiv 1.

Compilation (Semester A, 2013/14) Lecture 14: Compiling Object Oriented Programs Noam Rinetzky Slides credit: Mooly Sagiv 1.
CSI 3120, Implementing subprograms, page 1 Implementing subprograms The environment in block-structured languages The structure of the activation stack.

CSI 3120, Implementing subprograms, page 1 Implementing subprograms The environment in block-structured languages The structure of the activation stack.
A quasi-experimental comparison of assessment feedback mechanisms Sven Venema School of Information and Communication Technology.

A quasi-experimental comparison of assessment feedback mechanisms Sven Venema School of Information and Communication Technology.
DSP Implementation Lecture 3. Anatomy of a DSP Project In VDSP Linker Description File (.LDF) Source Files (.asm,.c,.h,.cpp,.dat) Object Files (.doj)

DSP Implementation Lecture 3. Anatomy of a DSP Project In VDSP Linker Description File (.LDF) Source Files (.asm,.c,.h,.cpp,.dat) Object Files (.doj)
 Introduction  Related Work  Design Overview  System Implementation  Evaluation  Limitations 2011/7/19 2 A Seminar at Advanced Defense Lab.

 Introduction  Related Work  Design Overview  System Implementation  Evaluation  Limitations 2011/7/19 2 A Seminar at Advanced Defense Lab.
Software Security Lecture 10 Fang Yu Dept. of MIS, National Chengchi University Spring 2011.

Software Security Lecture 10 Fang Yu Dept. of MIS, National Chengchi University Spring 2011.
Software Security Lecture 0 Fang Yu Dept. of MIS National Chengchi University Spring 2011.

Software Security Lecture 0 Fang Yu Dept. of MIS National Chengchi University Spring 2011.
CS 330 Programming Languages 10 / 16 / 2008 Instructor: Michael Eckmann.

CS 330 Programming Languages 10 / 16 / 2008 Instructor: Michael Eckmann.
Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,

Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,
Advanced Compilers CSE 231 Instructor: Sorin Lerner.

Advanced Compilers CSE 231 Instructor: Sorin Lerner.
Run-Time Storage Organization

Run-Time Storage Organization
COMS S1007 Object-Oriented Programming and Design in Java July 24, 2008.

COMS S1007 Object-Oriented Programming and Design in Java July 24, 2008.
Chapter 9: Subprogram Control

Chapter 9: Subprogram Control
Evaluating a Formal Methods Technique via Student Assessed Exercises Alastair Donaldson, Alice Miller University of Glasgow.

Evaluating a Formal Methods Technique via Student Assessed Exercises Alastair Donaldson, Alice Miller University of Glasgow.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Testing Static Analysis Tools using Exploitable Buffer Overflows from Open Source Code Zitser, Lippmann & Leek Presented by: José Troche.

Testing Static Analysis Tools using Exploitable Buffer Overflows from Open Source Code Zitser, Lippmann & Leek Presented by: José Troche.
Week 7 February 17, 2004 Adrienne Noble. Important Dates Due Monday, Feb 23 Homework 7 Due Wednesday, Feb 25 Project 3 Due Friday, Feb 27 Homework 8.

Week 7 February 17, 2004 Adrienne Noble. Important Dates Due Monday, Feb 23 Homework 7 Due Wednesday, Feb 25 Project 3 Due Friday, Feb 27 Homework 8.
Charles Curtsinger UMass at Amherst Benjamin Livshits and Benjamin Zorm Microsoft Research Christian Seifert Microsoft 20 th USENIX Security Symposium.

Charles Curtsinger UMass at Amherst Benjamin Livshits and Benjamin Zorm Microsoft Research Christian Seifert Microsoft 20 th USENIX Security Symposium.

Similar presentations

Ads by Google