Securing JavaScript Information Flow with Staged Approach

Staged Information Flow
for JavaScript
Ravi Chugh, Jeff Meister, Ranjit Jhala, Sorin Lerner
UC San Diego
 
wsj.com
 
<textbox id=“SearchBox”>
<button onclick=“doSearch(SearchBox.value)”>
 
<script type=“javascript”>
searchUrl = “wsj.com/search?”;
doSearch = function(s) {
  var u = searchUrl + s;
  document.location = u;
}
</script>
 
z = get(“a.com/ad.js”);
eval(z);
2
wsj.com
<textbox id=“SearchBox”>
<button onclick=“doSearch(SearchBox.value)”>
 
a.com/ad.js
<script type=“javascript”>
searchUrl = “wsj.com/search?”;
doSearch = function(s) {
  var u = searchUrl + s;
  document.location = u;
}
</script>
 
displayAd = function() {
  ...
}
displayAd();
3
wsj.com
<textbox id=“SearchBox”>
<button onclick=“doSearch(SearchBox.value)”>
a.com/ad.js
<script type=“javascript”>
searchUrl = “wsj.com/search?”;
doSearch = function(s) {
  var u = searchUrl + s;
  document.location = u;
}
</script>
displayAd = function() {
  ...
}
displayAd();
 
searchUrl = “evil.com/”;
4
evil.com
 
Script navigates to a malicious page
Exploits a browser vulnerability
5
The Problem, Part 1
 
Third-party code may affect sensitive data
e.g. writing doc.location
e.g. reading doc.cookie
Information flow policies
e.g. integrity of doc.location
e.g. confidentiality of doc.cookie
JavaScript difficulties
dynamic typing
first-class functions
objects, but no classes
prototypes
6
server code
 
third-party code
var doc = ...;
 
doc.location = “evil”;
 
steal(doc.cookie);
The Problem, Part 2
 
Entire code is not available until runtime
 
It arrives in stages
7
third-party code
server code
var doc = ...;
doc.location = “evil”;
steal(doc.cookie);
Our Staged Approach: Server
8
 
Summarizes how loaded code must behave
Syntactically enforceable for speed
Our Staged Approach: Server
JavaScript
Staging
Analysis
9
Our Staged Approach: Client
Browser
JavaScript Engine
Residual
Policy
Checker
 
 
10
wsj.com
<textbox id=“SearchBox”>
<button onclick=“doSearch(SearchBox.value)”>
<script type=“javascript”>
searchUrl = “wsj.com/search?”;
doSearch = function(s) {
  var u = searchUrl + s;
  document.location = u;
}
</script>
searchUrl
doSearch
s
SearchBox.value
document.location
11
 
wsj.com
<textbox id=“SearchBox”>
<button onclick=“doSearch(SearchBox.value)”>
<script type=“javascript”>
searchUrl = “wsj.com/search?”;
doSearch = function(s) {
  var u = searchUrl + s;
  document.location = u;
}
</script>
doSearch
12
wsj.com
<textbox id=“SearchBox”>
<button onclick=“doSearch(SearchBox.value)”>
<script type=“javascript”>
searchUrl = “wsj.com/search?”;
doSearch = function(s) {
  var u = searchUrl + s;
  document.location = u;
}
</script>
doSearch
searchUrl
SearchBox.value
document.location
13
 
wsj.com
<textbox id=“SearchBox”>
<button onclick=“doSearch(SearchBox.value)”>
<script type=“javascript”>
searchUrl = “wsj.com/search?”;
doSearch = function(s) {
  var u = searchUrl + s;
  document.location = u;
}
</script>
doSearch
searchUrl
SearchBox.value
document.location
14
 
wsj.com
<textbox id=“SearchBox”>
<button onclick=“doSearch(SearchBox.value)”>
<script type=“javascript”>
searchUrl = “wsj.com/search?”;
doSearch = function(s) {
  var u = searchUrl + s;
  document.location = u;
}
</script>
doSearch
searchUrl
SearchBox.value
document.location
15
 
Outline
Overview
JavaScript Static Analysis
Computing Residual Policies
Additional Challenges
Evaluation
16
Information Flow Graph
 
Analysis tracks information flow in program
Flow-insensitive, set constraint-based
Graph representation:
program constants, variables, edges
 
special nodes for function declarations and calls
17
x
0
 
searchUrl = “wsj.com/search?”;
doSearch = function(s) {
  var u = searchUrl + s;
  document.location = u;
}
doSearch(SearchBox.value);
/* a.com/ad1.js */
displayAd = function() { ... };
displayAd();
searchUrl = “wsj.com/search?”;
doSearch = function(s) {
  
var u = searchUrl + s;
 
 document.location = u;
}
doSearch(SearchBox.value);
18
searchUrl = “wsj.com/search?”;
doSearch = function(s) {
  var u = searchUrl + s;
  document.location = u;
}
doSearch(SearchBox.value);
/* a.com/ad1.js */
displayAd = function() { ... };
displayAd();
19
searchUrl = “wsj.com/search?”;
doSearch = function(s) {
  var u = searchUrl + s;
  document.location = u;
}
doSearch(SearchBox.value);
/* a.com/ad1.js */
displayAd = function() { ... };
displayAd();
doSearch
20
searchUrl = “wsj.com/search?”;
doSearch = function(s) {
  var u = searchUrl + s;
  document.location = u;
}
doSearch(SearchBox.value);
/* a.com/ad1.js */
displayAd = function() { ... };
displayAd();
u
21
searchUrl = “wsj.com/search?”;
doSearch = function(s) {
  var u = searchUrl + s;
  document.location = u;
}
doSearch(SearchBox.value);
/* a.com/ad1.js */
displayAd = function() { ... };
displayAd();
u
document.location
22
searchUrl = “wsj.com/search?”;
doSearch = function(s) {
  var u = searchUrl + s;
  document.location = u;
}
doSearch(SearchBox.value);
/* a.com/ad1.js */
displayAd = function() { ... };
displayAd();
u
document.location
23
searchUrl = “wsj.com/search?”;
doSearch = function(s) {
  
var u = searchUrl + s;
 
 document.location = u;
}
doSearch(SearchBox.value);
/* a.com/ad1.js */
displayAd = function() { ... };
displayAd();
doSearch
u
searchUrl
document.location
“wsj.com/search?”
24
searchUrl = “wsj.com/search?”;
doSearch = function(s) {
  
var u = searchUrl + s;
 
 document.location = u;
}
doSearch(SearchBox.value);
/* a.com/ad1.js */
displayAd = function() { ... };
displayAd();
doSearch
u
searchUrl
document.location
“wsj.com/search?”
25
searchUrl = “wsj.com/search?”;
doSearch = function(s) {
  
var u = searchUrl + s;
 
 document.location = u;
}
doSearch(SearchBox.value);
/* a.com/ad1.js */
displayAd = function() { ... };
displayAd();
doSearch
u
searchUrl
document.location
“wsj.com/search?”
26
searchUrl = “wsj.com/search?”;
doSearch = function(s) {
  
var u = searchUrl + s;
 
 document.location = u;
}
doSearch(SearchBox.value);
/* a.com/ad1.js */
displayAd = function() { ... };
displayAd();
doSearch
u
searchUrl
document.location
“wsj.com/search?”
displayAd
 
27
searchUrl = “wsj.com/search?”;
doSearch = function(s) {
  
var u = searchUrl + s;
 
 document.location = u;
}
doSearch(SearchBox.value);
doSearch
u
searchUrl
document.location
“wsj.com/search?”
28
 
searchUrl = “wsj.com/search?”;
doSearch = function(s) {
  var u = searchUrl + s;
  document.location = u;
}
doSearch(SearchBox.value);
/* a.com/ad2.js */
searchUrl = “evil.com”;
searchUrl = “wsj.com/search?”;
doSearch = function(s) {
  
var u = searchUrl + s;
 
 document.location = u;
}
doSearch(SearchBox.value);
doSearch
u
searchUrl
document.location
“wsj.com/search?”
“evil.com/”
 
29
doSearch
u
searchUrl
document.location
“wsj.com/search?”
30
searchUrl = “wsj.com/search?”;
doSearch = function(s) {
  
var u = searchUrl + s;
 
 document.location = u;
}
doSearch(SearchBox.value);
 
searchUrl = “wsj.com/search?”;
doSearch = function(s) {
  var u = searchUrl + s;
  document.location = u;
}
doSearch(SearchBox.value);
/* a.com/ad3.js */
doSearch(“foo”);
searchUrl = “wsj.com/search?”;
doSearch = function(s) {
  
var u = searchUrl + s;
 
 document.location = u;
}
doSearch(SearchBox.value);
doSearch
u
searchUrl
document.location
“wsj.com/search?”
31
searchUrl = “wsj.com/search?”;
doSearch = function(s) {
  
var u = searchUrl + s;
 
 document.location = u;
}
doSearch(SearchBox.value);
/* a.com/ad3.js */
doSearch(“foo”);
doSearch
u
searchUrl
document.location
“wsj.com/search?”
 
32
Outline
Overview
JavaScript Static Analysis
Computing Residual Policies
Additional Challenges
Evaluation
33
Fun
searchUrl = “wsj.com/search?”;
doSearch = function(s) {
  
var u = searchUrl + s;
 
 document.location = u;
}
doSearch(SearchBox.value);
doSearch
Fun
u
searchUrl
document.location
“wsj.com/search?”
document.location
u
searchUrl
SearchBox.value
doSearch
34
doSearch
searchUrl
SearchBox.value
document.location
s
s
Add taint to sensitive data and propagate it
Residual Policies
 
Difficulties:
Aliasing
First-class functions
Don’t want flow analysis in browser
 
Solution:
Conservatively taint functions
Conservatively taint fields
35
 
Transfer taints from parameters to functions
 
 
 
 
 
 
 
Transfer taints from return values to functions
 
Fun
Fun
Tainted Functions
36
 
No Write
to
No Read
Fun
foo
foo
 
No Read
to
No Write
 foo(document.cookie);
 // hole redefines foo
 foo = function(t) {
   // reads t, hence cookie
 }
foo
foo
Fun
Aliasing and Tainted Fields
 
 
 
 
 
 
 
Residual policy misses future aliasing
Conservative approach:
 
if field f is tainted for some object, then f is tainted for all objects
37
document.cookie
tmp.cookie
z
tmp = document;
// reads z
Outline
Overview
JavaScript Static Analysis
Computing Residual Policies
Additional Challenges
Evaluation
38
Objects
 
Used pervasively in JavaScript
Hence, analysis must be field-sensitive
Encode a “setter” and a “getter” for field f using
 
 
Fields can be dynamically added
Initially assume no fields
Iteratively add constraints until fixpoint
 
x = { f:1 };
x.g = 2;
39
Prototypes
 
JavaScript uses prototype-based inheritance
Intuitively, each object x has a link to its parent and inherits its parent’s fields
 
 
 
Ensures each object has fields of its ancestors
40
Indirect Flows
 
   
if (document.cookie == “foo”) {
    
y = 1;
   
}
document.cookie
 
Propagate taints along indirect flow edges, but not program values
 
INDIRECT
41
Outline
Overview
JavaScript Static Analysis
Computing Residual Policies
Additional Challenges
Evaluation
42
Implementation
 
Flow analysis and residual policy generator
parse JavaScript (JSure)
generate set constraints (6,000 lines of OCaml)
solve constraints (Banshee + 400 lines of C)
 
Stand-alone residual policy checker
not yet incorporated into browser
 
JavaScript collector
Firefox extension (500 lines of JavaScript)
43
Experimental Setup
44
 
Collect JavaScript for the Alexa top 100 web sites
97/100 have JavaScript
63/97 have holes (third-party code loaded at runtime)
 
Context:
 
all server code
 
Hole:
 
all third-party code
Experimental Setup
 
Information flow analysis on context + hole
 
 
 
 
Compute residual policy, check it on hole
45
80% run in <12 sec
Average: 9.9 sec
Scalability of Full Analysis
46
Average Running Times
47
 
Full Analysis
 
9.9 sec
 
Staged Analysis
 
14.0 sec
 
0.13 sec
Results of Analysis: Full
48
 
Hole satisfies cookie policy?
 
 30   
 32
Results of Analysis: Staged
49
Hole satisfies cookie policy?
 30   
 32
 
Residual checker:
 
26/30 safe
Imprecision:
4 false positives
Future Work
 
Context-sensitivity
 
Dynamically-constructed field names
 
Test more complicated policies
 
Embed residual policy checker in browser
50
Related Work
 
Information flow
type systems
dynamic instrumentation
JavaScript analysis
types [Thiemann 05, Anderson et al. 05]
dynamic policies [Chander et al. 07]
static analysis [Guarnieri/Livshits 09]
Browser security
finer-grained interaction between scripts [Howell et al. 07]
51
Summary
 
JavaScript static analysis is scalable
 
Residual checks are fast enough for client
 
Residual policies precisely capture information flow
52
Thanks!
53
Extra Slides
Information Flow Policies
if (x) { holeVar = 1 };
Confidentiality of x: x should not affect hole variables, either indirectly (as in `if (x) { holeVar = 1 };` above) or directly, as in `holeVar = x;`.
if (holeVar) { x = 1 };
Integrity of x: hole variables should not affect x, either indirectly (as in `if (holeVar) { x = 1 };` above) or directly, as in `x = holeVar;`.
55
Fields
56
Running Times
Full analysis too slow to run on client
Quick to compute residual policy on server
Small run-time overhead to check
running time includes parsing time
parser is not optimized for speed
57
Results of Staged Analysis
Residual policy usually agrees with the full information flow analysis
Imprecision from tainted functions/fields
No false negatives
58
imprecision
soundness

This content discusses the challenges of third-party code affecting sensitive data in JavaScript and proposes a staged approach for securing information flow: the server-side context is analyzed ahead of time against confidentiality and integrity policies, and the result is summarized as a residual policy (variables the loaded code must not read or must not write) that a lightweight client-side checker enforces on third-party code as it arrives. Because the residual policy is syntactically checkable, enforcement is fast enough to run in the browser.




  1. Staged Information Flow for JavaScript Ravi Chugh, Jeff Meister, Ranjit Jhala, Sorin Lerner UC San Diego

  2. wsj.com <textbox id= SearchBox > <button onclick= doSearch(SearchBox.value) > <script type= javascript > searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } z = get( a.com/ad.js ); eval(z); </script> 2

  3. wsj.com <textbox id= SearchBox > <button onclick= doSearch(SearchBox.value) > <script type= javascript > searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } a.com/ad.js displayAd = function() { ... } displayAd(); </script> 3

  4. wsj.com <textbox id= SearchBox > <button onclick= doSearch(SearchBox.value) > <script type= javascript > searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } a.com/ad.js displayAd = function() { ... } displayAd(); searchUrl = evil.com/ ; </script> 4

  5. evil.com Script navigates to malicious page Exploits browser vulnerability 5

  6. The Problem, Part 1 Third-party code may affect sensitive data e.g. writing doc.location e.g. reading doc.cookie Information flow policies e.g. integrity of doc.location e.g. confidentiality of doc.cookie JavaScript difficulties dynamic typing first-class functions objects, but no classes prototypes server code var doc = ...; third-party code doc.location = evil ; steal(doc.cookie); 6

  7. The Problem, Part 2 Entire code not available until runtime server code Arrives in stages var doc = ...; third-party code doc.location = evil ; steal(doc.cookie); 7

  8. Our Staged Approach: Server — context, policy. Information Flow Policies: Confidentiality policy: x should not be read. Integrity policy: x should not be written. 8

  9. Our Staged Approach: Server — context, policy, residual policy. JavaScript Staging Analysis produces the residual policy: No Write (must-not-write vars) and No Read (must-not-read vars). Summarizes how loaded code must behave. Syntactically enforceable for speed. 9

  10. Our Staged Approach: Client Browser context JavaScript Engine residual policy Residual Policy Checker hole 10

  11. wsj.com <textbox id= SearchBox > <button onclick= doSearch(SearchBox.value) > <script type= javascript > document.location searchUrl = wsj.com/search? ; No Write s searchUrl SearchBox.value doSearch = function(s) { var u = searchUrl + s; document.location = u; } No Read doSearch </script> 11

  12. wsj.com <textbox id= SearchBox > <button onclick= doSearch(SearchBox.value) > <script type= javascript > document.location searchUrl = wsj.com/search? ; No Write searchUrl SearchBox.value doSearch = function(s) { var u = searchUrl + s; document.location = u; } No Read doSearch </script> 12

  13. wsj.com <textbox id= SearchBox > <button onclick= doSearch(SearchBox.value) > <script type= javascript > document.location searchUrl = wsj.com/search? ; No Write searchUrl a.com/ad1.js SearchBox.value doSearch = function(s) { var u = searchUrl + s; document.location = u; } No Read displayAd = function() { if (version < 7) { ... } else { ... } } displayAd(); doSearch </script> 13

  14. wsj.com <textbox id= SearchBox > <button onclick= doSearch(SearchBox.value) > <script type= javascript > document.location searchUrl = wsj.com/search? ; No Write searchUrl a.com/ad2.js SearchBox.value doSearch = function(s) { var u = searchUrl + s; document.location = u; } No Read searchUrl = evil.com/ ; doSearch </script> 14

  15. wsj.com <textbox id= SearchBox > <button onclick= doSearch(SearchBox.value) > <script type= javascript > document.location searchUrl = wsj.com/search? ; No Write searchUrl a.com/ad3.js SearchBox.value doSearch = function(s) { var u = searchUrl + s; document.location = u; } No Read doSearch( foo ); doSearch </script> 15

  16. Outline Overview JavaScript Static Analysis Computing Residual Policies Additional Challenges Evaluation 16

  17. Information Flow Graph Analysis tracks information flow in program Flow-insensitive, set constraint-based Graph representation: program constants, variables, edges 0 x special nodes for function declarations and calls Fun 17

  18. searchUrl = wsj.com/search?; doSearch = function(s) { var u = searchUrl + s; document.location = u; } searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); doSearch(SearchBox.value); /* a.com/ad1.js */ displayAd = function() { ... }; displayAd(); 18

  19. wsj.com/search? searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); searchUrl /* a.com/ad1.js */ displayAd = function() { ... }; displayAd(); 19

  20. wsj.com/search? searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); searchUrl /* a.com/ad1.js */ displayAd = function() { ... }; displayAd(); s Fun doSearch 20

  21. wsj.com/search? searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); searchUrl /* a.com/ad1.js */ displayAd = function() { ... }; displayAd(); u s Fun doSearch 21

  22. wsj.com/search? searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); searchUrl /* a.com/ad1.js */ displayAd = function() { ... }; displayAd(); u s Fun doSearch document.location 22

  23. wsj.com/search? searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); searchUrl /* a.com/ad1.js */ displayAd = function() { ... }; displayAd(); u s Fun doSearch SearchBox.value Fun document.location 23

  24. wsj.com/search? searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); searchUrl /* a.com/ad1.js */ displayAd = function() { ... }; displayAd(); u s Fun doSearch SearchBox.value Fun document.location 24

  25. wsj.com/search? searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); searchUrl /* a.com/ad1.js */ displayAd = function() { ... }; displayAd(); u s Fun Fun doSearch displayAd SearchBox.value Fun document.location 25

  26. wsj.com/search? searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); searchUrl /* a.com/ad1.js */ displayAd = function() { ... }; displayAd(); u s Fun Fun doSearch displayAd SearchBox.value Fun Fun document.location 26

  27. wsj.com/search? searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); searchUrl /* a.com/ad1.js */ displayAd = function() { ... }; displayAd(); u s Fun Fun doSearch displayAd SearchBox.value Fun Fun document.location 27

  28. wsj.com/search? searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); doSearch(SearchBox.value); searchUrl /* a.com/ad1.js */ displayAd = function() { ... }; displayAd(); u s Fun Fun doSearch displayAd SearchBox.value Fun Fun document.location 28

  29. wsj.com/search? searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); doSearch(SearchBox.value); searchUrl evil.com/ /* a.com/ad2.js */ searchUrl = evil.com ; u s Fun doSearch SearchBox.value Fun document.location 29

  30. wsj.com/search? searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); doSearch(SearchBox.value); searchUrl evil.com/ /* a.com/ad2.js */ searchUrl = evil.com ; u s Fun doSearch SearchBox.value Fun document.location 30

  31. wsj.com/search? searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); doSearch(SearchBox.value); searchUrl /* a.com/ad3.js */ doSearch( foo ); u s Fun doSearch foo Fun SearchBox.value Fun document.location 31

  32. wsj.com/search? searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); searchUrl /* a.com/ad3.js */ doSearch( foo ); u s Fun doSearch foo Fun SearchBox.value Fun document.location 32

  33. Outline Overview JavaScript Static Analysis Computing Residual Policies Additional Challenges Evaluation 33

  34. wsj.com/search? searchUrl = wsj.com/search? ; doSearch = function(s) { var u = searchUrl + s; document.location = u; } doSearch(SearchBox.value); Add taint to sensitive data and propagate searchUrl searchUrl No Write u u document.location s s Fun Fun searchUrl doSearch doSearch SearchBox.value No Read SearchBox.value SearchBox.value Fun doSearch document.location document.location 34

  35. Residual Policies Difficulties: Aliasing First-class functions Don t want flow analysis in browser Solution: Conservatively taint functions Conservatively taint fields 35

  36. No Write Taint Tainted Functions No Read Taint Transfer taints from parameters to functions Fun Fun No Write to No Read foo foo // hole redefines foo foo = function(t) { // reads t, hence cookie } No Read to No Write foo foo Fun Fun foo(document.cookie); Transfer taints from return values to functions 36

  37. Aliasing and Tainted Fields No Write tmp = document; No Read z = tmp.cookie; document.cookie // reads z tmp.cookie z Residual policy misses future aliasing Conservative approach: if field f is tainted for some object, f tainted for all 37

  38. Outline Overview JavaScript Static Analysis Computing Residual Policies Additional Challenges Evaluation 38

  39. Objects Used pervasively in JavaScript Hence, analysis must be field-sensitive Encode setter and getter for field f using Fldf x = { f:1 }; x.g = 2; Fields can be dynamically added Initially assume no fields Iteratively add constraints until fixpoint 39

  40. Prototypes JavaScript uses prototype-based inheritance Intuitively, each object x has a link to its parent inherits parent s fields x.parent x Ensures each object has fields of its ancestors 40

  41. Indirect Flows if (document.cookie == foo ) { y = 1; } INDIRECT document.cookie y 1 Propagate taints along indirect flow edges But not program values 41

  42. Outline Overview JavaScript Static Analysis Computing Residual Policies Additional Challenges Evaluation 42

  43. Implementation Flow analysis and residual policy generator parse JavaScript (JSure) generate set constraints (6,000 lines of OCaml) solve constraints (Banshee + 400 lines of C) Stand-alone residual policy checker not yet incorporated into browser JavaScript collector Firefox extension (500 lines of JavaScript) 43

  44. Experimental Setup Collect JavaScript for Alexa top 100 web sites server code Context: all server code Hole: all third-party code third-party code 97/100 have JavaScript 63/97 have holes 44

  45. Experimental Setup Information flow analysis on context + hole cookie confidentiality / location integrity Compute residual policy, check it on hole / 45

  46. Scalability of Full Analysis 90 80 70 Running time (seconds) 60 Average: 9.9 sec 50 80% run in <12 sec 40 30 20 10 0 0 5 10 15 Lines of code (thousands) 20 25 30 35 40 45 46

  47. Average Running Times Full Analysis / 9.9 sec Staged Analysis / 14.0 sec 0.13 sec 47

  48. Results of Analysis: Full 30 32 Hole satisfies cookie policy? 30 32 48

  49. Results of Analysis: Staged 30 32 Hole satisfies cookie policy? Residual checker: 26 32 26/30 safe Imprecision: 4 false positives 4 49

  50. Future Work Context-sensitivity Dynamically-constructed field names Test more complicated policies Embed residual policy checker in browser 50
