client side static analysis
play

CLIENT-SIDE STATIC ANALYSIS Ben Livshits, Microsoft Research - PowerPoint PPT Presentation

Sep 24, 2022 •294 likes •812 views

CLIENT-SIDE STATIC ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Client-side JavaScript Browser Analysis of JavaScript Plugins eval and code Extensions obfuscation Firefox extension model

  1. CLIENT-SIDE STATIC ANALYSIS Ben Livshits, Microsoft Research

  2. Overview of Today’s Lecture 2  Client-side JavaScript  Browser  Analysis of JavaScript  Plugins  eval and code  Extensions obfuscation  Firefox extension model  Need for runtime  Chrome extension enforcement model  Looking forward  Gatekeeper as illustration

  3. Layers of Browser Security 3 JavaScript JavaScript Extension plugin plugin plugin browser OS

  4. App Store: Centralized Software Distribution 4 developer app store Code submission Do checking/verification as part of app approval process

  5. Static Analysis 5 Last time Today  Server-side analysis  Client-side analysis  Benign but buggy  Buggy or potentially code malicious code Analysis soundness really helps

  6. Same Origin Policy Is Not Enough 6  Primary focus: statically enforcing security and reliability policies for JavaScript code  These policies include semantic properties  restricting widget capabilities,  making sure built- in objects are not modified,  preventing code injection attempts,  redirect and cross-site scripting detection,  preventing global namespace pollution,  taint checking,  etc.  Soundly enforcing security policies is hard

  7. Gatekeeper Mostly Static Enforcement of Security & Reliability Policies for JavaScript Code 7

  8. alert(„hi‟); program malicious Catch me if you can don’t want to allow alert box ? can we figure this out statically? 8

  9. alert („hi‟); document.write( “<script>alert(„hi‟);</script>”); var d = document; var w = d.write; w(“<script>alert(„hi‟);”); 9

  10. eval (“do”+”cu”+” ment.write (”+… var e = window.eval; e(“do”+”cu”+” ment.write (”…”); 10

  11. var e = new Function (“ eval ”); e.call( “do”+”cu”+” ment.write (”…”); var e = new Function(unescape (“%65%76%61%6C”)); e.call (“do”+”cu”+” ment.write (”…”); 11

  12. Gatekeeper Static analysis for JavaScript • General technology we developed for JavaScript • Can use for performance optimizations, etc. This paper • Use to enforce security and reliability policies • Analyze Web widgets Focus on whole program analysis. Contrast with: • JavaScript language subsets (do a little of) • JavaScript code rewriting (do a little of) 12

  13. Goal of Gatekeeper: Reason about JavaScript code alert(„hi‟); statically Gatekeeper 13

  14. JavaScript Widgets // register your Gadget's namespace registerNamespace("GadgetGamez"); // define the constructor for your Gadget (this must match the name in the manifest xml) GadgetGamez.gg2manybugs = function(p_elSource, p_args, p_namespace) { // always call initializeBase before anything else! GadgetGamez.gg2manybugs.initializeBase(this, arguments); // setup private member variables var m_this = this; var m_el = p_elSource; var m_module = p_args.module; /**************************************** ** initialize Method ****************************************/ // initialize is always called immediately after your object is instantiated this.initialize = function(p_objScope) { // always call the base object's initialize first! GadgetGamez.gg2manybugs.getBaseMethod(this, "initialize", "Web.Bindings.Base").call(this, p_objScope); var url = "http://www.gadgetgamez.com/live/2manybugs.htm" m_iframe = document.createElement("iframe"); m_iframe.scrolling = "yes"; m_iframe.frameBorder = "0"; m_iframe.src = url; m_iframe.width="95%"; m_iframe.height="250px"; p_elSource.appendChild(m_iframe); }; GadgetGamez.gg2manybugs.registerBaseMethod(this, "initialize"); /**************************************** ** dispose Method ****************************************/ this.dispose = function(p_blnUnload) { //TODO: add your dispose code here 14 // null out all member variables m_this = null;

  15. Sample iGoogle Gadget 15

  16. Widget counts 5,000 4,500 4,000 3,500 3,000 Widgets are 2,500 2,000 everywhere… 1,500 1,000 500 0 Live.com Vista sidebar Google/IG Lines of code 300 We use over 8,500 250 200 widgets to evaluate 150 Gatekeeper 100 50 0 Live.com Vista sidebar Google/IG 16

  17. Gatekeeper: Deployment Step on Widget Host user developer Hosting site: control widgets Widget: by enforcing policies: … alert(‘hi’); - No alert … - No redirects - No document.write 17

  18. Outline • Statically analyzable subset JavaScript SAFE • Points-to analysis for JavaScript • Formulate nine security & reliability policies • Experiments 18

  19. T ECHNIQUES 19

  20. Start with Entire JavaScript… EcmaScript-262 var e = new Function(“ eval ”); e.call( “do”+”cu”+” ment.write (”…”); var e = new Function(unescape (“%65%76%61%6C”)); e.call (“do”+”cu”+” ment.write (”…”); 20

  21. Remove eval & Friends… EcmaScript 262 - eval - setTimeout - setInterval - Function - with - arguments array ----------------------- = JavaScript GK 21

  22. Remove Unresolved Array Accesses… EcmaScript 262 JavaScript GK - innerHTML assignments - non-const array access a[x+y] -------------------------------- = JavaScript SAFE var z = ‘ ev ’ + x + ‘al’; var e = document[z]; eval is back! 22

  23. Now, this is Amenable to Analysis! EcmaScript 262 JavaScript GK – need basic instrumentation to prevent runtime code introduction JavaScript GK JavaScript SAFE s ::= // assignments v1=v2 v = bot return v // calls JavaScript SAFE – can analyze v = new v0(v1,…, vn) v=v0(vthis,v1,…, vn) fully statically without // heap resorting to runtime checks v1=v2.f v1.f=v2 // declarations v=function(v1,…, vn){s} 23

  24. How Many Widgets are in the Subsets? JavaScript SAFE Gatekeeper Safe JavaScript GK 97% 100% 90% 82% 80% 70% Ultimately, can analyze 65% 65% 60% 65-97% of all widgets 50% 39% 40% 30% 23% 20% 10% 0% Live.com Vista sidebar Google/IG 24

  25. Sound analysis: JavaScript SAFE Sound ensures that our Input Sound with JavaScript GK instrumentation program policy checkers find all violations Everything No guarantees else 25

  26. Points-to Analysis in Gatekeeper Points-to analysis • Program – Inclusion-based representation – Field-sensitive – Build call graph on the fly • Tricky issues: – Prototypes – Function closures • Analysis is expressed in Datalog PointsT o(var, heap) 26

  27. Datalog Policy for Preventing document.write 1. DocumentWrite(i) :- 2. PointsTo("global", h1), 3. HeapPointsTo(h1, "document", h2), 4. HeapPointsTo(h2, "write", h3), 5. Calls(i, h3). document.write('<Td><Input Type="Button" document.write ("<" + "script Name="' + i + '" Value=" " Class="blokje" document.write('<iframe id="dynstuff" src="" language='javascript' type='text/javascript' onClick="wijzig(this.form,this)"></Td>'); '+iframeprops+'></iframe>') src='"); 27

  28. E XPERIMENTAL E VALUATION 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
SERVER-SIDE ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Static

SERVER-SIDE ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Static

SERVER-SIDE ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Static analysis for Runtime analysis bug finding Fuzzing Pen testing Tainting Scripting languages Symbolic execution analyzed

646 views • 41 slides
CLIENT-SIDE RUNTIME ANALYSIS AND ENFORCEMENT Ben Livshits, Microsoft Research Overview of

CLIENT-SIDE RUNTIME ANALYSIS AND ENFORCEMENT Ben Livshits, Microsoft Research Overview of

CLIENT-SIDE RUNTIME ANALYSIS AND ENFORCEMENT Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Background (rehash) Better runtimes CSP HTML5 Sandbox Language restrictions AdSafe FBJS Tradeoffs of

998 views • 48 slides
Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

CSE 127: Computer Security Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side web applications (from vulnerable/untrusted components) Modern web sites are complicated Many acting parties on a site

867 views • 62 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 Client-side scripting: An introduction to Javascript Why?

CS/COE 1520 pitt.edu/~ach54/cs1520 Client-side scripting: An introduction to Javascript Why?

CS/COE 1520 pitt.edu/~ach54/cs1520 Client-side scripting: An introduction to Javascript Why? By themselves, HTML and CSS can provide a description of the structure and presentation of a document to the browser A static document

461 views • 18 slides
CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side

CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side

CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side Server Side Web Server Web Browser Web Technologies Content Resources Presentation management Client Side Processing Multimedia The evolution of

1.24k views • 23 slides
Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client Client Side Server Side Web Server Database Web Browser Cookies The big picture key/value pairs data Client Side Server Side HTTP request

783 views • 13 slides
CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser

CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser

CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser after page is sent back from server often this code manipulates the page or responds to user actions What is JavaScript? a lightweight

643 views • 29 slides
Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ? Basic analysis ! Example : Flow analysis ! Increasing precision ! Context -, flow -, and path sensitivity Scaling it up !

527 views • 27 slides
Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

CSE 127: Computer Security Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side web applications (from vulnerable/untrusted components) Modern web sites are complicated Modern web sites are

709 views • 57 slides
DC3158 Summary Summary Client Side Exploitation Attack Chaining. Client Side

DC3158 Summary Summary Client Side Exploitation Attack Chaining. Client Side

DEFCON DC3158 Summary Summary Client Side Exploitation Attack Chaining. Client Side Exploitation Script Based Attack Powershell,Jscript,Vbscript Vbscript:still people use IE, you can call wmic and powershell script to execute.

428 views • 15 slides
A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical problem and how to ignore it An example static analysis What is static analysis used for? Commercial successes Free static analysis tools you should

488 views • 37 slides
Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Interesting Questions Interesting Questions Is every statement reachable? Does every non- void method return a value? Compilation 2007 Compilation 2007 Will local variables definitely be assigned before Static Analysis Static

169 views • 13 slides
Client-Side Direct I/O for NFS Mike Kupfer kupfer@Eng.Sun.COM 28 February 1997 1 Client-Side

Client-Side Direct I/O for NFS Mike Kupfer kupfer@Eng.Sun.COM 28 February 1997 1 Client-Side

Client-Side Direct I/O for NFS Mike Kupfer kupfer@Eng.Sun.COM 28 February 1997 1 Client-Side Direct I/O for NFS Connectathon 1997 Disclaimer This is not a product announcement. 2 Client-Side Direct I/O for NFS Connectathon 1997

311 views • 16 slides
CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application Popular attacks Cross-site

266 views • 15 slides
CS314 Software Engineering Responsive Clients Dave Matthews Solution Technology Client

CS314 Software Engineering Responsive Clients Dave Matthews Solution Technology Client

9/12/18 CS314 Software Engineering Responsive Clients Dave Matthews Solution Technology Client Protocol Server ReactJS HTTP Java Spark Bootstrap JSON Gson ReactStrap TFFI JavaScript HTML CSS 1

162 views • 4 slides
Thoughts on Software Quality Is it just a cultural thing? Are we doomed? Bertrand Delacrtaz

Thoughts on Software Quality Is it just a cultural thing? Are we doomed? Bertrand Delacrtaz

Thoughts on Software Quality Is it just a cultural thing? Are we doomed? Bertrand Delacrtaz @bdelacretaz, grep.codeconsult.ch Principal Scientist, CQ/AEM R&amp;D group, Adobe Basel Apache Software Foundation Member and Director

359 views • 33 slides
JAVASCRIPT IS COMING TO EAT YOU Citizen Tim Electric Citizen | June 2019 JAVASCRIPT IS COMING

JAVASCRIPT IS COMING TO EAT YOU Citizen Tim Electric Citizen | June 2019 JAVASCRIPT IS COMING

JAVASCRIPT IS COMING TO EAT YOU Citizen Tim Electric Citizen | June 2019 JAVASCRIPT IS COMING TO EAT YOU Citizen Tim Electric Citizen | June 2019 HOW WHO How do I start? Does this affect me? WHEN WHAT Now? What is it?? WHERE WHY W51H

754 views • 52 slides
From JSCert to JSExplain and Beyond Alan Schmitt, with Arthur Charguraud (Inria Nancy) and

From JSCert to JSExplain and Beyond Alan Schmitt, with Arthur Charguraud (Inria Nancy) and

From JSCert to JSExplain and Beyond Alan Schmitt, with Arthur Charguraud (Inria Nancy) and Thomas Wood (Imperial College) March 19, 2018 From JSCert What is JSCert? Two JavaScript semantics in Coq descriptive given a program and a result,

602 views • 19 slides
Get the (Spider)monkey off your back Exploiting Firefox through the Javascript engine by eboda

Get the (Spider)monkey off your back Exploiting Firefox through the Javascript engine by eboda

Get the (Spider)monkey off your back Exploiting Firefox through the Javascript engine by eboda and bkth from phoenhex Who are we? Security enthusiasts who dabble in vulnerability research on their free time as part of phoenhex. Member of CTF

1.02k views • 56 slides
Well-typed programs cant be blamed Philip Wadler University of Edinburgh Robert Bruce Findler

Well-typed programs cant be blamed Philip Wadler University of Edinburgh Robert Bruce Findler

Well-typed programs cant be blamed Philip Wadler University of Edinburgh Robert Bruce Findler University of Chicago The mathematics of programming languages is deep and elegant examples other than Curry-Howard? terms other than

731 views • 38 slides
R2RML-F: Towards Sharing and Executing Domain Logic in R2RML Mappings Christophe Debruyne and

R2RML-F: Towards Sharing and Executing Domain Logic in R2RML Mappings Christophe Debruyne and

R2RML-F: Towards Sharing and Executing Domain Logic in R2RML Mappings Christophe Debruyne and Declan OSullivan ADAPT Centre (http://www.adaptcentre.ie/) Trinity College Dublin (http://www.tcd.ie/) 2016-04-12 @ Linked Data on the Web

532 views • 15 slides
State of JS Implementations, 2014 Edition webengineshackfest.org Andy Wingo Agenda History

State of JS Implementations, 2014 Edition webengineshackfest.org Andy Wingo Agenda History

State of JS Implementations, 2014 Edition webengineshackfest.org Andy Wingo Agenda History New things A brief history of JS 1996-2008: slow 2014: fastish A brief history of JS 1996-2008: slow 2014: fastish Environmental forcing

782 views • 22 slides

More recommend