JavaScript Information Flow Analysis
Description: Shiyi Wei, CS6204 term project. Overview: project motivation; literature review (paper organization, selected papers, observations); framework overview; analysis components; on-going work & conclusion. Transcript of the PowerPoint presentation follows.
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
JavaScript Information Flow Analysis
Shiyi Wei, CS6204 term project
Overview
• Project motivation
• Literature review
  – Paper organization
  – Selected papers
  – Observations
• Framework overview
• Analysis components
• On-going work & conclusion
Project Motivation
Jif: Java information flow
• Type-based approach
  – Language extension
  – Imprecise
• Java programming language
  – Static typing
  – Class hierarchy
Project Motivation (continued)
Information flow analysis for JavaScript
Does the type-based approach work for JavaScript?
• Dynamic typing
Challenges
• Dynamic language features
  – Prototyping
  – Dynamic code generation
  – Variadic functions
  – Fields
• Benchmark
Literature Review: Paper categories
• Information flow analysis for C, C++, and Java
• Analyzing dynamic languages
  – Performance
  – Correctness
• Security analysis of JavaScript
  – Static analysis
  – Dynamic analysis
Literature Review: GATEKEEPER [1]
(figure: a JavaScript widget is checked against two language subsets, JavaScript_SAFE, enforced statically, and JavaScript_GK, enforced dynamically)
References
[1] S. Guarnieri and B. Livshits. GATEKEEPER: mostly static enforcement of security and reliability policies for JavaScript code. In Proceedings of the 18th USENIX Security Symposium, 2009, pp. 151-168.
Literature Review: Staged information flow for JavaScript [2]
Integrity policy
• The code loaded at any eval site must not flow into the value of document.location
Confidentiality policy
• The value of document.cookie must not flow into any variable within the code loaded at any eval site
Staged information flow
• Stage 1: Compute policy
• Stage 2: Check policy
References
[2] R. Chugh, J. A. Meister, R. Jhala, and S. Lerner. Staged information flow for JavaScript. In Proceedings of the 2009 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), 2009.
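The two eval-site policies above can be made concrete with a small label-based flow monitor. The following is an added example written for this transcript, not code from the slides or from the staged-information-flow paper [2]: every value carries a set of source labels, string concatenation takes the union of its parts' labels, the eval site rejects code that carries the cookie label (confidentiality), and the assignment to document.location rejects values produced by eval'd code (integrity). The names Labeled, concat, checkedEval, setLocation and runScenarios are this example's own, and fakeDocument is a constructed stand-in for the browser's document object so the code runs outside a browser.

```javascript
// Added example, not code from the slides or from the staged-information-flow
// paper [2]: a small label-based flow monitor for the two eval-site policies.
// Labeled, concat, checkedEval, setLocation, runScenarios and fakeDocument are
// this example's own names; fakeDocument stands in for the browser document.

// A value carrying a set of labels that record where it came from.
class Labeled {
  constructor(value, labels = []) {
    this.value = value;
    this.labels = new Set(labels);
  }
}

// Constructed stand-in for the browser document: cookie is a confidential
// source, location is the integrity sink the policy protects.
const fakeDocument = {
  cookie: new Labeled('sid=constructed-session-id', ['cookie']),
  location: 'https://example.invalid/start',
};

// String concatenation that propagates labels (union of the parts' labels).
function concat(...parts) {
  const out = new Labeled('');
  for (const p of parts) {
    if (p instanceof Labeled) {
      out.value += String(p.value);
      for (const l of p.labels) out.labels.add(l);
    } else {
      out.value += String(p);
    }
  }
  return out;
}

// Eval site. Confidentiality policy: document.cookie must not flow into the
// code loaded here, so a 'cookie' label on the code string is a violation.
// Loaded code runs through Function (same effect as eval for an expression,
// without touching the caller's scope) and its result carries the 'eval'
// label so later sinks can recognise it.
function checkedEval(code, violations) {
  const labeled = code instanceof Labeled ? code : new Labeled(String(code));
  if (labeled.labels.has('cookie')) {
    violations.push('confidentiality: document.cookie flows into an eval site');
    return null;
  }
  const result = new Function(`return (${labeled.value});`)();
  return new Labeled(result, ['eval']);
}

// Integrity policy: code loaded at an eval site must not flow into
// document.location, so an 'eval' label on the assigned value is a violation.
function setLocation(doc, value, violations) {
  if (value instanceof Labeled && value.labels.has('eval')) {
    violations.push('integrity: eval-loaded code flows into document.location');
    return false;
  }
  doc.location = value instanceof Labeled ? value.value : value;
  return true;
}

// Four constructed scenarios: two compliant, one violation of each policy.
function runScenarios() {
  const doc = { ...fakeDocument };
  const violations = [];
  // 1. Unlabeled arithmetic at the eval site: allowed.
  const sum = checkedEval('1 + 2', violations);
  // 2. Cookie value concatenated into eval'd code: confidentiality violation.
  checkedEval(concat("var s = '", doc.cookie, "';"), violations);
  // 3. Eval-produced value assigned to location: integrity violation.
  const evalUrl = checkedEval("'https://example.invalid/evaluated'", violations);
  setLocation(doc, evalUrl, violations);
  // 4. Plain string assigned to location: allowed.
  setLocation(doc, 'https://example.invalid/next', violations);
  return { sum: sum.value, violations, location: doc.location };
}
```

The monitor is the dynamic half of what the paper's stage 2 checks; it is deliberately coarse (a single label per source, no implicit flows through control dependence), which is enough to show where each policy is enforced but not a substitute for the paper's analysis.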
Literature Review: JavaScript taint analysis [3]
• Prototypes
• Object creations
• Reflective property accesses
• Lexical scoping
References
[3] S. Guarnieri, M. Pistoia, O. Tripp, J. Dolby, S. Teilhet, and R. Berg. Saving the world wide web from vulnerable JavaScript. In Proceedings of the 2011 International Symposium on Software Testing and Analysis (ISSTA), 2011.
Literature Review: Observations
The surveyed analyses handle only a limited set of language features
• Prototype [2, 4]
• Property deletion
• eval
Experimental design
• The JavaScript benchmarks used are not representative [5]
References
[4] A. Guha, S. Krishnamurthi, and T. Jim. Using static analysis for Ajax intrusion detection. In International Conference on World Wide Web (WWW), 2009.
[5] G. Richards, S. Lebresne, B. Burg, and J. Vitek. An analysis of the dynamic behavior of JavaScript programs. In Proceedings of the 2010 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), 2010.
Framework Overview
(figure: website source feeds both an instrumented WebKit, which produces a call graph plus the dynamically generated code, and the static analysis infrastructure, which imports that dynamic information)
Analysis Components: Instrumented WebKit
TracingSafari [5]
Instrumented code
• Function calls
  – Method signature
  – Arguments
• Object creation sites
• Dynamically generated code
  – eval
  – document.write
  – etc.
Analysis Components: Static Infrastructure
WALA
• IBM T.J. Watson Libraries for Analysis
Extract JavaScript code
• From web site source
Import dynamic information
• Dynamic call graph
• Dynamically generated code
Analysis Components: Static Infrastructure (continued)
Handle JavaScript language features
• Variadic functions
  – Method definitions + arguments
  – Pruning with arguments.length
  – Seen on twitter.com, amazon.com, msn.com, …
• Dynamic code generation

  function F(a, b)
  {
    if (arguments.length === 1)
    { /* one-argument case */ }
    else if (arguments.length === 2)
    { /* two-argument case */ }
    else if (arguments.length >= 3)
    { /* three-or-more-argument case */ }
  }
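The pruning step on this slide and the trace records described on the instrumented-WebKit slide fit together as one blended check: the static side knows the arguments.length guards of a variadic function such as F, the dynamic side knows which argument counts were actually observed at its call sites, and a branch is kept only if some observed arity reaches it. The following is an added example written for this transcript, not the project's code: traceRecords is a constructed sample trace in the shape the instrumentation slide lists (callee plus the arguments of each call), and parseArityGuard, observedArities, pruneArityBranches and analyzeF are this example's own names. It also handles the shadowing case the slide's F does not show, where an earlier guard (say arguments.length >= 1) accepts every arity a later guard would match.

```javascript
// Added example, not the project's code: blended pruning of arity-dispatched
// branches, combining the static guards of a variadic function such as F with
// argument counts recorded by an instrumented browser. traceRecords is a
// constructed sample trace; parseArityGuard, observedArities,
// pruneArityBranches and analyzeF are this example's own names.

// Constructed trace records in the shape the instrumentation slide lists
// (callee signature plus the arguments of each call); not a real capture.
const traceRecords = [
  { callee: 'F', args: ['x'] },
  { callee: 'F', args: ['x', 'y'] },
  { callee: 'G', args: [] },
  { callee: 'F', args: ['z'] },
];

// The guards of F, in source order.
const fGuards = [
  'arguments.length === 1',
  'arguments.length === 2',
  'arguments.length >= 3',
];

// Turn a guard of the form `arguments.length <op> <n>` into a predicate on the
// argument count. Other guard shapes are rejected rather than guessed at.
function parseArityGuard(text) {
  const m = /^arguments\.length\s*(===|==|!==|!=|>=|<=|>|<)\s*(\d+)$/.exec(text.trim());
  if (!m) throw new Error(`unsupported guard: ${text}`);
  const n = Number(m[2]);
  const ops = {
    '===': a => a === n, '==': a => a === n,
    '!==': a => a !== n, '!=': a => a !== n,
    '>=': a => a >= n, '<=': a => a <= n,
    '>': a => a > n, '<': a => a < n,
  };
  return ops[m[1]];
}

// Distinct argument counts observed for one callee in the trace.
function observedArities(records, callee) {
  const arities = new Set();
  for (const r of records) if (r.callee === callee) arities.add(r.args.length);
  return arities;
}

// Walk the if / else-if chain as the engine would: for each observed arity the
// first guard that holds takes the call, so a later branch is reachable only
// for arities that no earlier guard accepted.
function pruneArityBranches(guards, arities) {
  const preds = guards.map(parseArityGuard);
  const branches = guards.map(g => ({ guard: g, reachable: false, arities: [] }));
  for (const argc of [...arities].sort((a, b) => a - b)) {
    const i = preds.findIndex(p => p(argc));
    if (i >= 0) {
      branches[i].reachable = true;
      branches[i].arities.push(argc);
    }
  }
  return branches;
}

// Apply the check to F using the constructed trace.
function analyzeF() {
  return pruneArityBranches(fGuards, observedArities(traceRecords, 'F'));
}
```

With the constructed trace, the one- and two-argument branches of F are reachable and the third is not. A branch pruned this way is unobserved rather than dead: the result is sound only with respect to the recorded executions, which is the trade-off of the blended approach named in the conclusion, so a static analysis that consumes it should record the trace it relied on.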
On-going Work & Conclusion
On-going work
• Information flow algorithm
• Benchmark
• Handle other language features
  – Prototyping, etc.
Conclusion
• Literature review: JavaScript information flow is hard
  – Dynamic language features
• Blended approach
  – Works on unsolved issues