JSProxy: Safety from JavascriptBenjamin Prosnitz,Tang Yi,Yinzhi Cao

Motivation

•Most web attacks today are performed through JavaScript▫Vulnerabilities in the execution engine▫Invocations of vulnerable plug-in code

Goals

•Run Javascript code remotely in a way that▫Does not require client modification▫Is high performance▫Maintains original functionality

•Test whether the JavaScript code performs an attack

•Filter code when it can be done safely

Fu

ture

Running Javascript Remotely

•Modify pages viewed by client▫Replace original scripts with remote calls

(AJAX)•Repeat the user’s actions on the server•Send changes made by scripts that should

be visible to the user back to client

Diagram of System

Web Serve

r

Proxy

Proxy Interfac

e

Modification Engine

Session Manager

Interface

Javascript ExecutionEngine

(modified browser)

User

Timeline of Events

t

Client

Proxy

Server

Requestfor page

Original Page

Modified Page

Button Pressed

remote_call()

Inject buttonpress

Changesto page

Changesto page(it is reallyasynchronous)

DEMO: Page Modification

•Uses Mozilla Gecko engine•Searches for javascript and replaces it

with calls (which will eventually be remote calls)

•Suggest a URL to download and modify!

Performance of Page Modification

CDF of Processing Time

Performance of Page ModificationStrong correlation between Page Size and Processing Time

Performance of Page Modification

Processing Time is not clearly correlated with Number of Scripts

Interface and Session Management•Client-server interface using

Javascript/AJAX and FastCGI/C++ (not being demoed today)

•Session manager which▫Identifies sessions that are alive and dead▫Redirects calls to the correct browser

session▫Closes browser sessions which have ended

DEMO: Executing Javascript on Proxy•Browser on Proxy is Webkit-based•Remote execution of Javascript code

would occur when user performs an action

DEMO: User-Visible Change Detection•Also based on Webkit•Can detect approximately 8 different

changes now▫.innerHTML changes▫alert()▫print()▫close()▫…

Where is state (cookies,etc.) kept?•On both client and proxy

▫Proxy needs it to have javascript (esp. AJAX) work as expected

▫Client needs it to submit forms, display the data, etc.

Future Work: Remote Execution•Create session manager•Finalize interface•Detect and fix cases that it doesn’t work

with

Future Work: The Filter

•Acquire or implement a virtual-machine based vulnerability detector

•Determine how to safely identify which pages to run remotely

•Implement a mechanism to transparently switch between remote and local page execution

Conclusion

•Work on our system is in progress and will continue next quarter

•Key components of the remote execution system are currently functional and work well

•The remainder of the remote execution system can likely be finished soon

Q&A?