Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Static Taint Analysis for JavaScript Programs

5206c19df417b8876825b5561344c1a0?s=47 Exactpro
PRO
November 07, 2019

Static Taint Analysis for JavaScript Programs

Nabil Almashfi and Lunjin Lu

International Conference on Software Testing, Machine Learning and Complex Process Analysis (TMPA-2019)
7-9 November 2019, Tbilisi

Video: https://youtu.be/bouTxh76yeU

TMPA Conference website https://tmpaconf.org/
TMPA Conference on Facebook https://www.facebook.com/groups/tmpaconf/

5206c19df417b8876825b5561344c1a0?s=128

Exactpro
PRO

November 07, 2019
Tweet

Transcript

  1. Static Taint Analysis for JavaScript Programs / 25 1 Static

    Taint Analysis for JavaScript Programs Nabil Almashfi & Lunjin Lu
  2. Static Taint Analysis for JavaScript Programs / 25 Outline ▪

    Background ▪ Related Work ▪ Motivation ▪ Approach ▪ Evaluation ▪ Conclusion 2
  3. Static Taint Analysis for JavaScript Programs / 25 Background -

    JavaScript ▪ JavaScript is primarily a web scripting language. ▪ JavaScript code is written into an HTML page and it gets executed on the client-side. ▪ JavaScript is dynamic and prototype-based. ▪ Object properties can be added and deleted on the fly. 3
  4. Static Taint Analysis for JavaScript Programs / 25 Background -

    JavaScript Security ▪ Web applications moving towards client-side functionality and storage. ▪ Exploitable JavaScript code exposes the user and the system to significant damage. ▪ DOM-based Cross-site Scripting (XSS) is one of top JavaScript vulnerabilities . ▪ DOM-based XSS purely occurs on the client-side. 4
  5. Static Taint Analysis for JavaScript Programs / 25 DOM-based Cross-site

    Scripting (XSS) <html> <head> <title>DOM−based XSS!</title> </head> <body> <script> document.write(document.URL); </script> </body> </html> 5 Attack: www.site.com/page.html?default=<script>alert(document.cookie)</script> ▪ Cause serious damage such as stealing user information or simply break the application display of data.
  6. Static Taint Analysis for JavaScript Programs / 25 Related Work

    - ACTARUS ▪ ACTARUS is a static taint analysis for JavaScript [1]. ▪ Build a static representation of the program which consists of a call graph. ▪ Traverse the call graph to find sources, sinks and sanitizers in the code and partition them into rules. ▪ These flows are potential security issues 6
  7. Static Taint Analysis for JavaScript Programs / 25 Related Work

    - Gatekeeper ▪ A mostly static approach to enforce security and reliability policies in JavaScript programs. ▪ The policies are expressed in the form of succinct declarative Datalog queries. ▪ Programs are represented as a database of Datalog rules against which GateKeeper policies are checked. ▪ The policies include preventing code injection attempts, and cross-site scripting detection. ▪ Employs points-to analysis for program understanding, and use the analysis to detect 7
  8. Static Taint Analysis for JavaScript Programs / 25 Related Work

    - Blended Taint Analysis ▪ Combines static and dynamic analysis approach [3]. ▪ In the Dynamic Phase, some information that is not statically known are collected. ▪ In the Static Phase, a static taint analysis is run on the program. ▪ Solutions from both phases are combined into a single solution. 8
  9. Static Taint Analysis for JavaScript Programs / 25 Related Work

    - Summary ▪ None of previous works differentiate between different rendering HTML contexts. ▪ They all use a constant propagation domain to track strings. ▪ Some of them combine dynamic analysis with static analysis whereas our word is purely based on static analysis. 9
  10. Static Taint Analysis for JavaScript Programs / 25 Rendering Contexts

    ▪ Common contexts in a Web page: - JavaScript Context (JSC) - HTML Element Context (HEC) - HTML Attribute Context (HAC) - HTML Event-handler Attribute Context (HHC) - HTML URL Attribute Context (HUC) - CSS attribute Context (HCC) 10 <script>JSC</script> <div id=“HAC” style=“HCC” onclick=“HHC”>HEC</div> <a id=“a1” href=“HUC”>Click Here</a>
  11. Static Taint Analysis for JavaScript Programs / 25 Rendering Contexts

    ▪ Each context requires following specific encoding rules, defined by owasp [4]. ▪ Three encoding mechanisms: - JavaScript encoding (JE) - HTML encoding (HE) - URL encoding (UE) ▪ Primary recommendation is to avoid putting user input in JSC and HHC contexts. 11
  12. Static Taint Analysis for JavaScript Programs / 25 Motivation ▪

    The function encodeURI() does not encode the single quotation mark. 12 <html><head><title>DOM−based XSS!</title> </head> <body><div id=”d1”></div><div id=”d2”></div> <script> document.write(”<a id=’ ” + encodeURI(DATA) + ” ’>Click Here</a>”); var d2 = document.getElementById(”d2”); d2.innerHTML = encodeForJS(encodeForHTML(DATA)); </script> Attack: 9’ href=’http://www.google.com
  13. Static Taint Analysis for JavaScript Programs / 25 Background: TAJS

    ▪ TAJS is a context-sensitive analyzer for JavaScript that supports the ECMAScript language and parts of the DOM and infers type information. ▪ Construct flow graphs to represent JavaScript program code and performs data flow analysis. ▪ The analysis is based on the monotone framework using a lattice structure. ▪ The lattice is based on constant propagation for all the primitive types of JavaScript values. 13
  14. Static Taint Analysis for JavaScript Programs / 25 Approach: Taint

    Analysis ▪ TAJS taint defines a set of rules, each rule is of the form (S 1 , S 2 , S 3 ) ▪ S 1 ∈ Sources, S 2 ∈ ℘(Sanitizers), and S 3 ∈ Sinks. ▪ Sources are either functions or object properties that can be controlled by the attacker. ▪ Sinks are functions or object properties where data can be executed ▪ Sanitizers are functions that transform data as 14
  15. Static Taint Analysis for JavaScript Programs / 25 Abstract Domain

    for Taint ▪ Example: The following is an example of the way rules are defined in TAJS taint . ▪ S 1 = { document.URL, location.href } ▪ S 2 = { {encodeForJS(), encodeForHTML()} } ▪ S 3 ={ document.write() } 15
  16. Static Taint Analysis for JavaScript Programs / 25 Abstract Domain

    for Taint ▪ Abstract domain to determine the kinds of encodings a tainted value has gone through. ▪ T = {HTML-encoded, JavaScript-encoded, URL-encoded}. ▪ The abstract domain for taint analysis is ℘(T) ordered by ⊇. 16
  17. Static Taint Analysis for JavaScript Programs / 25 Abstract Domain

    for Taint T = { HTML-encoded, JavaScript-encoded, URL-encoded } Let String be the set of all possible strings. γ T (HTML-encodeed) = { HE(s) | s ∈ String } γ T (JavaScript-encoded) = { JE(s) | s ∈ String } γ T (URL-encoded) = { UE(s) | s ∈ String } γ : ℘(T) → ℘(String) is defined as: γ(X) = ∩ { γ T (t) | t ∈ X } α : ℘(String) → ℘(T) is defined as: α(S) = { t | t ∈ T ∧ S ⊆ γ (t) } 17
  18. Static Taint Analysis for JavaScript Programs / 25 String Abstract

    Domain (1) ▪ TAJS taint associates every string variable with a deterministic finite automaton (DFA) ▪ TAJS uses a constant propagation domain to track strings. ▪ DFA is more precise when dealing with dynamic property access. 18
  19. Static Taint Analysis for JavaScript Programs / 25 String Abstract

    Domain (2) ▪ In TAJS, (p) points to all properties of object (obj). ▪ In TAJS taint , (p) is represented by gn1. 19 function lookup (obj, str, p) { while (p.length < N) p = str + p ; return obj[p]; } lookup(obj, ”g”, ”1”);
  20. Static Taint Analysis for JavaScript Programs / 25 ▪ Benchmarks

    are real Web sites chosen from Alexa [5]. ▪ Most true positives caused by using the function encodeURI() in the wrong context. Evaluation 20
  21. Static Taint Analysis for JavaScript Programs / 25 Evaluation -

    Execution time 21
  22. Static Taint Analysis for JavaScript Programs / 25 Conclusion ▪

    We introduced a new approach to analyze JavaScript programs for the detection of DOM-based XSS vulnerability. ▪ The approach is based on identifying various rendering contexts and ensuring the data has been properly sanitized for each context. ▪ TAJS taint uses DFAs as a more precise string domain. ▪ Results show TAJS taint detects DOM-based XSS vulnerability more precisely. 22
  23. Static Taint Analysis for JavaScript Programs / 25 Thank you!

    23