Virtual Values for Taint and Information Flow Analysis, Thomas H. Austin

Transcript

1. Virtual Values for Taint and Information Flow Analysis Prakasam Kannan

   Thomas H. Austin Mark Stamp Tim Disney Cormac Flanagan

2. Web Security in the News

3. Securing JavaScript • The primary client-side language • Popular server-side language – Node.js,

   Nashorn, IronJS, Rhino • Goal: systemic defense against data leaks/data corruption

4. Good news, everyone! We can secure web applications with information

   flow analysis. We'll need to make extensive changes to the web browser… … and there will be some performance overhead...

5. The browser is already too complex! Yuh ain't slowin' down

   my browser! You'll break the web!

6. How can we best integrate our controls? •  Can't slow

   down JS engines •  Don't break the web – let developers opt in? • Support different JavaScript engines

7. JavaScript proxies (Van Cutsem & Miller 2010) • Intercession API • Part

   of ECMAScript 6 • Behavior of proxy object determined by handler – handler: specifies traps that define the proxy's behavior

8. Proxy traps (partial list) •  get(targ, prop, rcvr) •  set(targ,

   prop, val, rcvr) •  has(targ, prop) •  deleteProperty(targ, prop) •  apply(targ, self, args) •  construct(targ, args, newTarg) Overrides behavior for operations on objects & functions

9. Proxy example: tracing API function trace(o) { return new Proxy(o,

   { get: function(targ, prop) { console.log("Getting " + prop); return targ[prop]; }, set: function(targ, prop, newVal) { console.log("Setting " + prop + " to " + newVal); targ[prop] = newVal; return true; } }); }

10. var o = trace({}); o.hello = "world"; var s =

    "Goodbye cruel " + o.hello; Output: Setting hello to world Getting hello

11. But… primitive values var i = trace(42); var x =

    i++; TypeError: Cannot create proxy with a non-object as target or handler

12. Virtual Values (Austin et al., OOPSLA 2011) •  Extends proxies

    for primitive values •  Additional hooks for values: – unary(target, op, operand) – left(target, op, right) – right(target, op, left) – test(cond, branchExit) – assign(left, right, asgnThunk)

13. Virtual Values (Austin et al., OOPSLA 2011) •  Extends proxies

    for primitive values •  Additional hooks for values: – unary(target, op, operand) – left(target, op, right) – right(target, op, left) – test(cond, branchExit) – assign(left, right, asgnThunk) New traps needed for information flow

14. Strategy • Use Sweet.js (v. 0.7.8) macros to rewrite code – hygienic

    – supports rewriting of operators • Revised code includes hooks for virtual values

15. Helper functions •  Proxy(value, handler, key) – wraps JS Proxy function

    – key lets proxies recognize themselves •  unproxy(value, key) – returns handler for value – unproxyMap stores handlers •  isVProxy(value) – tests whether value is a virtual value

16. harness code: binary function function binary(operator, left, right) { if

    (isVProxy(left)) { var t = unproxyMap.get(left).target; return unproxyMap.get(left).handler .left(t, operator, right); } else if (isVProxy(right)) { var t = unproxyMap.get(right).target; return unproxyMap.get(right).handler .right(t, operator, left); } else if (operator === "*") { return left * right; } // Other operators elided… } Unary operators handled similarly

17. Taint Analysis: Protecting against dirty data

18. Taint analysis •  Taint analysis focuses on integrity: – does "dirty"

    data corrupt trusted data? •  Integrated into Perl and Ruby •  Handles explicit flows only – direct assignment – passing parameters

19. Taint analysis API • taint(value) – marks a value as "dirty" • isTainted(value)

    • endorse(taintedVal) – removes the taint from a value

20. Taint analysis example var username = taint( "Robert'); DROP TABLE

    Students;--"); var query = "select * from Students " + "where username = '" + username + "'"); if (isTainted (query)) throw new Error("Tainted query");

21. taint function function taint(originalValue) { if (isTainted(originalValue)) return originalValue; var

    p = new Proxy(originalValue, taintingHandler, taintingKey); return p; }

22. taint function function taint(originalValue) { if (isTainted(originalValue)) return originalValue; var

    p = new Proxy(originalValue, taintingHandler, taintingKey); return p; } Used to identify tainted values.

23. Handler for tainting { originalValue: originalValue, unary: function (target, op,

    operand) { return taint(unaryOps[op](target)); }, left: function (target, op, right) { return taint(binaryOps[op](target,right)); }, right: function (target, op, left) { return taint(binaryOps[op](left, target)); } }

24. Handler for tainting { originalValue: originalValue, unary: function (target, op,

    operand) { return taint(unaryOps[op](target)); }, left: function (target, op, right) { return taint(binaryOps[op](target,right)); }, right: function (target, op, left) { return taint(binaryOps[op](left, target)); } } Array of functions performing unary operations Array of functions performing binary operations

25. isTainted function function isTainted (x) { if (unproxy(x, taintingKey)) {

    return true; } return false; }

26. endorse function function endorse (value) { if (isTainted(value)) { var

    hndl = unproxy(value, taintingKey); return hndl.originalValue; } return value; }

27. Information Flow Analysis

28. Information Flow Analysis •  Related to taint analysis •  Focuses

    on confidentiality: – does secret data leak to public channels? •  Assumes attacker controls some code •  Must consider implicit flows – can the attacker deduce secrets?

29. Implicit flow var x = secret(true); var y = false;

    if (x) y = true; console.log("x = " + y); Implicit flow from x to y

30. Additional hooks used for information flow •  unary(target, op, operand)

    •  left(target, op, right) •  right(target, op, left) •  test(cond, branchExit) •  assign(left, right, assignThunk)

31. harness code: test function function test(cond, branchExit){ if (isVProxy(cond)){ return

    unproxyMap.get(cond) .handler.test(cond, branchExit); } return cond; }

32. Sweet.js macro for if statements macro if { rule {($cond

    ...) { $body ...}} => { function exit() {} // default no-op if (vvalues.test($cond..., cb => exit = cb)){ $body ... exit(); } } }

33. harness code: assign function function assign(left, right, assignThunk) { if

    (isVProxy(left)) { return unproxyMap.get(left).handler .assign(left, right, assignThunk); } else if (isVProxy(right)) { return unproxyMap.get(right).handler .assign(left, right, assignThunk); } else { return assignThunk (); } }

34. Information Flow analysis API •  Similar to taint analysis – unary

    / left / right traps – secret / isSecret functions •  test trap tracks implicit flows •  assign trap crashes on unsafe updates – no-sensitive-upgrade strategy – Zdancewic 2002

35. test trap tracks implicit flows test: function(cond, branchExit) { if

    (cond) { pcStack.push(cond); branchExit(() => { pcStack.pop(); }) } return cond; }

36. test trap tracks implicit flows test: function(cond, branchExit) { if

    (cond) { pcStack.push(cond); branchExit(() => { pcStack.pop(); }) } return cond; } Array of conditions marked by secret

37. assign trap crashes to stop implicit flows assign: function(left, right,

    assignThunk) { if (!isSecret(left) && pcStack.length > 0) { throw new Error("Implicit leak"); } assignThunk(); } and execution depends on secret data … If the lhs is a public variable … then crash the program.

38. Lies, Damned Lies, and Benchmarks

39. Overhead of Virtual Values Base Virtual Values Slowdown Safari 83.1

    ms 588.1 ms 7.1x Chrome 130.4 ms 544.3 ms 4.2x Firefox 142.3 ms 751.6 ms 5.3x •  SunSpider benchmark suite, v 1.02 •  no-op virtual values

40. Final thoughts •  Virtual values + Sweet.js can introduce advanced

    security controls •  Future plans – More use cases for test and assign? – integrate with new version of Sweet.js – more advanced controls