TRANSCRIPT
Saving the World Wide Web from Vulnerable JavaScript
International Symposium on Software Testing and Analysis (ISSTA 2011)
Omer Tripp, IBM Software
Marco Pistoia, IBM T. J. Watson Research
Julian Dolby, IBM T. J. Watson Research
Stephen Teilhet, IBM Software, [email protected]
Ryan Berg, IBM Software, [email protected]
Salvatore Guarnieri, IBM Software, [email protected]
www.research.ibm.com/labasec
JavaScript is present on many popular Web sites
Consequences of Taint Violations
• Read and write access to saved data in cookies and local data stores
• Read and write access to data in the web page
• Key loggers
• Impersonation
• Phishing via page modifications or redirects
var el1 = document.getElementById("d1");
function foo() {
  var el2 = document.getElementById("d2");      // getting data from the DOM
  function bar() {
    var el3 = new Element();                     // el3 is a fresh object, not read from the page
    var s = encodeURIComponent(el2.innerText);   // sanitizing some, but not all, of the data
    document.write(s);
    el1.innerHTML = el2.innerText;               // writing untrusted data into the web page
    document.location = el3.innerText;
  }
  bar();
}
foo();
function baz(a, b) {
  a.f = document.URL;                            // getting data from the DOM
  document.write(b.f);                           // writing unchecked data to the web page
}
var x = new Object();
baz(x, x);
Outline: Motivation; Sources, Sinks, and Sanitizers; Taint Analysis; Results
Rules
• A rule is a triple <Sources, Sinks, Sanitizers>
• Not all sources are valid for all sinks, and not all sanitizers are valid for all sinks
• Sources
  – Seeds of untrusted data
  – Field gets or returns of function calls
  – Ex: document.URL
• Sinks
  – Security-critical operations
  – Field puts or parameters to function calls
  – Ex: element.innerHTML
• Sanitizers
  – Mark a flow as non-dangerous
  – Function calls
  – Ex: encodeURIComponent(str)
Complexities of JavaScript
• Reflective property access
    var a = "foo" + "bar";
    var b = obj[a];                              // the property name is computed at run time
• Prototype chain property lookup
    function F() { this.bar = document.URL; }    // source stored on the prototype object
    function G() {}
    G.prototype = new F();
    var g = new G();
    write(g.bar);                                // g.bar resolves to F's tainted field; write() stands for a sink
• Lexical scoping
    function foo() {
      var y = 42;
      var bar = function() { write(y); };        // y is captured from the enclosing scope
    }
• Function pointers
    var m = function() ...
    var k = function(f) { f(); };
    k(m);                                        // the callee is a value, not a name
• eval and its relatives
    eval("document.write('evil')");
Demand Driven Taint Analysis
• The seeds are the assignments to sources or return values from sources
• The analysis proceeds by tainting variables
• Variables consist of triplets:
  – Static Single Assignment (SSA) variable ID
  – Method where the SSA variable is defined
  – Access path
  – Ex: (v7, m, <f, g>)
Context Sensitive Taint Analysis
[Figure: call graph with m1(), m2(p1, p2, p3), m3(q1, q2)]
Analysis Example
function foo(p1, p2) {
  p1.f = p2.f;          // taint variable: (v2, foo, <f, *>)
}                       // install taint summary for foo: p2.f -> p1.f
var a = new Object();
var b = new Object();
b.f = window.location.toString();
var c = new Object();
var d = new Object();
d.f = "safe";
foo(a, b);
foo(c, d);
document.write(a.f);    // This is a taint violation
document.write(c.f);    // This is NOT a taint violation: since d.f is not tainted, c.f will not be tainted
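A worked version of this example, added here and not part of the slides or of Actarus: a small JavaScript taint analysis over a hand-written IR of the program above. It tracks taint on access paths ("a.f"), summarizes foo once as p2.f -> p1.f, and instantiates that summary at each call site, so the first document.write is reported as a violation and the second is not. The IR shape, the op names and the label strings are my own assumptions.

```javascript
// Added example (not Actarus code): context-sensitive taint analysis over a constructed IR.
// Taint is a Set of labels per access path ("a.f"); a callee is analyzed once into a summary.
const path = (v, f) => `${v}.${f}`;
const copyOf = s => new Set(s || []);

// Abstractly execute `body` over `state` (access path -> label set); a sink reached with labels is a violation.
function exec(body, state, fns, summaries, violations) {
  for (const s of body) {
    if (s.op === 'source') state.set(path(s.dst, s.f), new Set([s.label]));
    else if (s.op === 'const') state.set(path(s.dst, s.f), new Set());
    else if (s.op === 'copy') state.set(path(s.dst, s.df), copyOf(state.get(path(s.src, s.sf))));
    else if (s.op === 'sink') {
      const labels = copyOf(state.get(path(s.src, s.f)));
      if (labels.size) violations.push({ sink: s.sink, path: path(s.src, s.f), labels: [...labels] });
    } else if (s.op === 'call') {
      // Instantiate the callee summary at this site: formal parameter -> actual argument.
      const actual = p => { const [v, f] = p.split('.'); return path(s.args[fns[s.fn].params.indexOf(v)], f); };
      for (const [from, to] of summaries[s.fn])
        state.set(actual(to), new Set([...copyOf(state.get(actual(to))), ...copyOf(state.get(actual(from)))]));
    }
  }
}

// Summarize a function: seed each parameter field with its own path as label, run the
// body once, and report every path that ends up holding another path's label.
function summarize(fn) {
  const state = new Map();
  const fields = new Set(fn.body.flatMap(s => [s.f, s.sf, s.df].filter(Boolean)));
  for (const p of fn.params) for (const f of fields) state.set(path(p, f), new Set([path(p, f)]));
  exec(fn.body, state, {}, {}, []);
  const flows = [];
  for (const [to, labels] of state) for (const from of labels) if (from !== to) flows.push([from, to]);
  return flows;                                   // for foo: [["p2.f", "p1.f"]]
}

function analyze(prog) {
  const summaries = Object.fromEntries(Object.entries(prog.fns).map(([n, fn]) => [n, summarize(fn)]));
  const violations = []; exec(prog.main, new Map(), prog.fns, summaries, violations);
  return { summaries, violations };
}

// Constructed IR for the slide's program: function foo(p1, p2) { p1.f = p2.f; } plus main.
const program = {
  fns: { foo: { params: ['p1', 'p2'], body: [{ op: 'copy', src: 'p2', sf: 'f', dst: 'p1', df: 'f' }] } },
  main: [
    { op: 'source', dst: 'b', f: 'f', label: 'window.location' }, // b.f = window.location.toString()
    { op: 'const', dst: 'd', f: 'f' },                            // d.f = "safe"
    { op: 'call', fn: 'foo', args: ['a', 'b'] }, { op: 'call', fn: 'foo', args: ['c', 'd'] },
    { op: 'sink', src: 'a', f: 'f', sink: 'document.write' },     // taint violation
    { op: 'sink', src: 'c', f: 'f', sink: 'document.write' },     // not a violation
  ],
};
```

Calling analyze(program) returns the summary for foo and a single violation on a.f labelled window.location; c.f stays clean because d.f was never tainted.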
Data Sets
• Developed a micro-benchmark suite of about 150 test scripts
• Downloaded Web pages and ran Actarus on them
Real World Data Set
• Crawled portions of top Alexa Web sites and downloaded pages to disk
• Ran Actarus on a sample of the saved pages
• Ran on over 12,000 pages
• Successfully analyzed over 9,000 pages
• ~22% failure due to a 4 minute timeout
Findings
• Several vulnerable Web sites were found
• Duplicates of vulnerabilities were found on many pages from the same site
• Some exploits were found in third party code that was shared among several websites
• 40% true positive rate
• Vulnerabilities can be fixed with common sanitization routines
Findings
Site   Unique True Positives   Total True Positives
A      7                       80
B      4                       12
C      4                       91
D      7                       13
E      2                       4
F      1                       200
G      1                       1
H      1                       114
I      3                       7
J      1                       3
K      1                       1
User Friendly Output
• Flows are highlighted and numbered in the source code
• JavaScript was pretty printed to improve readability and usefulness of line numbers
Future Work
• Using string analysis to reduce false positives
• Make analysis modular so library code does not have to be reanalyzed
Thank You
E-mail: [email protected]