client side static analysis
play

CLIENT-SIDE STATIC ANALYSIS Ben Livshits, Microsoft Research - PowerPoint PPT Presentation

Sep 24, 2022 •294 likes •812 views

CLIENT-SIDE STATIC ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Client-side JavaScript Browser Analysis of JavaScript Plugins eval and code Extensions obfuscation Firefox extension model

  1. CLIENT-SIDE STATIC ANALYSIS Ben Livshits, Microsoft Research

  2. Overview of Today’s Lecture 2  Client-side JavaScript  Browser  Analysis of JavaScript  Plugins  eval and code  Extensions obfuscation  Firefox extension model  Need for runtime  Chrome extension enforcement model  Looking forward  Gatekeeper as illustration

  3. Layers of Browser Security 3 JavaScript JavaScript Extension plugin plugin plugin browser OS

  4. App Store: Centralized Software Distribution 4 developer app store Code submission Do checking/verification as part of app approval process

  5. Static Analysis 5 Last time Today  Server-side analysis  Client-side analysis  Benign but buggy  Buggy or potentially code malicious code Analysis soundness really helps

  6. Same Origin Policy Is Not Enough 6  Primary focus: statically enforcing security and reliability policies for JavaScript code  These policies include semantic properties  restricting widget capabilities,  making sure built- in objects are not modified,  preventing code injection attempts,  redirect and cross-site scripting detection,  preventing global namespace pollution,  taint checking,  etc.  Soundly enforcing security policies is hard

  7. Gatekeeper Mostly Static Enforcement of Security & Reliability Policies for JavaScript Code 7

  8. alert(„hi‟); program malicious Catch me if you can don’t want to allow alert box ? can we figure this out statically? 8

  9. alert („hi‟); document.write( “<script>alert(„hi‟);</script>”); var d = document; var w = d.write; w(“<script>alert(„hi‟);”); 9

  10. eval (“do”+”cu”+” ment.write (”+… var e = window.eval; e(“do”+”cu”+” ment.write (”…”); 10

  11. var e = new Function (“ eval ”); e.call( “do”+”cu”+” ment.write (”…”); var e = new Function(unescape (“%65%76%61%6C”)); e.call (“do”+”cu”+” ment.write (”…”); 11

  12. Gatekeeper Static analysis for JavaScript • General technology we developed for JavaScript • Can use for performance optimizations, etc. This paper • Use to enforce security and reliability policies • Analyze Web widgets Focus on whole program analysis. Contrast with: • JavaScript language subsets (do a little of) • JavaScript code rewriting (do a little of) 12

  13. Goal of Gatekeeper: Reason about JavaScript code alert(„hi‟); statically Gatekeeper 13

  14. JavaScript Widgets // register your Gadget's namespace registerNamespace("GadgetGamez"); // define the constructor for your Gadget (this must match the name in the manifest xml) GadgetGamez.gg2manybugs = function(p_elSource, p_args, p_namespace) { // always call initializeBase before anything else! GadgetGamez.gg2manybugs.initializeBase(this, arguments); // setup private member variables var m_this = this; var m_el = p_elSource; var m_module = p_args.module; /**************************************** ** initialize Method ****************************************/ // initialize is always called immediately after your object is instantiated this.initialize = function(p_objScope) { // always call the base object's initialize first! GadgetGamez.gg2manybugs.getBaseMethod(this, "initialize", "Web.Bindings.Base").call(this, p_objScope); var url = "http://www.gadgetgamez.com/live/2manybugs.htm" m_iframe = document.createElement("iframe"); m_iframe.scrolling = "yes"; m_iframe.frameBorder = "0"; m_iframe.src = url; m_iframe.width="95%"; m_iframe.height="250px"; p_elSource.appendChild(m_iframe); }; GadgetGamez.gg2manybugs.registerBaseMethod(this, "initialize"); /**************************************** ** dispose Method ****************************************/ this.dispose = function(p_blnUnload) { //TODO: add your dispose code here 14 // null out all member variables m_this = null;

  15. Sample iGoogle Gadget 15

  16. Widget counts 5,000 4,500 4,000 3,500 3,000 Widgets are 2,500 2,000 everywhere… 1,500 1,000 500 0 Live.com Vista sidebar Google/IG Lines of code 300 We use over 8,500 250 200 widgets to evaluate 150 Gatekeeper 100 50 0 Live.com Vista sidebar Google/IG 16

  17. Gatekeeper: Deployment Step on Widget Host user developer Hosting site: control widgets Widget: by enforcing policies: … alert(‘hi’); - No alert … - No redirects - No document.write 17

  18. Outline • Statically analyzable subset JavaScript SAFE • Points-to analysis for JavaScript • Formulate nine security & reliability policies • Experiments 18

  19. T ECHNIQUES 19

  20. Start with Entire JavaScript… EcmaScript-262 var e = new Function(“ eval ”); e.call( “do”+”cu”+” ment.write (”…”); var e = new Function(unescape (“%65%76%61%6C”)); e.call (“do”+”cu”+” ment.write (”…”); 20

  21. Remove eval & Friends… EcmaScript 262 - eval - setTimeout - setInterval - Function - with - arguments array ----------------------- = JavaScript GK 21

  22. Remove Unresolved Array Accesses… EcmaScript 262 JavaScript GK - innerHTML assignments - non-const array access a[x+y] -------------------------------- = JavaScript SAFE var z = ‘ ev ’ + x + ‘al’; var e = document[z]; eval is back! 22

  23. Now, this is Amenable to Analysis! EcmaScript 262 JavaScript GK – need basic instrumentation to prevent runtime code introduction JavaScript GK JavaScript SAFE s ::= // assignments v1=v2 v = bot return v // calls JavaScript SAFE – can analyze v = new v0(v1,…, vn) v=v0(vthis,v1,…, vn) fully statically without // heap resorting to runtime checks v1=v2.f v1.f=v2 // declarations v=function(v1,…, vn){s} 23

  24. How Many Widgets are in the Subsets? JavaScript SAFE Gatekeeper Safe JavaScript GK 97% 100% 90% 82% 80% 70% Ultimately, can analyze 65% 65% 60% 65-97% of all widgets 50% 39% 40% 30% 23% 20% 10% 0% Live.com Vista sidebar Google/IG 24

  25. Sound analysis: JavaScript SAFE Sound ensures that our Input Sound with JavaScript GK instrumentation program policy checkers find all violations Everything No guarantees else 25

  26. Points-to Analysis in Gatekeeper Points-to analysis • Program – Inclusion-based representation – Field-sensitive – Build call graph on the fly • Tricky issues: – Prototypes – Function closures • Analysis is expressed in Datalog PointsT o(var, heap) 26

  27. Datalog Policy for Preventing document.write 1. DocumentWrite(i) :- 2. PointsTo("global", h1), 3. HeapPointsTo(h1, "document", h2), 4. HeapPointsTo(h2, "write", h3), 5. Calls(i, h3). document.write('<Td><Input Type="Button" document.write ("<" + "script Name="' + i + '" Value=" " Class="blokje" document.write('<iframe id="dynstuff" src="" language='javascript' type='text/javascript' onClick="wijzig(this.form,this)"></Td>'); '+iframeprops+'></iframe>') src='"); 27

  28. E XPERIMENTAL E VALUATION 28

Recommend

1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
SERVER-SIDE ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Static

SERVER-SIDE ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Static

SERVER-SIDE ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Static analysis for Runtime analysis bug finding Fuzzing Pen testing Tainting Scripting languages Symbolic execution analyzed

646 views • 41 slides
CLIENT-SIDE RUNTIME ANALYSIS AND ENFORCEMENT Ben Livshits, Microsoft Research Overview of

CLIENT-SIDE RUNTIME ANALYSIS AND ENFORCEMENT Ben Livshits, Microsoft Research Overview of

CLIENT-SIDE RUNTIME ANALYSIS AND ENFORCEMENT Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Background (rehash) Better runtimes CSP HTML5 Sandbox Language restrictions AdSafe FBJS Tradeoffs of

998 views • 48 slides
Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

CSE 127: Computer Security Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side web applications (from vulnerable/untrusted components) Modern web sites are complicated Many acting parties on a site

867 views • 62 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 Client-side scripting: An introduction to Javascript Why?

CS/COE 1520 pitt.edu/~ach54/cs1520 Client-side scripting: An introduction to Javascript Why?

CS/COE 1520 pitt.edu/~ach54/cs1520 Client-side scripting: An introduction to Javascript Why? By themselves, HTML and CSS can provide a description of the structure and presentation of a document to the browser A static document

461 views • 18 slides
CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side

CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side

CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side Server Side Web Server Web Browser Web Technologies Content Resources Presentation management Client Side Processing Multimedia The evolution of

1.24k views • 23 slides
Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client Client Side Server Side Web Server Database Web Browser Cookies The big picture key/value pairs data Client Side Server Side HTTP request

783 views • 13 slides
CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser

CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser

CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser after page is sent back from server often this code manipulates the page or responds to user actions What is JavaScript? a lightweight

643 views • 29 slides
Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ? Basic analysis ! Example : Flow analysis ! Increasing precision ! Context -, flow -, and path sensitivity Scaling it up !

527 views • 27 slides
Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

CSE 127: Computer Security Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side web applications (from vulnerable/untrusted components) Modern web sites are complicated Modern web sites are

709 views • 57 slides
DC3158 Summary Summary Client Side Exploitation Attack Chaining. Client Side

DC3158 Summary Summary Client Side Exploitation Attack Chaining. Client Side

DEFCON DC3158 Summary Summary Client Side Exploitation Attack Chaining. Client Side Exploitation Script Based Attack Powershell,Jscript,Vbscript Vbscript:still people use IE, you can call wmic and powershell script to execute.

428 views • 15 slides
A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical problem and how to ignore it An example static analysis What is static analysis used for? Commercial successes Free static analysis tools you should

490 views • 37 slides
Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Interesting Questions Interesting Questions Is every statement reachable? Does every non- void method return a value? Compilation 2007 Compilation 2007 Will local variables definitely be assigned before Static Analysis Static

169 views • 13 slides
Client-Side Direct I/O for NFS Mike Kupfer kupfer@Eng.Sun.COM 28 February 1997 1 Client-Side

Client-Side Direct I/O for NFS Mike Kupfer kupfer@Eng.Sun.COM 28 February 1997 1 Client-Side

Client-Side Direct I/O for NFS Mike Kupfer kupfer@Eng.Sun.COM 28 February 1997 1 Client-Side Direct I/O for NFS Connectathon 1997 Disclaimer This is not a product announcement. 2 Client-Side Direct I/O for NFS Connectathon 1997

311 views • 16 slides
CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application Popular attacks Cross-site

266 views • 15 slides
CSE 510 Web Data Engineering Client-Side Programming JavaScript UB CSE 510 Web Data Engineering

CSE 510 Web Data Engineering Client-Side Programming JavaScript UB CSE 510 Web Data Engineering

CSE 510 Web Data Engineering Client-Side Programming JavaScript UB CSE 510 Web Data Engineering Web Programming Paradigms So far we have seen server-side programming Next Enrich user experience, interactivity with client- side

759 views • 24 slides
Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
Cutting-edge Think Tank BLACK HAT EUROPE 2008 CLIENT-SIDE SECURITY Overview of various

Cutting-edge Think Tank BLACK HAT EUROPE 2008 CLIENT-SIDE SECURITY Overview of various

Cutting-edge Think Tank BLACK HAT EUROPE 2008 CLIENT-SIDE SECURITY Overview of various Client-Side Hacking Tricks and Techniques pdp Information Security Researcher, founder of the GNUCITIZEN group OBJECTIVES I was planning to...

948 views • 59 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that Martin Steffen IfI UiO Spring 2014 Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on progress/interest

2.15k views • 194 slides
CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu February 1, 2017 Static Analysis Static Analysis is the process of documenting your observations about what identifying characteristics a

575 views • 8 slides
Write Fast, Read in the Past: Causal Consistency for Client-side Apps with SwiftCloud App App

Write Fast, Read in the Past: Causal Consistency for Client-side Apps with SwiftCloud App App

Challenge: Database Access for Client-side Apps Write Fast, Read in the Past: Causal Consistency for Client-side Apps with SwiftCloud App App Presented by Marek Zawirski App App Inria / UPMC-LIP6, Paris (now at Google, Zrich) Marek

469 views • 13 slides
Static and dynamic verification Software inspections Concerned with analysis of the

Static and dynamic verification Software inspections Concerned with analysis of the

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis

310 views • 12 slides

More recommend