security signature inference for javascript based browser
play

Security Signature Inference for JavaScript-based Browser Addons - PowerPoint PPT Presentation

Nov 18, 2022 •328 likes •898 views

Security Signature Inference for JavaScript-based Browser Addons Vineeth Kashyap , Ben Hardekopf University of California Santa Barbara CGO 2014 1 JavaScript-based Browser Addons 2 Addons: JavaScript with High Privileges 3

  1. Security Signature Inference for JavaScript-based Browser Addons Vineeth Kashyap , Ben Hardekopf University of California Santa Barbara � CGO 2014 � 1

  2. JavaScript-based Browser Addons � 2

  3. Addons: JavaScript with High Privileges � 3

  4. Urging Security Concern • Proof of concept exploits • FFSni ff , a configurable password stealer • Unintentional vulnerabilities • Wikipedia Toolbar allowed arbitrary privileged code execution • Intentionally malicious • Key loggers � 4

  5. Curated Repositories � 5

  6. � 6

  7. � 7

  8. � 8

  9. � 9

  10. � 10

  11. Manual JavaScript Addon Vetting is Difficult • Ad-hoc • Tedious • Error-prone � 11

  12. Our Goal: Help Automate the Vetting Process • Automatically infer security signatures • Summarize interesting information flows and critical API usages � 12

  13. Our Goal: Help Automate the Vetting Process • Automatically infer security signatures • Summarize interesting information flows and critical API usages � 12

  14. Our Goal: Help Automate the Vetting Process • Automatically infer security signatures • Summarize interesting information flows and critical API usages � 12

  15. Our Goal: Help Automate the Vetting Process • Automatically infer security signatures • Summarize interesting information flows and critical API usages amplified local control flow url send (www.evil.com) � 12

  16. Key Challenges • Flexible security policies • No single policy applies for all addons • Classifying Information Flows • Binary result (secure or insecure) is not enough • Inferring Network Domains • Critical to reason about addon’s network communication � 13

  17. Our Solution • Construct annotated Program Dependence Graphs (PDG) • Use annotated PDGs to generate security signatures • Use prefix string analysis to infer network domains communicated with � 14

  18. Our Solution • Construct annotated Program Dependence Graphs (PDG) • Use annotated PDGs to generate security signatures • Use prefix string analysis to infer network domains communicated with � 14

  19. Our Solution • Construct annotated Program Dependence Graphs (PDG) • Use annotated PDGs to generate security signatures • Use prefix string analysis to infer network domains communicated with � 14

  20. Our Solution • Construct annotated Program Dependence Graphs (PDG) • Use annotated PDGs to generate security signatures • Use prefix string analysis to infer network domains communicated with Automatically summarize API usages, interesting information flows (classified based on the type of flow) � 14

  21. Annotated Program Dependence Graph • Use JSAI † to construct a PDG • Annotate the edges of PDG with the type of dependency † JSAI is a sound and e ffj cient JavaScript abstract interpreter we developed. � 15

  22. Strong vs. Weak Data Dependency 1 var data = {loc: url, other: 1} 2 send(data[“loc”]); 3 send(data[getString()]); � 16

  23. Strong vs. Weak Data Dependency 1 var data = {loc: url, other: 1} 2 send(data[“loc”]); 3 send(data[getString()]); � 16

  24. Strong vs. Weak Data Dependency 1 var data = {loc: url, other: 1} 2 send(data[“loc”]); 3 send(data[getString()]); � 16

  25. Local Control Dependency 5 if (url == "secret.com") 6 send(null); � 17

  26. Local Control Dependency 5 if (url == "secret.com") 6 send(null); � 17

  27. Syntax-obvious Non-local Control Dependency 13 try { 14 if (url != "hush-hush.com") 15 throw "irrelevant"; 16 send(null); 17 } catch(x) {}; 14 � 18

  28. Syntax-obvious Non-local Control Dependency 13 try { 14 if (url != "hush-hush.com") 15 throw "irrelevant"; 16 send(null); 17 } catch(x) {}; 14 � 18

  29. Non-obvious Non-local Control Dependency 18 try { 19 if (url != "mystic.com") 20 obj.prop = 1; 21 send(null); 22 } catch(x) {} � 19

  30. Non-obvious Non-local Control Dependency 18 try { 19 if (url != "mystic.com") 20 obj.prop = 1; 21 send(null); 22 } catch(x) {} � 19

  31. Amplified vs. Simple Control Dependencies 7 var arr = ["covert.com", "priv.com"/*,..*/]; 8 var i=0, count=0; 9 while (arr[i] && url != arr[i]) { 10 i++; 11 count++; } // end while 12 send(count); � 20

  32. Amplified vs. Simple Control Dependencies 7 var arr = ["covert.com", "priv.com"/*,..*/]; 8 var i=0, count=0; 9 while (arr[i] && url != arr[i]) { 10 i++; 11 count++; } // end while 12 send(count); � 20

  33. Lattice of Perceived Flow Strength Stronger � Flow � 21

  34. Lattice of Perceived Flow Strength data Stronger � Flow control � 22

  35. Lattice of Perceived Flow Strength Stronger � Flow amplified not amplified � 23

  36. Lattice of Perceived Flow Strength Stronger � local Flow non local � 24

  37. Lattice of Perceived Flow Strength Stronger � Flow syntax obvious non obvious � 25

  38. Generating Security Signatures • Use the PDG to reason about information flow in addons • Use PDG annotations to classify flows • Output a signature summarizing relevant flows � 26

  39. Generating Security Signatures • Use the PDG to reason about information flow in addons • Use PDG annotations to classify flows • Output a signature summarizing relevant flows amplified local control flow url send (www.evil.com) � 26

  40. Generating Security Signatures � 27

  41. Generating Security Signatures � 27

  42. Generating Security Signatures � 27

  43. Generating Security Signatures � 28

  44. Generating Security Signatures � 29

  45. Generating Security Signatures � 29

  46. Generating Security Signatures � 30

  47. Generating Security Signatures � 31

  48. Generating Security Signatures � 32

  49. Generating Security Signatures � 33

  50. Generating Security Signatures � 33

  51. Generating Security Signatures amplified local control flow url send (www.evil.com) � 33

  52. Evaluation • Evaluated analysis on 10 real addons from Mozilla repository • Manually created security signatures based on submitted addon description • Ran the analysis to get inferred signature, compared against our manual signature • Possible experimental outcomes: • pass (no unexpected information flow) • fail (false unexpected information flow) • leak (true unexpected information flow) � 34

  53. Results † † † In all these cases, the failure was due to insu ffi cient precision in the string domain. � 35

  54. Conclusion • Browser addon vetting is hard, needs automation • Security signatures are useful to understand security behavior of addons Implementation available under the Downloads link at � http://www.cs.ucsb.edu/~pllab � 36

  55. Acknowledgements • Tommy Ashmore and Ben Wiedermann (Harvey Mudd College) • Dave Herman (Mozilla Research) • Mozilla Addon Vetting Team � 37

  56. Questions? vineeth@cs.ucsb.edu � 38

Recommend

ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser

ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser

ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo Meyerovich Benjamin Livshits UC Berkeley Microsoft Research Web Programmability Platform openid.net yelp.com adsense.com Google maps 2

727 views • 41 slides
RequireJS Javascript Modules for the Browser By Ben Keith Quoin, Inc. Traditional Browser JS

RequireJS Javascript Modules for the Browser By Ben Keith Quoin, Inc. Traditional Browser JS

RequireJS Javascript Modules for the Browser By Ben Keith Quoin, Inc. Traditional Browser JS One global namespace Often inline JS code embedded directly in HTML Many <script> tags with hidden ordering dependencies Very

362 views • 15 slides
CE419 Session 5: JavaScript (cont'd) Web Programming 1 JavaScript & The Browser

CE419 Session 5: JavaScript (cont'd) Web Programming 1 JavaScript & The Browser

CE419 Session 5: JavaScript (cont'd) Web Programming 1 JavaScript & The Browser JavaScript can be included in HTML files with <script> tag. <!DOCTYPE html> <html> <head> <title>My home

898 views • 34 slides
AJAX, fetch, and Axios Asynchronous JavaScript? HTTP Requests in the Browser URL bar

AJAX, fetch, and Axios Asynchronous JavaScript? HTTP Requests in the Browser URL bar

AJAX, fetch, and Axios Asynchronous JavaScript? HTTP Requests in the Browser URL bar Links JavaScript window.location.href = http://www.google.com' Submitting forms (GET/POST) All of the above make the browser navigate

760 views • 16 slides
Browser Feature Usage on the Modern Web Summary Analysis of how frequently javascript

Browser Feature Usage on the Modern Web Summary Analysis of how frequently javascript

Browser Feature Usage on the Modern Web Summary Analysis of how frequently javascript features are used Feature defined as browser capability accessed through JavaScript function or property. Considers only sites in Alexa

523 views • 11 slides
Lecture 26 Browser Security Stephen Checkoway Oberlin College Some slides from Bailey's ECE

Lecture 26 Browser Security Stephen Checkoway Oberlin College Some slides from Bailey's ECE

Lecture 26 Browser Security Stephen Checkoway Oberlin College Some slides from Bailey's ECE 422 Documents Browser's fundamental role is to display documents comprised of - HTML - JavaScript - Style sheets (CSS) - Images - Sounds - Movies -

1.74k views • 129 slides
CE419 Session 5: JavaScript Web Programming 1 What is JavaScript? JavaScript is a dynamic

CE419 Session 5: JavaScript Web Programming 1 What is JavaScript? JavaScript is a dynamic

CE419 Session 5: JavaScript Web Programming 1 What is JavaScript? JavaScript is a dynamic programming language. Introduced in 1995 as a way to add programs to web pages in the Netscape Navigator browser. It has made modern web

795 views • 35 slides
Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall

Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall

Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422 Documents Browser's fundamental role is to display documents comprised of - HTML - JavaScript - Style

1.67k views • 129 slides
Selenium Tutorial What is Selenium? Javascript framework that runs in your web- browser

Selenium Tutorial What is Selenium? Javascript framework that runs in your web- browser

Selenium Tutorial What is Selenium? Javascript framework that runs in your web- browser Works anywhere Javascript is supported Hooks for many other languages Java, Ruby, Python Can simulate a user navigating through pages and

310 views • 17 slides
Validating Javascript from Realworld Websites in a Browser-like Environment Sander Snajalg

Validating Javascript from Realworld Websites in a Browser-like Environment Sander Snajalg

Validating Javascript from Realworld Websites in a Browser-like Environment Sander Snajalg JavaScript (ECMAScript) Object-oriented / functional scripting language Dynamic typing Prototype inheritance Objects are dictionaries of properties

492 views • 19 slides
Taming JavaScript with Cloud9 IDE: a Tale of Tree Hugging Zef Hemel (@zef) .js browser.js

Taming JavaScript with Cloud9 IDE: a Tale of Tree Hugging Zef Hemel (@zef) .js browser.js

Taming JavaScript with Cloud9 IDE: a Tale of Tree Hugging Zef Hemel (@zef) .js browser.js db.js server.js *.js ~140,000 Tooling matters JavaScript Developer HTML CSS JavaScript HTML5 Client CSS3 JavaScript HTML5 Client CSS3

1.45k views • 87 slides
GWT-Gears The Browser is the Platform The Browser is the Platform Didier Girard

GWT-Gears The Browser is the Platform The Browser is the Platform Didier Girard

GWT-Gears The Browser is the Platform The Browser is the Platform Didier Girard girard.d@sfeir.com Sfeir CTO Member of OSSGTP Before starting, some questions Who knows javascript ? Who is a javascript expert ? Who knows java ?

1.57k views • 93 slides
A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for

A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for

A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for IT-Security Africacrypt 2010 1 / 13 RSA-Based Signature Schemes Na ve RSA signature scheme not secure under the standard definition of

647 views • 51 slides
Fast and efficient Browser Identification with JavaScript Engine Fingerprinting Martin Mulazzani ,

Fast and efficient Browser Identification with JavaScript Engine Fingerprinting Martin Mulazzani ,

Fast and efficient Browser Identification with JavaScript Engine Fingerprinting Martin Mulazzani , Philipp Reschl, Manuel Leithner, Markus Huber, Edgar Weippl SBA Research Vienna, Austria Outline Motivation & Background JavaScript Engine

539 views • 33 slides
Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse) Detection Intrusion Detection Host-based Network-based Boriana Ditcheva and Lisa Fowler Active/Passive University of North Carolina at

401 views • 12 slides
J AVA S CRIPT JavaScript is the programming language of HTML and the Web. JavaScript

J AVA S CRIPT JavaScript is the programming language of HTML and the Web. JavaScript

J AVA S CRIPT JavaScript is the programming language of HTML and the Web. JavaScript Java JavaScript is interpreted by the browser JavaScript 1/15 JS W HERE T O <!DOCTYPE html> <html> <head> <script

591 views • 15 slides
This presentation contains animations which require PDF browser which accepts JavaScript. For

This presentation contains animations which require PDF browser which accepts JavaScript. For

This presentation contains animations which require PDF browser which accepts JavaScript. For best results use Acrobat Reader. RSK problems theorem: bumping routes proof, the easy part proof, science fiction the end R obinson- S chensted- K

1.11k views • 85 slides
JavaScript! What is JavaScript? A (traditionally) client-side scripting language Meant

JavaScript! What is JavaScript? A (traditionally) client-side scripting language Meant

JavaScript! What is JavaScript? A (traditionally) client-side scripting language Meant (traditionally) to run entirely on the users browser Defined by the ECMAscript standard, published by the ECMA foundation JavaScript != Java,

657 views • 32 slides
Distance to the Measure Offset Recon- struction Geometric inference for measures based on

Distance to the Measure Offset Recon- struction Geometric inference for measures based on

Distance to the Measure Zhengchao Wan DTM Distance to the Measure Offset Recon- struction Geometric inference for measures based on distance DTM functions signature The DTM-signature for a geometric comparison of Statistical test

557 views • 31 slides
NDN in Javascript Ryan Bennett Colorado State University 1 A Bit of Background 2 Why

NDN in Javascript Ryan Bennett Colorado State University 1 A Bit of Background 2 Why

NDN in Javascript Ryan Bennett Colorado State University 1 A Bit of Background 2 Why Javascript? A fertile ground for NDN adoption Low deployment overhead in the browser JavaScript is moving from front-end to full stack Node.js

287 views • 14 slides
Week 07 Lectures Signature-based Selection Indexing with Signatures 2/103 Signature-based

Week 07 Lectures Signature-based Selection Indexing with Signatures 2/103 Signature-based

Week 07 Lectures Signature-based Selection Indexing with Signatures 2/103 Signature-based indexing: designed for pmr queries (conjunction of equalities) does not try to achieve better than O(n) performance attempts to provide an

859 views • 27 slides
Browser and Network request Browser website CS 4803 reply Network OS Computer and Network

Browser and Network request Browser website CS 4803 reply Network OS Computer and Network

Browser and Network request Browser website CS 4803 reply Network OS Computer and Network Security Hardware Alexandra (Sasha) Boldyreva Browser sends requests May reveal private information (in forms, cookies) Web security.

517 views • 7 slides
jsprobes cross-platform browser instrumentation using JavaScript Brian Burg (@brrian /

jsprobes cross-platform browser instrumentation using JavaScript Brian Burg (@brrian /

jsprobes cross-platform browser instrumentation using JavaScript Brian Burg (@brrian / burg@cs.uw.edu) Background: browser research template 1 2 3

781 views • 23 slides
Security for access to device APIs Stewart Brodie ANT Galio Browser Software Team Leader ANT

Security for access to device APIs Stewart Brodie ANT Galio Browser Software Team Leader ANT

Security for access to device APIs Stewart Brodie ANT Galio Browser Software Team Leader ANT Software Ltd. WAFERs: Overview An application model for HTML + JavaScript content Requires no changes to an existing HTML document Only

233 views • 7 slides

More recommend