Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Type-based Dependency Analysis for JavaScript
PLAS’13
University of Freiburg
Matthias Keil, Peter Thiemann
Institute for C...
JavaScript
University of Freiburg
JavaScript is the most important language for web sites
92 % of all websites use JavaScr...
JavaScript (cont.)
University of Freiburg
Dynamic programming language
e.g. eval, mashups
JavaScript has no security aware...
Security Scenarios
University of Freiburg
1 Libraries may get access to sensitive data
2 User code may be prone to injecti...
Examples
University of Freiburg
Information flow
1 var t = Cookie . get ( ’ access_token ’ ) ;
2 // processing
3 // ...
4 A...
Examples
University of Freiburg
Information flow
1 var t = Cookie . get ( ’ access_token ’ ) ;
2 // processing
3 // ...
4 A...
Design Principles
University of Freiburg
Dependency Analysis
Information flow pioneered by Denning
Determines potential dat...
Tainting
University of Freiburg
Built-in traceℓ(e[, id]) and untrace(e, id) function
ℓ – unique taint
id – tag name
Behave...
Application Scenario
Sensitive Data
University of Freiburg
1 var userH a ndl er = function ( uid ) {
2 var name = ’ ’ ;
3 ...
Application Scenario
Sensitive Data
University of Freiburg
1 var userH a ndl er = function ( uid ) {
2 var name = ’ ’ ;
3 ...
Application Scenario
Sensitive Data
University of Freiburg
1 var userH a ndl er = function ( uid ) {
2 var name = ’ ’ ;
3 ...
Application Scenario
Foreign Code
University of Freiburg
1 loadForeignCode = trace ( function () {
2 Array . prototy pe . ...
Application Scenario
Sanitization
University of Freiburg
1 $ = function ( i d ) {
2 return trace ( document . getElementBy...
Application Scenario
Sanitization (cont)
University of Freiburg
var s a n i t i z e d I n p u t =
i_know_what_i_do ? s a n...
Dependency Tracking Semantics
University of Freiburg
v = trace(value, ’#DOM’); v’ = trace(another, ’#ANOTHER’);
var input
...
Dependency Tracking Semantics
University of Freiburg
v = trace(value, ’#DOM’); v’ = trace(another, ’#ANOTHER’);
var input
...
Dependency Tracking Semantics
University of Freiburg
v = trace(value, ’#DOM’); v’ = trace(another, ’#ANOTHER’);
var input
...
Dependency Tracking Semantics
University of Freiburg
v = trace(value, ’#DOM’); v’ = trace(another, ’#ANOTHER’);
var input
...
Dependency Tracking Semantics
University of Freiburg
input = trace(value, ’#DOM’);
if
input = untrace(input, ’#DOM’);
fi
Ma...
Dependency Tracking Semantics
University of Freiburg
input = trace(value, ’#DOM’);
if
input = untrace(input, ’#DOM’);
fi
in...
Dependency Tracking Semantics
University of Freiburg
input = trace(value, ’#DOM’);
if
input = untrace(input, ’#DOM’);
fi
in...
Technical Contribution
University of Freiburg
Formalization based on a typed JavaScript Core calculus
Dependency Tracking ...
Implementation
University of Freiburg
Implementation extends TAJS, a Type Analyzer for
JavaScript developed by Anders Møll...
Conclusion
University of Freiburg
Designed and implemented a type-based dependency analysis
for JavaScript
Analysis of inf...
Type-based Dependency Analysis for JavaScript
University of Freiburg
Questions?
Thank you for your attention.
Matthias Kei...
Upcoming SlideShare
Loading in …5
×

Type-based Dependency Analysis for JavaScript

ACM SIGPLAN Eighth Workshop on Programming Languages and Analysis for Security, PLAS'13
Seattle, WA, USA, June 20, 2013

  • Login to see the comments

  • Be the first to like this

Type-based Dependency Analysis for JavaScript

  1. 1. Type-based Dependency Analysis for JavaScript PLAS’13 University of Freiburg Matthias Keil, Peter Thiemann Institute for Computer Science University of Freiburg Freiburg, Germany June 20, 2013, Seattle, WA, USA.
  2. 2. JavaScript University of Freiburg JavaScript is the most important language for web sites 92 % of all websites use JavaScript Web-developers rely on third-party libraries e.g. for calendars, maps, social networks 1 <s c r i p t type=" t e x t / j a v a s c r i p t " 2 s r c=" http :// example . org / a pi / j s /?ARGS"> 3 </ s c r i p t> Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 2 / 17
  3. 3. JavaScript (cont.) University of Freiburg Dynamic programming language e.g. eval, mashups JavaScript has no security awareness No namespace or encapsulation management Global scope for variables/functions All scripts have the same authority Security aspects of JavaScript received much attention Static or dynamic analysis techniques Guarantees by reducing the functionality Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 3 / 17
  4. 4. Security Scenarios University of Freiburg 1 Libraries may get access to sensitive data 2 User code may be prone to injection attacks Naive approach: detect information flow Pure information flow is too unflexible for investigating injection attacks Ignores sanitized values Our approach: dependency analysis Addresses both scenarios Sanitized values are acceptable Static Analysis Implemented as extension of a type analyzer Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 4 / 17
  5. 5. Examples University of Freiburg Information flow 1 var t = Cookie . get ( ’ access_token ’ ) ; 2 // processing 3 // ... 4 Ajax . r e q u e s t ( ’ example . org ’ , t ) ; Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 5 / 17
  6. 6. Examples University of Freiburg Information flow 1 var t = Cookie . get ( ’ access_token ’ ) ; 2 // processing 3 // ... 4 Ajax . r e q u e s t ( ’ example . org ’ , t ) ; Sanitization 1 var i nput = document . getElementById ( ’ id ’ ) ; 2 function s a n i t i z e r ( v a l ue ) { 3 // clean up value 4 } 5 // processing 6 // ... 7 Ajax . r e q u e s t ( ’ example . org ’ , s a n i t i z e r ( i nput ) ) ; Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 5 / 17
  7. 7. Design Principles University of Freiburg Dependency Analysis Information flow pioneered by Denning Determines potential data flow between program points Related to simple security types Flow-sensitive analysis Abstracts data tainting Stated as type-system Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 6 / 17
  8. 8. Tainting University of Freiburg Built-in traceℓ(e[, id]) and untrace(e, id) function ℓ – unique taint id – tag name Behaves like an identity function Implicit classes: UNSAFE, SAFE Policy-file For predefined values (e.g. DOM, JavaScript API) trace.policy 1 # Object Trace 2 t r a c e : HTMLDocument. cooki e ; Ajax . r e q u e s t ; 3 Array . prototy pe ; Math . abs ; Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 7 / 17
  9. 9. Application Scenario Sensitive Data University of Freiburg 1 var userH a ndl er = function ( uid ) { 2 var name = ’ ’ ; 3 var onSuccess = function ( response ) {name = response ; } ; 4 i f ( alreadyLoaded ) { 5 Cookie . r e q u e s t ( uid , onSuccess ) ; 6 } e l s e { 7 Ajax . r e q u e s t ( ’ example . org ’ , uid , onSuccess ) ; 8 } 9 return name ; 10 }; 11 var name = userH a ndl er ( trace (" uid " ) ) ; Security properties on a fine level of granularity Distinguish different sources Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 8 / 17
  10. 10. Application Scenario Sensitive Data University of Freiburg 1 var userH a ndl er = function ( uid ) { 2 var name = ’ ’ ; 3 var onSuccess = function ( response ) {name = response ; } ; 4 i f ( alreadyLoaded ) { // alreadyLoaded=true 5 Cookie . r e q u e s t ( uid , onSuccess ) ; 6 } e l s e { 7 Ajax . r e q u e s t ( ’ example . org ’ , uid , onSuccess ) ; 8 } 9 return name ; 10 }; 11 var name = userH a ndl er ( trace ( " uid " ) ) ; Security properties on a fine level of granularity Distinguish different sources Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 8 / 17
  11. 11. Application Scenario Sensitive Data University of Freiburg 1 var userH a ndl er = function ( uid ) { 2 var name = ’ ’ ; 3 var onSuccess = function ( response ) {name = response ; } ; 4 i f ( alreadyLoaded ) { // alreadyLoaded=( true|false ) 5 Cookie . r e q u e s t ( uid , onSuccess ) ; 6 } e l s e { 7 Ajax . r e q u e s t ( ’ example . org ’ , uid , onSuccess ) ; 8 } 9 return name ; 10 }; 11 var name = userH a ndl er ( trace ( " uid " ) ) ; Security properties on a fine level of granularity Distinguish different sources Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 8 / 17
  12. 12. Application Scenario Foreign Code University of Freiburg 1 loadForeignCode = trace ( function () { 2 Array . prototy pe . f orea ch = function ( c a l l b a c k ) { 3 // do something 4 }; 5 } ) ; 6 loadForeignCode ( ) ; 7 // do something 8 a r r a y . f orea ch ( function ( k , v ) { 9 r e s u l t = k + v ; 10 } ) ; Protect code from being compromised Encapsulation of foreign code Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 9 / 17
  13. 13. Application Scenario Sanitization University of Freiburg 1 $ = function ( i d ) { 2 return trace ( document . getElementById ( i d ) . value , "#DOM" ) ; 3 } 4 function s a n i t i z e r ( v a l ue ) { 5 // escape value 6 return untrace ( value , "#DOM" ) ; 7 } 8 // do something 9 var i nput = $(" t e x t " ) ; 10 var s a n i t i z e d I n p u t = s a n i t i z e r ( i nput ) ; 11 consumer ( s a n i t i z e d I n p u t ) ; Avoid injection attacks e.g. only escaped values used Change taint classes Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 10 / 17
  14. 14. Application Scenario Sanitization (cont) University of Freiburg var s a n i t i z e d I n p u t = i_know_what_i_do ? s a n i t i z e r ( i nput ) : i nput ; Mixture of sanitized and unsanitized taints Flagged as an error Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 11 / 17
  15. 15. Dependency Tracking Semantics University of Freiburg v = trace(value, ’#DOM’); v’ = trace(another, ’#ANOTHER’); var input sanitized = untrace(input, ’#DOM’); Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 12 / 17
  16. 16. Dependency Tracking Semantics University of Freiburg v = trace(value, ’#DOM’); v’ = trace(another, ’#ANOTHER’); var input sanitized = untrace(input, ’#DOM’); v : ℓ#DOM,UNSAFE v′ : ℓ′#ANOTHER,UNSAFE Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 12 / 17
  17. 17. Dependency Tracking Semantics University of Freiburg v = trace(value, ’#DOM’); v’ = trace(another, ’#ANOTHER’); var input sanitized = untrace(input, ’#DOM’); v : ℓ#DOM,UNSAFE v′ : ℓ′#ANOTHER,UNSAFE input : ℓ#DOM,UNSAFE , ℓ′#ANOTHER,UNSAFE Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 12 / 17
  18. 18. Dependency Tracking Semantics University of Freiburg v = trace(value, ’#DOM’); v’ = trace(another, ’#ANOTHER’); var input sanitized = untrace(input, ’#DOM’); v : ℓ#DOM,UNSAFE v′ : ℓ′#ANOTHER,UNSAFE input : ℓ#DOM,UNSAFE , ℓ′#ANOTHER,UNSAFE sanitized : ℓ#DOM,SAFE , ℓ′#ANOTHER,UNSAFE Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 12 / 17
  19. 19. Dependency Tracking Semantics University of Freiburg input = trace(value, ’#DOM’); if input = untrace(input, ’#DOM’); fi Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 13 / 17
  20. 20. Dependency Tracking Semantics University of Freiburg input = trace(value, ’#DOM’); if input = untrace(input, ’#DOM’); fi input : ℓ#DOM,UNSAFE input : ℓ#DOM,UNSAFE input : ℓ#DOM,SAFE input : ℓ#DOM,SAFE Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 13 / 17
  21. 21. Dependency Tracking Semantics University of Freiburg input = trace(value, ’#DOM’); if input = untrace(input, ’#DOM’); fi input : ℓ#DOM,UNSAFE input : ℓ#DOM,UNSAFE input : ℓ#DOM,SAFE input : ℓ#DOM,UNSAFE input : ℓ#DOM,SAFE , ℓ#DOM,UNSAFE Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 13 / 17
  22. 22. Technical Contribution University of Freiburg Formalization based on a typed JavaScript Core calculus Dependency Tracking Semantics Marker propagation for upcoming values Not meant to perform a dynamic analysis Static analysis based on the type system for dependency tracking Termination-insensitive noninterference based on the types Correct abstraction of the tracking semantics Termination of the abstract analysis Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 14 / 17
  23. 23. Implementation University of Freiburg Implementation extends TAJS, a Type Analyzer for JavaScript developed by Anders Møller and others Abstract values and states are extended with abstract taints The control flow graph is extended by special nodes for implicit flows traceℓ and untrace implemented as built-in functions Policy file for pre-labeling of built-in objects Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 15 / 17
  24. 24. Conclusion University of Freiburg Designed and implemented a type-based dependency analysis for JavaScript Analysis of information flow Encapsulation of foreign code Declassification of values (by changing taint-classes) Dependency analysis is not a security analysis Investigate noninterference Ensure confidentiality Verify correct sanitizer placement Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 16 / 17
  25. 25. Type-based Dependency Analysis for JavaScript University of Freiburg Questions? Thank you for your attention. Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 17 / 17

×