1 / 19

Sep 2011

Sep 2011. Hybrid Analysis for JavaScript Security Assessment Omer Tripp Omri Weisman Salvatore Guarnieri IBM Software Group. Why JavaScript Analysis?. According to an IBM study performed in 2010. Why JavaScript Analysis? (cont.). 15 %.

elsu
Télécharger la présentation

Sep 2011

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Sep 2011 Hybrid Analysis for JavaScript Security AssessmentOmer TrippOmri WeismanSalvatore GuarnieriIBM Software Group

  2. Why JavaScript Analysis? According to an IBM study performed in 2010

  3. Why JavaScript Analysis? (cont.) 15% of Fortune 500 websites have exploitable security issues in JavaScript. According to an IBM study performed in 2010 DOM-based XSS document.write(document.URL.substring( pos,document.URL.length)); Open Redirect var pos = document.location.href.indexOf("name="); var val = document.location.href.substring(pos); document.location.href = "http://" + val;

  4. Complexities of JavaScript function sum() { if (arguments.length > 3) { eval(arguments[1]); } } sum(1, "...”, 3) • Reflective property access • Prototype chain property lookup • Lexical scoping • Function pointers • Arguments array • eval and its relatives function foo() { var y = 42; var bar = function() { write(y); } } function F() { this.bar = document.url; } function G() { } G.prototype = new F(); var a = new G(); write(g.bar); eval("document.write('evil')"); var a = "foo" + "bar"; var b = obj[a]; var m = function() ... var k = function(f) { f(); } k(m);

  5. Analysis Example Taint variable: (v2, foo, <f, *>) function foo(p1, p2) { p1.f = p2.f; } var a = new Object(); var b = new Object(); b.f = window.location.toString(); var c = new Object(); var d = new Object(); d.f = "safe"; foo(a, b); foo(c, d); document.write(a.f); // This is a taint violation document.write(c.f); // This is NOT a taint violation Install taint summary for foo: p2.f -> p1.f Since d.fis not tainted, c.fwill not be tainted

  6. Why Hybrid Analysis? + Performance + Soundness + Coverage + Dynamic Behavior + Performance + Soundness + Coverage - Frameworks - Dynamic loading + Dynamic behavior - Coverage Hybrid analysis Dynamic analysis Static analysis

  7. Static Analysis • Typically applied to server-side JavaScript content • Misses dynamically generated JavaScript! <scripttype="text/javascript"> document.write('<scr'+'ipt '); document.write('src="http://affinity-numerology.com/cgibin/ EmailThisLink.cgi?g'+Email_This_Link+'"'); document.write(' type="text/javascript">'); document.write('</scr'+'ipt>'); </script>

  8. Evil script not sent to server WebApplication Attacker’s evil scriptexecuted using victim’s credentials link embedded withevil script Attacker Victim Traditional Black-box Testing • Sends test payload in HTTP request • Checks response for reflected payload • Does not work for DOM-based XSS!

  9. Sandboxed JavaScript Execution http://mysite/search.aspx?search=<script>alert('hacked')</script> Black-boxScanner

  10. Dynamic Taint Analysis Source document.URL execution flow Sink document.write()

  11. Our Hybrid Architecture HTML/JavaScript, concrete URLs, … Black-boxScanner DOMmodeling Reduce scope Taintanalysis Find issues Stringanalysis Eliminatefalse positives issues

  12. Hybrid Elimination of False Reports • Specialized string analysis using dynamic pieces of information (e.g., concrete URL) • Part controlled by attacker is unknown, but known prefix modeled precisely "https://some-site/release/jsp/sso/login.html?..." var str = document.URL; var url_check = str.indexOf('login.html'); if (url_check > -1) { result = str.substring(0,url_check); result = result + 'login.jsp' + str.substring((url_check+search_term.length), str.length); document.URL = result; } URL as Source http://www.mysite.com/folder/page?a=1&b=2#anchor NOT CONTROLLED BY ATTACKER CONTROLLED BY ATTACKER

  13. String Analysis: Example Stringvariable Integervariable

  14. Hybrid DOM Modeling • The HTML DOM is an important channel of data propagation, but often too big (>105 lines of text) for the analysis to model! • In the hybrid setting • the analysis operates on a fully resolved DOM • the analysis can thus “reduce” the DOM BEFORE DOMreduction AFTER

  15. Implementation & Evaluation • Algorithm featured in IBM Rational AppScan Standard Edition, a black-box security-scanning product • Experimental hypotheses: • (1st experiment) The DOM-modeling and string-analysis specialization features have significant impact on the quality of the static security scanner • (2nd experiment) The hybrid solution is significantly better than the baseline security scanner, which performs sandboxed JavaScript execution

  16. 1st Experiment: Results Total number of JavaScript security vulnerabilities detected for 675 websites • 200-500 pages from each site • 4 configurations: with/without DOM modeling, string analysis • Results: • Without DOM modeling: too many crashes! • String analysis highly effective

  17. 2nd Experiment: Results Client-side vulnerabilities found by black-box scanner with and without hybrid capabilities • Sites selected at random (out of 675 sites used for 1st experiment) • False reports due to infeasible/rare path conditions

  18. Summary • Hybrid JavaScript security analysis is a powerful approach • Allows new and exciting specialization techniques • Transcends inherent weaknesses of static and dynamic analyses • Thousands of real vulnerabilities discovered using our tool when applied to highly popular sites (Fortune 500, top 100 sites list, etc.) • Very low rate of false reports (thanks to string analysis) • Scales to real-world JavaScript and HTML (thanks to DOM modeling)

  19. Thank you

More Related