Source: css.csail.mit.edu/6.858/2011/slides/lec8.pdf · 2016. 1. 29.

Page 1
CLIENT-SIDE STATIC ANALYSIS
Ben Livshits, Microsoft Research
Page 2
Overview of Today's Lecture
• Client-side JavaScript
  – Analysis of JavaScript
  – eval and code obfuscation
  – Need for runtime enforcement
  – Gatekeeper as illustration
• Browser Plugins
• Extensions
  – Firefox extension model
  – Chrome extension model
• Looking forward
Page 3
Layers of Browser Security
(Layer diagram, bottom to top: OS; browser; plugins side by side inside the browser; JavaScript; extension; JavaScript running inside the extension.)
Page 4
App Store: Centralized Software Distribution
(Diagram: developer submits code to the app store; checking/verification is done as part of the app approval process.)
Page 5
Static Analysis
• Server-side analysis (last time): benign but buggy code
• Client-side analysis (today): buggy or potentially malicious code
Analysis soundness really helps
Page 6
Same Origin Policy Is Not Enough
Primary focus: statically enforcing security and reliability policies for JavaScript code. These policies include:
• semantic properties restricting widget capabilities
• making sure built-in objects are not modified
• preventing code injection attempts
• redirect and cross-site scripting detection
• preventing global namespace pollution
• taint checking
• etc.
Soundly enforcing security policies is hard
Page 7
Gatekeeper
Mostly Static Enforcement of Security & Reliability Policies for JavaScript Code
Page 8
Catch me if you can
Program (malicious): alert('hi');
Policy: don't want to allow an alert box
Question: can we figure this out statically?
Page 9
// Three ways to reach the same alert; only the last one names alert at the call site.
var d = document;
var w = d.write;
w("<script>alert('hi');</script>");   // detached reference: current browsers throw
                                      // "Illegal invocation" unless this is written
                                      // w.call(document, ...), but the evasion stands

document.write("<script>alert('hi');</script>");

alert('hi');
Page 10
eval("do" + "cu" + "ment.write(" + …);

var e = window.eval;
e("do" + "cu" + "ment.write(" + …);
Page 11
var e = new Function("eval");
e.call("do" + "cu" + "ment.write(" + …);

var e = new Function(unescape("%65%76%61%6C"));   // "%65%76%61%6C" decodes to "eval"
e.call("do" + "cu" + "ment.write(" + …);
Note: as printed, these last two forms do not run the payload: a function built from the body "eval" is a bare expression statement that evaluates nothing, and the first argument of .call is the receiver, not a parameter. The working form of the same evasion is new Function("s", "return eval(s)") invoked as e.call(null, …). The lesson is unchanged: the identifier eval never appears as a call target, so a syntactic check misses it.
Page 12
Gatekeeper
Static analysis for JavaScript
• General technology we developed for JavaScript
• Can use for performance optimizations, etc.
This paper
• Use to enforce security and reliability policies
• Analyze Web widgets
Focus on whole-program analysis. Contrast with:
• JavaScript language subsets (do a little of)
• JavaScript code rewriting (do a little of)
Page 13
Goal of Gatekeeper: reason about JavaScript code statically
(Diagram: alert('hi'); is fed into Gatekeeper)
Page 14
JavaScript Widgets
Sample widget listing (re-indented; a missing semicolon and an undeclared m_iframe, which the original assigned as an implicit global, are fixed):

// register your Gadget's namespace
registerNamespace("GadgetGamez");

// define the constructor for your Gadget (this must match the name in the manifest xml)
GadgetGamez.gg2manybugs = function(p_elSource, p_args, p_namespace) {
    // always call initializeBase before anything else!
    GadgetGamez.gg2manybugs.initializeBase(this, arguments);

    // setup private member variables
    var m_this = this;
    var m_el = p_elSource;
    var m_module = p_args.module;
    var m_iframe = null;   // declared here; the original wrote to an undeclared global

    /****************************************
    ** initialize Method
    ****************************************/
    // initialize is always called immediately after your object is instantiated
    this.initialize = function(p_objScope) {
        // always call the base object's initialize first!
        GadgetGamez.gg2manybugs.getBaseMethod(this, "initialize", "Web.Bindings.Base").call(this, p_objScope);

        // the widget's whole UI is a third-party page loaded into an iframe
        var url = "http://www.gadgetgamez.com/live/2manybugs.htm";
        m_iframe = document.createElement("iframe");
        m_iframe.scrolling = "yes";
        m_iframe.frameBorder = "0";
        m_iframe.src = url;
        m_iframe.width = "95%";
        m_iframe.height = "250px";
        p_elSource.appendChild(m_iframe);
    };
    GadgetGamez.gg2manybugs.registerBaseMethod(this, "initialize");

    /****************************************
    ** dispose Method
    ****************************************/
    this.dispose = function(p_blnUnload) {
        //TODO: add your dispose code here
        // null out all member variables
        m_this = null;
        m_el = null;
        m_module = null;
        // always call the base object's dispose last!
        GadgetGamez.gg2manybugs.getBaseMethod(this, "dispose", "Web.Bindings.Base").call(this, p_blnUnload);
    };
    GadgetGamez.gg2manybugs.registerBaseMethod(this, "dispose");

    /****************************************
    ** Other Methods
    ****************************************/
};
GadgetGamez.gg2manybugs.registerClass("GadgetGamez.gg2manybugs", "Web.Bindings.Base");
Page 15
Sample iGoogle Gadget (screenshot)
Page 16
Widgets are everywhere…
We use over 8,500 widgets to evaluate Gatekeeper
(Two bar charts over Live.com, Vista sidebar and Google/IG: "Lines of code", y-axis 0 to 300, and "Widget counts", y-axis 0 to 5,000.)
Page 17
Gatekeeper: Deployment Step on Widget Host
(Diagram: developer → hosting site → user)
Widget: … alert('hi'); …
Hosting site: control widgets by enforcing policies:
- No alert
- No redirects
- No document.write
Page 18
Outline
• Statically analyzable subset JavaScriptSAFE
• Points-to analysis for JavaScript
• Formulate nine security & reliability policies
• Experiments
Page 19
TECHNIQUES
Page 20
Start with Entire JavaScript…
EcmaScript-262
var e = new Function("eval");
e.call("do" + "cu" + "ment.write(" + …);

var e = new Function(unescape("%65%76%61%6C"));
e.call("do" + "cu" + "ment.write(" + …);
Page 21
Remove eval & Friends…
EcmaScript 262
- eval
- setTimeout
- setInterval
- Function
- with
- arguments array
-----------------------
= JavaScriptGK
Page 22
Remove Unresolved Array Accesses…
JavaScriptGK
- innerHTML assignments
- non-const array access a[x+y]
--------------------------------
= JavaScriptSAFE
Why the second removal is needed: a computed property name can bring back anything that was removed syntactically.
var z = 'ev' + x + 'al';   // with x == "" at run time, z is "eval"
var e = window[z];         // the slide writes document[z]; eval lives on the global object
eval is back!
Page 23
Now, this is Amenable to Analysis!
EcmaScript 262 ⊃ JavaScriptGK ⊃ JavaScriptSAFE
s ::=
    // assignments
    v1 = v2
    v = ⊥ (bot)
    return v
    // calls
    v = new v0(v1, …, vn)
    v = v0(vthis, v1, …, vn)
    // heap
    v1 = v2.f
    v1.f = v2
    // declarations
    v = function(v1, …, vn) { s }
JavaScriptSAFE: can analyze fully statically without resorting to runtime checks
JavaScriptGK: need basic instrumentation to prevent runtime code introduction
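The "basic instrumentation" that JavaScriptGK relies on, as an added example that is not part of the slides or of Gatekeeper: a runtime guard that replaces every code-introducing primitive the slide removes (eval, Function, setTimeout/setInterval with a string argument) with a function that records a violation and throws, so the obfuscated evals from pages 10 and 11 fail even though they dodge a syntactic check. The function names, the violation message and the SLIDE_EVASIONS table are this example's own; `with` and the `arguments` array are syntactic and are left to the submission-time check. It runs under Node.js (unescape is the legacy Annex B function that also exists in browsers).

```javascript
// Runtime guard in the spirit of the JavaScriptGK instrumentation: every
// primitive that turns a string into code at run time is replaced with a
// function that records a violation and throws. Returns the violation log and
// an uninstall() that restores the originals.
function installNoRuntimeCodeGuard(global = globalThis) {
  const violations = [];
  const deny = (what) => {
    violations.push(what);
    throw new TypeError(`policy violation: ${what} introduces code at run time`);
  };
  // Each function-constructor intrinsic is reachable as <instance>.constructor,
  // so replacing the global `Function` binding alone is not enough: the
  // `constructor` property on all four function prototypes is patched as well.
  const protos = [function () {}, async function () {}, function* () {}, async function* () {}]
    .map((f) => Object.getPrototypeOf(f));
  const saved = {
    eval: global.eval,
    Function: global.Function,
    setTimeout: global.setTimeout,
    setInterval: global.setInterval,
    ctorDescriptors: protos.map((p) => Object.getOwnPropertyDescriptor(p, "constructor")),
  };
  const blockedCtor = function Function() { deny("the Function constructor"); };
  const guardTimer = (name, original) => function (callback, ...rest) {
    if (typeof callback !== "function") deny(`${name} with a string argument`);
    return original.call(this, callback, ...rest);
  };
  global.eval = () => deny("eval");
  global.Function = blockedCtor;
  global.setTimeout = guardTimer("setTimeout", saved.setTimeout);
  global.setInterval = guardTimer("setInterval", saved.setInterval);
  for (const p of protos) {
    // The generator/async prototypes carry a non-writable but configurable
    // `constructor`, so plain assignment would not take; redefine it instead.
    Object.defineProperty(p, "constructor", { value: blockedCtor, writable: true, configurable: true });
  }
  const uninstall = () => {
    global.eval = saved.eval;
    global.Function = saved.Function;
    global.setTimeout = saved.setTimeout;
    global.setInterval = saved.setInterval;
    protos.forEach((p, i) => Object.defineProperty(p, "constructor", saved.ctorDescriptors[i]));
  };
  return { violations, uninstall };
}

// The slide's evasions (and a few relatives), each as a thunk to attempt under the guard.
const SLIDE_EVASIONS = {
  "direct eval": () => eval("do" + "cu" + "ment.write"),
  "aliased eval": () => { const e = globalThis.eval; return e("do" + "cu" + "ment.write"); },
  "new Function": () => new Function("s", "return eval(s)")("1 + 1"),
  "instance .constructor": () => (function () {}).constructor("return 1")(),
  "async .constructor": () => (async function () {}).constructor("return 1"),
  "unescaped name": () => new Function(unescape("%65%76%61%6C")),   // "%65%76%61%6C" is "eval"
  "string timer": () => setTimeout("1 + 1", 0),
};

// Install the guard, attempt every evasion, report which ones were blocked, and
// remove the guard again so the surrounding process is left untouched.
function runUnderGuard(attempts = SLIDE_EVASIONS) {
  const guard = installNoRuntimeCodeGuard(globalThis);
  const blocked = [];
  try {
    for (const [name, attempt] of Object.entries(attempts)) {
      try {
        attempt();
      } catch (err) {
        if (err instanceof TypeError && /policy violation/.test(err.message)) blocked.push(name);
      }
    }
    clearTimeout(setTimeout(() => {}, 0));   // a real callback is still accepted
  } finally {
    guard.uninstall();
  }
  return blocked;
}
```

This is the runtime half of the slide's split: anything the subset cannot rule out syntactically is caught at the one place it must pass through. It is not a sandbox on its own (a widget that can reach an iframe or another realm gets a fresh, unpatched Function), which is why the slides keep the static analysis as the primary mechanism.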
Page 24
How Many Widgets are in the Subsets?
(Bar chart over Live.com, Vista sidebar and Google/IG with two series, JavaScriptSAFE and JavaScriptGK; the bar labels read 23%, 39%, 65%, 97%, 65% and 82%.)
Ultimately, can analyze 65-97% of all widgets
Page 25
Sound analysis: ensures that our policy checkers find all violations
Input program:
• JavaScriptSAFE: sound
• JavaScriptGK: sound with instrumentation
• Everything else: no guarantees
Page 26
Points-to Analysis in Gatekeeper
• Points-to analysis
  – Inclusion-based
  – Field-sensitive
  – Build call graph on the fly
• Tricky issues:
  – Prototypes
  – Function closures
• Analysis is expressed in Datalog
(Diagram: program representation → PointsTo(var, heap))
Page 27
Datalog Policy for Preventing document.write
DocumentWrite(i) :-
    PointsTo("global", h1),
    HeapPointsTo(h1, "document", h2),
    HeapPointsTo(h2, "write", h3),
    Calls(i, h3).
Read right to left: call site i is a violation when the callee it may invoke (h3) is the "write" field of the object reached through the global object's "document" field. Aliasing through intermediate variables (var w = d.write) is resolved by the points-to relations, not by matching names.
Widget code the rule flags (snippets from the corpus, as shown on the slide):
document.write('<Td><Input Type="Button" Name="' + i + '" Value=" " Class="blokje" onClick="wijzig(this.form,this)"></Td>');
document.write ("<" + "script language='javascript' type='text/javascript' src='");
document.write('<iframe id="dynstuff" src="" '+iframeprops+'></iframe>')
Page 28
EXPERIMENTAL EVALUATION
Page 29
Policies for Widget Security & Reliability
1. Alert calls
2. Frozen violations
3. Document.write
4. Location assign
5. Location change
6. Window open
7. XMLHttpRequest
8. Global store
9. ActiveXExecute (taint)
(The slide groups these by scope: some apply to all widgets, some to Live.com only, some to Vista Sidebar only.)

The policies in Datalog:
AlertCalls(i) :- PointsTo("global", h), HeapPointsTo(h, "alert", h2), Calls(i, h2) .
DocumentWrite(i) :- PointsTo("global", h1), HeapPointsTo(h1, "document", h2), HeapPointsTo(h2, "write", h3), Calls(i, h3) .
DocumentWrite(i) :- PointsTo("global", h1), HeapPointsTo(h1, "document", h2), HeapPointsTo(h2, "writeln", h3), Calls(i, h3) .
InnerHTML(v) :- Store(v, "innerHtml", _) .
BuiltinObject(h) :- PointsTo("global", h1), HeapPointsTo(h1, "String", h) .
BuiltinObject(h) :- PointsTo("global", h1), HeapPointsTo(h1, "Date", h) .
BuiltinObject(h) :- PointsTo("global", h1), HeapPointsTo(h1, "Array", h) .
BuiltinObject(h) :- PointsTo("global", h1), HeapPointsTo(h1, "Boolean", h) .
BuiltinObject(h) :- PointsTo("global", h1), HeapPointsTo(h1, "Math", h) .
BuiltinObject(h) :- PointsTo("global", h1), HeapPointsTo(h1, "Function", h) .
BuiltinObject(h) :- PointsTo("global", h1), HeapPointsTo(h1, "Document", h) .
BuiltinObject(h) :- PointsTo("global", h1), HeapPointsTo(h1, "Window", h) .
Reaches(h1, f, h2) :- HeapPointsTo(h1, f, h2) .
Reaches(h1, f, h2) :- HeapPointsTo(h1, _, h), Reaches(h, f, h2) .
FrozenViolation(v, h1) :- Store(v, _, _), PointsTo(v, h1), BuiltinObject(h1) .
FrozenViolation(v, h1) :- Store(v, _, _), PointsTo(v, h1), BuiltinObject(h2), Reaches(h2, f, h1) .
LocationObject(h) :- PointsTo("global", h1), HeapPointsTo(h1, "location", h) .
WindowObject(h) :- PointsTo("global", h1), HeapPointsTo(h1, "window", h) .
StoreToLocationObject(h) :- PointsTo("global", h1), HeapPointsTo(h1, "window", h2), DirectHeapStoreTo(h2, "location", h) .
StoreToLocationObject(h) :- PointsTo("global", h1), HeapPointsTo(h1, "document", h2), DirectHeapStoreTo(h2, "location", h) .
StoreToLocationObject(h) :- PointsTo("global", h1), DirectHeapStoreTo(h1, "location", h) .
StoreInLocationObject(h) :- LocationObject(h1), DirectHeapStoreTo(h1, _, h) .
CallLocationMethod(i) :- LocationObject(h), HeapPointsTo(h, "assign", h1), Calls(i, h1) .
CallLocationMethod(i) :- LocationObject(h), HeapPointsTo(h, "reload", h1), Calls(i, h1) .
CallLocationMethod(i) :- LocationObject(h), HeapPointsTo(h, "replace", h1), Calls(i, h1) .
WindowOpenMethodCall(i) :- WindowObject(h1), HeapPointsTo(h1, "open", h2), Calls(i, h2) .
36 lines
Note on the listing: the InnerHTML rule as printed matches the field name "innerHtml"; the DOM property is innerHTML, and JavaScript property names are case-sensitive, so a checker built from the rule exactly as shown would not match stores to innerHTML. The FrozenViolation rules also show why the analysis must be field-sensitive: a store through any alias of a built-in object, or of anything reachable from one, is a violation.
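The points-to analysis of pages 26 and 27 and the AlertCalls/DocumentWrite rules in the listing above, as an added example that is not Gatekeeper's own code: an inclusion-based, field-sensitive analysis over the JavaScriptSAFE statement forms, run to a fixpoint, with the two policies written as the joins the Datalog rules express. The statement encoding, the heap names (H_global, H_document, …) and SAMPLE_WIDGET are this example's own constructions; the sample encodes the alias trick from page 9 next to an innocent object that happens to have its own write field, to show that the policy keys on the heap object, not on the name.

```javascript
// Relations are sets of tuples; add() reports whether the tuple was new,
// which is what drives the fixpoint loop in analyze().
class Relation {
  constructor() { this.rows = []; this.seen = new Set(); }
  add(...tuple) {
    const key = tuple.join("\u0000");
    if (this.seen.has(key)) return false;
    this.seen.add(key);
    this.rows.push(tuple);
    return true;
  }
  where(pred) { return this.rows.filter(pred); }
}

// Facts modelling the browser environment (heap names are this example's own):
// the global object with `document` and `alert`, and document's two write methods.
function builtinEnvironment() {
  const pointsTo = new Relation();      // PointsTo(var, heap)
  const heapPointsTo = new Relation();  // HeapPointsTo(heap, field, heap)
  pointsTo.add("global", "H_global");
  heapPointsTo.add("H_global", "document", "H_document");
  heapPointsTo.add("H_global", "alert", "H_alert");
  heapPointsTo.add("H_document", "write", "H_document_write");
  heapPointsTo.add("H_document", "writeln", "H_document_writeln");
  return { pointsTo, heapPointsTo, calls: new Relation() };  // Calls(site, heap)
}

// Inclusion-based, field-sensitive points-to over JavaScriptSAFE statements:
//   {op:"new", v, h}          v = new ...   (allocation site h)
//   {op:"assign", v1, v2}     v1 = v2
//   {op:"load", v1, v2, f}    v1 = v2.f
//   {op:"store", v1, f, v2}   v1.f = v2
//   {op:"call", site, v0}     site: v0(...)
// Every rule only adds facts, so iterating until nothing changes is a fixpoint.
function analyze(stmts) {
  const { pointsTo, heapPointsTo, calls } = builtinEnvironment();
  const ptsOf = (v) => pointsTo.where(([w]) => w === v).map(([, h]) => h);
  let changed = true;
  while (changed) {
    changed = false;
    for (const s of stmts) {
      if (s.op === "new") {                        // PointsTo(v, h)
        changed = pointsTo.add(s.v, s.h) || changed;
      } else if (s.op === "assign") {              // PointsTo(v1,h) :- PointsTo(v2,h)
        for (const h of ptsOf(s.v2)) changed = pointsTo.add(s.v1, h) || changed;
      } else if (s.op === "load") {                // PointsTo(v1,h2) :- PointsTo(v2,h1), HeapPointsTo(h1,f,h2)
        for (const h1 of ptsOf(s.v2))
          for (const [, , h2] of heapPointsTo.where(([h, f]) => h === h1 && f === s.f))
            changed = pointsTo.add(s.v1, h2) || changed;
      } else if (s.op === "store") {               // HeapPointsTo(h1,f,h2) :- PointsTo(v1,h1), PointsTo(v2,h2)
        for (const h1 of ptsOf(s.v1))
          for (const h2 of ptsOf(s.v2)) changed = heapPointsTo.add(h1, s.f, h2) || changed;
      } else if (s.op === "call") {                // Calls(i,h) :- PointsTo(v0,h)
        for (const h of ptsOf(s.v0)) changed = calls.add(s.site, h) || changed;
      }
    }
  }
  return { pointsTo, heapPointsTo, calls };
}

// Follow each field path from the global object and collect the call sites
// whose callee may be the object at the end of the path (the Datalog joins).
function callSitesReaching({ pointsTo, heapPointsTo, calls }, paths) {
  const sites = new Set();
  for (const path of paths) {
    let objs = pointsTo.where(([v]) => v === "global").map(([, h]) => h);
    for (const f of path)
      objs = objs.flatMap((h1) => heapPointsTo.where(([h, g]) => h === h1 && g === f).map(([, , h2]) => h2));
    for (const h of objs) for (const [site] of calls.where(([, c]) => c === h)) sites.add(site);
  }
  return [...sites].sort();
}
// AlertCalls(i) :- PointsTo("global",h), HeapPointsTo(h,"alert",h2), Calls(i,h2).
const alertCalls = (facts) => callSitesReaching(facts, [["alert"]]);
// DocumentWrite(i) :- ... HeapPointsTo(h1,"document",h2), HeapPointsTo(h2,"write"|"writeln",h3), Calls(i,h3).
const documentWrite = (facts) => callSitesReaching(facts, [["document", "write"], ["document", "writeln"]]);

// Constructed widget in JavaScriptSAFE form:
//   var d = document; var w = d.write; w("...");            -> site i1
//   document.write("...");                                  -> site i2
//   alert('hi');                                            -> site i3
//   var o = {}; o.write = function () {}; o.write("...");    -> site i4 (no violation)
const SAMPLE_WIDGET = [
  { op: "load", v1: "d", v2: "global", f: "document" },
  { op: "load", v1: "w", v2: "d", f: "write" },
  { op: "call", site: "i1", v0: "w" },
  { op: "load", v1: "t1", v2: "global", f: "document" },
  { op: "load", v1: "t2", v2: "t1", f: "write" },
  { op: "call", site: "i2", v0: "t2" },
  { op: "load", v1: "t3", v2: "global", f: "alert" },
  { op: "call", site: "i3", v0: "t3" },
  { op: "new", v: "o", h: "H_obj1" },
  { op: "new", v: "fn", h: "H_fn1" },
  { op: "store", v1: "o", f: "write", v2: "fn" },
  { op: "load", v1: "t4", v2: "o", f: "write" },
  { op: "call", site: "i4", v0: "t4" },
];

function checkSampleWidget() {
  const facts = analyze(SAMPLE_WIDGET);
  return { alert: alertCalls(facts), documentWrite: documentWrite(facts) };
}
```

checkSampleWidget() reports i1 and i2 as DocumentWrite and i3 as AlertCalls; i4 is clean because o.write points to the widget's own function object, never to H_document_write. The alias in i1 is caught without any name matching, which is the whole reason the policies are written over heap objects rather than identifiers.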
Page 30
Policy Checking Results
Warnings
• 1,341 warnings found total
• Span 684 widgets
False positives
• 113 false positives
• 2 widgets
Manual inspection effort
• Took us about 12 hours to check these
Page 31
False Positives
• Why not more false positives?
  – Most violations are local
  – But this is policy-specific
  – A global taint policy might produce other results
common.js:
function MM_preloadImages() {
    var d = m_Doc;
    if (d.images) {
        if (!d.MM_p) d.MM_p = new Array();
        var i, j = d.MM_p.length, a = MM_preloadImages.arguments;
        for (i = 0; i < a.length; i++)
            if (a[i].indexOf("#") != 0) {
                d.MM_p[j] = new Image;
                d.MM_p[j++].src = a[i];
            }
    }
}
Page 32
Conclusions
Gatekeeper: static analysis for JavaScript
Technique: points-to analysis
Focus: analyzing widgets
Results:
• 1,341 policy violations
• false positives affect 2 widgets
Page 33
Question of the day: What is the difference between browser extensions and browser plugins?
Page 34
Browser Plugins
Plugins
• Flash
• Adobe PDF reader
• On their way out?
Come in different flavors
• ActiveX
• Firefox extensions
• Chrome extensions
Page 35
Plugin Security
Plugins are often the worst offenders when it comes to security
• True of malware
• True of use of DEP/ASLR
Isolation technologies proposed
• Run plugins in their own processes
• Low-privilege processes if possible
Sandboxing techniques
• Native Client
• XAX
Page 36
Plugin Security (figure)
Page 37
Extension Space: an Overview
Mozilla Firefox
• Dominates this space with 1,000s of extensions available
• Millions of downloads
• Security is not great: rogue extensions, buggy extensions
• Relies on a community review process to ensure quality
Google Chrome
• Extension manifests
• Runtime enforcement of manifests within the browser
Page 38
Chrome Access Control Manifest
"content_scripts": [
  { "all_frames": true, "js": ["blocker.js"],
    "matches": ["http://*/*", "https://*/*"], "run_at": "document_start" },
  { "all_frames": true, "js": ["scanner.js"],
    "matches": ["http://*/*", "https://*/*"], "run_at": "document_idle" }
],
Both content scripts match every http and https URL, in every frame; that is what Chrome reports to the user as access to "your data on all websites".
311 of 1,137 featured / popular extensions have access to "your data on all websites".
Question: What do extensions really do?
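An added example (not from the slides and not Chrome's own code) of answering that question from the manifest alone: parse each match pattern a manifest requests and summarise the host access. The classification is this example's approximation of Chrome's match-pattern rules; SLIDE_MANIFEST wraps the content_scripts block above in a constructed manifest, and SCOPED_MANIFEST is constructed too.

```javascript
// Parse a Chrome match pattern ("<scheme>://<host><path>" or "<all_urls>")
// into its parts; returns null for a string that is not a match pattern.
function parseMatchPattern(pattern) {
  if (pattern === "<all_urls>") return { scheme: "*", host: "*", path: "/*" };
  const m = /^(\*|https?|ftp|file):\/\/(\*|\*\.[^/*]+|[^/*]*)(\/.*)$/.exec(pattern);
  return m ? { scheme: m[1], host: m[2], path: m[3] } : null;
}

// Gather every host pattern the manifest asks for (content script matches plus
// host permissions) and say whether it amounts to "all websites".
function hostAccessSummary(manifest) {
  const requested = [];
  for (const script of manifest.content_scripts || []) requested.push(...(script.matches || []));
  for (const p of manifest.permissions || []) if (p === "<all_urls>" || p.includes("://")) requested.push(p);
  const hosts = new Set();
  const invalid = [];
  let allSites = false;
  for (const pattern of requested) {
    const parsed = parseMatchPattern(pattern);
    if (!parsed) invalid.push(pattern);                 // report, never silently accept
    else if (parsed.host === "*") allSites = true;      // any scheme with a wildcard host
    else hosts.add(parsed.host);
  }
  return { allSites, hosts: [...hosts].sort(), invalid };
}

// The content_scripts block from the slide, wrapped in a constructed manifest.
const SLIDE_MANIFEST = {
  name: "blocker", version: "1.0", manifest_version: 2,
  content_scripts: [
    { all_frames: true, js: ["blocker.js"], matches: ["http://*/*", "https://*/*"], run_at: "document_start" },
    { all_frames: true, js: ["scanner.js"], matches: ["http://*/*", "https://*/*"], run_at: "document_idle" },
  ],
};

// A constructed manifest scoped to specific hosts, with one malformed pattern
// (no path component) to show it is reported rather than treated as harmless.
const SCOPED_MANIFEST = {
  name: "scoped", version: "1.0", manifest_version: 2,
  content_scripts: [{ js: ["x.js"], matches: ["https://*.example.com/*"] }],
  permissions: ["storage", "https://api.example.org/", "http://no-path.example"],
};
```

The summary only says what the manifest lets the extension reach; what the scripts do with that reach is the question the slide poses, and answering it takes analysis of the code itself, which is where the next slides go.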
Page 39
(Screenshot, captioned:) similar to InPrivate Filtering (IE8), but available on other browsers
Page 40
311 of 1,137 featured / popular extensions have access to "your data on all websites".
Page 41
Verified Security for Browser Extensions
Nikhil Swamy
With Arjun Guha, Matthew Fredrikson, and Ben Livshits
[Oakland S&P, 2011]
Page 42
(Diagram: a Developer submits an extension to a Curator, who accepts or rejects it before it reaches Users.)
Today the curation criteria are arbitrary (Apple) or too permissive (Mozilla), and cross-platform extensions are hard.
Page 43
(Same Developer → Curator → Users diagram, with the goal added:)
A precise policy, plus
1. Automate policy compliance checking
2. Tools to understand policies
gives extensions that are predictable and reliable:
1. No runtime security checks (fast)
2. No security exceptions (robust)
Make this easier
Page 44
(Toolchain diagram: ext.f9, the extension written in Fine, an F# variant, and policy.f9, the policy in first-order logic, are checked by fine.exe, which either reports a violation or produces .NET and JavaScript output.)
Page 45
https://api.del.icio.us/v1/posts/add?url=http://people.csail.mit.edu/jeanyang&description=Jean+Yang
Page 46
let name = document.getName() in
let website = document.getWebsites()[0] in
...
getName and getWebsites do not exist…
Page 47
Policy: can read <td class="data"> tags
Page 48
Policy: can read <td class="data"> tags which have a sibling <td class="label">Website:</td>
(typical, application-specific policy)
Page 49
(screenshot)
Page 50
(screenshot)
Page 51
Summary
• Client-side JavaScript
  – Analysis of JavaScript
  – eval and code obfuscation
  – Need for runtime enforcement
  – Gatekeeper as illustration
• Browser Plugins
• Extensions
  – Firefox extension model
  – Chrome extension model
• Looking forward