protecting javascript source code in web runtime€¦ · protecting javascript source code in web...
TRANSCRIPT
![Page 1: Protecting JavaScript Source Code in Web Runtime€¦ · Protecting JavaScript Source Code in Web Runtime Roger Wang Tizen Developer; node-webkit creator Intel Open Source Technology](https://reader035.vdocuments.site/reader035/viewer/2022070904/5f729d52e551c34a0011cc6a/html5/thumbnails/1.jpg)
Protecting JavaScript Source Code in Web Runtime
Roger WangTizen Developer; node-webkit creatorIntel Open Source Technology Center
![Page 2: Protecting JavaScript Source Code in Web Runtime€¦ · Protecting JavaScript Source Code in Web Runtime Roger Wang Tizen Developer; node-webkit creator Intel Open Source Technology](https://reader035.vdocuments.site/reader035/viewer/2022070904/5f729d52e551c34a0011cc6a/html5/thumbnails/2.jpg)
2
Agenda
● Problem statement● Existing solutions● Proposed solution● Internals and considerations
![Page 3: Protecting JavaScript Source Code in Web Runtime€¦ · Protecting JavaScript Source Code in Web Runtime Roger Wang Tizen Developer; node-webkit creator Intel Open Source Technology](https://reader035.vdocuments.site/reader035/viewer/2022070904/5f729d52e551c34a0011cc6a/html5/thumbnails/3.jpg)
3
Problem statement
● Application is written in JS● JS programmers need a way to protect their code
![Page 4: Protecting JavaScript Source Code in Web Runtime€¦ · Protecting JavaScript Source Code in Web Runtime Roger Wang Tizen Developer; node-webkit creator Intel Open Source Technology](https://reader035.vdocuments.site/reader035/viewer/2022070904/5f729d52e551c34a0011cc6a/html5/thumbnails/4.jpg)
Obfuscation / Minifying
YUI Compressor
Google Closure Compiler
UglifyJS
![Page 5: Protecting JavaScript Source Code in Web Runtime€¦ · Protecting JavaScript Source Code in Web Runtime Roger Wang Tizen Developer; node-webkit creator Intel Open Source Technology](https://reader035.vdocuments.site/reader035/viewer/2022070904/5f729d52e551c34a0011cc6a/html5/thumbnails/5.jpg)
5
Bubble Sort in JS
function bubbleSort(a)
{
var swapped;
do {
swapped = false;
for (var i=0; i < a.length-1; i++) {
if (a[i] > a[i+1]) {
var temp = a[i];
a[i] = a[i+1];
a[i+1] = temp;
swapped = true;
}
}
} while (swapped);
}
window.bubbleSort=function(b){var c;do{c=!1;for(var a=0;a<b.length-1;a++)b[a]>b[a+1]&&(c=b[a],b[a]=b[a+1],b[a+1]=c,c=!0)}while(c)};
![Page 6: Protecting JavaScript Source Code in Web Runtime€¦ · Protecting JavaScript Source Code in Web Runtime Roger Wang Tizen Developer; node-webkit creator Intel Open Source Technology](https://reader035.vdocuments.site/reader035/viewer/2022070904/5f729d52e551c34a0011cc6a/html5/thumbnails/6.jpg)
6
Bubble Sort in JS (2)
function bubbleSort(a)
{
var swapped;
do {
swapped = false;
for (var i=0; i < a.length-1; i++) {
if (a[i] > a[i+1]) {
var temp = a[i];
a[i] = a[i+1];
a[i+1] = temp;
swapped = true;
}
}
} while (swapped);
}
window.bubbleSort = function(b) {
var c;
do {
c = !1;
for(var a = 0;a < b.length - 1;a++) {
b[a] > b[a + 1] && (
c = b[a],
b[a] = b[a + 1],
b[a + 1] = c,
c = !0)
}
}while(c)
};
![Page 7: Protecting JavaScript Source Code in Web Runtime€¦ · Protecting JavaScript Source Code in Web Runtime Roger Wang Tizen Developer; node-webkit creator Intel Open Source Technology](https://reader035.vdocuments.site/reader035/viewer/2022070904/5f729d52e551c34a0011cc6a/html5/thumbnails/7.jpg)
On-disk encryption
![Page 8: Protecting JavaScript Source Code in Web Runtime€¦ · Protecting JavaScript Source Code in Web Runtime Roger Wang Tizen Developer; node-webkit creator Intel Open Source Technology](https://reader035.vdocuments.site/reader035/viewer/2022070904/5f729d52e551c34a0011cc6a/html5/thumbnails/8.jpg)
8
On-disk Encryption
● Increase the time to hack● Weakness
● Encrypting on installation● HTTP(s) MITM w/ private certificate
● Function.toString()● Hook on JS engine calls● Memory dumping
![Page 9: Protecting JavaScript Source Code in Web Runtime€¦ · Protecting JavaScript Source Code in Web Runtime Roger Wang Tizen Developer; node-webkit creator Intel Open Source Technology](https://reader035.vdocuments.site/reader035/viewer/2022070904/5f729d52e551c34a0011cc6a/html5/thumbnails/9.jpg)
Other SolutionsPut logic on server
Compile to JS
License & Lawyer
![Page 10: Protecting JavaScript Source Code in Web Runtime€¦ · Protecting JavaScript Source Code in Web Runtime Roger Wang Tizen Developer; node-webkit creator Intel Open Source Technology](https://reader035.vdocuments.site/reader035/viewer/2022070904/5f729d52e551c34a0011cc6a/html5/thumbnails/10.jpg)
Compile JS to Machine Code
![Page 11: Protecting JavaScript Source Code in Web Runtime€¦ · Protecting JavaScript Source Code in Web Runtime Roger Wang Tizen Developer; node-webkit creator Intel Open Source Technology](https://reader035.vdocuments.site/reader035/viewer/2022070904/5f729d52e551c34a0011cc6a/html5/thumbnails/11.jpg)
11
Compiling and Distribution
● Development phase● Compiler● Minimal changes to application manifest and <script> tag
● Distribution with the binary only● Application store
● Leveraging the difference between Web Runtime & Browser● Experimental feature in node-webkit
![Page 12: Protecting JavaScript Source Code in Web Runtime€¦ · Protecting JavaScript Source Code in Web Runtime Roger Wang Tizen Developer; node-webkit creator Intel Open Source Technology](https://reader035.vdocuments.site/reader035/viewer/2022070904/5f729d52e551c34a0011cc6a/html5/thumbnails/12.jpg)
12
Details of Implementation
● Heap dumping● Objects● Functions (JITed)
● V8 Snapshot● Size● Peformance: full-codegen & crankshaft
● JSC API shim layer● Plan on JSC
![Page 13: Protecting JavaScript Source Code in Web Runtime€¦ · Protecting JavaScript Source Code in Web Runtime Roger Wang Tizen Developer; node-webkit creator Intel Open Source Technology](https://reader035.vdocuments.site/reader035/viewer/2022070904/5f729d52e551c34a0011cc6a/html5/thumbnails/13.jpg)
13
JSC API Shim Layer
● JSC public API wrapper on v8● Derivative work based on qtwebkit-v8● Switch to v8 DOM binding in WebKit● Components accessing JSC public API
● Injected Bundle● Plugin
![Page 14: Protecting JavaScript Source Code in Web Runtime€¦ · Protecting JavaScript Source Code in Web Runtime Roger Wang Tizen Developer; node-webkit creator Intel Open Source Technology](https://reader035.vdocuments.site/reader035/viewer/2022070904/5f729d52e551c34a0011cc6a/html5/thumbnails/14.jpg)
Q/A
![Page 15: Protecting JavaScript Source Code in Web Runtime€¦ · Protecting JavaScript Source Code in Web Runtime Roger Wang Tizen Developer; node-webkit creator Intel Open Source Technology](https://reader035.vdocuments.site/reader035/viewer/2022070904/5f729d52e551c34a0011cc6a/html5/thumbnails/15.jpg)
![Page 16: Protecting JavaScript Source Code in Web Runtime€¦ · Protecting JavaScript Source Code in Web Runtime Roger Wang Tizen Developer; node-webkit creator Intel Open Source Technology](https://reader035.vdocuments.site/reader035/viewer/2022070904/5f729d52e551c34a0011cc6a/html5/thumbnails/16.jpg)
16
Solutions
● Obfuscation / Minifying● YUI Compressor● Google Closure Compiler● UglifyJS
● On-disk encryption● Less JavaScript
● Put logic on server● Compile to JS
● License & Lawyer