Staged Information Flow for JavaScript (Ravi Chugh, Jeff Meister, Ranjit Jhala, Sorin Lerner, UC San Diego)
Posted 21-Dec-2015
TRANSCRIPT
Slide 1
Staged Information Flow for JavaScript
Ravi Chugh, Jeff Meister, Ranjit Jhala, Sorin Lerner
UC San Diego
Slide 2
wsj.com
<textbox id="SearchBox"><button onclick="doSearch(SearchBox.value)">
<script type="javascript">
searchUrl = "wsj.com/search?";
doSearch = function(s) { var u = searchUrl + s; document.location = u; }
</script>
z = get("a.com/ad.js");
eval(z);
Slide 3
wsj.com
<textbox id="SearchBox"><button onclick="doSearch(SearchBox.value)">
<script type="javascript">
searchUrl = "wsj.com/search?";
doSearch = function(s) { var u = searchUrl + s; document.location = u; }
</script>
a.com/ad.js:
displayAd = function() { ... }
displayAd();
Slide 4
wsj.com
<textbox id="SearchBox"><button onclick="doSearch(SearchBox.value)">
<script type="javascript">
searchUrl = "wsj.com/search?";
doSearch = function(s) { var u = searchUrl + s; document.location = u; }
</script>
a.com/ad.js:
displayAd = function() { ... }
displayAd();
searchUrl = "evil.com/";
Slide 5
evil.com
• Script navigates to malicious page
• Exploits browser vulnerability
Slide 6
The Problem, Part 1
• Third-party code may affect sensitive data
  – e.g. writing doc.location
  – e.g. reading doc.cookie
• Information flow policies
  – e.g. integrity of doc.location
  – e.g. confidentiality of doc.cookie
• JavaScript difficulties
  – dynamic typing
  – first-class functions
  – objects, but no classes
  – prototypes
server code:
var doc = ...;
third-party code:
doc.location = "evil";
steal(doc.cookie);
Slide 7
The Problem, Part 2
• Entire code not available until runtime
• Arrives in stages
server code:
var doc = ...;
third-party code:
doc.location = "evil";
steal(doc.cookie);
Slide 8
Our Staged Approach: Server
(diagram: the server-side inputs are the context and the policy)
Information Flow Policies
Confidentiality policy: x should not be read
Integrity policy: x should not be written
Slide 9
Our Staged Approach: Server
(diagram: context + policy → JavaScript Staging Analysis → residual policy)
Residual policy:
• Summarizes how loaded code must behave
• Syntactically enforceable for speed
No Read: must-not-read vars
No Write: must-not-write vars
Slide 10
Our Staged Approach: Client
(diagram: Browser → JavaScript Engine → Residual Policy Checker; the checker receives the context and the residual policy and marks each hole ✓ or ✗)
Slide 11
wsj.com
<textbox id="SearchBox"><button onclick="doSearch(SearchBox.value)">
<script type="javascript">
searchUrl = "wsj.com/search?";
doSearch = function(s) { var u = searchUrl + s; document.location = u; }
</script>
Policy columns: No Read, No Write
Variables in play: searchUrl, doSearch, s, SearchBox.value, document.location
✕
Slide 12
wsj.com (same context script as slide 11)
Residual policy:
No Read: doSearch
No Write: searchUrl, SearchBox.value, document.location
Slide 13
wsj.com (same context script as slide 11)
Residual policy: No Read: doSearch; No Write: searchUrl, SearchBox.value, document.location
Hole a.com/ad1.js:
displayAd = function() { if (version < 7) { ... } else { ... } }
displayAd();
✓
Slide 14
wsj.com (same context script as slide 11)
Residual policy: No Read: doSearch; No Write: searchUrl, SearchBox.value, document.location
Hole a.com/ad2.js:
searchUrl = "evil.com/";
✗
Slide 15
wsj.com (same context script as slide 11)
Residual policy: No Read: doSearch; No Write: searchUrl, SearchBox.value, document.location
Hole a.com/ad3.js:
doSearch("foo");
✗
Slide 16
Outline
• Overview
• JavaScript Static Analysis
• Computing Residual Policies
• Additional Challenges
• Evaluation
Slide 17
Information Flow Graph
• Analysis tracks information flow in program
• Flow-insensitive, set constraint-based
• Graph representation:
  – program constants, variables, edges
  – special nodes for function declarations and calls
(diagram: a function node Fun and a variable node x0)
Slides 18-28 (the information flow graph for the wsj.com context, built up one node at a time)
Context:
searchUrl = "wsj.com/search?";
doSearch = function(s) { var u = searchUrl + s; document.location = u; }
doSearch(SearchBox.value);
Hole (a.com/ad1.js):
displayAd = function() { ... };
displayAd();
Graph nodes, in the order the slides add them: searchUrl, "wsj.com/search?", Fun s (declaration node for doSearch, with parameter s), doSearch, u, document.location, Fun SearchBox.value (call node for doSearch(SearchBox.value)), Fun displayAd (declaration node) and its call node.
Edges follow the assignments: "wsj.com/search?" → searchUrl → u → document.location, and SearchBox.value → s → u; the displayAd nodes are not connected to any of them.
✓ (ad1.js satisfies the policy)
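The graph described on slide 17 and built up on slides 18-28, as an added example that is not the paper's tool: a flow-insensitive builder that takes the wsj.com context and the ad1.js hole as statement objects (a constructed stand-in for a parsed AST), creates constant, variable, function and call nodes, and resolves calls to parameters with a set-constraint style fixpoint. Node names such as Fun:doSearch and Call:displayAd, and the statement-object shape, are my own.

```javascript
// Added example, not the paper's implementation: build the flow-insensitive
// information-flow graph of slide 17 for the wsj.com program of slides 18-28.
// Statements are plain objects (constructed input) instead of a parsed AST;
// parameters and locals are ordinary named nodes, as in the slides, so
// same-named variables in different functions would merge.

function buildFlowGraph(stmts) {
  const succ = new Map();   // node -> Set of nodes it flows into
  const funcs = new Map();  // 'Fun:<name>' -> parameter node names
  const calls = [];         // call sites, resolved at the fixpoint below
  const node = (n) => { if (!succ.has(n)) succ.set(n, new Set()); return n; };
  const addEdge = (from, to) => {
    node(from); node(to);
    if (succ.get(from).has(to)) return false;
    succ.get(from).add(to);
    return true;
  };

  // One pass over the statements (flow-insensitive: statement order does not matter).
  const walk = (list) => {
    for (const st of list) {
      if (st.kind === 'assign') {
        for (const src of st.sources) addEdge(src, st.target); // x = e: each operand of e flows into x
      } else if (st.kind === 'fundef') {
        const f = `Fun:${st.name}`;                  // special declaration node
        funcs.set(f, st.params.map((p) => node(p)));
        addEdge(f, st.name);                         // the function value flows into its variable
        walk(st.body);
      } else if (st.kind === 'call') {
        node(`Call:${st.callee}`);                   // special call node (return values not modelled here)
        calls.push({ callee: node(st.callee), args: st.args });
      } else {
        throw new Error(`unknown statement kind: ${st.kind}`);
      }
    }
  };
  walk(stmts);

  const reaches = (from, to) => {
    const seen = new Set([from]), work = [from];
    while (work.length) {
      const n = work.pop();
      if (n === to) return true;
      for (const m of succ.get(n) || []) if (!seen.has(m)) { seen.add(m); work.push(m); }
    }
    return false;
  };

  // Set-constraint style fixpoint: a call binds each argument to the parameter of every
  // function node that may reach the callee variable; new edges may let more function
  // nodes reach other callees, so repeat until no edge is added.
  let changed = true;
  while (changed) {
    changed = false;
    for (const c of calls) {
      for (const [f, params] of funcs) {
        if (!reaches(f, c.callee)) continue;
        params.forEach((p, i) => { if (i < c.args.length && addEdge(c.args[i], p)) changed = true; });
      }
    }
  }
  return { succ, reaches, nodes: [...succ.keys()] };
}

// wsj.com context followed by the a.com/ad1.js hole (slides 18-28), as statement objects.
const wsjProgram = [
  { kind: 'assign', target: 'searchUrl', sources: ['"wsj.com/search?"'] },
  { kind: 'fundef', name: 'doSearch', params: ['s'], body: [
    { kind: 'assign', target: 'u', sources: ['searchUrl', 's'] },          // var u = searchUrl + s
    { kind: 'assign', target: 'document.location', sources: ['u'] },       // document.location = u
  ] },
  { kind: 'call', callee: 'doSearch', args: ['SearchBox.value'] },
  { kind: 'fundef', name: 'displayAd', params: [], body: [] },             // displayAd = function() { ... }
  { kind: 'call', callee: 'displayAd', args: [] },
];

const wsjFlow = buildFlowGraph(wsjProgram);
console.log(wsjFlow.reaches('SearchBox.value', 'document.location'));  // true: the argument reaches the sink
console.log(wsjFlow.reaches('Fun:displayAd', 'document.location'));    // false: ad1.js is disconnected
```

The fixpoint is what makes first-class functions work without flow sensitivity: because the function value of Fun:doSearch flows into the variable doSearch, the call doSearch(SearchBox.value) adds the edge SearchBox.value → s, and only then does the path from the search box to document.location exist.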
Slides 29-30 (same graph, hole a.com/ad2.js)
Hole:
/* a.com/ad2.js */
searchUrl = "evil.com";
A new constant node "evil.com/" flows into searchUrl, and from there through u into document.location.
✗
Slides 31-32 (same graph, hole a.com/ad3.js)
Hole:
/* a.com/ad3.js */
doSearch("foo");
A new call node Fun "foo" binds the constant "foo" to parameter s, which flows through u into document.location.
✗
Slide 33
Outline
• Overview
• JavaScript Static Analysis
• Computing Residual Policies
• Additional Challenges
• Evaluation
Slide 34
(graph of slide 28: Fun s, doSearch, u, searchUrl, document.location, Fun SearchBox.value, "wsj.com/search?")
No Write taint: document.location, u, searchUrl, SearchBox.value, s
No Read taint: doSearch
Residual policy (variables the hole must not read or write): doSearch, searchUrl, SearchBox.value, document.location, s
Add taint to sensitive data and propagate
Slide 35
Residual Policies
• Difficulties:
  – Aliasing
  – First-class functions
  – Don't want flow analysis in browser
• Solution:
  – Conservatively taint functions
  – Conservatively taint fields
Slide 36
Tainted Functions
• Transfer taints from parameters to functions
• Transfer taints from return values to functions
foo(document.cookie);
// hole redefines foo
foo = function(t) { /* reads t, hence cookie */ }
(diagram: the No Read taint on the argument document.cookie reaches foo's parameter and becomes a No Write taint on foo; labels: "No Read to Fun", "No Write to Fun", "No Write Taint", "No Read Taint")
Slide 37
Aliasing and Tainted Fields
• Residual policy misses future aliasing
• Conservative approach: if field f is tainted for some object, f is tainted for all
tmp = document;
z = tmp.cookie;
// reads z
(diagram: No Read taint on document.cookie carries over to tmp.cookie and z; No Write column empty)
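The residual-policy computation of slide 34 together with the conservative function rule (slide 36), the conservative field rule (slide 37) and the purely syntactic client-side check (slides 9-15), as an added example that is not the paper's implementation. The graph is given directly as an edge list constructed from the slide 18-28 diagram; the direction in which a parameter's taint is transferred to its function (No Read data into a parameter makes the function No Write, a parameter flowing to a No Write sink makes the function No Read) is my reading of slide 36, and the tokenizer is a deliberately simple stand-in for a real parser.

```javascript
// Added example, not the paper's tool: derive a residual policy from an
// information-flow graph by taint propagation (slide 34), apply the conservative
// function and field rules of slides 36-37, then run the syntactic residual
// checker a client would use on a hole (slides 9-15). Graph edges are a
// constructed edge list; the transfer rule direction and tokenizer are my own.

function computeResidualPolicy(graph, policy) {
  const succ = new Map(), pred = new Map();
  const link = (m, a, b) => { if (!m.has(a)) m.set(a, new Set()); m.get(a).add(b); };
  for (const [from, to] of graph.edges) { link(succ, from, to); link(pred, to, from); }
  const noRead = new Set(policy.noRead || []);
  const noWrite = new Set(policy.noWrite || []);

  // Forward closure: whatever a No-Read node flows into must not be read either.
  // Backward closure: whatever flows into a No-Write node must not be written.
  const close = (set, next) => {
    const work = [...set];
    while (work.length) {
      const n = work.pop();
      for (const m of next.get(n) || []) if (!set.has(m)) { set.add(m); work.push(m); }
    }
  };
  // Taint on a function node also covers the variables the function value is bound to.
  const taintFunction = (set, f) => { set.add(f); for (const v of succ.get(f) || []) set.add(v); };

  let before;
  do {
    before = noRead.size + noWrite.size;
    close(noRead, succ);
    close(noWrite, pred);
    // Slide 36 rule, as I read it: No-Read data reaching a parameter means the hole must
    // not redefine the function (No Write); a parameter flowing to a No-Write sink means
    // the hole must not call it (No Read). Return values transfer the other way round.
    for (const [f, { params = [], returns = [] }] of Object.entries(graph.funcs || {})) {
      if (params.some((p) => noRead.has(p)) || returns.some((r) => noWrite.has(r))) taintFunction(noWrite, f);
      if (params.some((p) => noWrite.has(p)) || returns.some((r) => noRead.has(r))) taintFunction(noRead, f);
    }
  } while (noRead.size + noWrite.size !== before);

  // Slide 37: the residual policy cannot see future aliasing (tmp = document),
  // so a tainted field name is treated as tainted on every object.
  const isName = (n) => !n.startsWith('"') && !n.startsWith('Fun:');
  const names = (set) => [...set].filter(isName).sort();
  const fields = (set) => names(set).filter((n) => n.includes('.')).map((n) => n.split('.').pop());
  return { noRead: names(noRead), noWrite: names(noWrite),
           noReadFields: [...new Set(fields(noRead))], noWriteFields: [...new Set(fields(noWrite))] };
}

// Syntactic residual check: no flow analysis, only a scan of the hole's source for
// reads and writes of names (or field names) the residual policy forbids.
const KEYWORDS = new Set(['function', 'var', 'if', 'else', 'return', 'new', 'this', 'true', 'false', 'null']);
const TOKEN = /"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*/g;

function checkHole(residual, source) {
  const noRead = new Set(residual.noRead), noWrite = new Set(residual.noWrite);
  const noReadFields = new Set(residual.noReadFields), noWriteFields = new Set(residual.noWriteFields);
  const violations = [];
  for (const m of source.matchAll(TOKEN)) {
    const name = m[0];
    if (name.startsWith('"') || name.startsWith("'") || KEYWORDS.has(name)) continue;
    const field = name.includes('.') ? name.split('.').pop() : null;
    const isWrite = /^\s*=(?!=)/.test(source.slice(m.index + name.length)); // "x =" but not "x =="
    if (isWrite && (noWrite.has(name) || noWriteFields.has(field))) violations.push({ op: 'write', name });
    if (!isWrite && (noRead.has(name) || noReadFields.has(field))) violations.push({ op: 'read', name });
  }
  return violations;
}

// Constructed graph of the wsj.com context (slides 18-28) under the integrity
// policy "document.location must not be written".
const wsjGraph = {
  edges: [
    ['"wsj.com/search?"', 'searchUrl'],
    ['searchUrl', 'u'], ['s', 'u'], ['u', 'document.location'],
    ['SearchBox.value', 's'],            // argument of doSearch(SearchBox.value) bound to s
    ['Fun:doSearch', 'doSearch'],
  ],
  funcs: { 'Fun:doSearch': { params: ['s'] } },
};
const wsjResidual = computeResidualPolicy(wsjGraph, { noWrite: ['document.location'] });
const holes = {                          // the three holes of slides 13-15
  ad1: 'displayAd = function() { if (version < 7) { } else { } }; displayAd();',
  ad2: 'searchUrl = "evil.com/";',
  ad3: 'doSearch("foo");',
};

// Constructed context for slides 36-37: foo(document.cookie) under cookie confidentiality.
const cookieGraph = {
  edges: [['document.cookie', 't'], ['Fun:foo', 'foo']],
  funcs: { 'Fun:foo': { params: ['t'] } },
};
const cookieResidual = computeResidualPolicy(cookieGraph, { noRead: ['document.cookie'] });
const cookieHoles = {
  redefine: 'foo = function(v) { leak(v); };',   // slide 36: hole redefines foo
  alias: 'tmp = document; z = tmp.cookie;',      // slide 37: alias, then read the field
};

for (const [name, src] of Object.entries(holes)) console.log(name, checkHole(wsjResidual, src));
for (const [name, src] of Object.entries(cookieHoles)) console.log(name, checkHole(cookieResidual, src));
```

On the wsj graph the residual policy comes out as No Read: doSearch and No Write: SearchBox.value, document.location, s, searchUrl, u, matching slide 12; ad1.js passes, ad2.js is rejected for writing searchUrl and ad3.js for reading doSearch. On the cookie context the function rule puts foo under No Write, so the redefinition is rejected, and the field rule rejects the read of tmp.cookie even though the residual policy never saw the alias tmp.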
Slide 38
Outline
• Overview
• JavaScript Static Analysis
• Computing Residual Policies
• Additional Challenges
• Evaluation
Slide 39
Objects
• Used pervasively in JavaScript
• Hence, analysis must be field-sensitive
• Encode "setter" and "getter" for field f using a field node Fld_f
• Fields can be dynamically added
• Initially assume no fields
• Iteratively add constraints until fixpoint
x = { f: 1 };
x.g = 2;
Slide 40
Prototypes
• JavaScript uses prototype-based inheritance
• Intuitively, each object x
  – has a link to its parent
  – inherits parent's fields
• Ensures each object has fields of its ancestors
(diagram: x linked to x.parent)
Slide 41
Indirect Flows
if (document.cookie == "foo") {
  y = 1;
}
(diagram: edge document.cookie → y labelled INDIRECT, edge 1 → y)
• Propagate taints along indirect flow edges
• But not program values
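The two bullets above, as an added example that is not the paper's code: a constructed graph for the slide's `if` statement followed by `z = y`, with edges tagged direct or indirect. Taint is closed over both edge kinds, so y and z become No Read for the hole, while the toy value propagation follows direct edges only, so the cookie's value never appears in the value sets of y or z. The edge-object shape and function names are my own.

```javascript
// Added example, not the paper's implementation: slide 41's indirect flows on a
// constructed graph. Edges carry a kind: 'direct' for assignments, 'indirect' for
// control dependence on a condition. Taint follows both kinds; values follow
// direct edges only.

const flowEdges = [
  // if (document.cookie == "foo") { y = 1; }   then   z = y;
  { from: 'document.cookie', to: 'y', kind: 'indirect' },
  { from: '1', to: 'y', kind: 'direct' },
  { from: 'y', to: 'z', kind: 'direct' },
];

// Forward closure of the seed set over every edge, whatever its kind.
function propagateTaint(edges, seeds) {
  const tainted = new Set(seeds), work = [...seeds];
  while (work.length) {
    const n = work.pop();
    for (const e of edges) if (e.from === n && !tainted.has(e.to)) { tainted.add(e.to); work.push(e.to); }
  }
  return tainted;
}

// Constants are the leaves; a variable's value set is the union over its direct
// predecessors, iterated to a fixpoint so the order of the edge list does not matter.
function propagateValues(edges, constants) {
  const values = new Map(constants.map((c) => [c, new Set([c])]));
  let changed = true;
  while (changed) {
    changed = false;
    for (const e of edges) {
      if (e.kind !== 'direct') continue;
      if (!values.has(e.to)) values.set(e.to, new Set());
      for (const v of values.get(e.from) || []) {
        if (!values.get(e.to).has(v)) { values.get(e.to).add(v); changed = true; }
      }
    }
  }
  return values;
}

const tainted = propagateTaint(flowEdges, ['document.cookie']);
const values = propagateValues(flowEdges, ['1']);
console.log([...tainted]);            // document.cookie, y, z: all No Read for the hole
console.log([...values.get('z')]);    // ['1']: the cookie's value never flows into z
```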
Slide 42
Outline
• Overview
• JavaScript Static Analysis
• Computing Residual Policies
• Additional Challenges
• Evaluation
Slide 43
Implementation
• Flow analysis and residual policy generator
  – parse JavaScript (JSure)
  – generate set constraints (6,000 lines of OCaml)
  – solve constraints (Banshee + 400 lines of C)
• Stand-alone residual policy checker
  – not yet incorporated into browser
• JavaScript collector
  – Firefox extension (500 lines of JavaScript)
Slide 44
Experimental Setup
• Collect JavaScript for Alexa top 100 web sites
  – 97/100 have JavaScript
  – 63/97 have holes
Context: all server code
Hole: all third-party code
Slide 45
Experimental Setup
• Information flow analysis on context + hole (✓/✗)
• Compute residual policy, check it on hole (✓/✗)
Policies tested: cookie confidentiality, location integrity
Slide 46
Scalability of Full Analysis
(scatter plot: x-axis "Lines of code (thousands)" with ticks 0 to 45000, y-axis "Running time (seconds)" with ticks 0 to 90)
80% run in <12 sec
Average: 9.9 sec
Slide 47
Average Running Times
Full Analysis (✓/✗): 9.9 sec
Staged Analysis (✓/✗): 14.0 sec to compute the residual policy, 0.13 sec to check it
Slide 48
Results of Analysis: Full
• Hole satisfies cookie policy? ✓ 30, ✗ 32
Slide 49
Results of Analysis: Staged
• Hole satisfies cookie policy? ✓ 30, ✗ 32
Residual checker:
• 26/30 safe
• Imprecision: 4 false positives
(chart: 26, 4, 32)
Slide 50
Future Work
• Context-sensitivity
• Dynamically-constructed field names
• Test more complicated policies
• Embed residual policy checker in browser
Slide 51
Related Work
• Information flow
  – type systems
  – dynamic instrumentation
• JavaScript analysis
  – types [Thiemann 05, Anderson et al. 05]
  – dynamic policies [Chander et al. 07]
  – static analysis [Guarnieri/Livshits 09]
• Browser security
  – finer-grained interaction between scripts [Howell et al. 07]
Slide 52
Summary
• JavaScript static analysis is scalable
• Residual checks are fast enough for client
• Residual policies precisely capture information flow
Slide 53
Thanks!
Slide 54
Extra Slides
Slide 55
Information Flow Policies
Confidentiality of x: x should not affect hole variables
  indirectly: if (x) { holeVar = 1 };
  or directly: holeVar = x;
Integrity of x: hole variables should not affect x
  indirectly: if (holeVar) { x = 1 };
  or directly: x = holeVar;
Slide 56
Fields
Slide 57
Running Times
• Full analysis too slow to run on client
• Quick to compute residual policy on server
• Small run-time overhead to check
  – running time includes parsing time
  – parser is not optimized for speed
Average running time (seconds):
                                      cookie policy   location policy
Flow analysis on context + hole            9.9            10.7
Computing residual policy                 14.0            28.4
Checking residual policy                   0.13            0.12
Slide 58
Results of Staged Analysis
• Residual policy usually agrees with full information flow analysis
• Imprecision from tainted functions/fields
• No false negatives
Full: Policy Satisfied?   Staged: Policy Satisfied?   cookie policy   location policy
✓                         ✓                                26              49
✓                         ✗                                 4               8   (imprecision)
✗                         ✗                                32               5
✗                         ✓                                 0               0   (soundness)