Type-based Dependency Analysis for JavaScript
PLAS’13
Matthias Keil, Peter Thiemann
Institute for Computer Science, University of Freiburg, Freiburg, Germany
June 20, 2013, Seattle, WA, USA.

JavaScript
JavaScript is the most important language for web sites
92 % of all websites use JavaScript
Web developers rely on third-party libraries
e.g. for calendars, maps, social networks
    <script type="text/javascript"
      src="http://example.org/api/js/?ARGS">
    </script>
Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 2 / 17

JavaScript (cont.)
Dynamic programming language
e.g. eval, mashups
JavaScript has no security awareness
No namespace or encapsulation management
Global scope for variables/functions
All scripts have the same authority
Security aspects of JavaScript received much attention
Static or dynamic analysis techniques
Guarantees by reducing the functionality

Security Scenarios
1 Libraries may get access to sensitive data
2 User code may be prone to injection attacks
Naive approach: detect information flow
Pure information flow is too inflexible for investigating injection attacks
Ignores sanitized values
Our approach: dependency analysis
Addresses both scenarios
Sanitized values are acceptable
Static analysis
Implemented as extension of a type analyzer

Examples
Information flow
    var t = Cookie.get('access_token');
    // processing
    // ...
    Ajax.request('example.org', t);
Sanitization
    var input = document.getElementById('id');
    function sanitizer(value) {
      // clean up value
    }
    // processing
    // ...
    Ajax.request('example.org', sanitizer(input));

Design Principles
Dependency Analysis
Information flow pioneered by Denning
Determines potential data flow between program points
Related to simple security types
Flow-sensitive analysis
Abstracts data tainting
Stated as type-system

Tainting
Built-in traceℓ(e[, id]) and untrace(e, id) functions
ℓ – unique taint
id – tag name
Behaves like an identity function
Implicit classes: UNSAFE, SAFE
Policy-file
For predefined values (e.g. DOM, JavaScript API)
trace.policy
    # Object Trace
    trace: HTMLDocument.cookie; Ajax.request;
           Array.prototype; Math.abs;

Application Scenario: Sensitive Data
    var userHandler = function (uid) {
      var name = '';
      var onSuccess = function (response) { name = response; };
      if (alreadyLoaded) {
        Cookie.request(uid, onSuccess);
      } else {
        Ajax.request('example.org', uid, onSuccess);
      }
      return name;
    };
    var name = userHandler(trace("uid"));
The slide builds annotate the condition if (alreadyLoaded) first with alreadyLoaded=true, then with alreadyLoaded=(true|false).
Security properties on a fine level of granularity
Distinguish different sources

Application Scenario: Foreign Code
    loadForeignCode = trace(function () {
      Array.prototype.foreach = function (callback) {
        // do something
      };
    });
    loadForeignCode();
    // do something
    array.foreach(function (k, v) {
      result = k + v;
    });
Protect code from being compromised
Encapsulation of foreign code

Application Scenario: Sanitization
    $ = function (id) {
      return trace(document.getElementById(id).value, "#DOM");
    }
    function sanitizer(value) {
      // escape value
      return untrace(value, "#DOM");
    }
    // do something
    var input = $("text");
    var sanitizedInput = sanitizer(input);
    consumer(sanitizedInput);
Avoid injection attacks
e.g. only escaped values used
Change taint classes

Application Scenario: Sanitization (cont.)
    var sanitizedInput = i_know_what_i_do ? sanitizer(input) : input;
Mixture of sanitized and unsanitized taints
Flagged as an error

Dependency Tracking Semantics
    v = trace(value, '#DOM');             v : ℓ#DOM,UNSAFE
    v′ = trace(another, '#ANOTHER');      v′ : ℓ′#ANOTHER,UNSAFE
    var input                             input : ℓ#DOM,UNSAFE, ℓ′#ANOTHER,UNSAFE
    sanitized = untrace(input, '#DOM');   sanitized : ℓ#DOM,SAFE, ℓ′#ANOTHER,UNSAFE

Dependency Tracking Semantics
    input = trace(value, '#DOM');
    if
      input = untrace(input, '#DOM');
    fi
input : ℓ#DOM,UNSAFE
input : ℓ#DOM,UNSAFE
input : ℓ#DOM,SAFE
input : ℓ#DOM,UNSAFE
input : ℓ#DOM,SAFE, ℓ#DOM,UNSAFE
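
Added example (not from the slides and not the TAJS-based implementation): a small executable JavaScript model of the taint bookkeeping on the two Dependency Tracking Semantics slides, including the mixed sanitized/unsanitized result that is flagged as an error. It is a simplification that keys taints by tag name only and omits the unique taint ℓ; lift, join, show, mixed, twoSources and oneBranchSanitized are hypothetical helper names.

```javascript
const SAFE = 'SAFE', UNSAFE = 'UNSAFE';

// Simplified model (assumption): a taint set is a Map from tag to Set of classes.
const lift = (x) => (x && x.taints ? x : { value: x, taints: new Map() });

// trace(e, id): identity on the value; adds taint `id` in class UNSAFE.
function trace(e, id) {
  const v = lift(e), taints = new Map(v.taints);
  taints.set(id, new Set([...(taints.get(id) || []), UNSAFE]));
  return { value: v.value, taints };
}

// untrace(e, id): identity on the value; moves taint `id` to class SAFE.
function untrace(e, id) {
  const v = lift(e), taints = new Map(v.taints);
  if (taints.has(id)) taints.set(id, new Set([SAFE]));
  return { value: v.value, taints };
}

// join: a value depending on both a and b (data dependency, or the merge
// point after if/fi) carries the union of their taints.
function join(a, b) {
  const taints = new Map(lift(a).taints);
  for (const [id, classes] of lift(b).taints) {
    taints.set(id, new Set([...(taints.get(id) || []), ...classes]));
  }
  return { value: undefined, taints };
}

// Render as sorted "tag:CLASS" strings.
const show = (v) =>
  [...v.taints].flatMap(([id, cs]) => [...cs].map((c) => `${id}:${c}`)).sort();

// Tags that arrive both sanitized and unsanitized: the case flagged as an error.
const mixed = (v) =>
  [...v.taints].filter(([, cs]) => cs.has(SAFE) && cs.has(UNSAFE)).map(([id]) => id);

// Two sources flow into `input`; only '#DOM' is sanitized.
function twoSources() {
  const input = join(trace('a', '#DOM'), trace('b', '#ANOTHER'));
  return show(untrace(input, '#DOM'));
}

// The sanitizer runs on one branch only; both versions meet after the branch.
function oneBranchSanitized() {
  const input = trace('x', '#DOM'); // constructed sample value
  return mixed(join(untrace(input, '#DOM'), input));
}
```

twoSources() yields #ANOTHER:UNSAFE and #DOM:SAFE, matching the type shown for sanitized; oneBranchSanitized() reports #DOM as mixed, matching the final if/fi annotation.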

Technical Contribution
Formalization based on a typed JavaScript Core calculus
Dependency Tracking Semantics
Marker propagation for upcoming values
Not meant to perform a dynamic analysis
Static analysis based on the type system for dependency tracking
Termination-insensitive noninterference based on the types
Correct abstraction of the tracking semantics
Termination of the abstract analysis

Implementation
Implementation extends TAJS, a Type Analyzer for JavaScript developed by Anders Møller and others
Abstract values and states are extended with abstract taints
The control flow graph is extended by special nodes for implicit flows
traceℓ and untrace implemented as built-in functions
Policy file for pre-labeling of built-in objects

Conclusion
Designed and implemented a type-based dependency analysis for JavaScript
Analysis of information flow
Encapsulation of foreign code
Declassification of values (by changing taint-classes)
Dependency analysis is not a security analysis
Investigate noninterference
Ensure confidentiality
Verify correct sanitizer placement

Type-based Dependency Analysis for JavaScript
Questions?
Thank you for your attention.