190 likes | 331 Views
Sep 2011. Hybrid Analysis for JavaScript Security Assessment Omer Tripp Omri Weisman Salvatore Guarnieri IBM Software Group. Why JavaScript Analysis?. According to an IBM study performed in 2010. Why JavaScript Analysis? (cont.). 15 %.
E N D
Sep 2011 Hybrid Analysis for JavaScript Security AssessmentOmer TrippOmri WeismanSalvatore GuarnieriIBM Software Group
Why JavaScript Analysis? According to an IBM study performed in 2010
Why JavaScript Analysis? (cont.) 15% of Fortune 500 websites have exploitable security issues in JavaScript. According to an IBM study performed in 2010 DOM-based XSS document.write(document.URL.substring( pos,document.URL.length)); Open Redirect var pos = document.location.href.indexOf("name="); var val = document.location.href.substring(pos); document.location.href = "http://" + val;
Complexities of JavaScript function sum() { if (arguments.length > 3) { eval(arguments[1]); } } sum(1, "...”, 3) • Reflective property access • Prototype chain property lookup • Lexical scoping • Function pointers • Arguments array • eval and its relatives function foo() { var y = 42; var bar = function() { write(y); } } function F() { this.bar = document.url; } function G() { } G.prototype = new F(); var a = new G(); write(g.bar); eval("document.write('evil')"); var a = "foo" + "bar"; var b = obj[a]; var m = function() ... var k = function(f) { f(); } k(m);
Analysis Example Taint variable: (v2, foo, <f, *>) function foo(p1, p2) { p1.f = p2.f; } var a = new Object(); var b = new Object(); b.f = window.location.toString(); var c = new Object(); var d = new Object(); d.f = "safe"; foo(a, b); foo(c, d); document.write(a.f); // This is a taint violation document.write(c.f); // This is NOT a taint violation Install taint summary for foo: p2.f -> p1.f Since d.fis not tainted, c.fwill not be tainted
Why Hybrid Analysis? + Performance + Soundness + Coverage + Dynamic Behavior + Performance + Soundness + Coverage - Frameworks - Dynamic loading + Dynamic behavior - Coverage Hybrid analysis Dynamic analysis Static analysis
Static Analysis • Typically applied to server-side JavaScript content • Misses dynamically generated JavaScript! <scripttype="text/javascript"> document.write('<scr'+'ipt '); document.write('src="http://affinity-numerology.com/cgibin/ EmailThisLink.cgi?g'+Email_This_Link+'"'); document.write(' type="text/javascript">'); document.write('</scr'+'ipt>'); </script>
Evil script not sent to server WebApplication Attacker’s evil scriptexecuted using victim’s credentials link embedded withevil script Attacker Victim Traditional Black-box Testing • Sends test payload in HTTP request • Checks response for reflected payload • Does not work for DOM-based XSS!
Sandboxed JavaScript Execution http://mysite/search.aspx?search=<script>alert('hacked')</script> Black-boxScanner
Dynamic Taint Analysis Source document.URL execution flow Sink document.write()
Our Hybrid Architecture HTML/JavaScript, concrete URLs, … Black-boxScanner DOMmodeling Reduce scope Taintanalysis Find issues Stringanalysis Eliminatefalse positives issues
Hybrid Elimination of False Reports • Specialized string analysis using dynamic pieces of information (e.g., concrete URL) • Part controlled by attacker is unknown, but known prefix modeled precisely "https://some-site/release/jsp/sso/login.html?..." var str = document.URL; var url_check = str.indexOf('login.html'); if (url_check > -1) { result = str.substring(0,url_check); result = result + 'login.jsp' + str.substring((url_check+search_term.length), str.length); document.URL = result; } URL as Source http://www.mysite.com/folder/page?a=1&b=2#anchor NOT CONTROLLED BY ATTACKER CONTROLLED BY ATTACKER
String Analysis: Example Stringvariable Integervariable
Hybrid DOM Modeling • The HTML DOM is an important channel of data propagation, but often too big (>105 lines of text) for the analysis to model! • In the hybrid setting • the analysis operates on a fully resolved DOM • the analysis can thus “reduce” the DOM BEFORE DOMreduction AFTER
Implementation & Evaluation • Algorithm featured in IBM Rational AppScan Standard Edition, a black-box security-scanning product • Experimental hypotheses: • (1st experiment) The DOM-modeling and string-analysis specialization features have significant impact on the quality of the static security scanner • (2nd experiment) The hybrid solution is significantly better than the baseline security scanner, which performs sandboxed JavaScript execution
1st Experiment: Results Total number of JavaScript security vulnerabilities detected for 675 websites • 200-500 pages from each site • 4 configurations: with/without DOM modeling, string analysis • Results: • Without DOM modeling: too many crashes! • String analysis highly effective
2nd Experiment: Results Client-side vulnerabilities found by black-box scanner with and without hybrid capabilities • Sites selected at random (out of 675 sites used for 1st experiment) • False reports due to infeasible/rare path conditions
Summary • Hybrid JavaScript security analysis is a powerful approach • Allows new and exciting specialization techniques • Transcends inherent weaknesses of static and dynamic analyses • Thousands of real vulnerabilities discovered using our tool when applied to highly popular sites (Fortune 500, top 100 sites list, etc.) • Very low rate of false reports (thanks to string analysis) • Scales to real-world JavaScript and HTML (thanks to DOM modeling)