Security Signature Inference for JavaScript-based Browser Addons
Vineeth Kashyap, Ben Hardekopf
University of California Santa Barbara
CGO 2014
JavaScript-based Browser Addons
Addons: JavaScript with High Privileges
Urging Security Concern
• Proof of concept exploits
  • FFSniff, a configurable password stealer
• Unintentional vulnerabilities
  • Wikipedia Toolbar allowed arbitrary privileged code execution
• Intentionally malicious
  • Key loggers
Curated Repositories
Manual JavaScript Addon Vetting is Difficult
• Ad-hoc
• Tedious
• Error-prone
Our Goal: Help Automate the Vetting Process
• Automatically infer security signatures
• Summarize interesting information flows and critical API usages
[Figure: example signature entry: source url, sink send (www.evil.com), flow type "amplified local control flow"]
Key Challenges
• Flexible security policies
  • No single policy applies for all addons
• Classifying Information Flows
  • Binary result (secure or insecure) is not enough
• Inferring Network Domains
  • Critical to reason about addon’s network communication
Our Solution
• Construct annotated Program Dependence Graphs (PDG)
• Use annotated PDGs to generate security signatures
• Use prefix string analysis to infer network domains communicated with
Automatically summarize API usages, interesting information flows (classified based on the type of flow)
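A minimal prefix string domain, showing how a network domain can be inferred from a partially known URL; this is an added example, not the authors' analysis. The `exact`/`prefix` representation, the helper names and the `example.test` URLs are assumptions constructed for illustration.

```javascript
// Added example: prefix abstract domain for strings (constructed, not the authors' code).
// {exact: true, s}  = exactly the string s
// {exact: false, s} = any string that starts with s
const exact = (s) => ({ exact: true, s });
const prefix = (s) => ({ exact: false, s });
const TOP = prefix(""); // any string at all, e.g. user input

// Concatenation: once the left side has an unknown tail, the right side is lost.
function concat(a, b) {
  if (!a.exact) return a;
  return b.exact ? exact(a.s + b.s) : prefix(a.s + b.s);
}

// Join at a control-flow merge: keep only the longest common prefix.
function join(a, b) {
  if (a.exact && b.exact && a.s === b.s) return a;
  let i = 0;
  while (i < a.s.length && i < b.s.length && a.s[i] === b.s[i]) i++;
  return prefix(a.s.slice(0, i));
}

// The host is inferred only if the known part contains it completely:
// it must be followed by '/', '?' or '#', or end an exact string.
// Anything else (ports, userinfo, a cut-off host) is reported as unknown.
function inferDomain(abs) {
  const m = /^https?:\/\/([A-Za-z0-9.-]+)(.?)/.exec(abs.s);
  if (!m) return null;
  const [, host, next] = m;
  const complete = next === "" ? abs.exact : "/?#".includes(next);
  return complete ? host : null;
}

// Constructed URLs built the way addon code might build them.
function demo() {
  const withQuery = concat(exact("http://api.example.test/"), concat(exact("q?u="), TOP));
  const merged = join(exact("http://a.example.test/x"), exact("http://b.example.test/x"));
  const cutOff = concat(exact("http://example"), TOP);
  return [withQuery, merged, cutOff].map(inferDomain);
}

console.log(demo());
```

The second and third cases return null: a merge of two different hosts, or a host whose end is not known, leaves the domain uninferred, which is where a prefix domain loses precision.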
Annotated Program Dependence Graph
• Use JSAI† to construct a PDG
• Annotate the edges of PDG with the type of dependency
† JSAI is a sound and efficient JavaScript abstract interpreter we developed.
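Strong vs. Weak Data Dependency
```javascript
// url is the sensitive source, send() the network sink
var data = {loc: url, other: 1};
send(data["loc"]);        // strong: the read definitely yields url
send(data[getString()]);  // weak: the read may yield url, depending on the key
```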
Local Control Dependency
```javascript
if (url == "secret.com")
  send(null);  // runs only when the condition on url holds
```
Syntax-obvious Non-local Control Dependency
```javascript
try {
  if (url != "hush-hush.com")
    throw "irrelevant";  // explicit throw skips the send below
  send(null);
} catch (x) {}
```
Non-obvious Non-local Control Dependency
```javascript
try {
  if (url != "mystic.com")
    obj.prop = 1;  // may throw implicitly (e.g. obj is null or undefined)
  send(null);
} catch (x) {}
```
Amplified vs. Simple Control Dependencies
```javascript
var arr = ["covert.com", "priv.com" /*,..*/];
var i = 0, count = 0;
while (arr[i] && url != arr[i]) {
  i++;
  count++;
} // end while
send(count);  // count reveals which entry of arr matched url
```
Lattice of Perceived Flow Strength
[Figure: lattice of flow types ordered along a "Stronger Flow" axis. Successive builds label the pairs data / control, amplified / not amplified, local / non local, and syntax obvious / non obvious.]
Generating Security Signatures
• Use the PDG to reason about information flow in addons
• Use PDG annotations to classify flows
• Output a signature summarizing relevant flows
[Figure: example signature entry: source url, sink send (www.evil.com), flow type "amplified local control flow"]
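How annotated PDG edges can be turned into signature entries like the one above, as an added example (not from the slides or the authors' implementation). The PDG is hand-built for three of the deck's snippets; the node names, the `classify` rule (a path is only as strong as its weakest edge, with the first member of each lattice pair taken as the stronger one) and the output format are assumptions.

```javascript
// Constructed annotated PDG (added example) for three of the deck's snippets.
// Data edges carry `strong`; control edges carry `scope` and `amplified`.
const EDGES = [
  // while (arr[i] && url != arr[i]) { i++; count++; }  send(count);
  { from: "url", to: "while-cond", kind: "data", strong: true },
  { from: "while-cond", to: "count", kind: "control", scope: "local", amplified: true },
  { from: "count", to: "send(count)", kind: "data", strong: true },
  // send(data[getString()]);
  { from: "url", to: "data", kind: "data", strong: true },
  { from: "data", to: "send(data[getString()])", kind: "data", strong: false },
  // try { if (url != "mystic.com") obj.prop = 1; send(null); } catch (x) {}
  { from: "url", to: "if-cond", kind: "data", strong: true },
  { from: "if-cond", to: "obj.prop = 1", kind: "control", scope: "local", amplified: false },
  { from: "obj.prop = 1", to: "send(null)", kind: "control",
    scope: "non-obvious non-local", amplified: false },
];
// Sink node -> network domain (the domain shown on the slides).
const SINKS = new Map(
  EDGES.filter((e) => e.to.startsWith("send(")).map((e) => [e.to, "www.evil.com"]));

// Control scopes, weakest first (assumed orientation of the lattice).
const SCOPES = ["non-obvious non-local", "syntax-obvious non-local", "local"];

// Assumed rule: a path is only as strong as its weakest edge on each axis.
function classify(path) {
  const ctrl = path.filter((e) => e.kind === "control");
  if (ctrl.length === 0) {
    return (path.every((e) => e.strong) ? "strong" : "weak") + " data flow";
  }
  const scope = SCOPES[Math.min(...ctrl.map((e) => SCOPES.indexOf(e.scope)))];
  const amp = ctrl.every((e) => e.amplified) ? "amplified" : "simple";
  return `${amp} ${scope} control flow`;
}

// All acyclic edge paths from `node` to any sink (depth-first search).
function pathsToSinks(edges, sinks, node, seen = new Set([node])) {
  const out = [];
  for (const e of edges.filter((x) => x.from === node && !seen.has(x.to))) {
    if (sinks.has(e.to)) out.push([e]);
    const next = new Set(seen).add(e.to);
    for (const rest of pathsToSinks(edges, sinks, e.to, next)) out.push([e, ...rest]);
  }
  return out;
}

// One signature line per distinct (source, sink, flow type).
function signature(edges, sinks, source) {
  const lines = pathsToSinks(edges, sinks, source).map((p) => {
    const sink = p[p.length - 1].to;
    return `${source} -> ${sink} (${sinks.get(sink)}): ${classify(p)}`;
  });
  return [...new Set(lines)].sort();
}

console.log(signature(EDGES, SINKS, "url").join("\n"));
```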
Evaluation
• Evaluated analysis on 10 real addons from Mozilla repository
• Manually created security signatures based on submitted addon description
• Ran the analysis to get inferred signature, compared against our manual signature
• Possible experimental outcomes:
  • pass (no unexpected information flow)
  • fail (false unexpected information flow)
  • leak (true unexpected information flow)
Results
† In all these cases, the failure was due to insufficient precision in the string domain.
Conclusion
• Browser addon vetting is hard, needs automation
• Security signatures are useful to understand security behavior of addons
Implementation available under the Downloads link at http://www.cs.ucsb.edu/~pllab
Acknowledgements
• Tommy Ashmore and Ben Wiedermann (Harvey Mudd College)
• Dave Herman (Mozilla Research)
• Mozilla Addon Vetting Team