ACM Symposium on Information, Computer and Communications Security (ASIACCS 2009)
10 - 12 March 2009, Sydney, Australia

Lightweight Self-Protecting JavaScript

Phu H. Phung, David Sands
Chalmers University of Technology, Gothenburg, Sweden

Andrey Chudnov
Stevens Institute of Technology, New Jersey, USA
Slide 2/18: The problem
• Injected (untrusted) JavaScript code
  – A malicious user (the attacker) injects potentially dangerous JavaScript code into a webpage via data entry in the webpage, e.g.:
    • blog
    • forum
    • web-mail
• Third-party scripts (e.g. advertisements, mashup web applications)
• Buggy code
Phu H. Phung, David Sands, Andrey Chudnov – cse.chalmers.se ASIACCS'09, 10 March 2009
Slide 3/18: Attack examples
Samy (2005)
• A malicious user injects executable code in an HTML tag:
    <div style="BACKGROUND: url('java
    script:eval(……)')"> </div>
Yamanner (2006)
• Exploiting the JavaScript onload event handler (once the email is opened)
Slide 4/18: Previous solutions
Server filtering for script detection
• detect and remove potentially malicious scripts
Problems
• Parser mismatch problem: the filter does not always parse in the same way as the browser (c.f. Samy / MySpace)
• Dynamic scripts problematic...
Slide 5/18: Previous solutions
Server filtering for script detection
• detect and remove potentially malicious scripts
Problems
• Parser mismatch problem: the filter does not always parse in the same way as the browser (c.f. Samy / MySpace, Yamanner / Yahoo Mail)
• Dynamic scripts problematic: a script can assemble another script at runtime, so the filter never sees the script tag it is looking for, e.g.

    <script>
    document.write('<scr');
    document.write('ipt> malic');
    var i = 1;
    document.write('ious code; </sc');
    document.write('ript>');
    </script>

  which the browser assembles and executes as

    <script> malicious code; </script>
Slide 6/18: Previous solutions
Server filtering for script detection
Prevent dynamic scripts by safe language subsets (c.f. Facebook's FBJS, ADsafe, CoreScript)
• Limits functionality
• Defeated by the parser mismatch problem
Slide 7/18: Previous solutions
Behavioural control: don't try to detect bad scripts, just prevent bad behaviour
• Modify the browser with a reference monitor
  – Requires browser modification
  – Limited policies, e.g. BEEP
• Transform code at runtime to make it safe
  – Parser mismatch problem
  – Dynamic code: runtime transformation, high overhead
Slide 8/18: Our approach: use an IRM (inlined reference monitor)
• "inline" the policy into the JavaScript code so that the code becomes self-protecting
• The policy enforcement is implemented in a lightweight manner
  – does not require browser modification
  – non-invasive: the original code (and any dynamically generated code) is not syntactically modified
  – its implementation is a small and simple adaptation of an aspect-oriented programming library
Slide 9/18: The policy
• The enforcement mechanism is security reference monitor-based
• Ensures a safety property of program execution
• Examples:
  • Only allow URIs in a whitelist when sending by XMLHttpRequest
  • Do not allow send after cookie read
  • Limit the number of alerts to 2
Slide 10/18: Enforcement method
• Intercepts JavaScript API method calls by inlining the policy into the call
  – control or modify the bad behaviour
• Considers the behaviour of the code
  – avoids the problems of the dynamic features of JavaScript
Slide 11/18
• Use aspect-oriented programming (AOP) to intercept JavaScript API method calls
  – execution point = pointcut in AOP
  – advice = additional code at an execution point; advice types: before, after, around

    before( {target: window, method: 'alert'},
      function() {
        log('AOP test: window.alert is invoked');
      }
    );

• No browser modification
• No syntactical script code modification
• Lightweight
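The three policy examples from slide 9 (alert limit, URI whitelist for XMLHttpRequest, no send after a cookie read) realised as before/around advice in the style of slide 11, as an added example that is not the paper's library or code. `around`, `before`, `makeEnv`, `installPolicies` and `demo` are assumed names; `makeEnv` is a constructed stand-in for the browser window so the example runs under Node.

```javascript
'use strict';

// Minimal AOP-style advice: `around` replaces target[method] with a wrapper
// that keeps the original (native) implementation in a closure. Only the
// wrapper can reach it, so attacker code that later reassigns the global
// name merely rebinds the name and never recovers an unmonitored copy.
function around(target, method, advice) {
  const original = target[method];
  target[method] = function wrapper(...args) {
    const invocation = {
      target: this,
      method,
      args,
      proceed: () => original.apply(this, args), // call the real implementation
    };
    return advice(invocation);
  };
}

// `before` advice: run fn at the execution point, then always proceed.
function before(target, method, fn) {
  around(target, method, (inv) => {
    fn(inv);
    return inv.proceed();
  });
}

// Constructed stand-in for the browser's window (Node has none). It records
// what the "native" implementations were actually asked to do.
function makeEnv() {
  const calls = [];
  return {
    calls,
    alert(msg) { calls.push(['alert', msg]); },
    XMLHttpRequest: class {
      open(method, url) { this.url = url; }
      send(body) { calls.push(['send', this.url, body]); }
    },
    document: {
      get cookie() { calls.push(['cookie']); return 'sid=constructed'; },
    },
  };
}

// Install the slide-9 policies as inlined advice; returns the monitor state.
function installPolicies(env, whitelist) {
  const state = { alerts: 0, cookieRead: false, blocked: [] };
  const urls = new WeakMap(); // XHR instance -> URL it was opened with

  // Policy: limit the number of alerts to 2.
  around(env, 'alert', (inv) => {
    if (state.alerts >= 2) { state.blocked.push('alert'); return; }
    state.alerts += 1;
    return inv.proceed();
  });

  // Record the URL at open() so the send() policy can inspect it.
  before(env.XMLHttpRequest.prototype, 'open', (inv) => {
    urls.set(inv.target, String(inv.args[1]));
  });

  // Policy: only whitelisted URIs may be sent, and never after a cookie read.
  around(env.XMLHttpRequest.prototype, 'send', (inv) => {
    const url = urls.get(inv.target) || '';
    if (!whitelist.some((prefix) => url.startsWith(prefix))) {
      state.blocked.push('send:' + url);
      return;
    }
    if (state.cookieRead) {
      state.blocked.push('send-after-cookie-read');
      return;
    }
    return inv.proceed();
  });

  // A cookie read is a property access, not a method call, so it is
  // intercepted by redefining the accessor (the custom getter/setter
  // dependency that slide 17 lists as a limitation).
  const desc = Object.getOwnPropertyDescriptor(env.document, 'cookie');
  Object.defineProperty(env.document, 'cookie', {
    configurable: true,
    get() { state.cookieRead = true; return desc.get.call(this); },
  });

  return state;
}

// Constructed scenario: untrusted code runs after the policies are installed
// and sees only the wrapped API.
function demo() {
  const env = makeEnv();
  const state = installPolicies(env, ['https://example.org/']);
  env.alert('one');
  env.alert('two');
  env.alert('three');                                            // blocked: over the limit
  const a = new env.XMLHttpRequest();
  a.open('GET', 'https://example.org/api'); a.send(null);        // allowed
  const b = new env.XMLHttpRequest();
  b.open('GET', 'https://other.example/collect'); b.send(null);  // blocked: not whitelisted
  void env.document.cookie;                                      // sensitive read
  const c = new env.XMLHttpRequest();
  c.open('GET', 'https://example.org/api'); c.send('x');         // blocked: send after cookie read
  return { state, calls: env.calls };
}
```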
Slide 12/18: Enforcement method
[Diagram: JavaScript execution environment (e.g. browsers)]
• Native implementations: the alert implementation, reached via code pointers
• User functions: alert(..) resolves through window.alert
• window.alert points to a unique alert wrapper (+ policy code), which holds the only pointer to the native alert implementation
• Attacker code: alert = function(){...}; rebinds the name but leaves the alert wrapper in place
Slide 13/18: A realisation
• Structure of a webpage containing policy enforcement code
• Policies are located in the first script tag
  – policy enforcement is applied to the rest of the code
Slide 14/18: Effectiveness
• Defends against real-world exploits
  – phpBB 2.0.18 vulnerabilities
  – WebCal vulnerabilities
• Can enforce application-specific policies
  – using building blocks, i.e. security policy patterns
Slide 15/18: Security policy patterns
• Preventing leakage of sensitive data
  – monitoring sensitive data reads and data output, e.g. write, redirect, XMLHttpRequest...
• Preventing impersonation attacks
  – only allow URIs in a defined whitelist
• Preventing forgery attacks, e.g. opening a new window without the location bar
  – enforce the corresponding invariants
• Preventing resource abuse
  – limit or prohibit functions open to abuse
Slide 16/18: Overhead
[Bar chart, slowdown (times): Self-Protecting 6.33; BrowserShield (code transformation, [Reis, C. et al, 2007]) 66.03]
• Weaving slowdown: 6.33 times (measured on a micro-benchmark of operations)
• Render: 5.37%
Slide 17/18: Limitations
• Policies cannot span multiple pages
  – frame and iframe are separate pages!
• Implementation-specific solutions and problems
  – use of custom getters and setters (in Mozilla, but not in IE)
  – problems handling Mozilla's delete semantics
  Both problems are solved in the ECMA-262 v3.1 proposal
Slide 18/18: Conclusions
• Our approach is to control and modify the behaviour of JavaScript by transforming the code to make it self-protecting
  – no browser modifications
  – non-invasive, avoiding the need for extensive runtime code transformation
• The enforcement code can be deployed on any side: server side, proxy or plug-in.
Slide 20/18: Previous solutions (cont.)
• Code transformation: modifies JavaScript code before executing it
  – Example: BrowserShield [Reis, C. et al, ACM Trans. Web, 1(3):11, 2007]
