
Workshop in compile-time techniques for detecting Javascript exploits

Workshop in compile-time techniques for detecting Javascript exploits. Shir Landau-Feibish, Shmulik Regev, Noam Rinetzky. http://www.cs.tau.ac.il/~maon/teaching/2013-2014/workshop/workshop1314b.html Semester B. Monday, 16:00-18:00. Kaplun 319.


Presentation Transcript


  1. Workshop in compile-time techniques for detecting Javascript exploits
     Shir Landau-Feibish, Shmulik Regev, Noam Rinetzky
     http://www.cs.tau.ac.il/~maon/teaching/2013-2014/workshop/workshop1314b.html
     Semester B. Monday, 16:00-18:00. Kaplun 319

  2. Scope
     • Automatic tools for analyzing Javascripts
     • Detecting malicious code
     • Static tools: Compile-time
     • Dynamic tools: Run-time

  3. Admin
     • Projects in groups of 2-3
     • Talking and helping is OK
     • Copying is not
     • All members should participate
     • Hands-off guidance

  4. Goals
     • Learn Javascript
     • Implement a simple analyzer (mini-project)
     • Implement a sophisticated analyzer
     • Choose a vulnerability
     • Find tell-tale signs
     • Implement a detector
     • Compile-time analysis
     • Can have a runtime component
     • Experimental evaluation
     • Presentation of tools & results

  5. Short term schedule
     • Today: Problem description
     • Next week:
       • Review of existing tools/techniques
       • Mini-project description

  6. Long Term Schedule (Tentative)
     • 17/02/2014: Problem description
     • 24/02/2014: Mini-project description
     • 07/04/2014: Progress report (mini project)
     • 09/06/2014: Progress report
       • Mini project submission
       • Presenting chosen project
     • 02/09/2014: Project submission
     • ~15/September/2014: Project presentation

  7. Javascript
     • Self study
     • Next lecture in Programming Languages
     • Next Monday (24/2/14), 10:00-12:00
     • Dan David 001

  8. Next week: Review of Techniques & Tools
     • Heap feng shui
     • Address disclosure
       • Pointer inference + integer sieve sections
     • JIT spray
       • JIT spray section
     • ROP
       • Sections 1-2
     • Zozzle

  9. Text links
     • Heap feng shui
       • https://www.usenix.org/legacy/events/woot08/tech/full_papers/daniel/daniel_html/woot08.html
     • Address disclosure
       • http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf
       • Pointer inference + integer sieve sections
     • JIT spray
       • http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf
       • JIT spray section
     • ROP
       • http://cseweb.ucsd.edu/~hovav/dist/geometry.pdf
       • Only sections 1 & 2
     • Zozzle
       • http://research.microsoft.com/apps/pubs/?id=141930
