Page 1: Saving the World Wide Web from Vulnerable JavaScript International Symposium on Software Testing and Analysis (ISSTA 2011) Omer Tripp IBM Software Group.

Saving the World Wide Web from Vulnerable JavaScript

International Symposium on Software Testing and Analysis (ISSTA 2011)

Omer Tripp, IBM Software Group, [email protected]
Marco Pistoia, IBM T. J. Watson Research Center, [email protected]
Julian Dolby, IBM T.J. Watson Research Center, [email protected]
Stephen Teilhet, IBM Software Group, [email protected]
Ryan Berg, IBM Software Group, [email protected]
Salvatore Guarnieri, IBM Software Group, [email protected]

www.research.ibm.com/labasec

Page 2:

JavaScript is present on many popular Web sites

Page 3:

Page 4:

Consequences of Taint Violations

• Read and write access to saved data in cookies and local data stores
• Read and write access to data in the web page
• Key loggers
• Impersonation
• Phishing via page modifications or redirects

Page 5:

var el1 = document.getElementById("d1");       // getting data from the DOM
function foo() {
  var el2 = document.getElementById("d2");     // getting data from the DOM
  function bar() {
    var el3 = new Element();
    var s = encodeURIComponent(el2.innerText); // sanitizing some, but not all, of the data
    document.write(s);
    el1.innerHTML = el2.innerText;             // writing untrusted data into the web page
    document.location = el3.innerText;
  }
  bar();
}
foo();
function baz(a, b) {
  a.f = document.URL;
  document.write(b.f);                         // writing unchecked data to the web page
}
var x = new Object();
baz(x, x);

Page 6:

• Motivation
• Sources, Sinks, and Sanitizers
• Taint Analysis
• Results


Pages 9-12:

Rules

• A rule is a triple <Sources, Sinks, Sanitizers>
• Not all sources are valid for all sinks, and not all sanitizers are valid for all sinks
• Sources
  – Seeds of untrusted data
  – Field gets or returns of function calls
  – Ex: document.URL
• Sinks
  – Security critical operations
  – Field puts or parameters to function calls
  – Ex: element.innerHTML
• Sanitizers
  – Marks flow as non-dangerous
  – Function calls
  – Ex: encodeURIComponent(str)


Page 14:

Complexities of JavaScript

• Reflective property access
• Prototype chain property lookup
• Lexical scoping
• Function pointers
• eval and its relatives

Reflective property access:

var a = "foo" + "bar";
var b = obj[a];

Prototype chain property lookup:

function F() {
  this.bar = document.URL;
}
function G() {}
G.prototype = new F();
var g = new G();
write(g.bar);

Lexical scoping:

function foo() {
  var y = 42;
  var bar = function() { write(y); };
}

Function pointers:

var m = function() ...
var k = function(f) { f(); };
k(m);

eval and its relatives:

eval("document.write('evil')");

Page 15:

Demand Driven Taint Analysis

• The seeds are the assignments to sources or return values from sources
• The analysis proceeds by tainting variables
• Variables consist of triplets:
  – Static Single Assignment (SSA) variable ID
  – Method where the SSA variable is defined
  – Access path
  – Ex: (v7, m, <f, g>)

Page 16:

Context Sensitive Taint Analysis

(figure: a call chain through m1(), m2(p1, p2, p3) and m3(q1, q2))

Page 17:

Analysis Example

function foo(p1, p2) {
  p1.f = p2.f;
}

var a = new Object();
var b = new Object();
b.f = window.location.toString();

var c = new Object();
var d = new Object();
d.f = "safe";

foo(a, b);
foo(c, d);

document.write(a.f); // This is a taint violation
document.write(c.f); // This is NOT a taint violation

Taint variable: (v2, foo, <f, *>)
Install taint summary for foo: p2.f -> p1.f
Since d.f is not tainted, c.f will not be tainted
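The rule triples from the Rules slides and the "install taint summary for foo: p2.f -> p1.f" step from the Analysis Example, carried through as an added worked example. This is illustration code written for this page, not Actarus or any code from the talk: it assumes a constructed statement IR (source, const, copy, sanitize, call, sink), writes access paths as "var.field" strings with a trailing ".*" wildcard standing in for the <f, *> notation on the slides, and uses a small rule set and program embedded in the block. It runs the slide's program and additionally one sanitized flow that shows a sanitizer being valid for one sink but not another.

```javascript
// Added example, not code from the talk or from Actarus: a toy demand-driven,
// summary-based taint analysis over a small constructed statement IR. Access
// paths are "var.field" strings; a trailing ".*" is a wildcard path, like the
// <f, *> written on the slides. Rule set and program are constructed here.

// Rule triples <Sources, Sinks, Sanitizers>: a sanitizer only counts for the
// sinks of the rule that lists it.
const RULES = [
  { name: "DOM-based XSS",
    sources: ["document.URL", "window.location", "innerText"],
    sinks: ["document.write", "innerHTML"],
    sanitizers: ["encodeURIComponent"] },
  { name: "open redirect",
    sources: ["document.URL", "window.location"],
    sinks: ["document.location"],
    sanitizers: [] },   // percent-encoding does not make a navigation target trustworthy
];

// A taint fact records the source and the sanitizers the value passed through.
function fact(source, sanitizers = []) {
  return { source, sanitizers: new Set(sanitizers) };
}

// Look up an access path, falling back to the wildcard path of its base variable.
function lookup(taint, path) {
  if (taint.has(path)) return taint.get(path);
  const wild = taint.get(path.split(".")[0] + ".*");
  if (wild && wild.source.startsWith("param:")) {
    // Inside a summary computation: remember the concrete parameter path read.
    return fact("param:" + path, [...wild.sanitizers]);
  }
  return wild || null;
}

function rebase(path, formal, actual) { return actual + path.slice(formal.length); }

// Demand driven: a callee is analysed the first time a call to it is reached,
// with symbolic taint on its parameters; the parameter-to-parameter flows that
// result (e.g. p2.f -> p1.f) are kept as its summary.
function summaryFor(name, fns, summaries) {
  if (summaries.has(name)) return summaries.get(name);
  const fn = fns[name];
  const taint = new Map(fn.params.map((p) => [p + ".*", fact("param:" + p)]));
  run(fn.body, taint, fns, summaries, []);
  const summary = [];
  for (const [to, f] of taint) {
    if (!f.source.startsWith("param:") || to.endsWith(".*")) continue;
    const from = f.source.slice("param:".length);
    if (from !== to) summary.push({ from, to, sanitizers: [...f.sanitizers] });
  }
  summaries.set(name, summary);
  return summary;
}

// Context sensitivity: the summary is instantiated with the actual arguments
// and the caller's own taint state at each call site, so foo(c, d) with an
// untainted d.f does not taint c.f.
function applyCall(st, taint, fns, summaries) {
  const { params } = fns[st.fn];
  for (const { from, to, sanitizers } of summaryFor(st.fn, fns, summaries)) {
    const fi = params.indexOf(from.split(".")[0]);
    const ti = params.indexOf(to.split(".")[0]);
    const f = lookup(taint, rebase(from, params[fi], st.args[fi]));
    if (f) taint.set(rebase(to, params[ti], st.args[ti]), fact(f.source, [...f.sanitizers, ...sanitizers]));
  }
}

// A sink is a violation under a rule when the taint's source is one of the
// rule's sources and none of the rule's sanitizers was applied on the way.
function checkSink(st, taint, findings) {
  const f = lookup(taint, st.src);
  if (!f) return;
  for (const rule of RULES) {
    if (!rule.sinks.includes(st.sink) || !rule.sources.includes(f.source)) continue;
    if (!rule.sanitizers.some((s) => f.sanitizers.has(s))) {
      findings.push({ line: st.line, rule: rule.name, source: f.source, sink: st.sink });
    }
  }
}

function run(stmts, taint, fns, summaries, findings) {
  for (const st of stmts) {
    switch (st.op) {
      case "source": taint.set(st.dst, fact(st.api)); break;            // x = <source>
      case "const": taint.delete(st.dst); break;                         // x = "literal"
      case "copy": {                                                     // x = y
        const f = lookup(taint, st.src);
        if (f) taint.set(st.dst, f); else taint.delete(st.dst);
        break;
      }
      case "sanitize": {                                                 // x = fn(y)
        const f = lookup(taint, st.src);
        if (f) taint.set(st.dst, fact(f.source, [...f.sanitizers, st.fn])); else taint.delete(st.dst);
        break;
      }
      case "call": applyCall(st, taint, fns, summaries); break;
      case "sink": checkSink(st, taint, findings); break;
    }
  }
}

function analyze(main, fns) {
  const findings = [];
  const summaries = new Map();
  run(main, new Map(), fns, summaries, findings);
  return { findings, summaries };
}

// Constructed program: the "Analysis Example" slide plus one sanitized flow.
const FUNCTIONS = {
  foo: { params: ["p1", "p2"], body: [{ op: "copy", dst: "p1.f", src: "p2.f" }] },
};
const MAIN = [
  { op: "source", dst: "b.f", api: "window.location" },         // b.f = window.location.toString()
  { op: "const", dst: "d.f" },                                   // d.f = "safe"
  { op: "call", fn: "foo", args: ["a", "b"] },                   // foo(a, b)
  { op: "call", fn: "foo", args: ["c", "d"] },                   // foo(c, d)
  { op: "sink", sink: "document.write", src: "a.f", line: 1 },   // taint violation
  { op: "sink", sink: "document.write", src: "c.f", line: 2 },   // NOT a violation
  { op: "source", dst: "u", api: "document.URL" },
  { op: "sanitize", dst: "s", src: "u", fn: "encodeURIComponent" },
  { op: "sink", sink: "innerHTML", src: "s", line: 3 },          // sanitizer valid for this sink
  { op: "sink", sink: "document.location", src: "s", line: 4 },  // same sanitizer, not valid here
];

function runExample() { return analyze(MAIN, FUNCTIONS); }

const result = runExample();
console.log(result.summaries.get("foo"));  // [ { from: 'p2.f', to: 'p1.f', sanitizers: [] } ]
console.log(result.findings);              // lines 1 (DOM-based XSS) and 4 (open redirect)
```

The summary for foo is computed once and reused at both call sites; what differs between foo(a, b) and foo(c, d) is only the taint state the summary is instantiated against, which is the context sensitivity the slide relies on to keep c.f clean. Lines 3 and 4 read the same sanitized value; only the rule whose sink list contains document.location reports it, because encodeURIComponent is not among that rule's sanitizers.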


Page 19:

Data Sets

• Developed a micro-benchmark suite of about 150 test scripts
• Downloaded Web pages and ran Actarus on them

Page 20:

Real World Data Set

• Crawled portions of top Alexa Web sites and downloaded pages to disk
• Ran Actarus on a sample of the saved pages
• Ran on over 12,000 pages
• Successfully analyzed over 9,000 pages
• ~22% failure due to a 4 minute timeout

Page 21:

Findings

• Several vulnerable Web sites were found
• Duplicates of vulnerabilities were found on many pages from the same site
• Some exploits were found in third party code that was shared among several websites
• 40% true positive rate
• Vulnerabilities can be fixed with common sanitization routines
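The last bullet, fixing the reported flows with common sanitization routines, as an added example that is not code from the talk or from Actarus. It shows the practical side of "not all sanitizers are valid for all sinks": the routine is chosen by the sink the data reaches, not by where it came from. escapeHtml, safeRedirectTarget, SANITIZER_FOR_SINK, the example.com allow-list and the sample inputs are all constructed here.

```javascript
// Added example, not code from the talk or from Actarus: one sanitizer per
// kind of sink, selected by the sink. Names and sample values are constructed.

// HTML context (innerHTML, document.write): escape the characters that could
// open a tag, close an attribute or start an entity, so untrusted text stays text.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g,
    (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
}

// Navigation context (document.location = ...): escaping is the wrong tool here.
// Accept only a same-site relative path or an absolute http(s) URL whose host is
// on an allow-list; anything else falls back to a fixed safe location.
function safeRedirectTarget(target, allowedHosts, fallback = "/") {
  const t = String(target).trim();
  if (/^\/(?!\/)/.test(t)) return t;            // "/path", but not protocol-relative "//host/path"
  let u;
  try { u = new URL(t); } catch (e) { return fallback; }   // not an absolute URL
  if (u.protocol !== "http:" && u.protocol !== "https:") return fallback;  // rejects javascript:, data:, ftp:, ...
  return allowedHosts.includes(u.hostname) ? u.href : fallback;
}

// Sink -> valid sanitizer, mirroring the sanitizer component of a rule triple.
const SANITIZER_FOR_SINK = {
  "innerHTML": escapeHtml,
  "document.write": escapeHtml,
  "document.location": (v) => safeRedirectTarget(v, ["example.com"]),
};

// Sanitize a value for the sink it is about to reach; an unknown sink is an
// error rather than a silent pass-through.
function sanitizeFor(sink, value) {
  const fn = SANITIZER_FOR_SINK[sink];
  if (!fn) throw new Error("no sanitizer registered for sink " + sink);
  return fn(value);
}

// Constructed inputs standing in for data read from the DOM or the URL.
console.log(sanitizeFor("innerHTML", '<b>"a" & \'b\'</b>'));
console.log(sanitizeFor("document.location", "https://example.com/a?b=1"));
console.log(sanitizeFor("document.location", "//other.example/x"));
```

For the el1.innerHTML = el2.innerText line on the code slide, the simplest fix needs no sanitizer at all: assigning to el1.textContent instead of innerHTML turns the sink into a non-HTML one, which is usually preferable to escaping for a value that is only meant to be displayed as text.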

Page 22:

Findings

Site   Unique True Positives   Total True Positives
A      7                       80
B      4                       12
C      4                       91
D      7                       13
E      2                       4
F      1                       200
G      1                       1
H      1                       114
I      3                       7
J      1                       3
K      1                       1

Page 23:

User Friendly Output

• Flows are highlighted and numbered in the source code
• JavaScript was pretty printed to improve readability and usefulness of line numbers

Page 24:

Page 25:

Future Work

• Using string analysis to reduce false positives
• Make analysis modular so library code does not have to be reanalyzed

Page 26:

Thank You

E-mail: [email protected]