Lab Worms, worms & worms. Class Turbellaria planaria dugesia.
Spectator: Detection and Containment of JavaScript Worms
description
Transcript of Spectator: Detection and Containment of JavaScript Worms
![Page 1: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/1.jpg)
Spectator: Detection and Containment of JavaScript Worms
By Livshits & Cui
Presented by Colin
![Page 2: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/2.jpg)
The Problem
• AJAX gives JS an environment nearly as flexible as a C/asm on a desktop OS– Buffer overruns allow asm code injection– Tainted string propagation allows JS code injection
• Now worms can propagate through JS as well
![Page 3: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/3.jpg)
Example: Samy
One guy figures out how to embed Javascript in CSS, which MySpace doesn’t filter
![Page 4: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/4.jpg)
Samy (cont.)
• Visitors to his profile run the JS on page load• The script “friends” the author, then adds the
same source to their profile.• Now anyone who visits that profile would also
get infected, and so on…
![Page 5: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/5.jpg)
It Gets Worse…
• This could potentially work on a site like GMail...
• Windows Scripting Engine understands JS…• Sophos lists over 380 JS worms• All known static analyses for finding these
bugs are either unsound, or sound for a narrow class of bugs, so we really can’t just find them all statically
![Page 6: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/6.jpg)
Idea for a Solution
• Monitor the interactions of many users, and watch the propagation of information– If the same information propagates across, say
100 users, this is probably a worm.
![Page 7: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/7.jpg)
Overall DesignSe
rver
App
licati
on
Spectator Proxy
Site Domain (e.g. myspace.com)
Clie
nt
requesttag
pagetag
pageid
requestid
id
![Page 8: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/8.jpg)
Server-Side Tag Flow
• Server Interactions– Proxy tags requests containing HTML/JS– Proxy checks for tags in pages pulled from the
server
<div spectator_tag=134><a onclick=“javascript:…”>…</a>
</div>
![Page 9: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/9.jpg)
Client-Side Tag Flow
• Client Interactions– Proxy issues HTTP-only cookie w/ ID for the set of
tags in the current page– Browser sends ID back to proxy w/ each request
![Page 10: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/10.jpg)
Tracking Causality
• A tag present on a page is assumed to cause the subsequent request
• Consider a propagation graph:
![Page 11: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/11.jpg)
Propagation Graphs
• Record propagation of tags on upload• Track IPs along with tags• Heuristic: If the # of unique IPs along a path
exceeds a threshold d, flag a worm• Accurately modeling the graph is exponential
Accurate Graph Approximate Graph
Time to insert O(2n) O(1) on average
Space to track path length O(n) O(n)
Blocking futher propagation O(n) O(n)
![Page 12: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/12.jpg)
Simulations
• Used a MySpace clone to test scaling• Three propagation models– Random– Linear– Biased
• Tested scalability of graph tracking
![Page 13: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/13.jpg)
Graph Insertion Time
![Page 14: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/14.jpg)
Graph Diameter
![Page 15: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/15.jpg)
Proof-of-Concept Exploit
• Used AJAX blog• Implemented a manual-propagation worm• Spectator detected and stopped the worm
![Page 16: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/16.jpg)
Discussion
• Where do false negatives come from? Can a worm trick Spectator by hiding propagation behind legitimate user activity?
• What assumptions does Spectator make about interactions of individual users (think about multiple windows, tabs…)
• Is this a good match for Gmail’s HTTPS-only connections?
![Page 17: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/17.jpg)
Static Detection of Security Vulnerabilities in Scripting Languages
By Xie & Aiken
Presented by Colin
![Page 18: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/18.jpg)
The Problem
• SQL Injection• PHP makes it difficult to do a traditional static
analysis– include – extract– dynamic typing– implicit casts everywhere– scoping & uninitialized variables
![Page 19: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/19.jpg)
A Solution
• A 3-tier static analysis– Symbolic execution to summarize basic blocks• Well-chosen symbolic domain
– Block summaries make function summaries– Function summaries build a program summary
![Page 20: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/20.jpg)
Symbolic Execution for Basic Blocks
• Novel choice of symbolic values– Strings modeled as concatenations of literals and
non-deterministic containment<β1,…,βn> where β=…|contains(σ)|…
– Booleans include an ultra-lightweight use of dependent types:
untaint(σ0,σ1)
![Page 21: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/21.jpg)
Block Summaries
• E: must be sanitized on entry• D: locations defined by the block• F: value flow• T: true if the block exits the program• R: return value if not a termination block• U: locations untainted by this block
![Page 22: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/22.jpg)
Example Block & Summaryvalidate($q);$r = db_query($q.$a);return $r;
• E: {$a}• D: {$r}• F: {}• T: false• R: { _|_ }• U: {$q}
![Page 23: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/23.jpg)
Using Block Summaries
• Paper hand-waves with “well-known techniques”– Backward propagation of sanitization req.s– Forward propagation of sanitized values, returns, with
intersection or union at join points• Dealing with untaint:
if (<untaint(σ0,σ1)>) {<check with σ1 sanitized>} else { <check with σ0 sanitized>}
![Page 24: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/24.jpg)
Function Summaries
• E: must be sanitized on entry• R: values that may propagate to the return val• S: values always sanitized by the function• X: whether the function always exits the
program
![Page 25: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/25.jpg)
Example Function & Summaryfunctionrunq($q, $a) {validate($q);$r = db_query($q.$a);return $r;
}
• E: {$a}• R: contains($q, $a)• S: {$q}• X: false
![Page 26: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/26.jpg)
Using Function Summaries
• Replace formal arguments with actual arguments in the summary
• Cut successors if the function always exits
![Page 27: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/27.jpg)
Checking Mainfunctionrunq($q, $a) {validate($q);$r = db_query($q.$a);return $r;
}
runq($q,$a);
• E: {$a}• R: contains($q, $a)• S: {$q}• X: false
E is the set of unsanitized program inputs!
![Page 28: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/28.jpg)
EvaluationApp (KLOC) Errors Bugs (FP) Warnings
News Pro (6.5) 8 8 (0) 8
myBloggie (9.2) 16 16 (0) 23
PHP Webthings (38.3) 20 20 (0) 6
DCP Portal (121) 39 39 (0) 55
e107 (126) 16 16 (0) 23
Total 99 99 (0) 115
•Only errors were investigated, warnings may contain more bugs.•Hand-waving on the vulnerability and bug verification details.
![Page 29: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/29.jpg)
PHP Fusion• Uses extract($_POST,
EXTR_OVERWRITE)• Allows exploits by
adding extra POST parameters for variables uninitialized in the source
• Example: $new_pass is uninitialized
for ($i=0;$i<7;$i++)$new_pass .= chr(rand(97,122));
…$result = dbquery(“UPDATE ”.$db_prefix.“users
SET user_password=md5(‘$new_pass’)WHERE user_id=‘ ”.$data[‘user_id’].” ‘ “);
![Page 30: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/30.jpg)
PHP Fusion• Uses extract($_POST,
EXTR_OVERWRITE)• Allows exploits by adding
extra POST parameters for variables uninitialized in the source
• Example: $new_pass is uninitialized
for ($i=0;$i<7;$i++)$new_pass .= chr(rand(97,122));
…$result = dbquery(“UPDATE ”.$db_prefix.“users
SET user_password=md5(‘$new_pass’)WHERE user_id=‘ ”.$data[‘user_id’].” ‘ “);
Exploit parameter:&new_pass=abc%27%29%2cuser_level=%27103%27%2cuser_aim=%28%27
Produces $result:UPDATE users SET user_password=md5(‘abc’), user_level=‘103’, user_aim=‘?????’)
WHERE user_id=‘userid’
![Page 31: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/31.jpg)
Comparing to PQL
Xie & Aiken (PHP)• Tailored to PHP’s built-in
string concatenation• Infers sanitization functions
from a base set• Handles relation between
return values and sanitized values
• Unsound (specialized to strings and booleans)
• Effective, few FP• Roughly, taint inference
Livshits & Lam (Java)• Requires specifying the
propagation relation• Sanitizers must be omitted
from derivation function• Cannot handle sanitization
checkers, only producers of new sanitized values
• Sound
• Effective, few FP• Roughly, taint flow analysis
![Page 32: Spectator: Detection and Containment of JavaScript Worms](https://reader036.fdocuments.in/reader036/viewer/2022062323/56816360550346895dd42b62/html5/thumbnails/32.jpg)
Discussion
• How much would need to change to track other sorts of properties?
• What makes this system unsound?• Where exactly does this system lose
precision?