67 research outputs found
A Practical Blended Analysis for Dynamic Features in JavaScript
The JavaScript Blended Analysis Framework is designed to perform a general-purpose, practical combined static/dynamic analysis of JavaScript programs, while handling dynamic features such as run-time generated code and variadic functions. The idea of blended analysis is to focus static analysis on a dynamic calling structure collected at runtime in a lightweight manner, and to refine the static analysis using additional dynamic information. We perform blended points-to analysis of JavaScript with our framework and compare results with those computed by a pure static points-to analysis. Using JavaScript code from actual webpages as benchmarks, we show that optimized blended analysis for JavaScript obtains good coverage (86.6% on average per website) of the pure static analysis solution and finds additional points-to pairs (7.0% on average per website) contributed by dynamically generated/loaded code
Static Taint Analysis via Type-checking in TypeScript
With the widespread use of web applications across the globe, and the advancements in web technologies in recent years, these applications have grown more ubiquitous and sophisticated than ever before. Modern web applications face the constant threat of numerous web security risks given their presence on the internet and the massive influx of data from external sources. This paper presents a novel method for analyzing taint through type-checking and applies it to web applications in the context of preventing online security threats. The taint analysis technique is implemented in TypeScript using its built-in type-checking features, and then integrated into a web application developed using the React web framework. This web application is then validated against different types of injection attacks.
The results of the validation show that taint analysis is an effective means to prevent pervasive online attacks, such as eval injection, cross-site scripting (XSS), and SQL injection in web applications. Considering that our proposed taint analysis technique can be implemented using existing type-checking features of TypeScript, it can be quickly adopted by developers to add taint analysis into their applications with no performance overhead. With the large number of web applications developed in TypeScript, the widespread adoption of our technique can help prevent cyberattacks and protect the online community from potential harm. By combining taint analysis with other secure web practices, such as input validation, application developers can strengthen the overall security of web applications
Data-flow Analysis of Programs with Associative Arrays
Dynamic programming languages, such as PHP, JavaScript, and Python, provide built-in data structures including associative arrays and objects with similar semantics: object properties can be created at run-time and accessed via arbitrary expressions. While a high level of security and safety of applications written in these languages can be of particular importance (consider a web application storing sensitive data and providing its functionality worldwide), dynamic data structures pose significant challenges for data-flow analysis, making traditional static verification methods both unsound and imprecise. In this paper, we propose a sound and precise approach for value and points-to analysis of programs with associative-array-like data structures, upon which data-flow analyses can be built. We implemented our approach in a web-application domain, in an analyzer of PHP code.
Comment: In Proceedings ESSS 2014, arXiv:1405.055
Framework for Static Analysis of PHP Applications
Dynamic languages, such as PHP and JavaScript, are widespread and heavily used. They provide dynamic features such as a dynamic type system, virtual and dynamic method calls, dynamic includes, and built-in dynamic data structures. This makes it hard to create static analyses, e.g., for automatic error discovery. Yet exploiting errors in such programs, especially in web applications, can have significant impacts. In this paper, we present a static analysis framework for PHP, automatically resolving features common to dynamic languages and thus reducing the complexity of defining new static analyses. In particular, the framework enables defining value and heap analyses for dynamic languages independently and composing them automatically and soundly. We used the framework to implement static taint analysis for finding security vulnerabilities. The analysis has revealed previously unknown security problems in a real application. Compared to existing state-of-the-art analysis tools for PHP, it has found more real problems with a lower false-positive rate
Implementing Dynamic Coarse & Fine Grained Taint Analysis for Rhino JavaScript
Web application systems today are at great risk from attackers. They use methods like cross-site scripting, SQL injection, and format string attacks to exploit vulnerabilities in an application. Standard techniques like static analysis and code audits seem to be inadequate in successfully combating attacks like these. Both techniques point out the vulnerabilities before an application is run. However, static analysis may result in a higher rate of false positives, and code audits are time-consuming and costly. Hence, there is a need for reliable detection mechanisms.
Dynamic taint analysis offers an alternate solution — it marks the incoming data from the untrusted source as "tainted." The flow of tainted data is tracked during the program execution. Whenever tainted data is used in a security-sensitive context, a proper action is taken. The execution may also be suspended depending upon the severity of the operation.
This project implements dynamic taint analysis in Rhino JavaScript. The focus is on adding support for coarse-grained and fine-grained string tainting. Coarse-grained tainting works at the granularity level of a string while fine-grained tainting works at the granularity level of a character in a string. Both approaches are discussed in further detail in the paper. I have also written a SQL library to leverage my implementation of taint analysis in Rhino and conducted performance tests to contrast the overhead of coarse & fine grained taint analysis. My test results show that fine-grained taint analysis in general incurs more overhead than coarse-grained taint analysis
Detecting DOM based XSS vulnerabilities using debug API of the modern web-browser
A solution to the problem of finding DOM-based XSS vulnerabilities is considered, using a sequential combination of dynamic analysis and fuzz testing methods. To build a maintainable dynamic analyzer of JavaScript code, the modern Firefox web browser is used without modification of its source code. A survey of existing methods for finding DOM-based XSS vulnerabilities is given
Taming the Static Analysis Beast
While industrial-strength static analysis over large, real-world codebases has become commonplace, so too have difficult-to-analyze language constructs, large libraries, and popular frameworks. These features make constructing and evaluating a novel, sound analysis painful, error-prone, and tedious. We motivate the need for research to address these issues by highlighting some of the many challenges faced by static analysis developers in today's software ecosystem. We then propose our short- and long-term research agenda to make static analysis over modern software less burdensome
Evaluating Taint Analysis Tools for JavaScript
This study, carried out within the framework of a BSc thesis, comprises a survey of scientific tools that perform taint analysis for the JavaScript programming language.
Taint analysis is defined as a kind of analysis that infers whether the points of a program which act as entry points for sensitive data pose a danger to the application, by observing the flow of such data through the program. Such points are called taint sources. Specifically, a taint analysis marks as "tainted" the variables that have been affected by user-supplied data and traces them to see whether they reach some vulnerable method, called a sink. If a tainted variable enters such a point without first having been sanitized, it is flagged as vulnerable. Tainting is the association of some kind of mark or label with the sensitive data, which allows the detection of their flow through the program as well as the propagation of the taint to the variables they encounter.
The purpose of this research is a thorough survey of scientific tools that perform such analyses on programs written in JavaScript. We present a collection of tools and approaches which developers or organizations can integrate into their defensive arsenal for the inspection of the client-side code of their web applications, thereby countering possible web attacks.
In the context of this BSc thesis, we have examined a number of scientific tools that perform taint analysis for programs written in the JavaScript programming language.
Taint analysis is defined as a type of analysis which concludes whether points of the program that act as entry points for sensitive data are dangerous for the application, by tracking the flow of such data throughout the program. Such points are called taint sources. Specifically, taint analysis marks as tainted the variables which have been affected by user input and tracks them until they reach a sensitive method, called a sink. If a tainted variable reaches such a point without being properly sanitized first, a vulnerability is reported. Tainting is the association of some kind of label or mark with sensitive data that allows the tracking of its flow throughout the program as well as the propagation of taint to the variables it comes across.
The purpose of this research is the thorough survey of scientific tools that perform such analyses for programs written in JavaScript. We hereby present a collection of frameworks and approaches, which developers and enterprises may incorporate into their defense arsenal for the inspection of the client-side code of their web applications, thus negating possible web attacks