
    A Practical Blended Analysis for Dynamic Features in JavaScript

    The JavaScript Blended Analysis Framework is designed to perform a general-purpose, practical combined static/dynamic analysis of JavaScript programs, while handling dynamic features such as run-time generated code and variadic functions. The idea of blended analysis is to focus static analysis on a dynamic calling structure collected at runtime in a lightweight manner, and to refine the static analysis using additional dynamic information. We perform blended points-to analysis of JavaScript with our framework and compare results with those computed by a pure static points-to analysis. Using JavaScript code from actual webpages as benchmarks, we show that optimized blended analysis for JavaScript obtains good coverage (86.6% on average per website) of the pure static analysis solution and finds additional points-to pairs (7.0% on average per website) contributed by dynamically generated/loaded code.

    Static Taint Analysis via Type-checking in TypeScript

    With the widespread use of web applications across the globe, and the advancements in web technologies in recent years, these applications have grown more ubiquitous and sophisticated than ever before. Modern web applications face the constant threat of numerous web security risks given their presence on the internet and the massive influx of data from external sources. This paper presents a novel method for analyzing taint through type-checking and applies it to web applications in the context of preventing online security threats. The taint analysis technique is implemented in TypeScript using its built-in type-checking features, and then integrated into a web application developed using the React web framework. This web application is then validated against different types of injection attacks. The results of the validation show that taint analysis is an effective means to prevent pervasive online attacks, such as eval injection, cross-site scripting (XSS), and SQL injection in web applications. Considering that our proposed taint analysis technique can be implemented using existing type-checking features of TypeScript, it can be quickly adopted by developers to add taint analysis into their applications with no performance overhead. With the large number of web applications developed in TypeScript, the widespread adoption of our technique can help prevent cyberattacks and protect the online community from potential harm. By combining taint analysis with other secure web practices, such as input validation, application developers can strengthen the overall security of web applications.
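    The abstract above does not show how type-checking can carry taint, so here is an added example (not the paper's code) of the usual way to do it in TypeScript: a phantom "brand" on the string type marks data as Tainted or Safe, sources produce Tainted, the sink accepts only Safe, and the sanitizer is the only function that converts between them. The names Tainted, Safe, fromRequest, concat, escapeHtml and renderHtml are assumed here for illustration.

```typescript
// Added example of the type-level taint tracking the abstract describes.
// Not the paper's code: Tainted, Safe, fromRequest, concat, escapeHtml and
// renderHtml are names assumed here for illustration.

// A brand is a phantom property that exists only in the type system. It is
// erased when TypeScript compiles to JavaScript, which is why this style of
// taint check adds no runtime cost.
type Tainted = string & { readonly __taint: "tainted" };
type Safe = string & { readonly __taint: "safe" };

// Taint source: data that arrived from outside the program. The argument
// stands in for a request field (constructed input in the usage below).
function fromRequest(field: string): Tainted {
  return field as Tainted;
}

// The plain + operator erases the brand (Tainted + string is just string),
// so taint must be propagated through a typed combinator instead.
function concat(a: Tainted, b: string): Tainted {
  return (a + b) as Tainted;
}

// Sanitizer: the one place that turns Tainted into Safe, for the HTML text
// context only. The same value is not Safe for an attribute, URL or script
// context; those need their own sanitizers returning their own brands.
function escapeHtml(input: Tainted): Safe {
  const escaped = input
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
  return escaped as Safe;
}

// Sink: accepts only Safe. Passing a Tainted value is a compile error, so
// the unsanitized flow is rejected by tsc before the program runs.
function renderHtml(body: Safe): string {
  return "<p>" + body + "</p>";
}

// Compile-time evidence that the sink rejects tainted input: these two
// constants only type-check because Tainted is not assignable to Safe.
type Assignable<A, B> = A extends B ? true : false;
const taintedIsNotSafe: Assignable<Tainted, Safe> = false;
const safeIsSafe: Assignable<Safe, Safe> = true;

// End-to-end flow: source -> propagation -> sanitizer -> sink.
// renderHtml(full) without escapeHtml would not compile.
function renderComment(rawAuthor: string, rawComment: string): string {
  const prefix = concat(fromRequest(rawAuthor), ": ");
  const full = concat(prefix, fromRequest(rawComment));
  return renderHtml(escapeHtml(full));
}

// Constructed input: renderComment("mallory", "<script>alert(1)</script>")
// yields "<p>mallory: &lt;script&gt;alert(1)&lt;/script&gt;</p>".
```

    Two caveats a practitioner should keep in mind. First, every string-producing operation that is not wrapped like concat (template literals, split/join, JSON.stringify, library calls) silently returns a plain string and drops the brand, so the check is only as complete as the set of wrapped combinators. Second, an `as Safe` cast anywhere in the code base forges the brand; the casts inside the sanitizers have to be the only ones, which is a lint rule rather than something the type-checker enforces.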

    Data-flow Analysis of Programs with Associative Arrays

    Dynamic programming languages, such as PHP, JavaScript, and Python, provide built-in data structures including associative arrays and objects with similar semantics: object properties can be created at run-time and accessed via arbitrary expressions. While a high level of security and safety of applications written in these languages can be of particular importance (consider a web application storing sensitive data and providing its functionality worldwide), dynamic data structures pose significant challenges for data-flow analysis, making traditional static verification methods both unsound and imprecise. In this paper, we propose a sound and precise approach for value and points-to analysis of programs with associative-array-like data structures, upon which data-flow analyses can be built. We implemented our approach in a web-application domain, in an analyzer of PHP code. Comment: In Proceedings ESSS 2014, arXiv:1405.055

    Framework for Static Analysis of PHP Applications

    Dynamic languages, such as PHP and JavaScript, are widespread and heavily used. They provide dynamic features such as a dynamic type system, virtual and dynamic method calls, dynamic includes, and built-in dynamic data structures. This makes it hard to create static analyses, e.g., for automatic error discovery. Yet exploiting errors in such programs, especially in web applications, can have significant impacts. In this paper, we present a static analysis framework for PHP, automatically resolving features common to dynamic languages and thus reducing the complexity of defining new static analyses. In particular, the framework enables defining value and heap analyses for dynamic languages independently and composing them automatically and soundly. We used the framework to implement a static taint analysis for finding security vulnerabilities. The analysis has revealed previously unknown security problems in a real application. Compared to existing state-of-the-art analysis tools for PHP, it has found more real problems with a lower false-positive rate.

    Implementing Dynamic Coarse & Fine Grained Taint Analysis for Rhino JavaScript

    Web application systems today are at great risk from attackers. They use methods like cross-site scripting, SQL injection, and format string attacks to exploit vulnerabilities in an application. Standard techniques like static analysis and code audits seem to be inadequate in successfully combating attacks like these. Both techniques point out the vulnerabilities before an application is run. However, static analysis may result in a higher rate of false positives, and code audits are time-consuming and costly. Hence, there is a need for reliable detection mechanisms. Dynamic taint analysis offers an alternate solution: it marks the incoming data from the untrusted source as 'tainted'. The flow of tainted data is tracked during the program execution. Whenever tainted data is used in a security-sensitive context, a proper action is taken. The execution may also be suspended depending upon the severity of the operation. This project implements dynamic taint analysis in Rhino JavaScript. The focus is on adding support for coarse-grained and fine-grained string tainting. Coarse-grained tainting works at the granularity level of a string while fine-grained tainting works at the granularity level of a character in a string. Both approaches are discussed in further detail in the paper. I have also written a SQL library to leverage my implementation of taint analysis in Rhino and conducted performance tests to contrast the overhead of coarse & fine grained taint analysis. My test results show that fine-grained taint analysis in general incurs more overhead than coarse-grained taint analysis.
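    The difference between string-level and character-level tainting is easiest to see at a SQL sink, so here is an added example (not the Rhino implementation, and not this project's SQL library) that models both granularities in TypeScript: a string carries one taint mark per character, the coarse-grained view is "any character tainted", and two sink policies decide on the same query. The names TaintedStr, sqlSinkCoarse, sqlSinkFine, buildLookup and check are assumed for illustration, and the query inputs are constructed.

```typescript
// Added example: runtime string tainting at two granularities, with a SQL
// sink that shows what each granularity can decide. Hypothetical names
// (TaintedStr, sqlSinkCoarse, sqlSinkFine, buildLookup, check); not Rhino code.

// Fine-grained representation: the text plus one taint mark per character.
// The coarse-grained view (isTainted) is derived from it: the string is
// tainted as a whole if any of its characters is.
class TaintedStr {
  constructor(readonly text: string, readonly marks: boolean[]) {
    if (text.length !== marks.length) throw new Error("mark/text length mismatch");
  }
  static trusted(s: string): TaintedStr {
    return new TaintedStr(s, s.split("").map(function () { return false; }));
  }
  static untrusted(s: string): TaintedStr {
    return new TaintedStr(s, s.split("").map(function () { return true; }));
  }
  // Concatenation carries each character's mark over unchanged, so the
  // taint of the result is exactly the union of its parts' taint.
  concat(other: TaintedStr): TaintedStr {
    return new TaintedStr(this.text + other.text, this.marks.concat(other.marks));
  }
  // A substring keeps the marks of the characters it keeps.
  slice(start: number, end?: number): TaintedStr {
    return new TaintedStr(this.text.slice(start, end), this.marks.slice(start, end));
  }
  // Coarse-grained view: one bit for the whole string.
  isTainted(): boolean {
    return this.marks.some(function (m) { return m; });
  }
}

// Coarse-grained policy: refuse any query that carries taint at all. This
// stops the injection below, but also rejects the benign lookups, because
// concatenating one untrusted character taints the whole query string.
function sqlSinkCoarse(q: TaintedStr): "ok" | "blocked" {
  return q.isTainted() ? "blocked" : "ok";
}

// Fine-grained policy: untrusted characters may only occur inside a
// single-quoted literal and may not be the quote that opens or closes one.
// One pass over the query tracking quote state; a doubled quote inside a
// literal is SQL's escaped quote and counts as data. Backslash escaping
// (the MySQL default) is deliberately not modelled here.
function sqlSinkFine(q: TaintedStr): "ok" | "blocked" {
  let inLiteral = false;
  for (let i = 0; i < q.text.length; i++) {
    const ch = q.text.charAt(i);
    if (ch === "'") {
      if (inLiteral && q.text.charAt(i + 1) === "'") { i++; continue; } // '' is data
      if (q.marks[i]) return "blocked"; // untrusted data would change quoting
      inLiteral = !inLiteral;
      continue;
    }
    if (q.marks[i] && !inLiteral) return "blocked"; // untrusted SQL syntax
  }
  return "ok";
}

// The query is assembled the way an application would: trusted template
// text around an untrusted value.
function buildLookup(userInput: string): TaintedStr {
  return TaintedStr.trusted("SELECT id FROM users WHERE name = '")
    .concat(TaintedStr.untrusted(userInput))
    .concat(TaintedStr.trusted("'"));
}

// Runs both sink policies on the same constructed query.
function check(userInput: string): { coarse: string; fine: string } {
  const q = buildLookup(userInput);
  return { coarse: sqlSinkCoarse(q), fine: sqlSinkFine(q) };
}

// Constructed inputs:
//   check("alice")        -> coarse "blocked", fine "ok"
//   check("O''Brien")     -> coarse "blocked", fine "ok"
//   check("' OR '1'='1")  -> coarse "blocked", fine "blocked"
//   check("alice' --")    -> coarse "blocked", fine "blocked"
```

    The overhead difference the abstract reports falls out of the representation: the coarse view is a single bit that concat and slice can compute in constant time, while the fine view allocates and copies a mark per character on every string operation. Character-level marks are what let the sink accept the quoted name and the escaped apostrophe while still rejecting the two injection payloads, which a string-level flag cannot distinguish.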

    Detecting DOM based XSS vulnerabilities using debug API of the modern web-browser

    We consider a solution to the problem of finding DOM-based XSS vulnerabilities through a sequential combination of dynamic analysis and fuzz testing. To build a maintainable dynamic analyzer of JavaScript code, the modern Firefox web browser is used without modification of its source code. An overview of existing methods for finding DOM-based XSS vulnerabilities is given.

    Taming the Static Analysis Beast

    While industrial-strength static analysis over large, real-world codebases has become commonplace, so too have difficult-to-analyze language constructs, large libraries, and popular frameworks. These features make constructing and evaluating a novel, sound analysis painful, error-prone, and tedious. We motivate the need for research to address these issues by highlighting some of the many challenges faced by static analysis developers in today's software ecosystem. We then propose our short- and long-term research agenda to make static analysis over modern software less burdensome.

    Evaluating Taint Analysis Tools for JavaScript

    In the context of this BSc thesis, we have examined a number of scientific tools that perform taint analysis for programs written in the JavaScript programming language. Taint analysis is defined as a type of analysis which concludes whether points of the program that act as entry points for sensitive data are dangerous for the application, by tracking the flow of such data throughout the program. Such points are called taint sources. Specifically, taint analysis marks as tainted the variables which have been affected by user input and tracks them until they reach a sensitive method, called a sink. If a tainted variable reaches such a point without being properly sanitized first, a vulnerability is reported. Tainting is the association of some kind of label or mark with sensitive data that allows the tracking of its flow throughout the program as well as the propagation of taint to the variables it comes across. The purpose of this research is the thorough study of scientific tools that perform such kinds of analyses for programs written in JavaScript. We hereby present a collection of frameworks and approaches, which developers and enterprises may incorporate into their defense arsenal for the inspection of the client-side code of their web applications, thus countering possible web attacks.