21 research outputs found
Detecting DOM based XSS vulnerabilities using debug API of the modern web-browser
Рассматривается решение задачи поиска уязвимостей класса DOM-based XSS через последовательную комбинацию методов динамического анализа и fuzz-тести-рования. Для создания поддерживаемого динамического анализатора JavaScript-кода используется современный веб-обозреватель Firefox без модификации его исходного кода. Приводится обзор существующих методов поиска уязвимостей класса DOM-based XSS
A Practical Blended Analysis for Dynamic Features in JavaScript
The JavaScript Blended Analysis Framework is designed to
perform a general-purpose, practical combined static/dynamic
analysis of JavaScript programs, while handling dynamic
features such as run-time generated code and variadic func-
tions. The idea of blended analysis is to focus static anal-
ysis on a dynamic calling structure collected at runtime in
a lightweight manner, and to rene the static analysis us-
ing additional dynamic information. We perform blended
points-to analysis of JavaScript with our framework and
compare results with those computed by a pure static points-
to analysis. Using JavaScript codes from actual webpages
as benchmarks, we show that optimized blended analysis
for JavaScript obtains good coverage (86.6% on average per
website) of the pure static analysis solution and nds ad-
ditional points-to pairs (7.0% on average per website) con-
tributed by dynamically generated/loaded code
Generalizing Permissive-Upgrade in Dynamic Information Flow Analysis
Preventing implicit information flows by dynamic program analysis requires
coarse approximations that result in false positives, because a dynamic monitor
sees only the executed trace of the program. One widely deployed method is the
no-sensitive-upgrade check, which terminates a program whenever a variable's
taint is upgraded (made more sensitive) due to a control dependence on tainted
data. Although sound, this method is restrictive, e.g., it terminates the
program even if the upgraded variable is never used subsequently. To counter
this, Austin and Flanagan introduced the permissive-upgrade check, which allows
a variable upgrade due to control dependence, but marks the variable
"partially-leaked". The program is stopped later if it tries to use the
partially-leaked variable. Permissive-upgrade handles the dead-variable
assignment problem and remains sound. However, Austin and Flanagan develop
permissive-upgrade only for a two-point (low-high) security lattice and
indicate a generalization to pointwise products of such lattices. In this
paper, we develop a non-trivial and non-obvious generalization of
permissive-upgrade to arbitrary lattices. The key difficulty lies in finding a
suitable notion of partial leaks that is both sound and permissive and in
developing a suitable definition of memory equivalence that allows an inductive
proof of soundness
Automatic Root Cause Quantification for Missing Edges in JavaScript Call Graphs (Extended Version)
Building sound and precise static call graphs for real-world JavaScript
applications poses an enormous challenge, due to many hard-to-analyze language
features. Further, the relative importance of these features may vary depending
on the call graph algorithm being used and the class of applications being
analyzed. In this paper, we present a technique to automatically quantify the
relative importance of different root causes of call graph unsoundness for a
set of target applications. The technique works by identifying the dynamic
function data flows relevant to each call edge missed by the static analysis,
correctly handling cases with multiple root causes and inter-dependent calls.
We apply our approach to perform a detailed study of the recall of a
state-of-the-art call graph construction technique on a set of framework-based
web applications. The study yielded a number of useful insights. We found that
while dynamic property accesses were the most common root cause of missed edges
across the benchmarks, other root causes varied in importance depending on the
benchmark, potentially useful information for an analysis designer. Further,
with our approach, we could quickly identify and fix a recall issue in the call
graph builder we studied, and also quickly assess whether a recent analysis
technique for Node.js-based applications would be helpful for browser-based
code. All of our code and data is publicly available, and many components of
our technique can be re-used to facilitate future studies.Comment: Extended version of ECOOP'22 paper (with appendix
Information Flow Control in WebKit's JavaScript Bytecode
Websites today routinely combine JavaScript from multiple sources, both
trusted and untrusted. Hence, JavaScript security is of paramount importance. A
specific interesting problem is information flow control (IFC) for JavaScript.
In this paper, we develop, formalize and implement a dynamic IFC mechanism for
the JavaScript engine of a production Web browser (specifically, Safari's
WebKit engine). Our IFC mechanism works at the level of JavaScript bytecode and
hence leverages years of industrial effort on optimizing both the source to
bytecode compiler and the bytecode interpreter. We track both explicit and
implicit flows and observe only moderate overhead. Working with bytecode
results in new challenges including the extensive use of unstructured control
flow in bytecode (which complicates lowering of program context taints),
unstructured exceptions (which complicate the matter further) and the need to
make IFC analysis permissive. We explain how we address these challenges,
formally model the JavaScript bytecode semantics and our instrumentation, prove
the standard property of termination-insensitive non-interference, and present
experimental results on an optimized prototype
A Hybrid Approach for Proving Noninterference of Java Programs
Several tools and approaches for proving noninterference properties for Java and other languages exist. Some of them have a high degree of automation or are even fully automatic, but overapproximate the actual information flow, and hence, may produce false positives. Other tools, such as those based on theorem proving, are precise, but may need interaction, and hence, analysis is time-consuming.
In this paper, we propose a hybrid approach that aims at obtaining the best of both approaches:
We want to use fully automatic analysis as much as possible and only at places in a program where, due to overapproximation, the automatic approaches fail, we resort to more precise, but interactive analysis, where the latter involves only the verification of specific functional properties in certain parts of the program, rather than checking more intricate noninterference properties for the whole program.
To illustrate the hybrid approach, in a case study we use the hybrid approach–along with the fully automatic tool Joana for checking noninterference properties for Java programs and the theorem prover KeY for the verification of Java programs–and the CVJ framework proposed by Küsters, Truderung, and Graf to establish cryptographic privacy properties for a non-trivial Java program, namely an e-voting system. The CVJ framework allows one to establish cryptographic indistinguishability properties for Java programs by checking (standard) noninterference properties for such programs
Detecting Redundant CSS Rules in HTML5 Applications: A Tree-Rewriting Approach
HTML5 applications normally have a large set of CSS (Cascading Style Sheets)
rules for data display. Each CSS rule consists of a node selector (given in an
XPath-like query language) and a declaration block (assigning values to
selected nodes' display attributes). As web applications evolve, maintaining
CSS files can easily become problematic. Some CSS rules will be replaced by new
ones, but these obsolete (hence redundant) CSS rules often remain in the
applications. Not only does this "bloat" the applications, but it also
significantly increases web browsers' processing time. Most works on detecting
redundant CSS rules in HTML5 applications do not consider the dynamic behaviors
of HTML5 (specified in JavaScript); in fact, the only proposed method that
takes these into account is dynamic analysis (a.k.a. testing), which cannot
soundly prove redundancy of CSS rules. In this paper, we introduce an
abstraction of HTML5 applications based on monotonic tree-rewriting and study
its "redundancy problem". We establish the precise complexity of the problem
and various subproblems of practical importance (ranging from P to EXP). In
particular, our algorithm relies on an efficient reduction to an analysis of
symbolic pushdown systems (for which highly optimised solvers are available),
which yields a fast method for checking redundancy in practice. We implemented
our algorithm and demonstrated its efficacy in detecting redundant CSS rules in
HTML5 applications.Comment: 50 page