Staged Information Flow for JavaScript Ravi Chugh, Jeff Meister, Ranjit Jhala, Sorin Lerner UC San...

Staged Information Flowfor JavaScript

Ravi Chugh, Jeff Meister, Ranjit Jhala, Sorin Lerner

UC San Diego

wsj.com

searchUrl = “wsj.com/search?”;

doSearch = function(s) { var u = searchUrl + s; document.location = u;}

</script>

z = get(“a.com/ad.js”);eval(z);

wsj.com

a.com/ad.js

</script>

displayAd = function() { ...}displayAd();

wsj.com

a.com/ad.js

</script>

displayAd = function() { ...}displayAd();searchUrl = “evil.com/”;

evil.com

• Script navigates to malicious page• Exploits browser vulnerability

The Problem, Part 1• Third-party code may affect sensitive data

– e.g. writing doc.location– e.g. reading doc.cookie

• Information flow policies– e.g. integrity of doc.location– e.g. confidentiality of doc.cookie

• JavaScript difficulties– dynamic typing– first-class functions– objects, but no classes– prototypes

server code

third-party code

var doc = ...;

doc.location = “evil”;steal(doc.cookie);

The Problem, Part 2• Entire code not available until runtime

• Arrives in stages

third-party code

server code

var doc = ...;

doc.location = “evil”;steal(doc.cookie);

Our Staged Approach: Server

context

policy

Information Flow Policies

Confidentiality policy:x should not be read

Integrity policy:x should not be written

• Summarizes how loaded code must behave• Syntactically enforceable for speed

Our Staged Approach: Server

context

policy

JavaScriptStagingAnalysis

residual policy

No Read

must-not-read vars

No Write

must-not-write vars

Our Staged Approach: Client

Browser

JavaScript Engine

Residual Policy

Checker

✗hole

context

residual policy

wsj.com

</script>

No Read

No Write

searchUrl

doSearch

SearchBox.value

document.location

wsj.com

</script>

No Read

doSearch

No Write

searchUrl

SearchBox.value

document.location

wsj.com

</script>

No Read

doSearch

a.com/ad1.jsdisplayAd = function() { if (version < 7) { ... } else { ... } }displayAd();

No Write

searchUrl

SearchBox.value

document.location

wsj.com

</script>

No Read

doSearch

a.com/ad2.js

searchUrl = “evil.com/”;

No Write

searchUrl

SearchBox.value

document.location

wsj.com

</script>

No Read

doSearch

a.com/ad3.js

doSearch(“foo”);

No Write

searchUrl

SearchBox.value

document.location

Outline• Overview• JavaScript Static Analysis• Computing Residual Policies• Additional Challenges• Evaluation

Information Flow Graph• Analysis tracks information flow in program• Flow-insensitive, set constraint-based• Graph representation:– program constants, variables, edges

– special nodes for function declarations and calls

searchUrl = “wsj.com/search?”;doSearch = function(s) { var u = searchUrl + s; document.location = u;}doSearch(SearchBox.value);

/* a.com/ad1.js */displayAd = function() { ... };displayAd();

searchUrl

“wsj.com/search?”

searchUrl

doSearch

searchUrl

doSearch

searchUrl

doSearch

document.location

searchUrl

doSearch

document.location

Fun SearchBox.value

/* a.com/ad1.js */displayAd = function() { ... };displayAd(); Fun s

doSearch

searchUrl

document.location

Fun SearchBox.value

doSearch

searchUrl

document.location

Fun SearchBox.value

displayAd

doSearch

searchUrl

document.location

Fun SearchBox.value

displayAd

doSearch

searchUrl

document.location

Fun SearchBox.value

displayAd

doSearch

searchUrl

document.location

Fun SearchBox.value

/* a.com/ad2.js */searchUrl = “evil.com”;

doSearch

searchUrl

document.location

Fun SearchBox.value

“evil.com/”

doSearch

searchUrl

document.location

Fun SearchBox.value

“wsj.com/search?”searchUrl = “wsj.com/search?”;doSearch = function(s) { var u = searchUrl + s; document.location = u;}doSearch(SearchBox.value);

/* a.com/ad2.js */searchUrl = “evil.com”;

“evil.com/”

/* a.com/ad3.js */doSearch(“foo”);

doSearch

searchUrl

document.location

Fun SearchBox.value

Fun “foo”

/* a.com/ad3.js */doSearch(“foo”);

doSearch

searchUrl

document.location

Fun SearchBox.value

Fun “foo”

doSearch

searchUrl

document.location

Fun SearchBox.value

No Write

No Read

document.location

searchUrl

SearchBox.value

doSearch

searchUrl

SearchBox.value

document.location

Add taint to sensitive data and propagate

Residual Policies• Difficulties:– Aliasing– First-class functions– Don’t want flow analysis in browser

• Solution:– Conservatively taint functions– Conservatively taint fields

• Transfer taints from parameters to functions

• Transfer taints from return values to functions

Tainted Functions

No Writeto

No Read

foofoo

No Read to

No Write foo(document.cookie);

// hole redefines foo foo = function(t) { // reads t, hence cookie }

foofoo

No Write Taint

No Read Taint

Aliasing and Tainted Fields

• Residual policy misses future aliasing• Conservative approach:

if field f is tainted for some object, f tainted for all

z = tmp.cookie;

No Write

No Readdocument.cookie

tmp.cookie

tmp = document;

// reads z

Objects• Used pervasively in JavaScript• Hence, analysis must be field-sensitive• Encode “setter” and “getter” for field f using

• Fields can be dynamically added• Initially assume no fields• Iteratively add constraints until fixpoint

x = { f:1 };x.g = 2;

Prototypes• JavaScript uses prototype-based inheritance• Intuitively, each object x– has a link to its parent– inherits parent’s fields

• Ensures each object has fields of its ancestors

x.parent x

Indirect Flows

if (document.cookie == “foo”) {

y = 1;}

document.cookie y 1

• Propagate taints along indirect flow edges• But not program values

INDIRECT

Implementation• Flow analysis and residual policy generator– parse JavaScript (JSure)– generate set constraints (6,000 lines of OCaml)– solve constraints (Banshee + 400 lines of C)

• Stand-alone residual policy checker– not yet incorporated into browser

• JavaScript collector– Firefox extension (500 lines of JavaScript)

Experimental Setup• Collect JavaScript for Alexa top 100 web sites

third-party code

server code

97/100 have JavaScript

63/97 have holes

Context:all server code

Hole:all third-party

Experimental Setup• Information flow analysis on context + hole

• Compute residual policy, check it on hole

✓/✗

cookie confidentiality

location integrity

0 5000 10000 15000 20000 25000 30000 35000 40000 450000

Lines of code (thousands)

80% run in <12 sec

Average: 9.9 sec

Scalability of Full Analysis

Average Running Times

✓/✗

Full Analysis

9.9 sec

Staged Analysis

14.0 sec 0.13 sec

Results of Analysis: Full

• Hole satisfies cookie policy? ✓ 30 ✗ 32

Results of Analysis: Staged

• Hole satisfies cookie policy? ✓ 30 ✗ 32

Residual checker:

• 26/30 safe• Imprecision:

4 false positives

Future Work• Context-sensitivity

• Dynamically-constructed field names

• Test more complicated policies

• Embed residual policy checker in browser

Related Work• Information flow– type systems– dynamic instrumentation

• JavaScript analysis– types [Thiemann 05, Anderson et al. 05]– dynamic policies [Chander et al. 07]– static analysis [Guarnieri/Livshits 09]

• Browser security– finer-grained interaction between scripts [Howell et al. 07]

Summary• JavaScript static analysis is scalable

• Residual checks are fast enough for client

• Residual policies precisely capture information flow

Thanks!

Extra Slides

Information Flow Policies

if (x) { holeVar = 1 };

Confidentiality of x:x should not affect hole variables

indirectlyorholeVar = x;

directly

if (holeVar) { x = 1 };

Integrity of x:hole variables should not affect x

indirectlyorx = holeVar;

directly

Fields

Running Times

• Full analysis too slow to run on client• Quick to compute residual policy on server• Small run-time overhead to check– running time includes parsing time– parser is not optimized for speed

cookie policy location policyFlow analysis on context + hole

Computing residual policyChecking residual policy

9.9 10.7

14.0 28.4

0.13 0.12

Results of Staged Analysis

• Residual policy usually agrees with full information flow analysis

• Imprecision from tainted functions/fields• No false negatives

Full:Policy Satisfied?

Staged:Policy Satisfied? cookie policy location policy

✓✓ 26 49

✗ 4 8

✗✗ 32 5

✓ 0 0

imprecision

soundness

Staged Information Flow for JavaScript Ravi Chugh, Jeff Meister, Ranjit Jhala, Sorin Lerner UC San...

Documents

CHEDDARS - Meister Cheese

Dss nitin chugh

Manya Chugh, Deerwood Elementary - DISTRICT 196public.district196.org/.../Departments/Finance/2015-16/FinalBudget.pdfHanna Leuck, , Deerwood Elementary Manya Chugh, Deerwood Elementary

Dataflow Analysis for Concurrent Programs using Datarace Detection Ravi Chugh, Jan W. Voung, Ranjit Jhala, Sorin Lerner LBA Reading Group Michelle Goodstein

Compaction 転圧管理システムCompaction Meister Meister CCV …

OPEN SEATS Pre-School Admission 2018-19 List of Eligible ...rohini.ths.ac.in/wp-content/uploads/sites/9/2018/02/List-Of... · chugh deepak chugh ankita chugh 80 20 thsr18app1217 thsr18reg2878

Landslides (2005) 00 Ashok K. Chugh Timothy D. Stark DOI ...tstark.net/wp-content/uploads/2012/11/59-Chugh-SeismicLandslide... · these 32 slides is given in Chugh and Stark 2005

Meister Pride Day

Meister Erwinnfant

Fujipla Automatic Laminator Product Catalogue · Fujipla Automatic Laminator Product Catalogue AL-MEISTER PLS3310 PLUSTER AL-MEISTER PLS3311 PLUSTER AL-MEISTER PLS3312 PLUSTER AL-MEISTER

Project report-binny chugh

Prinzipien Meister-Kurs

NOVEMBER 5, 2013 - Sanjay K. Chugh

Permissive Interfaces Tom Henzinger Ranjit Jhala Rupak Majumdar

Gemälde Alter Meister

CSE 130 [Spring 2014] Programming Languages · CSE 130 [Spring 2014] Programming Languages Ravi Chugh! Course Introduction! Apr 01 Filling in today for Ranjit Jhala

Nested Refinements: A Logic for Duck Typing Ravi Chugh, Pat Rondon, Ranjit Jhala (UCSD) ::

Transformation Meister-Kurs

Presentation by Dr. TD CHUGH

RADAR: Dataflow Analysis for Concurrent Programs using Datarace Detection Ravi Chugh, Jan Voung, Ranjit Jhala, Sorin Lerner {rchugh, jvoung, jhala, lerner}