SlideShare a Scribd company logo

Type-based Dependency Analysis for JavaScript

Matthias Keil
Matthias Keil

ACM SIGPLAN Eighth Workshop on Programming Languages and Analysis for Security, PLAS'13 Seattle, WA, USA, June 20, 2013

Technology
1 of 25
Download to read offline
Type-based Dependency Analysis for JavaScript PLAS’13 University of Freiburg Matthias Keil, Peter Thiemann Institute for Computer Science University of Freiburg Freiburg, Germany June 20, 2013, Seattle, WA, USA.
JavaScript University of Freiburg JavaScript is the most important language for web sites 92 % of all websites use JavaScript Web-developers rely on third-party libraries e.g. for calendars, maps, social networks 1 <s c r i p t type=" t e x t / j a v a s c r i p t " 2 s r c=" http :// example . org / a pi / j s /?ARGS"> 3 </ s c r i p t> Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 2 / 17
JavaScript (cont.) University of Freiburg Dynamic programming language e.g. eval, mashups JavaScript has no security awareness No namespace or encapsulation management Global scope for variables/functions All scripts have the same authority Security aspects of JavaScript received much attention Static or dynamic analysis techniques Guarantees by reducing the functionality Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 3 / 17
Security Scenarios University of Freiburg 1 Libraries may get access to sensitive data 2 User code may be prone to injection attacks Naive approach: detect information flow Pure information flow is too unflexible for investigating injection attacks Ignores sanitized values Our approach: dependency analysis Addresses both scenarios Sanitized values are acceptable Static Analysis Implemented as extension of a type analyzer Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 4 / 17
Examples University of Freiburg Information flow 1 var t = Cookie . get ( ’ access_token ’ ) ; 2 // processing 3 // ... 4 Ajax . r e q u e s t ( ’ example . org ’ , t ) ; Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 5 / 17
Examples University of Freiburg Information flow 1 var t = Cookie . get ( ’ access_token ’ ) ; 2 // processing 3 // ... 4 Ajax . r e q u e s t ( ’ example . org ’ , t ) ; Sanitization 1 var i nput = document . getElementById ( ’ id ’ ) ; 2 function s a n i t i z e r ( v a l ue ) { 3 // clean up value 4 } 5 // processing 6 // ... 7 Ajax . r e q u e s t ( ’ example . org ’ , s a n i t i z e r ( i nput ) ) ; Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 5 / 17
Design Principles University of Freiburg Dependency Analysis Information flow pioneered by Denning Determines potential data flow between program points Related to simple security types Flow-sensitive analysis Abstracts data tainting Stated as type-system Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 6 / 17
Tainting University of Freiburg Built-in traceℓ(e[, id]) and untrace(e, id) function ℓ – unique taint id – tag name Behaves like an identity function Implicit classes: UNSAFE, SAFE Policy-file For predefined values (e.g. DOM, JavaScript API) trace.policy 1 # Object Trace 2 t r a c e : HTMLDocument. cooki e ; Ajax . r e q u e s t ; 3 Array . prototy pe ; Math . abs ; Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 7 / 17
Application Scenario Sensitive Data University of Freiburg 1 var userH a ndl er = function ( uid ) { 2 var name = ’ ’ ; 3 var onSuccess = function ( response ) {name = response ; } ; 4 i f ( alreadyLoaded ) { 5 Cookie . r e q u e s t ( uid , onSuccess ) ; 6 } e l s e { 7 Ajax . r e q u e s t ( ’ example . org ’ , uid , onSuccess ) ; 8 } 9 return name ; 10 }; 11 var name = userH a ndl er ( trace (" uid " ) ) ; Security properties on a fine level of granularity Distinguish different sources Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 8 / 17
Application Scenario Sensitive Data University of Freiburg 1 var userH a ndl er = function ( uid ) { 2 var name = ’ ’ ; 3 var onSuccess = function ( response ) {name = response ; } ; 4 i f ( alreadyLoaded ) { // alreadyLoaded=true 5 Cookie . r e q u e s t ( uid , onSuccess ) ; 6 } e l s e { 7 Ajax . r e q u e s t ( ’ example . org ’ , uid , onSuccess ) ; 8 } 9 return name ; 10 }; 11 var name = userH a ndl er ( trace ( " uid " ) ) ; Security properties on a fine level of granularity Distinguish different sources Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 8 / 17
Application Scenario Sensitive Data University of Freiburg 1 var userH a ndl er = function ( uid ) { 2 var name = ’ ’ ; 3 var onSuccess = function ( response ) {name = response ; } ; 4 i f ( alreadyLoaded ) { // alreadyLoaded=( true|false ) 5 Cookie . r e q u e s t ( uid , onSuccess ) ; 6 } e l s e { 7 Ajax . r e q u e s t ( ’ example . org ’ , uid , onSuccess ) ; 8 } 9 return name ; 10 }; 11 var name = userH a ndl er ( trace ( " uid " ) ) ; Security properties on a fine level of granularity Distinguish different sources Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 8 / 17
Application Scenario Foreign Code University of Freiburg 1 loadForeignCode = trace ( function () { 2 Array . prototy pe . f orea ch = function ( c a l l b a c k ) { 3 // do something 4 }; 5 } ) ; 6 loadForeignCode ( ) ; 7 // do something 8 a r r a y . f orea ch ( function ( k , v ) { 9 r e s u l t = k + v ; 10 } ) ; Protect code from being compromised Encapsulation of foreign code Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 9 / 17
Application Scenario Sanitization University of Freiburg 1 $ = function ( i d ) { 2 return trace ( document . getElementById ( i d ) . value , "#DOM" ) ; 3 } 4 function s a n i t i z e r ( v a l ue ) { 5 // escape value 6 return untrace ( value , "#DOM" ) ; 7 } 8 // do something 9 var i nput = $(" t e x t " ) ; 10 var s a n i t i z e d I n p u t = s a n i t i z e r ( i nput ) ; 11 consumer ( s a n i t i z e d I n p u t ) ; Avoid injection attacks e.g. only escaped values used Change taint classes Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 10 / 17
Application Scenario Sanitization (cont) University of Freiburg var s a n i t i z e d I n p u t = i_know_what_i_do ? s a n i t i z e r ( i nput ) : i nput ; Mixture of sanitized and unsanitized taints Flagged as an error Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 11 / 17
Dependency Tracking Semantics University of Freiburg v = trace(value, ’#DOM’); v’ = trace(another, ’#ANOTHER’); var input sanitized = untrace(input, ’#DOM’); Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 12 / 17
Dependency Tracking Semantics University of Freiburg v = trace(value, ’#DOM’); v’ = trace(another, ’#ANOTHER’); var input sanitized = untrace(input, ’#DOM’); v : ℓ#DOM,UNSAFE v′ : ℓ′#ANOTHER,UNSAFE Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 12 / 17
Dependency Tracking Semantics University of Freiburg v = trace(value, ’#DOM’); v’ = trace(another, ’#ANOTHER’); var input sanitized = untrace(input, ’#DOM’); v : ℓ#DOM,UNSAFE v′ : ℓ′#ANOTHER,UNSAFE input : ℓ#DOM,UNSAFE , ℓ′#ANOTHER,UNSAFE Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 12 / 17
Dependency Tracking Semantics University of Freiburg v = trace(value, ’#DOM’); v’ = trace(another, ’#ANOTHER’); var input sanitized = untrace(input, ’#DOM’); v : ℓ#DOM,UNSAFE v′ : ℓ′#ANOTHER,UNSAFE input : ℓ#DOM,UNSAFE , ℓ′#ANOTHER,UNSAFE sanitized : ℓ#DOM,SAFE , ℓ′#ANOTHER,UNSAFE Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 12 / 17
Dependency Tracking Semantics University of Freiburg input = trace(value, ’#DOM’); if input = untrace(input, ’#DOM’); fi Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 13 / 17
Dependency Tracking Semantics University of Freiburg input = trace(value, ’#DOM’); if input = untrace(input, ’#DOM’); fi input : ℓ#DOM,UNSAFE input : ℓ#DOM,UNSAFE input : ℓ#DOM,SAFE input : ℓ#DOM,SAFE Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 13 / 17
Dependency Tracking Semantics University of Freiburg input = trace(value, ’#DOM’); if input = untrace(input, ’#DOM’); fi input : ℓ#DOM,UNSAFE input : ℓ#DOM,UNSAFE input : ℓ#DOM,SAFE input : ℓ#DOM,UNSAFE input : ℓ#DOM,SAFE , ℓ#DOM,UNSAFE Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 13 / 17
Technical Contribution University of Freiburg Formalization based on a typed JavaScript Core calculus Dependency Tracking Semantics Marker propagation for upcoming values Not meant to perform a dynamic analysis Static analysis based on the type system for dependency tracking Termination-insensitive noninterference based on the types Correct abstraction of the tracking semantics Termination of the abstract analysis Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 14 / 17
Implementation University of Freiburg Implementation extends TAJS, a Type Analyzer for JavaScript developed by Anders Møller and others Abstract values and states are extended with abstract taints The control flow graph is extended by special nodes for implicit flows traceℓ and untrace implemented as built-in functions Policy file for pre-labeling of built-in objects Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 15 / 17
Conclusion University of Freiburg Designed and implemented a type-based dependency analysis for JavaScript Analysis of information flow Encapsulation of foreign code Declassification of values (by changing taint-classes) Dependency analysis is not a security analysis Investigate noninterference Ensure confidentiality Verify correct sanitizer placement Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 16 / 17
Type-based Dependency Analysis for JavaScript University of Freiburg Questions? Thank you for your attention. Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 17 / 17

Recommended

IEEE SCAM 2017 Revisiting Exception Handling Practices with Exception Flow An...
IEEE SCAM 2017 Revisiting Exception Handling Practices with Exception Flow An...IEEE SCAM 2017 Revisiting Exception Handling Practices with Exception Flow An...
IEEE SCAM 2017 Revisiting Exception Handling Practices with Exception Flow An...Gui Padua
 
Irpb workshop
Irpb workshopIrpb workshop
Irpb workshopKhalid Belhajjame
 
Privacy-Preserving Data Analysis, Adria Gascon
Privacy-Preserving Data Analysis, Adria GasconPrivacy-Preserving Data Analysis, Adria Gascon
Privacy-Preserving Data Analysis, Adria GasconUlrik Lyngs
 
Usability of developed multiple file encryption using rijndael algorithm
Usability of developed multiple file encryption using rijndael algorithm Usability of developed multiple file encryption using rijndael algorithm
Usability of developed multiple file encryption using rijndael algorithm Bryan Guibijar
 
CNSM 2022 - An Online Framework for Adapting Security Policies in Dynamic IT ...
CNSM 2022 - An Online Framework for Adapting Security Policies in Dynamic IT ...CNSM 2022 - An Online Framework for Adapting Security Policies in Dynamic IT ...
CNSM 2022 - An Online Framework for Adapting Security Policies in Dynamic IT ...Kim Hammar
 
Predictive Maintenance at the Dutch Railways with Ivo Everts
Predictive Maintenance at the Dutch Railways with Ivo EvertsPredictive Maintenance at the Dutch Railways with Ivo Everts
Predictive Maintenance at the Dutch Railways with Ivo EvertsDatabricks
 
Rijndael Algorithm for Multiple File Encryption Development
Rijndael Algorithm for Multiple File Encryption DevelopmentRijndael Algorithm for Multiple File Encryption Development
Rijndael Algorithm for Multiple File Encryption Developmentijtsrd
 
How i learned to stop worrying and love the logs
How i learned to stop worrying and love the logsHow i learned to stop worrying and love the logs
How i learned to stop worrying and love the logsHanokh Aloni
 

Recommended

IEEE SCAM 2017 Revisiting Exception Handling Practices with Exception Flow An...
IEEE SCAM 2017 Revisiting Exception Handling Practices with Exception Flow An...IEEE SCAM 2017 Revisiting Exception Handling Practices with Exception Flow An...
IEEE SCAM 2017 Revisiting Exception Handling Practices with Exception Flow An...Gui Padua
 
Irpb workshop
Irpb workshopIrpb workshop
Irpb workshopKhalid Belhajjame
 
Privacy-Preserving Data Analysis, Adria Gascon
Privacy-Preserving Data Analysis, Adria GasconPrivacy-Preserving Data Analysis, Adria Gascon
Privacy-Preserving Data Analysis, Adria GasconUlrik Lyngs
 
Usability of developed multiple file encryption using rijndael algorithm
Usability of developed multiple file encryption using rijndael algorithm Usability of developed multiple file encryption using rijndael algorithm
Usability of developed multiple file encryption using rijndael algorithm Bryan Guibijar
 
CNSM 2022 - An Online Framework for Adapting Security Policies in Dynamic IT ...
CNSM 2022 - An Online Framework for Adapting Security Policies in Dynamic IT ...CNSM 2022 - An Online Framework for Adapting Security Policies in Dynamic IT ...
CNSM 2022 - An Online Framework for Adapting Security Policies in Dynamic IT ...Kim Hammar
 
Predictive Maintenance at the Dutch Railways with Ivo Everts
Predictive Maintenance at the Dutch Railways with Ivo EvertsPredictive Maintenance at the Dutch Railways with Ivo Everts
Predictive Maintenance at the Dutch Railways with Ivo EvertsDatabricks
 
Rijndael Algorithm for Multiple File Encryption Development
Rijndael Algorithm for Multiple File Encryption DevelopmentRijndael Algorithm for Multiple File Encryption Development
Rijndael Algorithm for Multiple File Encryption Developmentijtsrd
 
How i learned to stop worrying and love the logs
How i learned to stop worrying and love the logsHow i learned to stop worrying and love the logs
How i learned to stop worrying and love the logsHanokh Aloni
 
Self-Learning Systems for Cyber Security
Self-Learning Systems for Cyber SecuritySelf-Learning Systems for Cyber Security
Self-Learning Systems for Cyber SecurityKim Hammar
 
Self-Learning Systems for Cyber Security
Self-Learning Systems for Cyber SecuritySelf-Learning Systems for Cyber Security
Self-Learning Systems for Cyber SecurityKim Hammar
 
Resilience by Usable Security
Resilience by Usable SecurityResilience by Usable Security
Resilience by Usable SecuritySven Wohlgemuth
 
OpenStack in Action 4! Susheel Varma - VPH-Share: Patient-Centred Multi-scale...
OpenStack in Action 4! Susheel Varma - VPH-Share: Patient-Centred Multi-scale...OpenStack in Action 4! Susheel Varma - VPH-Share: Patient-Centred Multi-scale...
OpenStack in Action 4! Susheel Varma - VPH-Share: Patient-Centred Multi-scale...eNovance
 
P2P Security
P2P SecurityP2P Security
P2P SecurityChittaranjan Hota
 
Hota iitd
Hota iitdHota iitd
Hota iitdPratik Narang
 
4182020 Originality Reporthttpsucumberlands.blackboar.docx
4182020 Originality Reporthttpsucumberlands.blackboar.docx4182020 Originality Reporthttpsucumberlands.blackboar.docx
4182020 Originality Reporthttpsucumberlands.blackboar.docxblondellchancy
 
FEATURE EXTRACTION AND FEATURE SELECTION: REDUCING DATA COMPLEXITY WITH APACH...
FEATURE EXTRACTION AND FEATURE SELECTION: REDUCING DATA COMPLEXITY WITH APACH...FEATURE EXTRACTION AND FEATURE SELECTION: REDUCING DATA COMPLEXITY WITH APACH...
FEATURE EXTRACTION AND FEATURE SELECTION: REDUCING DATA COMPLEXITY WITH APACH...IJNSA Journal
 
Amm Icict 12 2005
Amm Icict 12 2005Amm Icict 12 2005
Amm Icict 12 2005Mervat AbuElkheir
 
Study of Software Defect Prediction using Forward Pass RNN with Hyperbolic Ta...
Study of Software Defect Prediction using Forward Pass RNN with Hyperbolic Ta...Study of Software Defect Prediction using Forward Pass RNN with Hyperbolic Ta...
Study of Software Defect Prediction using Forward Pass RNN with Hyperbolic Ta...ijtsrd
 
ITD BSides PDX Slides
ITD BSides PDX SlidesITD BSides PDX Slides
ITD BSides PDX SlidesEricGoldstrom
 
Splunk for cyber_threat
Splunk for cyber_threatSplunk for cyber_threat
Splunk for cyber_threatGreg Hanchin
 
Active Data: Managing Data-Life Cycle on Heterogeneous Systems and Infrastruc...
Active Data: Managing Data-Life Cycle on Heterogeneous Systems and Infrastruc...Active Data: Managing Data-Life Cycle on Heterogeneous Systems and Infrastruc...
Active Data: Managing Data-Life Cycle on Heterogeneous Systems and Infrastruc...Gilles Fedak
 
Sample CS Senior Capstone Projects
Sample CS Senior Capstone ProjectsSample CS Senior Capstone Projects
Sample CS Senior Capstone ProjectsFred Annexstein
 
DATA INTEGRITY AUDITING WITHOUT PRIVATE KEY STORAGE FOR SECURE CLOUD STORAGE
DATA INTEGRITY AUDITING WITHOUT PRIVATE KEY STORAGE FOR SECURE CLOUD STORAGEDATA INTEGRITY AUDITING WITHOUT PRIVATE KEY STORAGE FOR SECURE CLOUD STORAGE
DATA INTEGRITY AUDITING WITHOUT PRIVATE KEY STORAGE FOR SECURE CLOUD STORAGEIJTRET-International Journal of Trendy Research in Engineering and Technology
 
Cheminformatics Software Development: Case Studies
Cheminformatics Software Development: Case StudiesCheminformatics Software Development: Case Studies
Cheminformatics Software Development: Case StudiesJeremy Yang
 
Preservation Metadata, CARLI Metadata Matters series, December 2010
Preservation Metadata, CARLI Metadata Matters series, December 2010Preservation Metadata, CARLI Metadata Matters series, December 2010
Preservation Metadata, CARLI Metadata Matters series, December 2010Claire Stewart
 
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...Achim D. Brucker
 
RuleML2015: Using PSL to Extend and Evaluate Event Ontologies
RuleML2015: Using PSL to Extend and Evaluate Event OntologiesRuleML2015: Using PSL to Extend and Evaluate Event Ontologies
RuleML2015: Using PSL to Extend and Evaluate Event OntologiesRuleML
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Chetan Khatri
 
Transparent Object Proxies for JavaScript
Transparent Object Proxies for JavaScriptTransparent Object Proxies for JavaScript
Transparent Object Proxies for JavaScriptMatthias Keil
 
On Contracts, Sandboxes, and Proxies for JavaScript
On Contracts, Sandboxes, and Proxies for JavaScriptOn Contracts, Sandboxes, and Proxies for JavaScript
On Contracts, Sandboxes, and Proxies for JavaScriptMatthias Keil
 

More Related Content

Similar to Type-based Dependency Analysis for JavaScript

Self-Learning Systems for Cyber Security
Self-Learning Systems for Cyber SecuritySelf-Learning Systems for Cyber Security
Self-Learning Systems for Cyber SecurityKim Hammar
 
Self-Learning Systems for Cyber Security
Self-Learning Systems for Cyber SecuritySelf-Learning Systems for Cyber Security
Self-Learning Systems for Cyber SecurityKim Hammar
 
Resilience by Usable Security
Resilience by Usable SecurityResilience by Usable Security
Resilience by Usable SecuritySven Wohlgemuth
 
OpenStack in Action 4! Susheel Varma - VPH-Share: Patient-Centred Multi-scale...
OpenStack in Action 4! Susheel Varma - VPH-Share: Patient-Centred Multi-scale...OpenStack in Action 4! Susheel Varma - VPH-Share: Patient-Centred Multi-scale...
OpenStack in Action 4! Susheel Varma - VPH-Share: Patient-Centred Multi-scale...eNovance
 
4182020 Originality Reporthttpsucumberlands.blackboar.docx
4182020 Originality Reporthttpsucumberlands.blackboar.docx4182020 Originality Reporthttpsucumberlands.blackboar.docx
4182020 Originality Reporthttpsucumberlands.blackboar.docxblondellchancy
 
FEATURE EXTRACTION AND FEATURE SELECTION: REDUCING DATA COMPLEXITY WITH APACH...
FEATURE EXTRACTION AND FEATURE SELECTION: REDUCING DATA COMPLEXITY WITH APACH...FEATURE EXTRACTION AND FEATURE SELECTION: REDUCING DATA COMPLEXITY WITH APACH...
FEATURE EXTRACTION AND FEATURE SELECTION: REDUCING DATA COMPLEXITY WITH APACH...IJNSA Journal
 
Study of Software Defect Prediction using Forward Pass RNN with Hyperbolic Ta...
Study of Software Defect Prediction using Forward Pass RNN with Hyperbolic Ta...Study of Software Defect Prediction using Forward Pass RNN with Hyperbolic Ta...
Study of Software Defect Prediction using Forward Pass RNN with Hyperbolic Ta...ijtsrd
 
ITD BSides PDX Slides
ITD BSides PDX SlidesITD BSides PDX Slides
ITD BSides PDX SlidesEricGoldstrom
 
Splunk for cyber_threat
Splunk for cyber_threatSplunk for cyber_threat
Splunk for cyber_threatGreg Hanchin
 
Active Data: Managing Data-Life Cycle on Heterogeneous Systems and Infrastruc...
Active Data: Managing Data-Life Cycle on Heterogeneous Systems and Infrastruc...Active Data: Managing Data-Life Cycle on Heterogeneous Systems and Infrastruc...
Active Data: Managing Data-Life Cycle on Heterogeneous Systems and Infrastruc...Gilles Fedak
 
Sample CS Senior Capstone Projects
Sample CS Senior Capstone ProjectsSample CS Senior Capstone Projects
Sample CS Senior Capstone ProjectsFred Annexstein
 
Cheminformatics Software Development: Case Studies
Cheminformatics Software Development: Case StudiesCheminformatics Software Development: Case Studies
Cheminformatics Software Development: Case StudiesJeremy Yang
 
Preservation Metadata, CARLI Metadata Matters series, December 2010
Preservation Metadata, CARLI Metadata Matters series, December 2010Preservation Metadata, CARLI Metadata Matters series, December 2010
Preservation Metadata, CARLI Metadata Matters series, December 2010Claire Stewart
 
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...Achim D. Brucker
 
RuleML2015: Using PSL to Extend and Evaluate Event Ontologies
RuleML2015: Using PSL to Extend and Evaluate Event OntologiesRuleML2015: Using PSL to Extend and Evaluate Event Ontologies
RuleML2015: Using PSL to Extend and Evaluate Event OntologiesRuleML
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Chetan Khatri
 

Similar to Type-based Dependency Analysis for JavaScript (20)

Self-Learning Systems for Cyber Security
Self-Learning Systems for Cyber SecuritySelf-Learning Systems for Cyber Security
Self-Learning Systems for Cyber Security
 
Self-Learning Systems for Cyber Security
Self-Learning Systems for Cyber SecuritySelf-Learning Systems for Cyber Security
Self-Learning Systems for Cyber Security
 
Resilience by Usable Security
Resilience by Usable SecurityResilience by Usable Security
Resilience by Usable Security
 
OpenStack in Action 4! Susheel Varma - VPH-Share: Patient-Centred Multi-scale...
OpenStack in Action 4! Susheel Varma - VPH-Share: Patient-Centred Multi-scale...OpenStack in Action 4! Susheel Varma - VPH-Share: Patient-Centred Multi-scale...
OpenStack in Action 4! Susheel Varma - VPH-Share: Patient-Centred Multi-scale...
 
P2P Security
P2P SecurityP2P Security
P2P Security
 
Hota iitd
Hota iitdHota iitd
Hota iitd
 
4182020 Originality Reporthttpsucumberlands.blackboar.docx
4182020 Originality Reporthttpsucumberlands.blackboar.docx4182020 Originality Reporthttpsucumberlands.blackboar.docx
4182020 Originality Reporthttpsucumberlands.blackboar.docx
 
FEATURE EXTRACTION AND FEATURE SELECTION: REDUCING DATA COMPLEXITY WITH APACH...
FEATURE EXTRACTION AND FEATURE SELECTION: REDUCING DATA COMPLEXITY WITH APACH...FEATURE EXTRACTION AND FEATURE SELECTION: REDUCING DATA COMPLEXITY WITH APACH...
FEATURE EXTRACTION AND FEATURE SELECTION: REDUCING DATA COMPLEXITY WITH APACH...
 
Amm Icict 12 2005
Amm Icict 12 2005Amm Icict 12 2005
Amm Icict 12 2005
 
Study of Software Defect Prediction using Forward Pass RNN with Hyperbolic Ta...
Study of Software Defect Prediction using Forward Pass RNN with Hyperbolic Ta...Study of Software Defect Prediction using Forward Pass RNN with Hyperbolic Ta...
Study of Software Defect Prediction using Forward Pass RNN with Hyperbolic Ta...
 
ITD BSides PDX Slides
ITD BSides PDX SlidesITD BSides PDX Slides
ITD BSides PDX Slides
 
Splunk for cyber_threat
Splunk for cyber_threatSplunk for cyber_threat
Splunk for cyber_threat
 
Active Data: Managing Data-Life Cycle on Heterogeneous Systems and Infrastruc...
Active Data: Managing Data-Life Cycle on Heterogeneous Systems and Infrastruc...Active Data: Managing Data-Life Cycle on Heterogeneous Systems and Infrastruc...
Active Data: Managing Data-Life Cycle on Heterogeneous Systems and Infrastruc...
 
Sample CS Senior Capstone Projects
Sample CS Senior Capstone ProjectsSample CS Senior Capstone Projects
Sample CS Senior Capstone Projects
 
DATA INTEGRITY AUDITING WITHOUT PRIVATE KEY STORAGE FOR SECURE CLOUD STORAGE
DATA INTEGRITY AUDITING WITHOUT PRIVATE KEY STORAGE FOR SECURE CLOUD STORAGEDATA INTEGRITY AUDITING WITHOUT PRIVATE KEY STORAGE FOR SECURE CLOUD STORAGE
DATA INTEGRITY AUDITING WITHOUT PRIVATE KEY STORAGE FOR SECURE CLOUD STORAGE
 
Cheminformatics Software Development: Case Studies
Cheminformatics Software Development: Case StudiesCheminformatics Software Development: Case Studies
Cheminformatics Software Development: Case Studies
 
Preservation Metadata, CARLI Metadata Matters series, December 2010
Preservation Metadata, CARLI Metadata Matters series, December 2010Preservation Metadata, CARLI Metadata Matters series, December 2010
Preservation Metadata, CARLI Metadata Matters series, December 2010
 
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
 
RuleML2015: Using PSL to Extend and Evaluate Event Ontologies
RuleML2015: Using PSL to Extend and Evaluate Event OntologiesRuleML2015: Using PSL to Extend and Evaluate Event Ontologies
RuleML2015: Using PSL to Extend and Evaluate Event Ontologies
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
 

More from Matthias Keil

Transparent Object Proxies for JavaScript
Transparent Object Proxies for JavaScriptTransparent Object Proxies for JavaScript
Transparent Object Proxies for JavaScriptMatthias Keil
 
On Contracts, Sandboxes, and Proxies for JavaScript
On Contracts, Sandboxes, and Proxies for JavaScriptOn Contracts, Sandboxes, and Proxies for JavaScript
On Contracts, Sandboxes, and Proxies for JavaScriptMatthias Keil
 
Blame Assignment for Higher-Order Contracts with Intersection and Union
Blame Assignment for Higher-Order Contracts with Intersection and UnionBlame Assignment for Higher-Order Contracts with Intersection and Union
Blame Assignment for Higher-Order Contracts with Intersection and UnionMatthias Keil
 
On Contracts and Sandboxes for JavaScript
On Contracts and Sandboxes for JavaScriptOn Contracts and Sandboxes for JavaScript
On Contracts and Sandboxes for JavaScriptMatthias Keil
 
TreatJS: Higher-Order Contracts for JavaScripts
TreatJS: Higher-Order Contracts for JavaScriptsTreatJS: Higher-Order Contracts for JavaScripts
TreatJS: Higher-Order Contracts for JavaScriptsMatthias Keil
 
Symbolic Solving of Extended Regular Expression Inequalities
Symbolic Solving of Extended Regular Expression InequalitiesSymbolic Solving of Extended Regular Expression Inequalities
Symbolic Solving of Extended Regular Expression InequalitiesMatthias Keil
 
TreatJS: Higher-Order Contracts for JavaScript
TreatJS: Higher-Order Contracts for JavaScriptTreatJS: Higher-Order Contracts for JavaScript
TreatJS: Higher-Order Contracts for JavaScriptMatthias Keil
 
Efficient Dynamic Access Analysis Using JavaScript Proxies
Efficient Dynamic Access Analysis Using JavaScript ProxiesEfficient Dynamic Access Analysis Using JavaScript Proxies
Efficient Dynamic Access Analysis Using JavaScript ProxiesMatthias Keil
 
Type-based Dependency Analysis
Type-based Dependency AnalysisType-based Dependency Analysis
Type-based Dependency AnalysisMatthias Keil
 

More from Matthias Keil (9)

Transparent Object Proxies for JavaScript
Transparent Object Proxies for JavaScriptTransparent Object Proxies for JavaScript
Transparent Object Proxies for JavaScript
 
On Contracts, Sandboxes, and Proxies for JavaScript
On Contracts, Sandboxes, and Proxies for JavaScriptOn Contracts, Sandboxes, and Proxies for JavaScript
On Contracts, Sandboxes, and Proxies for JavaScript
 
Blame Assignment for Higher-Order Contracts with Intersection and Union
Blame Assignment for Higher-Order Contracts with Intersection and UnionBlame Assignment for Higher-Order Contracts with Intersection and Union
Blame Assignment for Higher-Order Contracts with Intersection and Union
 
On Contracts and Sandboxes for JavaScript
On Contracts and Sandboxes for JavaScriptOn Contracts and Sandboxes for JavaScript
On Contracts and Sandboxes for JavaScript
 
TreatJS: Higher-Order Contracts for JavaScripts
TreatJS: Higher-Order Contracts for JavaScriptsTreatJS: Higher-Order Contracts for JavaScripts
TreatJS: Higher-Order Contracts for JavaScripts
 
Symbolic Solving of Extended Regular Expression Inequalities
Symbolic Solving of Extended Regular Expression InequalitiesSymbolic Solving of Extended Regular Expression Inequalities
Symbolic Solving of Extended Regular Expression Inequalities
 
TreatJS: Higher-Order Contracts for JavaScript
TreatJS: Higher-Order Contracts for JavaScriptTreatJS: Higher-Order Contracts for JavaScript
TreatJS: Higher-Order Contracts for JavaScript
 
Efficient Dynamic Access Analysis Using JavaScript Proxies
Efficient Dynamic Access Analysis Using JavaScript ProxiesEfficient Dynamic Access Analysis Using JavaScript Proxies
Efficient Dynamic Access Analysis Using JavaScript Proxies
 
Type-based Dependency Analysis
Type-based Dependency AnalysisType-based Dependency Analysis
Type-based Dependency Analysis
 

Recently uploaded

The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 

Recently uploaded (20)

The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 

Type-based Dependency Analysis for JavaScript

  • 1. Type-based Dependency Analysis for JavaScript PLAS’13 University of Freiburg Matthias Keil, Peter Thiemann Institute for Computer Science University of Freiburg Freiburg, Germany June 20, 2013, Seattle, WA, USA.
  • 2. JavaScript University of Freiburg JavaScript is the most important language for web sites 92 % of all websites use JavaScript Web-developers rely on third-party libraries e.g. for calendars, maps, social networks 1 <s c r i p t type=" t e x t / j a v a s c r i p t " 2 s r c=" http :// example . org / a pi / j s /?ARGS"> 3 </ s c r i p t> Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 2 / 17
  • 3. JavaScript (cont.) University of Freiburg Dynamic programming language e.g. eval, mashups JavaScript has no security awareness No namespace or encapsulation management Global scope for variables/functions All scripts have the same authority Security aspects of JavaScript received much attention Static or dynamic analysis techniques Guarantees by reducing the functionality Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 3 / 17
  • 4. Security Scenarios University of Freiburg 1 Libraries may get access to sensitive data 2 User code may be prone to injection attacks Naive approach: detect information flow Pure information flow is too unflexible for investigating injection attacks Ignores sanitized values Our approach: dependency analysis Addresses both scenarios Sanitized values are acceptable Static Analysis Implemented as extension of a type analyzer Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 4 / 17
  • 5. Examples University of Freiburg Information flow 1 var t = Cookie . get ( ’ access_token ’ ) ; 2 // processing 3 // ... 4 Ajax . r e q u e s t ( ’ example . org ’ , t ) ; Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 5 / 17
  • 6. Examples University of Freiburg Information flow 1 var t = Cookie . get ( ’ access_token ’ ) ; 2 // processing 3 // ... 4 Ajax . r e q u e s t ( ’ example . org ’ , t ) ; Sanitization 1 var i nput = document . getElementById ( ’ id ’ ) ; 2 function s a n i t i z e r ( v a l ue ) { 3 // clean up value 4 } 5 // processing 6 // ... 7 Ajax . r e q u e s t ( ’ example . org ’ , s a n i t i z e r ( i nput ) ) ; Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 5 / 17
  • 7. Design Principles University of Freiburg Dependency Analysis Information flow pioneered by Denning Determines potential data flow between program points Related to simple security types Flow-sensitive analysis Abstracts data tainting Stated as type-system Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 6 / 17
  • 8. Tainting University of Freiburg Built-in traceℓ(e[, id]) and untrace(e, id) function ℓ – unique taint id – tag name Behaves like an identity function Implicit classes: UNSAFE, SAFE Policy-file For predefined values (e.g. DOM, JavaScript API) trace.policy 1 # Object Trace 2 t r a c e : HTMLDocument. cooki e ; Ajax . r e q u e s t ; 3 Array . prototy pe ; Math . abs ; Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 7 / 17
  • 9. Application Scenario Sensitive Data University of Freiburg 1 var userH a ndl er = function ( uid ) { 2 var name = ’ ’ ; 3 var onSuccess = function ( response ) {name = response ; } ; 4 i f ( alreadyLoaded ) { 5 Cookie . r e q u e s t ( uid , onSuccess ) ; 6 } e l s e { 7 Ajax . r e q u e s t ( ’ example . org ’ , uid , onSuccess ) ; 8 } 9 return name ; 10 }; 11 var name = userH a ndl er ( trace (" uid " ) ) ; Security properties on a fine level of granularity Distinguish different sources Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 8 / 17
  • 10. Application Scenario Sensitive Data University of Freiburg 1 var userH a ndl er = function ( uid ) { 2 var name = ’ ’ ; 3 var onSuccess = function ( response ) {name = response ; } ; 4 i f ( alreadyLoaded ) { // alreadyLoaded=true 5 Cookie . r e q u e s t ( uid , onSuccess ) ; 6 } e l s e { 7 Ajax . r e q u e s t ( ’ example . org ’ , uid , onSuccess ) ; 8 } 9 return name ; 10 }; 11 var name = userH a ndl er ( trace ( " uid " ) ) ; Security properties on a fine level of granularity Distinguish different sources Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 8 / 17
  • 11. Application Scenario Sensitive Data University of Freiburg 1 var userH a ndl er = function ( uid ) { 2 var name = ’ ’ ; 3 var onSuccess = function ( response ) {name = response ; } ; 4 i f ( alreadyLoaded ) { // alreadyLoaded=( true|false ) 5 Cookie . r e q u e s t ( uid , onSuccess ) ; 6 } e l s e { 7 Ajax . r e q u e s t ( ’ example . org ’ , uid , onSuccess ) ; 8 } 9 return name ; 10 }; 11 var name = userH a ndl er ( trace ( " uid " ) ) ; Security properties on a fine level of granularity Distinguish different sources Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 8 / 17
  • 12. Application Scenario Foreign Code University of Freiburg 1 loadForeignCode = trace ( function () { 2 Array . prototy pe . f orea ch = function ( c a l l b a c k ) { 3 // do something 4 }; 5 } ) ; 6 loadForeignCode ( ) ; 7 // do something 8 a r r a y . f orea ch ( function ( k , v ) { 9 r e s u l t = k + v ; 10 } ) ; Protect code from being compromised Encapsulation of foreign code Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 9 / 17
  • 13. Application Scenario Sanitization University of Freiburg 1 $ = function ( i d ) { 2 return trace ( document . getElementById ( i d ) . value , "#DOM" ) ; 3 } 4 function s a n i t i z e r ( v a l ue ) { 5 // escape value 6 return untrace ( value , "#DOM" ) ; 7 } 8 // do something 9 var i nput = $(" t e x t " ) ; 10 var s a n i t i z e d I n p u t = s a n i t i z e r ( i nput ) ; 11 consumer ( s a n i t i z e d I n p u t ) ; Avoid injection attacks e.g. only escaped values used Change taint classes Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 10 / 17
  • 14. Application Scenario Sanitization (cont) University of Freiburg var s a n i t i z e d I n p u t = i_know_what_i_do ? s a n i t i z e r ( i nput ) : i nput ; Mixture of sanitized and unsanitized taints Flagged as an error Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 11 / 17
  • 15. Dependency Tracking Semantics University of Freiburg v = trace(value, ’#DOM’); v’ = trace(another, ’#ANOTHER’); var input sanitized = untrace(input, ’#DOM’); Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 12 / 17
  • 16. Dependency Tracking Semantics University of Freiburg v = trace(value, ’#DOM’); v’ = trace(another, ’#ANOTHER’); var input sanitized = untrace(input, ’#DOM’); v : ℓ#DOM,UNSAFE v′ : ℓ′#ANOTHER,UNSAFE Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 12 / 17
  • 17. Dependency Tracking Semantics University of Freiburg v = trace(value, ’#DOM’); v’ = trace(another, ’#ANOTHER’); var input sanitized = untrace(input, ’#DOM’); v : ℓ#DOM,UNSAFE v′ : ℓ′#ANOTHER,UNSAFE input : ℓ#DOM,UNSAFE , ℓ′#ANOTHER,UNSAFE Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 12 / 17
  • 18. Dependency Tracking Semantics University of Freiburg v = trace(value, ’#DOM’); v’ = trace(another, ’#ANOTHER’); var input sanitized = untrace(input, ’#DOM’); v : ℓ#DOM,UNSAFE v′ : ℓ′#ANOTHER,UNSAFE input : ℓ#DOM,UNSAFE , ℓ′#ANOTHER,UNSAFE sanitized : ℓ#DOM,SAFE , ℓ′#ANOTHER,UNSAFE Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 12 / 17
  • 19. Dependency Tracking Semantics University of Freiburg input = trace(value, ’#DOM’); if input = untrace(input, ’#DOM’); fi Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 13 / 17
  • 20. Dependency Tracking Semantics University of Freiburg input = trace(value, ’#DOM’); if input = untrace(input, ’#DOM’); fi input : ℓ#DOM,UNSAFE input : ℓ#DOM,UNSAFE input : ℓ#DOM,SAFE input : ℓ#DOM,SAFE Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 13 / 17
  • 21. Dependency Tracking Semantics University of Freiburg input = trace(value, ’#DOM’); if input = untrace(input, ’#DOM’); fi input : ℓ#DOM,UNSAFE input : ℓ#DOM,UNSAFE input : ℓ#DOM,SAFE input : ℓ#DOM,UNSAFE input : ℓ#DOM,SAFE , ℓ#DOM,UNSAFE Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 13 / 17
  • 22. Technical Contribution University of Freiburg Formalization based on a typed JavaScript Core calculus Dependency Tracking Semantics Marker propagation for upcoming values Not meant to perform a dynamic analysis Static analysis based on the type system for dependency tracking Termination-insensitive noninterference based on the types Correct abstraction of the tracking semantics Termination of the abstract analysis Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 14 / 17
  • 23. Implementation University of Freiburg Implementation extends TAJS, a Type Analyzer for JavaScript developed by Anders Møller and others Abstract values and states are extended with abstract taints The control flow graph is extended by special nodes for implicit flows traceℓ and untrace implemented as built-in functions Policy file for pre-labeling of built-in objects Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 15 / 17
  • 24. Conclusion University of Freiburg Designed and implemented a type-based dependency analysis for JavaScript Analysis of information flow Encapsulation of foreign code Declassification of values (by changing taint-classes) Dependency analysis is not a security analysis Investigate noninterference Ensure confidentiality Verify correct sanitizer placement Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 16 / 17
  • 25. Type-based Dependency Analysis for JavaScript University of Freiburg Questions? Thank you for your attention. Matthias Keil, Peter Thiemann Type-based Dependency Analysis June 20, 2013 17 / 17