Hybrid security analysis of web JavaScript code via dynamic partial evaluation

This paper addresses the problem of detecting JavaScript security vulnerabilities in the client side of Web applications. Such vulnerabilities are becoming a source of growing concern due to the rapid migration of server-side business logic to the client side, combined with new JavaScript-backed Web technologies, such as AJAX and HTML5. Detection of client-side vulnerabilities is challenging given the dynamic and event-driven nature of JavaScript. We present a hybrid form of JavaScript analysis, which augments static analysis with (semi-)concrete information by applying partial evaluation to JavaScript functions according to dynamic data recorded by the Web crawler. The dynamic component rewrites the program per the enclosing HTML environment, and the static component then explores all possible behaviors of the partially evaluated program (while treating user-controlled aspects of the environment conservatively). We have implemented this hybrid architecture as the JSA analysis tool, which is integrated into the IBM AppScan Standard Edition product. We formalize the static analysis and prove useful properties over it. We also tested the system across a set of 170,000 Web pages, comparing it with purely static and dynamic alternatives. The results provide conclusive evidence in favor of our hybrid approach. Only 10% of the reports by JSA are false alarms compared to 63% of the alarms flagged by its purely static counterpart, while not a single true warning is lost. This represents a reduction of 94% in false alarms. Compared with a commercial testing algorithm, JSA detects vulnerabilities in >4x more Web sites with only 4 false alarms.

[1]  Barbara G. Ryder,et al.  Practical blended taint analysis for JavaScript , 2013, ISSTA.

[2]  Frank Tip,et al.  Correlation Tracking for Points-To Analysis of JavaScript , 2012, ECOOP.

[3]  Marco Pistoia,et al.  Saving the world wide web from vulnerable JavaScript , 2011, ISSTA '11.

[4]  Ajay Chander,et al.  JavaScript instrumentation for browser security , 2007, POPL '07.

[5]  Emma Renold,et al.  Close encounters of the third kind: Researching children's sexual cultures in the primary school , 2002 .

[6]  Frank Tip,et al.  Efficient construction of approximate call graphs for JavaScript IDE services , 2013, 2013 35th International Conference on Software Engineering (ICSE).

[7]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[8]  Manu Sridharan,et al.  TAJ: effective taint analysis of web applications , 2009, PLDI '09.

[9]  Christopher Krügel,et al.  Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis , 2007, NDSS.

[10]  Jan Wen Voung,et al.  Dataflow analysis for concurrent programs using datarace detection , 2008, PLDI '08.

[11]  Patrick Cousot,et al.  Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[12]  Shriram Krishnamurthi,et al.  Using static analysis for Ajax intrusion detection , 2009, WWW '09.

[13]  Patrick Cousot,et al.  Systematic design of program analysis frameworks , 1979, POPL.

[14]  Patrick Cousot,et al.  Andromeda: Accurate and Scalable Security Analysis of Web Applications , 2013, FASE.

[15]  Sorin Lerner,et al.  Staged information flow for javascript , 2009, PLDI '09.

[16]  Ankur Taly,et al.  Isolating JavaScript with Filters, Rewriting, and Wrappers , 2009, ESORICS.

[17]  Benjamin Livshits,et al.  GATEKEEPER: Mostly Static Enforcement of Security and Reliability Policies for JavaScript Code , 2009, USENIX Security Symposium.

[18]  Patrick Cousot,et al.  Abstract Interpretation and Application to Logic Programs , 1992, J. Log. Program..

[19]  Thomas W. Reps,et al.  Precise interprocedural dataflow analysis via graph reachability , 1995, POPL '95.