Towards revealing JavaScript program intents using abstract interpretation

Every day, millions of Internet users access AJAX-powered web applications. However, such richness is prone to security issues. In particular, Web 2.0 attacks are difficult to detect and block since they are similar to legitimate traffic. As a ground for our research, we review past related work and explain what might be missing to tackle Web 2.0 security issues. Specifically, we show that tackling AJAX-based attacks often lacks a context that can only be conveyed during real-time analysis. In our research, we advocate the use of abstract interpretation of JavaScript code to provide maximum coverage and to ensure completeness. In addition, we introduce a proxy-based proposal to provide analysis of JavaScript malware.
