Detection and mitigation of malicious JavaScript using information flow control

JavaScript is the main language used to provide the client-side functionality of the modern web. It is used in many applications that provide high interactivity with the end-user, ranging from mapping applications to online games. In recent years, cyber-criminals have started focusing on attacking the visitors of legitimate websites and social networks rather than attacking the websites themselves. The dynamic nature of the JavaScript language and its tangled usage with other web technologies in modern web applications make it hard to reason about its code statically. This creates a need for effective mechanisms for detecting and mitigating malicious JavaScript code on the client side of the web. In this paper, we address the above challenges by developing a framework that detects and mitigates the flow of sensitive information on the client side to illegal channels. The proposed model uses information flow control dynamically at run-time to track sensitive information and prevent its leakage. In order to realize the model, we extend the operational semantics of JavaScript to enable the control of information flow inside web browsers.
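
The run-time tracking of sensitive information described in the abstract can be illustrated on a toy language. This is an added example, not the paper's framework or its extended semantics: the two-level lattice (`L`/`H`), the statement forms, and all names (`evalExpr`, `run`, `demo`, the two channels) are assumptions made for illustration.

```javascript
// Added example: a dynamic information-flow monitor for a toy language.
// Two-point lattice: L (public) below H (sensitive). All names are hypothetical.
const join = (a, b) => (a === 'H' || b === 'H' ? 'H' : 'L');
const flowsTo = (from, to) => from === 'L' || to === 'H';

// Evaluate an expression to a labelled value { v, l }.
function evalExpr(e, env) {
  if (e.t === 'lit') return { v: e.v, l: 'L' };
  if (e.t === 'var') return env[e.name];
  const a = evalExpr(e.a, env), b = evalExpr(e.b, env); // 'cat': concatenation
  return { v: String(a.v) + String(b.v), l: join(a.l, b.l) };
}

// Execute statements under program-counter label pc; returns the event log.
function run(stmts, env, pc = 'L', log = []) {
  for (const s of stmts) {
    if (s.t === 'assign') {
      const r = evalExpr(s.e, env);
      env[s.name] = { v: r.v, l: join(r.l, pc) };          // explicit + implicit flow
    } else if (s.t === 'if') {
      const c = evalExpr(s.c, env);
      run(c.v ? s.then : s.else, env, join(pc, c.l), log); // branching raises pc
    } else if (s.t === 'send') {
      const r = evalExpr(s.e, env);
      const ok = flowsTo(join(r.l, pc), s.chan.l);         // sink check
      log.push({ chan: s.chan.name, allowed: ok, data: ok ? r.v : null });
    }
  }
  return log;
}

// Constructed sample: two sensitive values and two channels of different clearance.
function demo() {
  const env = { cookie: { v: 'sid=abc', l: 'H' }, isAdmin: { v: true, l: 'H' } };
  const evil = { name: 'third-party.example', l: 'L' };
  const home = { name: 'same-origin', l: 'H' };
  const lit = v => ({ t: 'lit', v }), ref = name => ({ t: 'var', name });
  return run([
    { t: 'assign', name: 'url', e: { t: 'cat', a: lit('/p?c='), b: ref('cookie') } },
    { t: 'send', chan: evil, e: ref('url') },   // explicit flow: blocked
    { t: 'send', chan: home, e: ref('url') },   // permitted channel: allowed
    { t: 'if', c: ref('isAdmin'),
      then: [{ t: 'assign', name: 'flag', e: lit('1') }],
      else: [{ t: 'assign', name: 'flag', e: lit('0') }] },
    { t: 'send', chan: evil, e: ref('flag') },  // implicit flow: blocked
    { t: 'send', chan: evil, e: lit('ping') },  // public data: allowed
  ], env);
}
```

This monitor labels only the variables assigned on the path actually executed; a variable left untouched in the branch not taken keeps its previous label.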
