ZigZag: automatically hardening web applications against client-side validation vulnerabilities

Authors: Engin Kirda, Michael Weissbacher, Christopher Kruegel, Giovanni Vigna, William Robertson

DOI:

Keywords: Client-side, Distributed computing, HTML5, JavaScript, Rendering (computer graphics), Zigzag, Operating system, Program code, Web application, Computer science

Abstract: Modern web applications are increasingly moving program code to the client in the form of JavaScript. With the growing adoption of HTML5 APIs such as postMessage, client-side validation (CSV) vulnerabilities are consequently becoming important to address as well. However, while detecting and preventing attacks against web applications is a well-studied topic on the server, considerably less work has been performed for the client. Exacerbating this issue is the problem that defenses against CSVs must, in the general case, fundamentally exist in the browser, rendering current server-side defenses inadequate. In this paper, we present ZigZag, a system for hardening JavaScript-based web applications against client-side validation attacks. ZigZag transparently instruments client-side code to perform dynamic invariant detection on security-sensitive code, generating models that describe how, and with whom, client-side components interact. ZigZag is capable of handling templated JavaScript, avoiding full re-instrumentation when JavaScript programs are structurally similar. Learned invariants are then enforced through a subsequent instrumentation step. Our evaluation demonstrates that ZigZag automatically hardens client-side code against both known and previously-unknown vulnerabilities. Finally, we show that ZigZag introduces acceptable overhead in many cases and is compatible with popular websites drawn from the Alexa Top 20 without developer or user intervention.
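As an added illustration of the learn-then-enforce idea described in the abstract (this is not ZigZag's code), the snippet below wraps a postMessage-style handler in two phases: a training pass that records invariants over observed messages, and an enforcement wrapper that blocks messages violating them. The invariant model (allowed sender origins plus the JSON type of each payload field), the training traffic and the handler are all constructed for this example.

```javascript
// Classify a value by its JSON-level type; used for the per-field invariant.
function typeOf(v) {
  return Array.isArray(v) ? "array" : v === null ? "null" : typeof v;
}

// Training phase: derive a model from messages observed during benign use.
// Model assumed here: set of sender origins, set of types seen per field.
function learnInvariants(messages) {
  const model = { origins: new Set(), fields: {} };
  for (const m of messages) {
    model.origins.add(m.origin);
    for (const [k, v] of Object.entries(m.data)) {
      if (!model.fields[k]) model.fields[k] = new Set();
      model.fields[k].add(typeOf(v));
    }
  }
  return model;
}

// Enforcement check: return a reason string on the first violated invariant.
function violates(model, m) {
  if (!model.origins.has(m.origin)) return "unexpected origin " + m.origin;
  for (const [k, v] of Object.entries(m.data)) {
    const seen = model.fields[k];
    if (!seen) return "unexpected field " + k;
    if (!seen.has(typeOf(v))) return "field " + k + " has type " + typeOf(v);
  }
  return null;
}

// Instrumentation step: the original handler only runs when invariants hold.
function harden(model, handler) {
  return function (m) {
    const reason = violates(model, m);
    if (reason) return { blocked: true, reason: reason };
    return { blocked: false, result: handler(m) };
  };
}

// Constructed training traffic: a widget that is only ever driven by one origin.
const TRAINING = [
  { origin: "https://app.example", data: { type: "setTitle", title: "Hello" } },
  { origin: "https://app.example", data: { type: "setTitle", title: "Inbox (3)" } },
];
const MODEL = learnInvariants(TRAINING);

// Simulated security-sensitive handler: writes untrusted input into page state.
const page = { title: "" };
const handleMessage = harden(MODEL, function (m) {
  page.title = m.data.title;
  return page.title;
});
```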
