|
|
- 2016
基于代码改写的JavaScript动态污点跟踪
|
Abstract:
随着Web技术的飞速发展,JavaScript的使用越来越常见,尤其是在追求快速及时响应的Web应用中,这也导致了众多安全问题的产生。该文提出了一种基于代码改写的JavaScript动态污点跟踪方法JSTA,通过JavaScript代码的改写,让改写后的代码在执行过程中对敏感数据进行污点标记和跟踪,可及时发现敏感数据泄露行为并给出告警。与以往的研究不同的是,JSTA是独立于JavaScript引擎实现的,可以适用于多种浏览器。测试结果表明,JSTA可有效地跟踪敏感数据并检测敏感数据泄露行为。
Abstract:The rapid development of the web has led to increasing use of JavaScript, especially in websites requiring rapid responses between the web server and the client, which has led to many security problems. This paper presents a dynamic taint tracking method based on a revised JavaScript code. The revised code can mark and track sensitive data transmission paths during JavaScript execution and warn the user of possible leakage of the marked sensitive data. This implementation is independent of the JavaScript engine and can be used in a variety of browsers. Tests show that this method can effectively track sensitive data and detect abnormal behavior.
| [1] | International Secure Systems Lab. NoMoXSS. (2006-3-29).[2015-04-07]. http://seclab.tuwien.ac.at/projects/jstaint/files/testing.zi |
| [2] | OWASP. Cross-site scripting (XSS).(2014-04-22).[2015-04-07]. https://www.owasp.org/index.php/XSS. |
| [3] | Meyerovich L A, Livshits B. Conscript: Specifying and enforcing fine-grained security policies for JavaScript in the browser [C]//Proceedings of the 31st IEEE Symposium on Security and Privacy (SP). Piscataway, NJ, USA: IEEE Press, 2010: 481-496. |
| [4] | Weinberger J, Barth A, Song D. Towards client-side HTML security policies [C]//Proceedings of the 6th USENIX Conference on Hot Topics in Security. Berkeley, CA, USA: USENIX Association, 2011. |
| [5] | Saxena P, Molnar D, Livshits B. SCRIPTGARD: Automatic context-sensitive sanitization for large-scale legacy web applications [C]//Proceedings of the 18th ACM Conference on Computer and Communications Security. New York, NY, USA: ACM, 2011: 601-614. |
| [6] | Vogt P, Nentwich F, Jovanovic N, et al. Cross site scripting prevention with dynamic data tainting and static analysis [C]//Proceedings of the 14th Annual Network and Distributed System Security Symposium. San Diego, CA, USA: Internet Society, 2007. |
| [7] | Minded Security. DOMinatorPro: Securing next generation of Web applications. (2012-09-30).[2015-04-07]. https://dominator.mindedsecurity.com. |
| [8] | Lekies S, Stock B, Johns M. 25 million flows later: Large-scale detection of DOM-based XSS [C]//Proceedings of the 20th ACM Conference on Computer and Communications Security. New York, NY, USA: ACM, 2013: 1193-1204. |
| [9] | Saxena P, Hanna S, Poosankam P, et al. FLAX: Systematic discovery of client-side validation vulnerabilities in rich Web applications [C]//Proceedings of the 17th Annual Network and Distributed System Security Symposium. San Diego, CA, USA: Internet Society, 2010. |
| [10] | Phung P H, Sands D, Chudnov A. Lightweight self- protecting JavaScript [C]//Proceedings of the 4th International Symposium on Information, Computer, and Communications Security. New York, NY, USA: ACM, 2009: 47-60. |
