Detecting Data Leakage in JavaScript Applications on Mobile Devices

  • Thiago de Souza Rocha, UFAM
  • Eduardo Souto, UFAM
  • Diego Azulay, UFAM
  • Brandell Cássio, UFAM
  • Alex Monteiro, UFAM
  • Pedro Minatel, Instituto de Pesquisa da Samsung
  • Breno Silva, Instituto de Pesquisa da Samsung
  • Felipe Boeira, Instituto de Pesquisa da Samsung

Abstract

The development of applications in HTML5 and JavaScript that can run on many mobile devices, such as smartphones and tablets, led to the emergence of multi-platform operating systems and increased the use of these languages. However, most of these devices store sensitive information about their users and have become potential targets of attacks. One of the biggest concerns of companies that develop applications for these devices is the leakage or exposure of sensitive data. In this work we address this problem by modifying the Tizen Web Runtime to add dynamic taint tracking, which lets us track sensitive information as it is being leaked, even when that information has been obfuscated, and warn the user. To our knowledge this is the first prototype that adds this kind of technique to Tizen and the first that tracks web applications on mobile devices. The results show that dynamic taint tracking is a promising approach that can be improved and used to detect data leakage on mobile devices.
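The core idea of the abstract, taint tags that follow sensitive data through an application until it reaches a network sink, shown as an added example in plain JavaScript; this is not code from the paper or from Tizen (the prototype tags values inside the runtime's JavaScript engine, whereas here a Tainted wrapper, hypothetical source functions and constructed sample values stand in for that):

```javascript
// Added example: a library-level model of dynamic taint tracking.
// A Tainted value carries the set of sensitive sources it depends on.
class Tainted {
  constructor(value, labels) {
    this.value = String(value);
    this.labels = new Set(labels);
  }
}

// Sources: hypothetical device APIs returning constructed sample data, each tagged.
function readContact() {
  return new Tainted("+55 92 99999-0000", ["contacts"]);
}
function readLocation() {
  return new Tainted("-3.1019,-60.0250", ["geolocation"]);
}

// Propagation helpers: an operation's output inherits the union of its inputs' labels.
function toStr(x) { return x instanceof Tainted ? x.value : String(x); }
function labelsOf(x) { return x instanceof Tainted ? x.labels : new Set(); }
function union(...xs) { return new Set(xs.flatMap(x => [...labelsOf(x)])); }

function concat(a, b) {
  return new Tainted(toStr(a) + toStr(b), union(a, b));
}
// Obfuscation does not clear the taint: Base64 output still depends on the input.
function base64(x) {
  return new Tainted(Buffer.from(toStr(x), "utf8").toString("base64"), union(x));
}
function reverse(x) {
  return new Tainted([...toStr(x)].reverse().join(""), union(x));
}

// Sink: a network send. A leak is reported when the payload carries any label.
function checkSink(url, payload) {
  const leaked = [...labelsOf(payload)];
  return { url, leaked, leak: leaked.length > 0 };
}

// Worked flow: the app reverses and Base64-encodes contact and location data
// before posting it; the labels survive both transformations.
function demo() {
  const blob = base64(reverse(concat(readContact(), concat("|", readLocation()))));
  return checkSink("https://example.invalid/collect", blob);
}
```

Plain strings that never touched a source reach the sink with no labels, so the same check stays silent for non-sensitive traffic.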

Published: 2016-11-07

ROCHA, Thiago de Souza; SOUTO, Eduardo; AZULAY, Diego; CÁSSIO, Brandell; MONTEIRO, Alex; MINATEL, Pedro; SILVA, Breno; BOEIRA, Felipe. Detecção de Vazamentos de Dados em Aplicativos Javascript em Dispositivos Móveis. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 16., 2016, Niterói. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2016. p. 310-323. DOI: https://doi.org/10.5753/sbseg.2016.19316.