TaintJSec: A Static Taint Analysis Method for JavaScript Code to Detect Sensitive Data Leakage

  • Alexandre Damasceno (Sidia)
  • Thiago Rocha (UFAM)
  • Eduardo Souto (UFAM)

Abstract


JavaScript is one of the most widely used programming languages in the world because it is highly dynamic. However, the same feature that makes JavaScript a successful programming language makes it difficult to perform static code analysis to identify the presence of malicious code. This article introduces TaintJSec, an approach that uses static taint analysis of JavaScript code to detect leakage of sensitive information. TaintJSec analyzes implicit code flows, propagates the taint tag through the eval function, and identifies information leakage in obfuscated code. The tests performed show that the approach is effective in detecting information leakage and more efficient than other state-of-the-art methods.
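
To make the terms in the abstract concrete, the following added example (not code from the paper, and not TaintJSec's algorithm) propagates a taint tag over a small hand-built statement list and reports which sink calls receive sensitive data, with and without implicit-flow tracking. The statement format, `findLeaks`, and the sample program are assumptions made for illustration; the `eval` case assumes its string argument was already resolved statically into statements.

```javascript
// Added illustration: may-taint propagation over a hand-built statement list.
// The IR and all names are hypothetical; this is not TaintJSec's algorithm.
function findLeaks(program, trackImplicit = true) {
  const tainted = new Set(); // variables that may hold sensitive data
  const leaks = [];          // sink arguments reached by tainted data
  const anyTainted = (vars) => vars.some((v) => tainted.has(v));

  // pc is true while analysing code whose execution depends on tainted data.
  function run(stmts, pc) {
    for (const s of stmts) {
      if (s.kind === "source") {
        tainted.add(s.target);
      } else if (s.kind === "assign") {
        // Taint only grows: an over-approximation without strong updates.
        if (pc || anyTainted(s.uses)) tainted.add(s.target);
      } else if (s.kind === "if") {
        // Implicit flow: both branches inherit the taint of the condition.
        const inner = pc || (trackImplicit && anyTainted(s.cond));
        run(s.then, inner);
        run(s.else, inner);
      } else if (s.kind === "eval") {
        // Assumes the eval string was resolved statically into statements;
        // they run in the caller's scope, so they share the taint set.
        run(s.body, pc);
      } else if (s.kind === "sink") {
        if (pc || anyTainted(s.args)) leaks.push(s.args.join(","));
      }
    }
  }
  run(program, false);
  return leaks;
}

// Constructed sample, equivalent to:
//   secret = document.cookie; copy = secret;
//   if (secret.length > 10) flag = 1; else flag = 0;
//   eval("viaEval = copy");
//   send(flag); send(viaEval); send(greeting);
const sample = [
  { kind: "source", target: "secret" },
  { kind: "assign", target: "copy", uses: ["secret"] },
  { kind: "if", cond: ["secret"],
    then: [{ kind: "assign", target: "flag", uses: [] }],
    else: [{ kind: "assign", target: "flag", uses: [] }] },
  { kind: "eval", body: [{ kind: "assign", target: "viaEval", uses: ["copy"] }] },
  { kind: "sink", args: ["flag"] },
  { kind: "sink", args: ["viaEval"] },
  { kind: "sink", args: ["greeting"] },
];
```

With implicit-flow tracking disabled, the `flag` leak is missed even though its value reveals whether the secret is longer than ten characters.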

Published
2018-10-25
DAMASCENO, Alexandre; ROCHA, Thiago; SOUTO, Eduardo. TaintJSec: Um Método de Análise Estática de Marcação em Código JavaScript para Detecção de Vazamento de Dados Sensíveis. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 18., 2018, Natal. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2018. p. 196-209. DOI: https://doi.org/10.5753/sbseg.2018.4253.
