TaintJSec: Um Método de Análise Estática de Marcação em Código JavaScript para Detecção de Vazamento de Dados Sensíveis
Resumo
JavaScript é uma das linguagens de programação mais utilizadas no mundo por ser altamente dinâmica. Porém, essa mesma característica que a torna uma linguagem de sucesso torna difícil a realização de análise estática de código para identificar a presença de códigos maliciosos. Este artigo apresenta o TaintJSec, uma abordagem que usa análise estática de marcação de código JavaScript para detectar o vazamento de informação sensível. O TaintJSec analisa o fluxo de códigos implícitos, propaga a taint tag na função eval e identifica o vazamento de informação em códigos ofuscados. Os testes realizados demonstraram que a abordagem é eficaz na detecção do vazamento de informação e mais eficiente que outros métodos do estado da arte.
Referências
Electron. (2018). Build Cross Platform Desktop Apps with JavaScript, HTML and CSS. Retrieved from [link]
Fard, A. M., & Mesbah, A. (2013, 9). JSNOSE: Detecting JavaScript Code Smells. 2013 IEEE 13th International Working Conference on Source Code Analysis and Manipulation (SCAM), (pp. 116-125). DOI: 10.1109/SCAM.2013.6648192
Fard, A. M., & Mesbah, A. (2017, 3). JavaScript: The (Un)Covered Parts. pp. 230-240. DOI: 10.1109/ICST.2017.28
Gibler, C., Crussell, J., Erickson, J., & Chen, H. (2012). AndroidLeaks: Automatically Detecting Potential Privacy Leaks in Android Applications on a Large Scale. Proceedings of the 5th International Conference on Trust and Trustworthy Computing (pp. 291-307). Berlin: Springer-Verlag. DOI: 10.1007/978-3-642-30921-2_17
Google, L. L. (2018). What Are Extensions? Retrieved from [link]
Hsiao, S. W., Hung, S.-H., Chien, R., & Yeh, C. W. (2014). PasDroid: Real-Time Security Enhancement for Android. 2014 Eighth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing, 229-235.
Kashyap, V., Dewey, K., Kuefner, E. A., Wagner, J., Gibbons, K., Sarracino, J., . . . Hardekopf, B. (2014). JSAI: A Static Analysis Platform for JavaScript. Proceedings of the 22Nd ACM SIGSOFT International Symposium on Foundations of Software Engineering (pp. 121-132). New York, NY, USA: ACM. DOI: 10.1145/2635868.2635904
Kuzuno, H., & Tonami, S. (2013, 4). Signature Generation for Sensitive Information Leakage in Android Applications. 2013 IEEE 29th International Conference on Data Engineering Workshops (ICDEW), (pp. 112-119). DOI: 10.1109/ICDEW.2013.6547438
Monteiro, D., Patnaik, N. D., & Theriault, P. (2013). JSpwn - JavaScript Static Code Analysis.
Mozilla. (2018). WebExtensions | MDN. Retrieved from [link]
Node.js. (2018). Linux Foundation. Retrieved from [link]
Ocariza, F., Bajaj, K., Pattabiraman, K., & Mesbah, A. (2013, 10). An Empirical Study of Client-Side JavaScript Bugs. 2013 ACM / IEEE International Symposium on Empirical Software Engineering and Measurement, (pp. 55-64). DOI: 10.1109/ESEM.2013.18
Patnaik, N. D., & Sahoo, S. S. (2015). JSPrime - A JavaScript Static Security Analysis Tool.
Peneti, S., & Rani, B. P. (2016, 2). Data leakage Prevention System with Time Stamp. 2016 International Conference on Information Communication and Embedded Systems (ICICES), (pp. 1-4). DOI: 10.1109/ICICES.2016.7518934
Pinto, B. S., Boeira, F. C., Minatel, P., Pires, P. C., Souza, I., Silva, A., & Shin, J. (2016). Mobile Data Leakage Prevention using Packet Inspection Approach.
Theriault, P. (2013). ScanJS - Static Analysis Tool for JavaScript Code.
Tizen. (2018). An Open Source, Standards-based Software Platform for Multiple Device Categories. Retrieved from [link]
Wang, D., Jin, G., He, J., Jiang, X., & Xie, Z. (2014). A Grey List-Based Privacy Protection for Android. JSW, 9, 1525-1531.
WinJS. (2018). WinJS - A Windows Library for JavaScript. Retrieved from [link]
Fard, A. M., & Mesbah, A. (2013, 9). JSNOSE: Detecting JavaScript Code Smells. 2013 IEEE 13th International Working Conference on Source Code Analysis and Manipulation (SCAM), (pp. 116-125). DOI: 10.1109/SCAM.2013.6648192
Fard, A. M., & Mesbah, A. (2017, 3). JavaScript: The (Un)Covered Parts. pp. 230-240. DOI: 10.1109/ICST.2017.28
Gibler, C., Crussell, J., Erickson, J., & Chen, H. (2012). AndroidLeaks: Automatically Detecting Potential Privacy Leaks in Android Applications on a Large Scale. Proceedings of the 5th International Conference on Trust and Trustworthy Computing (pp. 291-307). Berlin: Springer-Verlag. DOI: 10.1007/978-3-642-30921-2_17
Google, L. L. (2018). What Are Extensions? Retrieved from [link]
Hsiao, S. W., Hung, S.-H., Chien, R., & Yeh, C. W. (2014). PasDroid: Real-Time Security Enhancement for Android. 2014 Eighth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing, 229-235.
Kashyap, V., Dewey, K., Kuefner, E. A., Wagner, J., Gibbons, K., Sarracino, J., . . . Hardekopf, B. (2014). JSAI: A Static Analysis Platform for JavaScript. Proceedings of the 22Nd ACM SIGSOFT International Symposium on Foundations of Software Engineering (pp. 121-132). New York, NY, USA: ACM. DOI: 10.1145/2635868.2635904
Kuzuno, H., & Tonami, S. (2013, 4). Signature Generation for Sensitive Information Leakage in Android Applications. 2013 IEEE 29th International Conference on Data Engineering Workshops (ICDEW), (pp. 112-119). DOI: 10.1109/ICDEW.2013.6547438
Monteiro, D., Patnaik, N. D., & Theriault, P. (2013). JSpwn - JavaScript Static Code Analysis.
Mozilla. (2018). WebExtensions | MDN. Retrieved from [link]
Node.js. (2018). Linux Foundation. Retrieved from [link]
Ocariza, F., Bajaj, K., Pattabiraman, K., & Mesbah, A. (2013, 10). An Empirical Study of Client-Side JavaScript Bugs. 2013 ACM / IEEE International Symposium on Empirical Software Engineering and Measurement, (pp. 55-64). DOI: 10.1109/ESEM.2013.18
Patnaik, N. D., & Sahoo, S. S. (2015). JSPrime - A JavaScript Static Security Analysis Tool.
Peneti, S., & Rani, B. P. (2016, 2). Data leakage Prevention System with Time Stamp. 2016 International Conference on Information Communication and Embedded Systems (ICICES), (pp. 1-4). DOI: 10.1109/ICICES.2016.7518934
Pinto, B. S., Boeira, F. C., Minatel, P., Pires, P. C., Souza, I., Silva, A., & Shin, J. (2016). Mobile Data Leakage Prevention using Packet Inspection Approach.
Theriault, P. (2013). ScanJS - Static Analysis Tool for JavaScript Code.
Tizen. (2018). An Open Source, Standards-based Software Platform for Multiple Device Categories. Retrieved from [link]
Wang, D., Jin, G., He, J., Jiang, X., & Xie, Z. (2014). A Grey List-Based Privacy Protection for Android. JSW, 9, 1525-1531.
WinJS. (2018). WinJS - A Windows Library for JavaScript. Retrieved from [link]
Publicado
25/10/2018
Como Citar
DAMASCENO, Alexandre; ROCHA, Thiago; SOUTO, Eduardo.
TaintJSec: Um Método de Análise Estática de Marcação em Código JavaScript para Detecção de Vazamento de Dados Sensíveis. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 18. , 2018, Natal.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2018
.
p. 196-209.
DOI: https://doi.org/10.5753/sbseg.2018.4253.
