Research and Implementation of Behavior-Based Cross-Site Scripting Attack Detection Technology
Abstract
With the rapid development of computer and network technology, the Internet has brought people into a richer virtual world. To enrich the user experience, many websites make heavy use of dynamic scripting languages such as JavaScript. While this technology makes web pages more interactive, it also introduces security risks such as the leakage of users' sensitive information. Security vendors have developed a variety of tools to protect user information, but most of them are signature-based and cannot deal with security threats on the network in a timely way. To protect the information of Internet users effectively, this thesis focuses on the principles and workflow of cross-site scripting (XSS) attacks that use dynamic code obfuscation (DCO), currently the most common form across the network, and proposes a behavior-based XSS detection technique.
The main purpose of an XSS attack is to steal users' sensitive information. Its behavioral signature is that sensitive information is sent to a third party without the user's authorization, so by analyzing, on the client side, how the sensitive information accessed by the current page is transmitted, we can obtain an XSS detection result, determine which actions constitute suspicious attack behavior, and take appropriate countermeasures. The detection technique proposed in this thesis takes the approach of browser-side protection: inside the browser, taint tracking is used to analyze the behavior of the sensitive information contained in the current page, and if sensitive information flows to an unauthorized third party, the behavior is regarded as suspicious and an XSS attack is considered to have occurred. For the implementation, the open-source web browser Mozilla Firefox is used as the experimental platform. By analyzing its JavaScript engine, each stage of its processing was extended. The technique relies mainly on dynamic tracking, supplemented by static analysis, to analyze the transmission of sensitive information in the current page, and the results of this analysis are processed and judged in order to block possible XSS attacks. Once suspicious XSS behavior is found, the user is warned that the current operation entails leakage of sensitive information and is left to decide how to handle it. Experiments verify that the behavior-based XSS detection technique proposed in this thesis is practical for protecting users' sensitive data.
With the rapid development of computer and network technology, the Internet has brought people into a more wonderful virtual world. Many websites make extensive use of client-side script (mostly written in JavaScript) to enhance the user experience. However, while this technology enhances the interactivity of web pages, it also brings security problems such as user information leakage. At present, security service providers have developed various kinds of tools to protect the security of user information, but most of these tools are signature-based and are not able to handle security risks in a timely way. To protect the security of web users' information effectively, this paper discusses the theory and flow of cross-site scripting (XSS) attacks that use dynamic code obfuscation (DCO) technology, and proposes a behavior-based XSS detection technique.
The main purpose of XSS is to steal the user's sensitive information. Since its behavior is to send the user's sensitive information to a third party without the user's authorization, we can obtain XSS attack detection results by analyzing how the current page accesses sensitive information. The detection technique presented in this paper adopts the idea of protecting user information on the client side, in the web browser. It analyzes how the current page accesses sensitive information by tracking the flow of tainted data. If tainted data is about to be transferred to a third party, the current operation is assumed to be suspicious. For the implementation, this paper chooses the open-source web browser Mozilla Firefox as its experimental platform. By analyzing its JavaScript engine, we extend its handling process in each phase. Our approach employs dynamic analysis techniques in general, with an auxiliary static analysis technique when necessary, to analyze the state of sensitive information in the current page. By handling and judging the analysis result, we can prevent the suspicious XSS attack. If sensitive information is about to be transferred to a third party, the user can decide whether this should be permitted. The results of our experiments demonstrate that the behavior-based XSS detection technique proposed in this paper is feasible in practice.
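The taint-tracking idea described in the abstract, as an added illustration that is not the thesis's code: reads of sensitive data return tainted values, taint propagates through string operations (so URL-encoding or piecewise assembly of the URL does not clear it), and the sink check flags a transfer only when the destination origin differs from the page's own. The class and function names, the sample origins and the cookie value are all hypothetical.

```javascript
class Tainted {
  // Wraps a string value together with the set of sensitive sources it derives from.
  constructor(value, sources) {
    this.value = String(value);
    this.sources = new Set(sources);
  }
  toString() { return this.value; }
}

const isTainted = (v) => v instanceof Tainted;

// Taint source: a read of a sensitive property (e.g. document.cookie) returns a tainted value.
function readSensitive(sourceName, rawValue) {
  return new Tainted(rawValue, [sourceName]);
}

// Taint propagation: any operation consuming a tainted operand yields a tainted result that
// carries the union of the operands' sources; concatenation and URL-encoding are modelled here.
function propagate(fn, ...operands) {
  const sources = [];
  for (const op of operands) if (isTainted(op)) sources.push(...op.sources);
  const result = fn(...operands.map(String));
  return sources.length ? new Tainted(result, sources) : result;
}
const concat = (...parts) => propagate((...s) => s.join(''), ...parts);
const urlEncode = (v) => propagate(encodeURIComponent, v);

// Taint sink: a request about to leave the page. Flagged only when the URL carries taint AND
// resolves to an origin other than the page's own (relative URLs resolve to the page origin).
function checkSink(pageOrigin, url) {
  if (!isTainted(url)) return { suspicious: false, reason: 'no sensitive data in URL' };
  const dest = new URL(url.value, pageOrigin);
  if (dest.origin === pageOrigin) return { suspicious: false, reason: 'same-origin transfer' };
  return {
    suspicious: true,
    reason: `sensitive data sent to third party ${dest.origin}`,
    sources: [...url.sources],
  };
}

// Constructed scenario: an injected script reads the cookie and leaks it through an image URL,
// while a legitimate same-origin request carrying the same cookie is allowed through.
function demo() {
  const page = 'https://shop.example';                                // constructed origin
  const cookie = readSensitive('document.cookie', 'session=5f3a9c');   // constructed value
  const leak = concat('https://collector.example/i.gif?c=', urlEncode(cookie));
  const legit = concat('/api/keepalive?c=', urlEncode(cookie));
  return [checkSink(page, leak), checkSink(page, legit), checkSink(page, '/img/logo.png')];
}
```

In the thesis's design the suspicious case is where the browser would warn the user and let them decide; here `demo()` simply returns the three sink verdicts.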
