info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Static analysis of JS to find malicious obfuscation
49 views
Skip to first unread message
tofumatt
Oct 8, 2015, 4:32:24 AM10/8/15
to dev-se...@lists.mozilla.org
Hi there Security folks!
I’m tofumatt, I'm working with Stuart Colville on the new add-ons validator, written in JS.
One of the things we’d like to improve in this validator is the ability to detect rule bypassing via code obfuscation. For example, mozIndexedDB is a deprecated identifier and that is easy to find with a custom ESLint rule. But if someone types:
var badDB = ‘m’;
badDB += ‘oz’
badDB = badDB + ‘IndexedDB’;
var myDeprecatedDB = window[badDB];
The existing validator and our scans for an identifier with AST (using ESLint/ESPrima) don’t catch it.
Are there any tools (especially JS ones!) that can be used to at least detect this kind of obfuscation? Without it the validator remains more an advisory/helpful tool than something we could use to automate security validation.
Apologies if this is the wrong list; didn’t know exactly who to turn to for this (I’ve also asked static analysis and spidermonkey folks). If I should check with someone specific, please let me know.
Cheers,
- tofumatt
I’m tofumatt, I'm working with Stuart Colville on the new add-ons validator, written in JS.
One of the things we’d like to improve in this validator is the ability to detect rule bypassing via code obfuscation. For example, mozIndexedDB is a deprecated identifier and that is easy to find with a custom ESLint rule. But if someone types:
var badDB = ‘m’;
badDB += ‘oz’
badDB = badDB + ‘IndexedDB’;
var myDeprecatedDB = window[badDB];
The existing validator and our scans for an identifier with AST (using ESLint/ESPrima) don’t catch it.
Are there any tools (especially JS ones!) that can be used to at least detect this kind of obfuscation? Without it the validator remains more an advisory/helpful tool than something we could use to automate security validation.
Apologies if this is the wrong list; didn’t know exactly who to turn to for this (I’ve also asked static analysis and spidermonkey folks). If I should check with someone specific, please let me know.
Cheers,
- tofumatt
Paul Theriault
Oct 8, 2015, 5:20:27 AM10/8/15
to tofumatt, dev-se...@lists.mozilla.org, Frederik Braun
Not that I am aware of, and I spent a lot of time looking last year. I was looking from the perspective of finding vulnerabilities though, not maliciousness. The only thing I know of that is close is a tool called “semmle” which is an eclipse based tool for static analysis. They added support for javascript, and I was working with one of their engineers to look at a taint based approach to find vulnerabilities. (In the end, we took a different approach : https://bugzilla.mozilla.org/show_bug.cgi?id=1155131 <https://bugzilla.mozilla.org/show_bug.cgi?id=1155131>)
My conclusion was that static analysis alone for detecting maliciousness wasn’t feasible (for me at least!). It seems like the options for obfuscation (even legitimate ones, asm.js?) are too enumerable to develop a tool that would cover more than just basic obfuscation. But I’d love to hear about it if anyone knows of anything.
Maybe we need to invest in dynamic analysis based tooling as well if we want to make progress towards automated/semi-automated verification though? Again keen to hear anyones experiences in this area.
> _______________________________________________
> dev-security mailing list
> dev-se...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security
My conclusion was that static analysis alone for detecting maliciousness wasn’t feasible (for me at least!). It seems like the options for obfuscation (even legitimate ones, asm.js?) are too enumerable to develop a tool that would cover more than just basic obfuscation. But I’d love to hear about it if anyone knows of anything.
Maybe we need to invest in dynamic analysis based tooling as well if we want to make progress towards automated/semi-automated verification though? Again keen to hear anyones experiences in this area.
> dev-security mailing list
> dev-se...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security
0 new messages