Static analysis of JS to find malicious obfuscation


Static analysis of JS to find malicious obfuscation

tofumatt
Hi there Security folks!

I'm tofumatt; I'm working with Stuart Colville on the new add-ons validator, written in JS.

One of the things we’d like to improve in this validator is the ability to detect rule bypassing via code obfuscation. For example, mozIndexedDB is a deprecated identifier and that is easy to find with a custom ESLint rule. But if someone types:


var badDB = 'm';
badDB += 'oz';
badDB = badDB + 'IndexedDB';        // badDB is now the string 'mozIndexedDB'
var myDeprecatedDB = window[badDB]; // same object as window.mozIndexedDB, but no such identifier appears in the AST


The existing validator and our scans for an identifier with AST (using ESLint/ESPrima) don’t catch it.

Are there any tools (especially JS ones!) that can be used to at least detect this kind of obfuscation? Without it the validator remains more an advisory/helpful tool than something we could use to automate security validation.

Apologies if this is the wrong list; didn’t know exactly who to turn to for this (I’ve also asked static analysis and spidermonkey folks). If I should check with someone specific, please let me know.

Cheers,

- tofumatt
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security
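The kind of check the post is asking for can be built as a small constant-propagation pass over the AST: track variables whose value is a string known at analysis time, fold `+`, `+=` and `[...].join()` over those constants, and resolve `window[expr]` to a concrete property name before comparing it against the banned list. The example below is added here and is not code from the thread or from the add-ons validator. It assumes an ESTree-shaped AST (what esprima or acorn produce); to keep it dependency-free, the AST for the snippet in the post is hand-built with a few small node constructors instead of being parsed, and the names `BANNED`, `analyzeProgram` and friends are this example's own. A computed `window[...]` access whose key cannot be resolved is reported as a warning rather than silently passed, which is the advisory case the validator would otherwise miss.

```javascript
// Added example, not code from the thread: a constant-propagation pass over an ESTree
// AST that resolves property names built from string pieces and flags accesses to
// banned globals such as mozIndexedDB. A real validator would obtain the AST from
// esprima.parseScript() or acorn; here the AST is hand-built so it runs under plain Node.

const BANNED = new Set(['mozIndexedDB']);                  // identifiers the rule forbids
const GLOBAL_OBJECTS = new Set(['window', 'globalThis', 'self']);

// Tiny ESTree node builders, used only to construct the sample input below.
const id = name => ({ type: 'Identifier', name });
const str = value => ({ type: 'Literal', value });
const plus = (left, right) => ({ type: 'BinaryExpression', operator: '+', left, right });
const member = (object, property, computed) => ({ type: 'MemberExpression', object, property, computed });
const call = (callee, args) => ({ type: 'CallExpression', callee, arguments: args });
const varDecl = (name, init) => ({ type: 'VariableDeclaration', kind: 'var',
  declarations: [{ type: 'VariableDeclarator', id: id(name), init }] });
const assign = (operator, name, right) => ({ type: 'ExpressionStatement',
  expression: { type: 'AssignmentExpression', operator, left: id(name), right } });

// Reduce an expression to a string constant given the variables known in `env`.
// Returns null when the value cannot be determined statically.
function foldString(node, env) {
  if (!node) return null;
  switch (node.type) {
    case 'Literal':
      return typeof node.value === 'string' ? node.value : null;
    case 'Identifier':
      return env.has(node.name) ? env.get(node.name) : null;
    case 'BinaryExpression': {
      if (node.operator !== '+') return null;
      const l = foldString(node.left, env), r = foldString(node.right, env);
      return l !== null && r !== null ? l + r : null;
    }
    case 'CallExpression': {
      // ['moz', 'IndexedDB'].join('') is another common way to assemble a name
      const c = node.callee;
      if (c.type !== 'MemberExpression' || c.computed || c.property.name !== 'join' ||
          c.object.type !== 'ArrayExpression') return null;
      const sep = node.arguments.length ? foldString(node.arguments[0], env) : ',';
      const parts = c.object.elements.map(e => foldString(e, env));
      return sep !== null && parts.every(p => p !== null) ? parts.join(sep) : null;
    }
    default:
      return null;                                           // any other call, parameter, etc.
  }
}

// Record an assignment's effect on `env`; a value we cannot fold makes the variable unknown.
function updateEnv(env, target, operator, rhs) {
  if (target.type !== 'Identifier') return;
  const right = foldString(rhs, env);
  let value = null;
  if (operator === '=') value = right;
  else if (operator === '+=' && env.has(target.name) && right !== null) value = env.get(target.name) + right;
  if (value === null) env.delete(target.name); else env.set(target.name, value);
}

// Recursively visit `node`, reporting banned-global accesses resolved against `env`.
function scanForBannedAccess(node, env, findings) {
  if (!node || typeof node !== 'object') return;
  if (Array.isArray(node)) { node.forEach(n => scanForBannedAccess(n, env, findings)); return; }
  if (node.type === 'MemberExpression' && node.object.type === 'Identifier' && GLOBAL_OBJECTS.has(node.object.name)) {
    const name = node.computed ? foldString(node.property, env) : node.property.name;
    if (name === null) {
      // window[x] with an unresolvable key: cannot be proven safe, so surface it as advisory
      findings.push({ severity: 'warning', name: null, reason: `${node.object.name}[...] key not statically resolvable` });
    } else if (BANNED.has(name)) {
      findings.push({ severity: 'error', name, reason: node.computed ? 'banned identifier assembled from string constants' : 'direct banned identifier' });
    }
    if (node.computed) scanForBannedAccess(node.property, env, findings);
    return;
  }
  if (node.type === 'Identifier' && BANNED.has(node.name)) {
    findings.push({ severity: 'error', name: node.name, reason: 'direct banned identifier' });
  }
  for (const key of Object.keys(node)) if (key !== 'type') scanForBannedAccess(node[key], env, findings);
}

// Straight-line pass over top-level statements: scan each statement with the environment
// as it stands, then apply its assignments. Branches, loops and nested functions would
// need real dataflow; this covers the sequential case shown in the post.
function analyzeProgram(program) {
  const env = new Map(), findings = [];
  for (const stmt of program.body) {
    scanForBannedAccess(stmt, env, findings);
    if (stmt.type === 'VariableDeclaration') {
      for (const d of stmt.declarations) updateEnv(env, d.id, '=', d.init);
    } else if (stmt.type === 'ExpressionStatement' && stmt.expression.type === 'AssignmentExpression') {
      updateEnv(env, stmt.expression.left, stmt.expression.operator, stmt.expression.right);
    }
  }
  return findings;
}

// Constructed AST for the snippet in the post (what a parser would produce, minus locations).
const SAMPLE_AST = { type: 'Program', body: [
  varDecl('badDB', str('m')),                                          // var badDB = 'm';
  assign('+=', 'badDB', str('oz')),                                    // badDB += 'oz';
  assign('=', 'badDB', plus(id('badDB'), str('IndexedDB'))),           // badDB = badDB + 'IndexedDB';
  varDecl('myDeprecatedDB', member(id('window'), id('badDB'), true)),  // var myDeprecatedDB = window[badDB];
]};

// Constructed AST where the key comes from user input and cannot be folded.
const UNRESOLVED_AST = { type: 'Program', body: [
  varDecl('key', call(id('prompt'), [])),                              // var key = prompt();
  varDecl('db', member(id('window'), id('key'), true)),                // var db = window[key];
]};

console.log(analyzeProgram(SAMPLE_AST));      // one 'error' finding naming mozIndexedDB
console.log(analyzeProgram(UNRESOLVED_AST));  // one 'warning' finding with an unresolved key
```

The useful property for a validator is the split between the two outcomes: when the key folds to a constant the rule fires with the same confidence as the plain ESLint identifier check, and when it does not fold the access is still surfaced, so a reviewer sees every dynamic global lookup instead of only the ones the tool happened to understand. The pass is deliberately flow-insensitive beyond straight-line code; a variable assigned inside a branch or loop is treated as unknown by the caller's environment, which errs on the side of a warning rather than a missed detection.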
Re: Static analysis of JS to find malicious obfuscation

Paul Theriault
Not that I am aware of, and I spent a lot of time looking last year. I was looking from the perspective of finding vulnerabilities though, not maliciousness. The only thing I know of that is close is a tool called “semmle”, which is an Eclipse-based tool for static analysis. They added support for JavaScript, and I was working with one of their engineers to look at a taint-based approach to find vulnerabilities. (In the end, we took a different approach: https://bugzilla.mozilla.org/show_bug.cgi?id=1155131)

My conclusion was that static analysis alone for detecting maliciousness wasn’t feasible (for me at least!). It seems like the options for obfuscation (even legitimate ones, asm.js?) are too enumerable to develop a tool that would cover more than just basic obfuscation. But I’d love to hear about it if anyone knows of anything.

Maybe we need to invest in dynamic analysis based tooling as well if we want to make progress towards automated/semi-automated verification though? Again, keen to hear anyone's experiences in this area.


> On 8 Oct 2015, at 7:32 pm, tofumatt <[hidden email]> wrote:
