Nicolas B. Pierron [:nbp]
// Slide 1: the raw password value is concatenated straight into the request
// path. Nothing in the string itself marks it as secret — only its origin
// (the #password field) does — which is the leak taint tracking is meant to
// surface.
var pwd = $('#password').val();
var target = "/msg/" + pwd;
xhr(target);
// Slide 2: the password feeds hasher(challenge, pwd) and only the derived
// hash reaches the URL. Whether the analysis should treat hasher() as
// clearing the taint is the distinction these examples set up.
var pwd = $('#password').val();
var hash = hasher(challenge, pwd);
var query = "?hash=" + hash;
xhr("/msg/" + query);
// Slide 3: both flows behind a runtime predicate. Which branch runs depends
// on the data, so whether the raw password reached xhr() on a given run is
// only visible to a dynamic (or path-sensitive) analysis.
var pwd = $('#password').val();
var url = predicate(pwd)
  ? "/msg/" + pwd
  : "/msg/?hash=" + hasher(challenge, pwd);
xhr(url);
Taint String only:
Pros:
Cons:
Taint all Values:
Pros:
Cons:
Can we do better?
Dynamic analysis framework:
Dynamic analysis? framework:
Rewrite the code and emulate the operators
// Before the rewrite: `f` uses the native `+`, so the engine performs the
// addition/concatenation directly and nothing at the JS level can observe
// the operator to carry taint across it.
var y = …;
function f(x) {
return x + y;
}
// After the rewrite: the source-level `+` becomes a call to Binary('+', …),
// so the operator is emulated in JS and can propagate taint from operands
// to result (see Binary below).
var y = …;
function f(x) {
return Binary('+', x, y);
}
Dynamic analysis? framework:
Emulate the code and box & unbox values
// Emulated binary operator over boxed values.
// `x`, `y`: boxed operands carrying a taint flag; `op`: operator as a string.
// For "+" the native operator runs on the unboxed payloads and the result is
// re-boxed with the OR of both operands' taint, so taint survives the
// concatenation/addition.
// NOTE(review): `|` is a bitwise OR, so the stored taint is a number (0/1)
// even if tainted() returns booleans — presumably intended as a bit mask.
// NOTE(review): `==` is a loose comparison; `===` is the idiomatic check.
function Binary(op, x, y) {
if (op == "+")
return box(unbox(x) + unbox(y),
tainted(x) | tainted(y));
// Remaining operators (elided on the slide) follow the same box/unbox pattern.
…
}
Pros:
Cons:
// Source-level view of the function whose probe-instrumented form is shown
// next. `y` is a free variable resolved from the enclosing scope.
function f(x) {
  const sum = x + y;
  return sum;
}
Bytecode (overview) of
// Instrumented form of f as the emitter would produce it with function
// probes enabled: operands are captured in locals, a probe context is
// fetched, Plus() runs before the native `+`, and PlusResult() sees the
// result so taint can be re-attached. `%probe.*` presumably denotes
// engine-internal intrinsics, not user-level JS.
// NOTE(review): the value returned by %probe.PlusResult is discarded here
// while PlusResult() returns setTaint(...). If setTaint produces a new boxed
// value rather than mutating `_r` in place, the taint is lost before
// `return _r` — confirm which contract setTaint follows.
function f(x) {
let _x = x, _y = y;
let _ctx = %probe.getContext();
%probe.Plus(_x, _y, _ctx);
let _r = _x + _y;
%probe.PlusResult(_r, _ctx);
return _r;
}
// Pre-operation probe: records in the probe context whether either operand
// is tainted, before the native `+` executes. Returns nothing; the result is
// communicated through `ctx.taint`.
function Plus(x, y, ctx) {
  const lhsTaint = tainted(x);
  const rhsTaint = tainted(y);
  ctx.taint = lhsTaint | rhsTaint;
}
// Post-operation probe: re-attaches the taint recorded by Plus() to the
// operation's result. Returns whatever setTaint() yields; an instrumented
// caller must use that value unless setTaint mutates `res` in place.
function PlusResult(res, ctx) {
  const { taint } = ctx;
  return setTaint(res, taint);
}
Proxies → Shadow object by default, no more plain values.
// Signature shared by every emit function, so the emitter can be pointed at
// a wrapping variant (EmitFuncWithProbes below) without changing call sites.
typedef bool (*EmitFuncProto)(ExclusiveContext *cx,
BytecodeEmitter *bce,
ParseNode *pn);
// Probe-aware emit function matching EmitFuncProto, so it can be installed as
// BytecodeEmitter::EmitFunc_. The body is elided on the slide; presumably it
// emits the probe calls around the normal emission and delegates to it.
static bool
EmitFuncWithProbes(ExclusiveContext *cx,
BytecodeEmitter *bce,
ParseNode *pn)
{
… // Wrap and delegate.
// The emitter reaches its emit function through a pointer; the probe-wrapping
// variant is selected at initialization only when function probes are
// enabled, so the uninstrumented path keeps its original emit function.
// Presumably the indirect call is the cost the following note questions.
class BytecodeEmitter
{
EmitFuncProto EmitFunc_;
// Initialization of the BytecodeEmitter
if (hasFuncProbes()) {
EmitFunc_ = EmitFuncWithProbes;
→ Cons: possible performance impact (?) even when probes are not used.
Pros:
Cons:
Pros:
Cons: