OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protections really secure?

Are your JavaScript-based
protections really secure?
Pedro Fortuna
W a r s a w , 1 0 . 1 0 . 2 0 1 8
OWASP
Poland Day 2018

A b o u t m e
Pedro Fortuna
Co-Founder & CTO @ JSCRAMBLER
OWASP Member
SECURITY, JAVASCRIPT
@pedrofortuna
Are your JavaScript-based protections really secure? 2

A g e n d a
1
What is Code Protection?
2
Testing Protection Resilience
3
Demos
4
JavaScript Software
Protections Checklist Project
5
Conclusions
6
Q & A

I nt e l l e c t u a l P ro p e r t y P ro te c t i o n
Alice
Software Developer
Sells her software over the Internet
Bob
Reverse Engineer
Wants algorithms and data structures
Does not need to revert back to original source code
Legal or Technical
Protection?

I nt e l l e c t u a l P ro p e r t y P ro te c t i o n
IP Protection
Legal Technical
Encryption
Trusted Computing
Server-Side Execution
Obfuscation
?

C o d e O bf u s cat i o n
Obfuscation
“transforms a program into a form that is more difficult for an adversary to understand or change than the original code” [1]
More Difficult
“requires more human time, more money, or more computing power to analyze than the original program.”
[1] in Collberg, C., and Nagra, J., “Surreptitious software: obfuscation, watermarking, and tamperproofing for software
protection.”, Addison-Wesley Professional, 2010.

Q u i c k E xa m p l e
Source
http://plnkr.co/edit/osF9YRih8ucblO98VqXI
Obfuscated
http://plnkr.co/edit/lyVeqhOZmjCR7Pd24A5r
Beautified
http://plnkr.co/edit/xF9ZOm4NhaRA7ocBdLwv

C o d e P ro te c t i o n i s n o t j u st
O bf u s cat i o n
Obfuscation Code Locks
Runtime Integrity/
Tamper detection
Data Integrity
Anti-debugging
Emulation
detection
Jailbreak/Root
detection
Code signing
Data Encryption Device binding File Integrity Whitebox Crypto

M e a s u r i n g O bf u s cat i o n
Collberg, C., Thomborson, C. and Low, D., 1997. A taxonomy of obfuscating transformations.
Department of Computer Science, The University of Auckland, New Zealand.
• Obfuscation quality
• Potency - How much more difficult to read and understand (for a human)
• Resilience – Resistance to automated deobfuscation techniques
• Cost – Execution time/space penalty
• Stealthiness
• How hard is to spot?
• Obfuscation usually not stealthy
• Need to avoid telltales (eval, unescape, …)
• Diversity
• Increases attack complexity
• Polymorphic & Metamorphic code
• Passive defense technique

D e o bf u s cat i o n Te c h n i q u e s
• Static analysis
• Constant Folding & Propagation, Dead code Elimination, Abstract Interpretation, Heap Serialization
• Partial Evaluation
• Classify expressions as static or dynamic in a program
• Precompute all static input at compile time (i.e. deobfuscation time)
• "Residual program" is a faster program (i.e. less computations, not necessarily less code)
• Symbolic Execution
• Unfolds a control-flow graph intro a tree
• Can be used to find values and flows which lead to a certain program states
• Program Slicing
• Dynamic analysis
• Concrete execution using interpreters e.g. Node.js VM module

C o n c re te E xe c u t i o n
• Executes the code to replace it with a simpler form
• Ideally this is done with a sandboxed / restricted / virtualized environment
• Example: obfuscation usually seen in malware to hide the attack
function decode (a) {
return unescape(decodeURIComponent(atob(a)));
}
eval(decode("MSs0")); //1+4
//Jstillery
function decode (a) {
return unescape(decodeURIComponent(atob(a)));
}
5

C o n c re te E xe c u t i o n ( 2 )
Another example
// From JStillery
function w(d) {
var z = 23,
u = '', c = this,
g = 'frKvdrCode'.replace('Kvd', 'omCha'),
f = 'cqJUjCodeAt' ['ZdPce'.replace('ZdP', 'repla')]('qJUj', 'har'),
k = 'UNmNth' ['reQMgZnace'.replace('QMgZn', 'pl')]('UNmN', 'leng'),
j = 'SlzbJcg'.replace('lzbJc', 'trin'),
t = c[j], v = t[g], r, l, s;
for (s = 0; s < d[k]; s++) {
r = d[f](s); l = r ^ z; u += v(l);
}
return u;
};
w("test")
function w(d)
/*Scope Closed:false | writes:false*/
{
var z = 23,
u = '', c = this,
g = 'fromCharCode',
f = 'charCodeAt',
k = 'length',
j = 'String',
t = c.String, v = t.fromCharCode, r, l, s;
for (s = 0; s < d[k]; s++) {
r = d[f](s); l = r ^ z; u += t.fromCharCode(l);
}
return u;
};
'crdc’;

P ro g ra m S l i c i n g
From Wikipedia “program slicing is the computation of the set of program statements, the program
slice, that may affect the values at some point of interest, referred to as a slicing criterion”
var i;
var sum = 0;
var product = 1;
var w = 7;
for(i = 1; i < N; ++i) {
sum = sum + i + w;
product = product * i;
}
console.log(sum);
console.log(product);
var i;
var sum = 0;
var w = 7;
for(i = 1; i < N; ++i) {
sum = sum + i + w;
}
console.log(sum);
var i;
var product = 1;
for(i = 1; i < N; ++i) {
product = product * i;
}
console.log(product);

H e a p S e r i a l i zat i o n
var arr = [];
for (var i = 0; i < 10; i++) {
arr[i] = i * 2;
}
var i, arr;
arr = [0, 2, 4, 6, 8, 10, 12, 14, 16, 18];
i = 0;
i = 1;
...
i = 8;
i = 9;
i = 10;
• Optimization technique (prepack.io)
• Walks the heap in order, generating fresh straightforward JavaScript code that creates and links all objects
reachable in the initialized heap

H e a p S e r i a l i zat i o n ( 2 )
• Another example
• A multi-dimension array with infinite number of subscripts
// mda.js
var createMDA = function(len, shift) {
var mda = [];
for (var k = 0; k < len; k++) {
mda[(k + shift) % len] = [];
}
for (var i = 0; i < len; i++) {
for (var j = len - 1; j >= 0; j--) {
mda[i][(j + shift * i) % len] = mda[j];
}
}
return mda;
};
var mda = createMDA(24, 7);
// Generated by prepack.io
var m;
(function() {
var _4 = [, , , , , , , , , , , , , , , , , , , , , , , , ];
_4[0] = _4;
var _7 = [, , , _4, , , , , , , , , , , , , , , , , , , , , ];
_4[21] = _7;
_7[0] = _7;
var _a = [, , , _7, , , _4, , , , , , , , , , , , , , , , , , ];
_4[18] = _a;
...
_m[14] = _o;
_8[23] = _o;
_n[7] = _o;
_o[0] = _o;
m = [_o, _n, _m, _l, _k, _j, _i, _1, _h, _g, _f, _e, _d, _c, _b, _a, _9, _8, _7, _6, _5, _4,
_3, _2];
}());

D e o bf u s cat i o n To o l s
JavaScript Malware Analysis: JStillery, JSDetox
JavaScript DeObfuscation: JStillery, JSDetox, JSNice
JavaScript Optimization: Prepack.io, Closure compiler, jsbeautifier
JavaScript Engines: V8, SpiderMonkey, Nodejs's VM module

D e o bf u s cat i o n To o l s &
Te c h n i q u e s
Constant
Folding
Constant
Propagation
Dead Code
Elimination
Symbolic
Execution
Concrete
Execution
JS Interpreter / engine /
emulation
JStillery Node VM
JSDetox
JSNice
Prepack.io Interpreter
Closure Compiler
SpiderMonkey Engine
V8 Engine

S a m p l e # 1 : M i n i f i e d C o d e
// s1_A_original.js
;(function() {
var mda = [];
for (var k = 0; k < len; k++) {
}
for (var i = 0; i < len; i++) {
for (var j = len - 1; j >= 0; j--) {
}
}
return mda;
};
…
else if (ref === mda[17][21]) {
console.log("There is no spoon.");
}
}());
// Minified with UglifyJS2 (s1_B_uflifyjs.js)
!function(){var o=function(o,n){for(var r=[],e=0;o>e;e++)r[(e+n)%o]=[]
for(var t=0;o>t;t++)for(var a=o-1;a>=0;a--)r[t][(a+n*t)%o]=r[a]
return r},n=o(24,7),r=n[15][13][22][4]
r===n[12][2]?console.log("Do not try and bend the
spoon."):r===n[17][21]&&console.log("There is no spoon.")}()
// Deobfuscated with prepack.io (s1_C_prepackio.js)
console.log("There is no spoon.”)
<or> Using a minifier to obfuscate doesn’t work!

S a m p l e # 2 : J S F u c k
[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]
+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+
(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+
[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]
+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+
!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[
+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!
+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()
// Deobfuscated with JStillery
[].filter.constructor('alert(1)')();
// Deobfuscated with Prepack
ReferenceError: alert is not defined
// Source code
alert(1)

S a m p l e # 3 : J ava s c r i pt 2 i mg
// Source code
alert(1)
vc167ceaa2357dd0f98caf9a7514f1ea5=[function(v7c646b50cc88f596bb622e66bb6a6617){return"0159a99ed28b0581890608d24ada9decc48741
970ca1f991bf30dd786c7d46f3c4c6bd7e"},function(v7c646b50cc88f596bb622e66bb6a6617){return
v4a30630c14033738ffde5e5aee6844aa.createElement(v7c646b50cc88f596bb622e66bb6a6617)},function(v7c646b50cc88f596bb622e66bb6a66
17){return
v7c646b50cc88f596bb622e66bb6a6617[0].getContext(v7c646b50cc88f596bb622e66bb6a6617[1])},function(v7c646b50cc88f596bb622e66bb6a6
617){return
v7c646b50cc88f596bb622e66bb6a6617[0].text=v7c646b50cc88f596bb622e66bb6a6617[1]},function(v7c646b50cc88f596bb622e66bb6a6617){ret
urn
null},function(v7c646b50cc88f596bb622e66bb6a6617){"ff1eb8bd6cb17940ab78c0eeecf66268772f206117131af045e227576bc98bfec16f75d2"},fu
nction(v7c646b50cc88f596bb622e66bb6a6617){return"8d8ebea7b076c177ecd21e2d0d7e52fa74c48f3c0df27f78a9339990332cf02c05677579"},fu
nction(v7c646b50cc88f596bb622e66bb6a6617){v7c646b50cc88f596bb622e66bb6a6617.style.display="none";return
d1794f6c2a974ee78c23dbf=vc167ceaa2357dd0f98caf9a7514f1ea5[4](v24fcc9be09909ff7ccd7c146dfa2d493);v1341746e3d58a8c0d7ce43b877b
6beb1=vc167ceaa2357dd0f98caf9a7514f1ea5[4](v24fcc9be09909ff7ccd7c146dfa2d493);v7c646b50cc88f596bb622e66bb6a6617=vc167ceaa235
7dd0f98caf9a7514f1ea5[4](v24fcc9be09909ff7ccd7c146dfa2d493);v7c646b50cc88f596bb622e66bb6a6617=vc167ceaa2357dd0f98caf9a7514f1e
a5[4]);
// Deofuscated with PoisonJS
alert(1)
// continues...

S a m p l e # 3 : J ava s c r i pt 2 i mg ( 2 )
• Each line is the result of a monkey patched function that has executed and logged to the console
• The last line is the input code, everything else is boilerplate added by the obfuscator
Log: return unescape(decodeURIComponent(window.atob(v7c646b50cc88f596bb622e66bb6a6617)))
Log: return document
Log: return v4a30630c14033738ffde5e5aee6844aa.getElementById(v7c646b50cc88f596bb622e66bb6a6617);
Log: return new Image();
Log: return 'data:image/png;base64,';
Log: return 'canvas';
Log: return 'none';
Log: return '2d';
Log: return String.fromCharCode(v7c646b50cc88f596bb622e66bb6a6617);
Log: for (ve324453514c7a3860e25f62a14b2a43a = v1341746e3d58a8c0d7ce43b877b6beb1[2]; ve324453514c7a3860e25f62a14b2a43a <
v624188683b10d830edc64001e2ffd806.data.length; ve324453514c7a3860e25f62a14b2a43a += 4) vbe62785667f315dd97269f898bad0fe6 +=
(v624188683b10d830edc64001e2ffd806.data[ve324453514c7a3860e25f62a14b2a43a] != v1341746e3d58a8c0d7ce43b877b6beb1[1]) ?
v28cde49dfe1e98499bf428e006ab8f11(v624188683b10d830edc64001e2ffd806.data[ve324453514c7a3860e25f62a14b2a43a]) :
vbca103416d1794f6c2a974ee78c23dbf[4];
vbe62785667f315dd97269f898bad0fe6 = vbe62785667f315dd97269f898bad0fe6.trim();
Log: alert(1)

S a m p l e # 4 C o nt ro l F l o w
O bf u s cat i o n
Control-flow obfuscation techniques can have a hard time deterring interpreters that do control-flow analysis and
are able to remove dead code and control-flow obfuscation overhead
// s4_A_original.js
;(function() {
var mda = [];
for (var k = 0; k < len; k++) {
}
for (var i = 0; i < len; i++) {
for (var j = len - 1; j >= 0; j--) {
}
}
return mda;
};
…
else if (ref === mda[17][21]) {
}
}());
// s4_B_cfo.js
… var createMDA = function (len, shift) {
var o = 2;
while (o !== 10) {
switch (o) {
case 13:
j--;
o = 6;
break;
case 14:
o = 13;
break;
case 6:
o = j >= 0 ? 14 : 12;
break;
case 9:
…

S a m p l e # 4 C o nt ro l F l o w
O bf u s cat i o n ( 2 )
Prepack.io was able to de-obfuscate this. JStillery wasn’t.
// s4_C_jstillery.js
…
var createMDA = function (len, shift) {
var o = 2;
while (o !== 10) {
switch (o) {
case 13:
j--;
o = 6;
break;
case 14:
o = 13;
break;
case 6:
o = j >= 0 ? 14 : 12;
break;
case 9:
…
// s4_D_prepackio.js
var O3ffff;
O3ffff = 2;
O3ffff = 1;

D e te c t I nt e r p re te rs /
E m u l ato rs
• Detect limited environments: no DOM, no WebGL, Nodejs's VM module
• Just exit
• Return alternative / dead code
• Keep process busy / drain resources

E m u l ato rs ( 2 )
Detect emulators and interpreters:
• DOM objects and properties: `document.location`, `navigator.plugins`
• WebGL computations: make the next execution depend on result of a WebGL computation
// Enumerate functions, objects, and properties available
in `this`
for (var i in this) {}
// Document object is not present in prepack.io
var i;
i = "self";
i = "window";
i = "setTimeout";
i = "clearTimeout";
i = "setInterval";
i = "clearInterval";
i = "i";

E m u l ato rs ( 3 )
//Detects emulator
(function() {
var b;
// Look for document in `this`
for (var i in this) {
if (i === 'document') b = this[i];
}
if (b + '' !== '[object HTMLDocument]') {
return 'Emulator detected.';
}
return 'Running on a Browser';
}());
//Keep process busy just draining resources
(function fn () {
if (detected) {
while (true) {
setTimeout(fn, 0);
}
}
// never reaches this part of the code
}());

S a m p l e # 5 : I nt e r p re t e r
D e te c t i o n
This time let's try to combine it with interpreter detection
code
// s5_A_interpreterdetection.js
runtime
// interpreter is just stuck running

JavaScript Software Protection
Checklist Project

M o t i vat i o n
• Sven Schleier, Bernhard Mueller, OWASP Mobile Security
Testing Guide (MSTG) [1]
• Anti-Tampering, Anti Reverse-Engineering mechanisms,
and Obfuscation
• Android & iOS
[1] https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide

M o b i l e A p p l i cat i o n
S e c u r i t y C h e c k l i st
[1] https://github.com/OWASP/owasp-mstg/raw/master/Checklists/Mobile_App_Security_Checklist.xlsx
Anti-Reverse Engineering – Android & iOS

G o a l s
• Propose a methodology and checklist for assessing Code Protection mechanisms
• Built upon good ideas from MSTG & MASVS
• Make it specific to JavaScript
• Make it broader (not only Mobile, not only Browser, but any JavaScript-based application)
Available here:
https://github.com/pfortuna/javascript-software-protections-checklist

V 1 – Sy m b o l Re n a m i n g

V 2 – C o nt ro l F l o w

V 3 – D a ta O bf u s cat i o n

V 4 - C o d e I nte g r i t y

V 5 – R u nt i me D e fe n s e s

V 6 - D i ve rs i t y

V 7 - Re s i l i e n c e

C o n c l u s i o n s
Software Protections is a complex subject!
How can a security practitioner know the strength of the JavaScript software protection?
JavaScript is very complex and its very tricky to know this
Lots of deobfuscation and optimization techniques to master
Intuitively we judge a protection strength based on its potency, not its resilience
Where should we start?

C o n c l u s i o n s ( 2 )
We are proposing a methodology to measure it
Inspired by the MSTG and MASVS
Specific to JavaScript
Outcomes: checklist, talks
Where should we take this? Feedback needed!
https://github.com/pfortuna/javascript-software-protections-checklist
Don’t forget Cost, Diversity, Compliance, Support, ...

Any questions?
Pedro Fortuna
pedro.fortuna@jscrambler.com
Twitter: @pedrofortuna

OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protections really secure?

More Related Content

What's hot (19)

Similar to OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protections really secure? (20)

More from OWASP (20)

Recently uploaded (20)

OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protections really secure?

Editor's Notes