Automated cyber-attacks that exploit web applications have been on the rise throughout the past decade, growing in both frequency and variety. Many of these cyber-attacks have potentially devastating consequences. For instance, a recent automated attack modified banking transactions without using authentication credentials. Thus, defending against automated attacks is becoming an increasingly high priority for businesses with an online presence.
Implementing security countermeasures to prevent automated attacks generally comes at the cost of slowing down the operation of web applications. Because perceptible latency in interactions with such applications is unacceptable to users, increasing efficiency in the fight against cyber-attacks is, and will continue to be, an important objective.
According to various implementations, methods, apparatus, systems, and computer program products are provided for the detection of specific blocks of code within a larger body of source code. According to a particular class of implementations, source code is received from a server, responsive to a request from a client. A set of tokens based on the source code is generated. A first string of values representing a subset of the set of tokens is generated. It is determined whether any portion of the first string corresponds to any of a plurality of predetermined strings of values. The source code is processed responsive to determining whether any portion of the first string corresponds to any of the predetermined strings. The processed source code is provided to the client in response to the request.
In some implementations, each of the predetermined strings might correspond to a known library. In other implementations, each of the predetermined strings might correspond to previously processed code, and the processing of the source code might include use of processing results corresponding to the previously processed code.
According to some implementations, the source code might correspond to a web page and processing the source code might include recoding the source code to generate a polymorphic representation of the source code.
According to some implementations, where a first portion of the first string corresponds to one of the predetermined strings, a first portion of the source code corresponding to the first portion of the first string is excluded from at least a portion of the processing of the source code.
A further understanding of the nature and advantages of various implementations may be realized by reference to the remaining portions of the specification and the drawings.
This disclosure describes the automated, real-time detection of specific blocks of code within a larger body of source code. Specific implementations are described that involve the detection of known code libraries in web page code to improve the efficiency of the generation of polymorphic transformations of the web page code for the purpose of impeding automated cyber-attacks. However, it should be noted that these implementations are merely examples of a much broader class of applications contemplated by the inventors.
The polymorphic transformation of web page code involves dynamically altering the ordinarily static source code associated with a web page. This makes the source code more difficult to exploit from the perspective of an automated attacker while leaving web content viewable to the human user apparently unchanged. One challenge associated with such techniques is that, in order for a web page to remain functional, changes to its source code must be consistent across resources related to the web page. For instance, if a web page is associated with html source code further referencing JavaScript, any change made to the html code must be consistent with the internally referenced JavaScript and vice versa. Thus, changing the source code of a web page while maintaining its functionality requires identifying connections within and between components of the source code. Analyzing code for such connections can be computationally expensive, potentially introducing unacceptable latency in the delivery of web content and services to end users.
According to specific implementations described herein, blocks of code within source code that do not require processing are identified and excluded from processing, thereby reducing the latency associated with the processing of the source code. For example, detecting a known JavaScript library and excluding the library from unnecessary processing facilitates efficiency in the context of generating polymorphic transformations of web pages. In another example, gains in efficiency can be achieved by detecting code that has previously been analyzed for polymorphic transformation and excluding the analyzed code from potentially redundant processing and/or reusing the results of the previous processing.
A load balancer 116 acts as an intermediary between the servers 104 and the network 108, distributing source code (e.g., web pages served by servers 104) to one or more network appliances 120. The one or more network appliances 120 process at least a portion of the source code received, generating polymorphic representations of the source code. Ultimately, the one or more network appliances 120 provide the transformed source code to one or more client devices 112 via the load balancer 116 to the network 108.
A simplified block diagram of such a network appliance 120 is shown in
Appliance 120 also includes one or more network interfaces 208. The network interfaces 208 may be used to connect via wired or wireless connections to cellular networks, including the internet, public networks, private networks, local area networks, etc. For example, network interfaces 208 may include modules for a T-carrier such as a T1 or T3 line, an optical carrier line such as a line to a synchronous optical network or a fiber optic network, an Ethernet connection, a digital subscriber line, a telephone line, a coaxial cable, etc. Network interfaces 208 might also include radio frequency modules for a 3G or 4G cellular network, a WiFi local area network and a Bluetooth private network. Appliance 120 also includes one or more buses or other internal communications hardware or software (not shown) that allow for the transfer of data and instructions between the various modules and components of the appliance.
While appliance 120 might have many functions, this document focuses mainly on the use of appliance 120 to generate polymorphic representations of source code associated with a web page. In one implementation, appliance 120 receives Input Source Code 212 associated with a web page through one or more network interfaces 208. The Input Source Code 212 is processed by a series of modules. While the number and variety of modules will vary depending on the specific implementation, three modules relevant to the depicted implementation are discussed herein. It will be understood that these and other modules may be implemented by processor(s) 200 executing code in memory 204.
In the library detection module 216, appliance 120 detects blocks of source code within the Input Source Code 212. For instance, appliance 120 might be configured to detect known JavaScript libraries. In other examples, appliance 120 might be configured to detect known libraries associated with other languages such as JavaScript, CoffeeScript, TypeScript, Dart, Cascading Style Sheets (CSS), Hypertext Markup Language (html), C, C++, Python, PHP: Hypertext Preprocessor, Perl, Visual Basic Script, etc. In yet another example, appliance 120 could be configured to detect blocks of source code that have already been subject to some level processing in order to exclude those blocks of code from redundant processing. Library detection is discussed in more detail below.
At least a portion of the Input Source Code 212 is subject to processing at the Code Analysis Module 220. As discussed above, one challenge associated with modification of web page source code is that changes must be consistent across all resources related to the web page. Thus, in the context of generating polymorphic transformations of web page code, the Code Analysis Module 220 processes the code to identify connections between web page resources—e.g., between html source code and internally referenced JavaScript. For additional information regarding the processing of web page code in the context of generating polymorphic transformations of the code, please refer to U.S. patent application Ser. No. 14/055,704 for “Safe Intelligent Content Modification” filed on Oct. 16, 2013 (Attorney Docket No. 37109-0005001), the entire disclosure of which is incorporated herein by reference for all purposes.
According to some implementations, certain blocks of source code identified at the Library Detection Module 216 might be excluded from processing by the Code Analysis Module 220 to save computational resources. For instance, third party JavaScript libraries, such as jQuery, TeaLeaf, some jQuery plugins, etc., might be detected by the Library Detection Module 216 and, as a result, be excluded from processing by the Code Analysis Module 220. Along the same lines, if a block of source code is identified at the Library Detection Module 216 to be a block of source code that has been previously analyzed, the previously analyzed block of source code might also be excluded from processing by the Code Analysis Module 220.
A polymorphic representation of the Input Source Code 212 is generated at the Recoding Module 224. It should be noted that there are a number of ways to transform web page source code without changing the web page's appearance to a user. For instance, a variable (e.g., “user_name”) describing an inputted username could be changed from “user_name” to a random string (e.g., “n2qi87fpr3wr”). In another example, the layers of a field from which a username is gathered could be changed. Instead of taking all of the user name characters from a single field, the first and third characters might be entered in one field, the second character in another, etc. If the fields are overlaid in the user interface, a user cannot tell the difference between a representation of a website where all username characters are gathered from a single field and a representation where the characters are gathered from multiple overlaid fields. Ultimately, the recoding process can vary greatly from implementation to implementation. Further examples may be found with reference to U.S. application Ser. No. 14/055,704 incorporated herein by reference above.
After the source code is transformed in the Recoding Module 224, Output Source Code 228 comprising a polymorphic representation of the Input Source Code 212 is transmitted from the appliance 120 via the one or more network interfaces 208. In some implementations, the Output Source Code 228 is transmitted to a load balancer (e.g., load balancer 116 of
It should be noted that, despite references to specific computing paradigms and software tools in this disclosure, the computer program instructions on which implementations are based may correspond to any of a wide variety of programming languages, software tools and data formats, may be stored in any type of non-transitory computer-readable storage media or memory device(s), and may be executed according to a variety of computing models including, for example, a client/server model, a peer-to-peer model, on a stand-alone computing device, or according to a distributed computing model in which various functionalities may be effected or employed at different locations. In addition, references to particular protocols in this disclosure are merely by way of example. Suitable alternatives known to those of skill in the art may be employed as appropriate for particular implementations.
Referring now to
Source code is received from a server in response to a request from a client (300). The source code could include components in a wide variety of languages including, for example, JavaScript, CoffeeScript, TypeScript, Dart, Cascading Style Sheets (CSS), Hypertext Markup Language (html), C, C++, Python, PHP: Hypertext Preprocessor, Perl, Visual Basic Script, etc. The source code could also be associated with a number of objects including, for example, an executable program. For the sake of clarity and brevity, the specific implementations discussed in this document will focus on source code associated with a web page. However, it will be understood that the described techniques are not so limited.
A set of tokens is generated based on the source code (304). Tokenization is a broadly defined process. For instance, tokenization might include breaking up the source code into recognized words, whitespace, and punctuation, and including the whitespace and punctuation in the set of tokens. In another scenario, whitespace and punctuation may not be included. An example of tokenization is provided in
Any number of tokens, including zero, might be removed from the set of tokens to produce a subset of tokens (308). For example, in the context of web page code, some of the removed tokens might be associated with one or more portions of the source code that are unnecessary for processing of the source code by a browser. Tokens might also be removed such that the subset of tokens is sufficient, but no greater in size than necessary, to uniquely identify the various blocks of code within the source code. In other situations, a greater number of tokens may be removed such that various blocks within the source code may no longer be completely uniquely identifiable but are still sufficiently likely to be correctly identified based on the remaining subset of tokens.
In the example shown in
Referring again to
It is then determined whether any portion of the string corresponds to any of a plurality of predetermined strings of values, each of which corresponds to a known library or block of code (316).
In a particular implementation, the predetermined strings are included in a previously generated database of strings in which at least some of the strings represent known JavaScript libraries. The database could be generated offline using a process similar to that described above with reference to 304-312. That is, each known library or block of code to be included in the database could be tokenized (304), have tokens optionally removed (308), and a have a representative string generated based on the remaining tokens (312). Such a database might, for example, be stored in the memory of or be otherwise available to appliance 120.
According to various implementations, determining whether any portion of a string generated from received source code corresponds to any of the predetermined strings (316) can be done in a variety of ways. According to a particular class of implementations, the identification process is implemented as a finite state machine, which is pre-computed offline. Pre-computing the state machine offline, allows it to be loaded into the memory of a device, e.g., appliance 120. Advantageously, the state machine operates quickly, allowing the string matching process to operate with little or no perceptible latency.
An example of the operation of such a state machine, employing the Aho-Corasick algorithm, is illustrated in
As depicted in
To illustrate how the state machine works, it may be helpful to walk through a specific example. Assume that a string representing received source code comprising integers 138647 is inputted into the machine. Beginning at root state 604, the first character of the input string, 1, will change the state to 608. The next character, 3, will change the state to 612. There is no transition from state 612 associated with the next character of the input string, 8, leading to a failure. There is a failure transition leading from 612 to 620 because 3 is a prefix leading to both state 612 and 620; therefore, the state will change to 620. The next characters, 8, 6, and 4, trigger transitions leading to states 624, 628, and 632 respectively. State 632 is an endpoint corresponding to the Mootools library; therefore, the machine will output that the 3864 portion of the string matches the Mootools library. There is no transition from state 632 corresponding to 7; thus, the next character, 7, leads to back to root state 604. Again, there is no transition associated with 7, so the state will not change. At this point, there are no remaining elements in the inputted string; thus, the process will stop.
Returning to
According to some implementations, it may optionally be determined whether any portion of the string representing the received code corresponds to any of an additional set of predetermined strings, each of which corresponds to previously processed code (324). This allows for the re-use of the results of previous processing (328) after, for example, blocks of code have been processed and cached. For example, once a block of code has been processed, a string corresponding to that block of code can be saved as one of the predetermined strings. When a previously processed block of code is detected in newly received code, redundant processing steps can be avoided. For example, assume that a user accesses a web page that was accessed by another user. Also assume that at the time the first user accessed the web page, the source code associated with the web page was processed. Thus, when the second user accesses the same web page, a portion of the source code associated with the web page will have been previously processed. Because the portion of previously processed source code has already been subject to a level of processing, the results of the processing might be reused or redundant processing might be avoided altogether.
In some instances, data surrounding the processing of web page source code might be shared by multiple devices. For example, source code might be analyzed for connections by a first device (e.g., an appliance 120) when a web page is accessed by a first user. A string corresponding to the analyzed code could be shared with one or more additional devices (e.g., additional appliances 120). Thus, when future users access the previously analyzed web page, the analyzed code will be detected and redundant analysis skipped even if the first device is offline.
It should be noted that string processing for the detection of known libraries and the detection of previously processed code have been described as being performed separately for the purpose of clear illustration. However, it will be understood that these detections may be performed together as part of the same sequence of processing steps. That is, the predetermined strings corresponding to known libraries and those corresponding to previously processed code may be stored in the same database and be used to implement a single state machine against which received code is processed as described.
Returning to
It is important to note that the processing of the source code as represented in
Returning to
As mentioned above, the disclosed methods, apparatus, and computer-readable storage media for detecting specific blocks of code within a larger body of source code are not limited to the detection of known libraries. For example, they might be used purely for caching the results of previous processing as described above. For example, when a block of source code is analyzed, e.g., in the code analysis module 220 in appliance 120, a string representing the analyzed source code can be cached so as to prevent subsequent re-analysis of the same code. In another example, once source code has been through some level of processing (e.g., polymorphic transformation), the processed source code itself can be cached for later re-use. Alternatively, a result from the processing of a block of source code, e.g., whether or not the block of source code is transformable, can be cached and later re-used when that block of source code is identified.
Another useful implementation of detecting specific blocks of code within a larger body of source code might involve detecting malicious code that has been injected into web page source code. For example, a dynamically generated web page might receive an input containing a malicious script. A string representing the web page source code can be compared to a database of predetermined strings representing certain malicious scripts using the methods described herein. If a malicious script is detected, the malicious script can be removed before damage is done.
Yet another useful implementation of detecting specific blocks of code within a larger body of source code might involve source code scanning. For example, the detection methods disclosed herein could be used by developers to detect third party libraries in a source code repository.
While the subject matter of this application has been particularly shown and described with reference to specific implementations thereof, it will be understood by those skilled in the art that changes in the form and details of the disclosed implementations may be made without departing from the spirit or scope of the invention. Examples of some of these implementations are illustrated in the accompanying drawings, and specific details are set forth in order to provide a thorough understanding thereof. It should be noted that implementations may be practiced without some or all of these specific details. In addition, well known features may not have been described in detail to promote clarity. Finally, although various advantages have been discussed herein with reference to various implementations, it will be understood that the scope of the invention should not be limited by reference to such advantages. Rather, the scope of the invention should be determined with reference to the appended claims.
Number | Name | Date | Kind |
---|---|---|---|
6938170 | Kraft et al. | Aug 2005 | B1 |
7058699 | Chiou | Jun 2006 | B1 |
7117429 | Vedullapalli et al. | Oct 2006 | B2 |
7398553 | Li | Jul 2008 | B1 |
7464326 | Kawai et al. | Dec 2008 | B2 |
7480385 | Weber | Jan 2009 | B2 |
7636945 | Chandnani | Dec 2009 | B2 |
7707223 | Zubenko et al. | Apr 2010 | B2 |
7836425 | Rubin et al. | Nov 2010 | B2 |
7895653 | Calo et al. | Feb 2011 | B2 |
8020193 | Bhola et al. | Sep 2011 | B2 |
8086756 | Kamyshenko et al. | Dec 2011 | B2 |
8086957 | Bauchot et al. | Dec 2011 | B2 |
8170020 | Oliver et al. | May 2012 | B2 |
8200958 | Coppola et al. | Jun 2012 | B2 |
8266202 | Colton et al. | Sep 2012 | B1 |
8453126 | Ganelin | May 2013 | B1 |
8533480 | Pravetz et al. | Sep 2013 | B2 |
8555388 | Wang et al. | Oct 2013 | B1 |
8561193 | Srivastava et al. | Oct 2013 | B1 |
8589405 | Estan | Nov 2013 | B1 |
8621197 | Suryanarayana et al. | Dec 2013 | B2 |
8677481 | Lee | Mar 2014 | B1 |
8689330 | Sinn et al. | Apr 2014 | B2 |
8762962 | Ben-Artzi | Jun 2014 | B2 |
8914879 | Melnik et al. | Dec 2014 | B2 |
20020099827 | Shah et al. | Jul 2002 | A1 |
20020199116 | Hoene et al. | Dec 2002 | A1 |
20040088651 | McKnight | May 2004 | A1 |
20040162994 | Cohen et al. | Aug 2004 | A1 |
20050216770 | Rowett et al. | Sep 2005 | A1 |
20050240999 | Rubin | Oct 2005 | A1 |
20050251536 | Harik | Nov 2005 | A1 |
20060053295 | Madhusudan et al. | Mar 2006 | A1 |
20060288418 | Yang et al. | Dec 2006 | A1 |
20070011295 | Hansen | Jan 2007 | A1 |
20070064617 | Reves | Mar 2007 | A1 |
20070074227 | Naidu et al. | Mar 2007 | A1 |
20080222736 | Boodaei et al. | Sep 2008 | A1 |
20090070459 | Cho | Mar 2009 | A1 |
20090099988 | Stokes et al. | Apr 2009 | A1 |
20090144829 | Grigsby et al. | Jun 2009 | A1 |
20090193513 | Agarwal et al. | Jul 2009 | A1 |
20090241174 | Rajan et al. | Sep 2009 | A1 |
20090249310 | Meijer et al. | Oct 2009 | A1 |
20090282062 | Husic | Nov 2009 | A1 |
20090292984 | Bauchot et al. | Nov 2009 | A1 |
20100235637 | Lu et al. | Sep 2010 | A1 |
20100235910 | Ku et al. | Sep 2010 | A1 |
20100257354 | Johnston et al. | Oct 2010 | A1 |
20100262780 | Mahan et al. | Oct 2010 | A1 |
20100287132 | Hauser | Nov 2010 | A1 |
20110015917 | Wang et al. | Jan 2011 | A1 |
20110022846 | Ginter et al. | Jan 2011 | A1 |
20110047169 | Leighton et al. | Feb 2011 | A1 |
20110154308 | Lobo | Jun 2011 | A1 |
20110178973 | Lopez et al. | Jul 2011 | A1 |
20110185427 | Aciicmez | Jul 2011 | A1 |
20110296391 | Gass et al. | Dec 2011 | A1 |
20110320816 | Yao et al. | Dec 2011 | A1 |
20120022942 | Holloway et al. | Jan 2012 | A1 |
20120096116 | Mislove et al. | Apr 2012 | A1 |
20120124372 | Dilley et al. | May 2012 | A1 |
20120198528 | Baumhof | Aug 2012 | A1 |
20120216251 | Kumar et al. | Aug 2012 | A1 |
20130091582 | Chen et al. | Apr 2013 | A1 |
20130198607 | Mischook et al. | Aug 2013 | A1 |
20130219256 | Lloyd et al. | Aug 2013 | A1 |
20130227397 | Tvorun et al. | Aug 2013 | A1 |
20130232234 | Kapur et al. | Sep 2013 | A1 |
20130263264 | Klein et al. | Oct 2013 | A1 |
20130340043 | Zarei et al. | Dec 2013 | A1 |
20140040787 | Mills et al. | Feb 2014 | A1 |
20140089786 | Hashmi | Mar 2014 | A1 |
20140281535 | Kane et al. | Sep 2014 | A1 |
20150058992 | El-Moussa | Feb 2015 | A1 |
20150304337 | Nguyen-Tuong | Oct 2015 | A1 |
Number | Date | Country |
---|---|---|
101471818 | May 2011 | CN |
2443093 | Apr 2008 | GB |
WO0072119 | Nov 2000 | WO |
WO02093369 | Nov 2002 | WO |
WO2008095018 | Aug 2008 | WO |
WO2008095031 | Aug 2008 | WO |
WO2008130946 | Oct 2008 | WO |
WO2010046314 | Apr 2010 | WO |
WO2013091709 | Jun 2013 | WO |
Entry |
---|
Aho, A., et al. (Jun. 1975) “Efficient String Matching: An Aid to Bibliographic Search” In Communications of the ACM, vol. 18, issue 6, pp. 333-340. |
U.S. Appl. No. 14/055,704, filed Oct. 16, 2013, Call et al. |
Cova et al., “Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code,” World Wide Web Conference Committee, Apr. 26-30, 2010. Retrieved from the Internet <URL: http://www.cs.ucsb.edu/˜vigna/publications /2010—cova—kruegel—vigna—Wepawet.pdf>, 10 pages. |
Currie et al., “In-the-wire authentication: Protecting client-side critical data fields in secure network transactions,” 2nd International Conference on Adaptive Science and Technology, 2009, pp. 232-237. |
Egele et al., “Defending Browsers against Drive-by Downloads: Mitigating Heap-spraying Code Injection Attacks,” Detection of Intrusions and Malware, and Vulnerability Assessment Lecture Notes in Computer Science, 5587:88-106. Retrieved from the Internet: <URL: http://anubis.seclagb.tuwien.ac.at/papers/driveby.pdf>, 19 pages, 2009. |
Hofmeyr et al., Intrusion Detection using Sequence of System calls, Journal of Computer Security 6 (1998). |
Li et al., “WebShield: Enabling various web defense techniques without client side modifications,” In Proceedings of the 18th Annual Network and Distributed System Security Symposium (NDSS), 2011, 18 pages. |
Matsunaka et al., “Detecting and Preventing Drive-By Download Attack via Participative Monitoring of the Web,” in Information Security (Asia JCIS), 2013 Eighth Asia Joint Conference on Information Security, pp. 48-55. doi: 10.1109/ASIAJCIS.2013.15. |
Oh, “Recent Java exploitation trends and malware,” Black Hat USA 2012, Retrieved from the Internet; <URL: https://media.blackhat.com/bh-us12/Briefings/Oh/GBH—US—12—Oh—Recent—Java—Exploitation—Trends-and—Malware—WP.pdf>, 27 pages. |
Pattabiraman and Zorn, “DoDOM: Leveraging DOM Invariants for Web 2.0 Application Robustness Testing,” 2010 IEEE 21st International Symposium on Software Reliability Engineering, pp. 191-200. |
Rieck et al. “Cujo: Efficient Detection and Prevention of Drive-by-Download Attacks,” ACSAC 2010, Austin, Texas, Dec. 6-10, 9 pages. |
Sedaghat et al.; “On-the-fly web content integrity check boosts users' confidence”; Nov. 2002; Communications of the ACM , vol. 45 Issue 11; Publisher: ACM; pp. 33-37. |
Number | Date | Country | |
---|---|---|---|
20150347756 A1 | Dec 2015 | US |