Computer Security class project
JavaScript
chrome/content
test
.gitignore
Makefile
README.md
chrome.manifest
install.rdf

README.md

PURPOSE

Beepbop is a Firefox extension that attempts to strip malicious JavaScript code before the browser parses a page.

USAGE

Build and install Beepbop:

$ make
$ make install

RATIONALE

Malicious JavaScript can come in many forms. Quite often, it will fit into one of four categories:

  1. Shell code that is executed by exploiting vulnerable plugins.
  2. Infinite alerts or other infinite loops.
  3. Re-opening a window after the user closes it.
  4. Malicious code delivered through (typically) invisible iframes.

Beepbop prevents the first form by detecting sequences of encoded Unicode characters that are passed to unescape calls. In JavaScript, strings are implemented as consecutive sequences of UTF-16 code units, so any shell code (assembly code) can be directly encoded and loaded into memory via an unescape call. For an example, look at test/shellcode.js. If the proxy sees a certain number of encoded UTF-16 characters and a certain number of unescape calls, the script is marked as malicious and removed.

The other three cases are detected and removed through simple regular expressions.
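
The unescape heuristic described above, sketched as an added example (not Beepbop's own code). The thresholds, function names and sample page are assumptions, and the escaped units in the sample are constructed filler rather than real shell code.

```javascript
// Added example, not Beepbop's code. Thresholds and names are assumptions.
const MIN_ESCAPED_UNITS = 8;  // assumed: escaped UTF-16 code units needed to flag
const MIN_UNESCAPE_CALLS = 1; // assumed: unescape() calls needed to flag

const ESCAPED_UNIT = /%u[0-9a-f]{4}/gi; // one %uXXXX escape = one UTF-16 code unit
const UNESCAPE_CALL = /\bunescape\s*\(/g;
const INLINE_SCRIPT = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;

// Count both signals in one script body.
function scoreScript(source) {
  // Merge literals written as '...' + '...' so an escape split across the
  // concatenation is still counted as one unit.
  const merged = source.replace(/(["'])\s*\+\s*\1/g, "");
  return {
    escapedUnits: (merged.match(ESCAPED_UNIT) || []).length,
    unescapeCalls: (merged.match(UNESCAPE_CALL) || []).length,
  };
}

// A script is flagged only when both counts reach their thresholds.
function isSuspicious(source) {
  const s = scoreScript(source);
  return s.escapedUnits >= MIN_ESCAPED_UNITS &&
         s.unescapeCalls >= MIN_UNESCAPE_CALLS;
}

// Remove flagged inline scripts from an HTML string. Returns the cleaned
// HTML and the number of scripts removed.
function stripSuspiciousScripts(html) {
  let removed = 0;
  const cleaned = html.replace(INLINE_SCRIPT, (block, body) => {
    if (!isSuspicious(body)) return block;
    removed += 1;
    return "";
  });
  return { html: cleaned, removed };
}

// Constructed sample page: 12 filler units (0x4141), split mid-escape.
const FILLER = "%u4141".repeat(12);
const BENIGN = "<script>var q = unescape('a%20b');</script>";
const FLAGGED_BODY =
  "var s = unescape('" + FILLER.slice(0, 39) + "' + '" + FILLER.slice(39) + "');";
const SAMPLE_PAGE = "<p>hello</p>" + BENIGN + "<script>" + FLAGGED_BODY + "</script>";
```

The benign script calls unescape once but carries no %uXXXX units, so it is kept; only the script that meets both thresholds is removed.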

SHORTCOMINGS

JavaScript is an interpreted language. Because of this, static analysis of JavaScript code is VERY difficult. While Beepbop can detect simple cases through regular expressions or parse trees, it is useless against obfuscated code. Often, malicious code will be obfuscated in several layers, so it has to be unrolled through multiple passes of the JavaScript engine. The only way to prevent code like this is through much more advanced dynamic analysis techniques. Anti-virus vendors already do this through costly methods such as virtual-machine-based honeypots that have to be reloaded after every execution.

A more operational version of this project was implemented as a proxy. This browser extension attempts to examine JavaScript before and during execution to determine whether it is malicious. However, the authors found this to be extremely difficult to implement through published APIs. A more feasible option would be to build such detection into the JavaScript engine, but this would result in a custom browser, which the authors did not want.

AUTHORS
