
«Studying JavaScript Security Through Static Analysis: Detection of Malicious and Vulnerable Code», DefMal Webinar with Aurore Fass

16 April 2024 @ 14:00 pm - 17:00 pm

JavaScript is a browser scripting language that was designed to create sophisticated and interactive web pages. However, JavaScript also provides an entry point for an attacker to exploit bugs and vulnerabilities in web pages and browser extensions. In practice, an attacker can leverage both malicious and vulnerable JavaScript code to compromise the security and privacy of Web users.
In this talk, I will approach these issues by proposing several systems to statically analyze real-world JavaScript code.
First, I will focus on _malicious JavaScript_. I will briefly introduce static detectors, which leverage machine learning techniques to detect malicious JavaScript samples. Then, I will evaluate the robustness of such static detectors in an adversarial setting. In particular, I will introduce HideNoSeek, our generic camouflage attack that consists of rewriting malicious JavaScript samples so that they have the same syntactic structure as existing benign scripts.
Finally, I will focus on _vulnerable JavaScript_ code from browser extensions. I will present DoubleX, our open-source static analyzer that detects vulnerable data flows in browser extensions with high precision (89%) and recall (93%).
Through this talk, I aim to raise awareness about the risks posed by malicious and vulnerable JavaScript code, and to discuss strategies for mitigating such threats.

Speaker’s bio:

Aurore Fass is a Tenure-Track Faculty at CISPA Helmholtz Center for Information Security. She got her Ph.D. from CISPA & Saarland University in 2021. From 2021 to 2023, she was a Visiting Assistant Professor of Computer Science at Stanford University. Aurore’s research broadly focuses on Web Security & Privacy and Web Measurements. Specifically, she designs practical approaches to protect the security and privacy of Web users. She builds systems to proactively detect malicious JavaScript code and suspicious browser extensions.
Aurore co-chaired the MADWeb 2024 & 2023 workshop, co-located with NDSS, and she is ACM CCS 2024 workshop co-chair. In addition, she has served on the program committees of the leading security conferences and has received Distinguished Reviewer Awards at ACM CCS 2023 & 2022, ACSAC 2023, and TheWebConf 2022.

  • Contact: Maira Nassau (firstname.lastname@loria.fr)

