Announcing the Shift JavaScript AST Specification

In time for the holidays, we are happy to release Shape Security’s first open source contributions: a new JavaScript AST specification named Shift, and a suite of tools to help you get started working with it.

What is an AST?

An Abstract Syntax Tree is simply a tree representation of a program’s source code. The nodes in an AST represent individual aspects of the language such as identifiers, statements, and literals. This structure is commonly the result of a successful parse of source code.

What can I do with it?

Having an easy to use data structure that represents a program’s source code allows you to write programs that treat code as they would any other piece of data. You can reliably generate new source, transform between languages, replace subtrees, analyze, lint, and auto-format code. ASTs are used by anything that needs to operate on code: IDEs, parsers, linters, analyzers, optimizers, compilers, and more. AST formats that are publicly standardized enable developers to centralize their efforts over a common structure, reducing duplicate work and allowing tools to be composed together.

This doesn’t exist already?

Mozilla exposed the SpiderMonkey Reflect.parse API in 2010 to encourage better tooling for JavaScript. This proved to be incredibly useful to the JavaScript community, enabling the creation of parsers like Esprima and Acorn and catalyzing a vast ecosystem of tools. Hundreds of projects rely upon these tools, including eslint, plato, istanbul, jscs, browserify, and many more.

However, the SpiderMonkey AST format was not specifically created for these tools. The SpiderMonkey AST originated as the internal representation of a JavaScript program in the SpiderMonkey engine, which was intended to be used only for interpretation. As tools were created and more use cases for a standard AST were recognized, many difficulties in dealing with SpiderMonkey format ASTs surfaced.

The SpiderMonkey AST and its ecosystem of tools and parsers is formidable and we don’t take deviation lightly. Our work at Shape Security has presented us with many problems that involve deep analysis and transformation of JavaScript. We have been forced to rethink what it means to represent and transform a JavaScript program, and in doing so developed this alternative AST format. The main advantages of using the Shift AST format are that it makes it much more difficult to accidentally perform a transformation that creates an invalid AST, and the nodes align more closely to the syntactic features they represent.

More than just the AST

An AST specification doesn’t have much value without a surrounding ecosystem. We’ve open-sourced JavaScript and Java implementations of the foundational tooling necessary to foster development of a supporting ecosystem around the Shift AST format. The following tools have been made available for both environments.

  • AST Node Constructors
  • Parser
  • Code Generator
  • Reducer
  • Validator
  • Scope Analyzer

In addition, we’ve released a tool for converting back and forth between the Shift and SpiderMonkey AST formats. All of these are available on the Shape Security Github account.
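The workflow the two preceding sections describe (parse source into a tree, validate it, replace subtrees, generate source again) as an added example. This is not code from the Shift libraries or from Shape Security; it is a constructed toy expression language (numbers, identifiers, `+ - * /`, parentheses) whose node type names are modeled on Shift's naming, which is an assumption here. The validator and the constant-folding transform together illustrate the post's point about making it hard to produce an invalid tree: folding `1 - 2` into a literal `-1` would create a node that cannot exist in the language, so the transform leaves that subtree alone and the validator rejects such a node if one is built by hand.

```javascript
// Added example (not Shift library code): toy expression AST with parser,
// validator, subtree-replacing transform and code generator. Node type names
// follow Shift's naming (assumption); the grammar is constructed for this demo.

// Tokenizer: sticky regex, one token per match; trailing whitespace trimmed first.
function tokenize(src) {
  const re = /\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_$][\w$]*)|([-+*\/()]))/y;
  const tokens = [];
  src = src.trim();
  while (re.lastIndex < src.length) {
    const at = re.lastIndex, m = re.exec(src);
    if (m === null) throw new SyntaxError(`Unexpected input at offset ${at}`);
    if (m[1] !== undefined) tokens.push({ kind: "num", text: m[1] });
    else if (m[2] !== undefined) tokens.push({ kind: "id", text: m[2] });
    else tokens.push({ kind: "punct", text: m[3] });
  }
  return tokens;
}

// Recursive-descent parser; * and / bind tighter than + and -, all left-associative.
function parse(src) {
  const tokens = tokenize(src);
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];
  function primary() {
    const t = next();
    if (!t) throw new SyntaxError("Unexpected end of input");
    if (t.kind === "num") return { type: "LiteralNumericExpression", value: Number(t.text) };
    if (t.kind === "id") return { type: "IdentifierExpression", name: t.text };
    if (t.text === "(") {
      const inner = additive();
      if (!peek() || next().text !== ")") throw new SyntaxError("Expected ')'");
      return inner;
    }
    throw new SyntaxError(`Unexpected token '${t.text}'`);
  }
  function binaryLevel(operators, operand) {
    let left = operand();
    while (peek() && operators.includes(peek().text)) {
      const operator = next().text;
      left = { type: "BinaryExpression", operator, left, right: operand() };
    }
    return left;
  }
  const multiplicative = () => binaryLevel(["*", "/"], primary);
  const additive = () => binaryLevel(["+", "-"], multiplicative);
  const tree = additive();
  if (pos !== tokens.length) throw new SyntaxError(`Trailing input '${peek().text}'`);
  return tree;
}

// Validator: returns the list of structural problems, empty when the tree is well formed.
const OPERATORS = new Set(["+", "-", "*", "/"]);
function validate(node, errors = []) {
  switch (node && node.type) {
    case "LiteralNumericExpression":
      // A numeric literal is never negative or non-finite; -1 is unary minus applied to 1.
      if (!Number.isFinite(node.value) || node.value < 0) errors.push("bad literal value");
      break;
    case "IdentifierExpression":
      if (!/^[A-Za-z_$][\w$]*$/.test(String(node.name))) errors.push("bad identifier name");
      break;
    case "BinaryExpression":
      if (!OPERATORS.has(node.operator)) errors.push(`unknown operator ${node.operator}`);
      validate(node.left, errors);
      validate(node.right, errors);
      break;
    default:
      errors.push(`unknown node type ${node && node.type}`);
  }
  return errors;
}

// Transform: constant folding, replacing a BinaryExpression subtree with a literal.
// Refuses to fold when the result could not be written as a literal (negative,
// NaN, Infinity), so its output always passes validate().
const EVAL = { "+": (a, b) => a + b, "-": (a, b) => a - b, "*": (a, b) => a * b, "/": (a, b) => a / b };
function fold(node) {
  if (node.type !== "BinaryExpression") return node;
  const left = fold(node.left), right = fold(node.right);
  if (left.type === "LiteralNumericExpression" && right.type === "LiteralNumericExpression") {
    const value = EVAL[node.operator](left.value, right.value);
    if (Number.isFinite(value) && value >= 0) return { type: "LiteralNumericExpression", value };
  }
  return { type: "BinaryExpression", operator: node.operator, left, right };
}

// Code generator: tree back to source, parenthesising only where precedence requires it.
const PRECEDENCE = { "+": 1, "-": 1, "*": 2, "/": 2 };
function generate(node) {
  if (node.type === "LiteralNumericExpression") return String(node.value);
  if (node.type === "IdentifierExpression") return node.name;
  if (node.type !== "BinaryExpression") throw new TypeError(`cannot generate ${node.type}`);
  const p = PRECEDENCE[node.operator];
  const child = (c, isRight) => {
    const s = generate(c);
    if (c.type !== "BinaryExpression") return s;
    const cp = PRECEDENCE[c.operator];
    // Left-associative operators: a right operand of equal precedence needs parentheses.
    return cp < p || (cp === p && isRight) ? `(${s})` : s;
  };
  return `${child(node.left, false)} ${node.operator} ${child(node.right, true)}`;
}
```

Calling `generate(fold(parse("x + 2 * 3")))` yields `x + 6`, while `generate(fold(parse("1 - 2")))` stays `1 - 2`; the round trip `generate(parse(...))` reinserts only the parentheses the precedence rules need, so `(a - b) - c` comes back as `a - b - c` and `a - (b - c)` keeps its parentheses.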

The road forward

We will continue to develop tooling based on the Shift AST format and will iterate on the existing libraries, optimize for performance, and add ECMAScript 6 support.

The Shift AST format was developed with ECMAScript 6 in mind. The es6 branches of both the specification and the JavaScript AST constructors already include full support for ECMAScript 6, and we plan to add support to all of the tooling we have released so far.

Contributors

Some of the developers behind the Shift AST format and associated tools are active contributors and maintainers of JavaScript language tools that are popular in the JavaScript community. Work on those tools is not ending, nor does the work here immediately affect any future plans for those tools.

Windows XP End-of-Support Will Result In More Powerful Botnets

When Microsoft announced the official end-of-support date for Windows XP, media around the world signaled this event as the end of an era.

But to enterprise security professionals, the end-of-support for 25% of the market is a terrifying prospect. Botnets, which rely on infecting computers with weak defenses, will become more powerful as XP support drops off.

Today marks the official end-of-support for Windows XP, which means no more security updates for Windows XP installations. Non-supported Windows XP installations will not get updates and will over time become less secure and easier to hijack.

As millions of XP machines become less secure, we will see more Windows XP machines usurped and zombified for malicious web attacks. Now that Windows XP machines will be easier to hijack, more nodes will be available to botnets to make attacks on web servers. This will impact the day-to-day of CISOs and security professionals whose job it is to protect web infrastructure from attacks.

While many organizations are focused on upgrading to more modern operating systems, it’s the devices that they have no control over that may end up doing the most damage. It boils down to this: while an enterprise may do everything right to upgrade and protect its own computers, they don’t control the millions of devices still running XP in the wild.

Vulnerable devices get compromised, and compromised devices become parts of a botnet. Botnets provide cybercriminals with a platform for everything from DDoS against websites to sophisticated account takeover and fraud. As official support for XP runs out, attackers will naturally rush in to take advantage of those left behind.

Here is a quick breakdown of the numbers to help quantify the significance.

Windows XP Usage Remains High

Industry statistics of operating system usage can vary wildly, and current estimates of XP usage range from 10% to 28% of the total operating systems used worldwide. With an estimated 2 billion PCs in the world, that means that somewhere between 200 million to 580 million devices will be vulnerable by definition.

Source: NetMarketShare 2014

Windows XP Vulnerabilities Remain High

2013 was a busy year for new Windows XP vulnerabilities, with a total of 88 new vulnerabilities reported. For comparison, this is twice as many vulnerabilities as were observed in 2012. The comparative view of Microsoft CVEs shows that while XP is not the leading source of vulnerabilities, it remains a very significant source of new vulnerabilities.

Source: CVEDetails.com

Windows XP Infection Rates Remain High

Microsoft’s latest Security Intelligence Report shows that while the popularity of XP is on par with other Windows operating systems, the infection rate is almost double that of more modern operating systems.

Source: Microsoft Security Intelligence Report Volume 15

These statistics certainly favor the attackers. Even if enterprises manage the Windows XP end-of-life perfectly, all of the unprotected XP devices in the wild remain. This is why deflecting bots and automated threats has become so important for virtually any organization with an Internet-facing site or application.

Clarification: Wade Williamson wrote this article.

How Heartbleed Bug Affects Web Security

The news has been reeling with the announcement of the Heartbleed Bug. Want to know how the vulnerability works? Curious about how adversely this affects you or your organization? Our director of product security Michael Coates explains below.

HTTPS is layered on top of Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to enable a user to securely communicate with a website without tampering or monitoring from intermediate parties.

However, on April 7, 2014 a serious vulnerability (CVE-2014-0160 – https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160) was uncovered within the TLS heartbeat extension in versions of OpenSSL that place the encrypted communication at risk. Attackers can leverage this bug to obtain the private keys from the webserver and use this information to decrypt and monitor communications that are taking place over SSL/TLS, exposing any sensitive data communicated by the user.

Scope of the vulnerability

1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.

Apache, which uses OpenSSL for HTTPS, is used by 66% of all websites according to netcraft.com (http://news.netcraft.com/archives/2014/04/02/april-2014-web-server-survey.html). A study of the TLS heartbeat extension by Netcraft also identified that 17.5% of SSL sites may be vulnerable to the Heartbleed bug (http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html).

Is a patch available?

Yes – OpenSSL 1.0.1g was released on April 7, 2014 (https://www.openssl.org/source/).

Impact of the vulnerability

This vulnerability allows an attacker to extract memory contents from the webserver through the vulnerability in the heartbeat. As a result an attacker may be able to access sensitive information such as the private keys used for SSL/TLS.

  • Active Attack – Equipped with the private key, an attacker can silently monitor and decrypt communications between the user and the web server. As a result, an attacker could view private data such as passwords, credit card data, medical records and any other sensitive data the user exchanges with the website. In addition, the attacker could impersonate the target website to deliver fake, inaccurate or malicious data to the user.
  • Offline Attack – Some well funded attackers gather large amounts of encrypted data and store this data in the event they can later decrypt the information. Using the Heartbleed vulnerability the attackers could decrypt this information if it was obtained when passed between a user and a vulnerable website. This means that sensitive data exchanged up to two years ago could also now be at risk for exposure to attackers. Note: sites implementing Perfect Forward Secrecy are protected against this particular attack.
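The memory-disclosure mechanism above comes down to one missing length check in the heartbeat handler, and the fix in OpenSSL 1.0.1g is that check. The following is an added example written for this page, not OpenSSL's code: it processes a TLS heartbeat record laid out as in RFC 6520 (one type byte, a two-byte big-endian payload_length, the payload, then at least 16 bytes of padding) and refuses to build a response unless the declared payload length fits inside the bytes actually received. The `makeHeartbeatRequest` helper is a constructed test fixture for exercising the check.

```javascript
// Added example (not OpenSSL's code): the bounds check that the CVE-2014-0160
// fix introduced, applied to a heartbeat record as laid out in RFC 6520.
// Returns the response record, or null when the request is rejected.
const HEARTBEAT_REQUEST = 1;
const HEARTBEAT_RESPONSE = 2;
const MIN_PADDING = 16;

function buildHeartbeatResponse(record) {
  if (!Buffer.isBuffer(record)) throw new TypeError("record must be a Buffer");
  // The record must hold at least the 3-byte header and the minimum padding.
  if (record.length < 1 + 2 + MIN_PADDING) return null;
  if (record[0] !== HEARTBEAT_REQUEST) return null;
  const payloadLength = record.readUInt16BE(1);
  // The check the vulnerable releases lacked: the sender's payload_length must
  // fit inside the bytes actually received. Without it the server echoed
  // payloadLength bytes starting at the payload, reading past the record into
  // whatever else the process had in memory.
  if (1 + 2 + payloadLength + MIN_PADDING > record.length) return null;
  const response = Buffer.alloc(1 + 2 + payloadLength + MIN_PADDING);
  response[0] = HEARTBEAT_RESPONSE;
  response.writeUInt16BE(payloadLength, 1);
  record.copy(response, 3, 3, 3 + payloadLength);
  // Padding is random in TLS; left as zeros here so the output is deterministic.
  return response;
}

// Constructed test fixture: a request record carrying `payload`. The optional
// declaredLength lets a test state a payload_length that does not match the
// bytes actually present, which is exactly what the check above must reject.
function makeHeartbeatRequest(payload, declaredLength = payload.length) {
  const record = Buffer.alloc(1 + 2 + payload.length + MIN_PADDING);
  record[0] = HEARTBEAT_REQUEST;
  record.writeUInt16BE(declaredLength, 1);
  payload.copy(record, 3);
  return record;
}
```

A well-formed four-byte request produces a 23-byte response that echoes the payload; the same four bytes with a declared length of 16384 are rejected, as is any record too short to hold the header and padding.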

Who might exploit this vulnerability?

In order to decrypt data exchanged between a user and a website, the attacker must have access to network devices along the communication path. This attack could most easily be launched by state actors or criminal enterprises operating in collusion with network operators. In addition, individual attackers could leverage this vulnerability to attack individuals using a shared wifi hotspot.

Can attacks be detected?

Unfortunately, no. An attacker exploiting this vulnerability will leave no trace within the webserver logs. As a result it is not possible to determine if vulnerable web sites have been exploited.

What should website owners do?

  1. Verify if you are using a vulnerable version of OpenSSL.
  2. Upgrade OpenSSL as soon as possible.
  3. Reissue your security certificates for SSL/TLS. The vulnerability has been present for two years and there is no way to verify if your private key has been compromised as a result of this vulnerability. In addition, a compromised key would be used to silently monitor communications from your users and the attack would be undetectable. It is prudent to assume a breach and proactively reissue security certificates.
  4. Implement Perfect Forward Secrecy. This additional layer of security protects encrypted data from several potential attacks by using per-session random keys.
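Step 1 of the list above, as an added example that is not part of the original article or of OpenSSL: a classifier for the string printed by `openssl version`, using the affected ranges the article states (1.0.1 through 1.0.1f and 1.0.2-beta1 affected, 1.0.1g fixed). Treating 1.0.2 betas after beta1 as fixed is an assumption made here, and the version strings in the comments are constructed sample inputs.

```javascript
// Added example (not OpenSSL's or Shape Security's code): classify an
// `openssl version` string against the affected ranges given in the article.
function parseOpenSSLVersion(versionString) {
  // e.g. "OpenSSL 1.0.1f 6 Jan 2014" -> base "1.0.1", letter "f", beta null
  const m = /\b(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?/.exec(versionString);
  if (!m) throw new Error(`unrecognised OpenSSL version string: ${versionString}`);
  return {
    base: `${m[1]}.${m[2]}.${m[3]}`,
    letter: m[4],
    beta: m[5] === undefined ? null : Number(m[5]),
  };
}

function isVulnerableOpenSSLVersion(versionString) {
  const v = parseOpenSSLVersion(versionString);
  // 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g carries the fix.
  // An empty letter sorts before "a", so plain 1.0.1 is flagged as well.
  if (v.base === "1.0.1") return v.letter <= "f";
  // Only 1.0.2-beta1 existed when the bug was disclosed; later betas are
  // assumed fixed here.
  if (v.base === "1.0.2") return v.beta === 1;
  return false;
}
```

One caveat a practitioner needs: Linux distributions routinely backport security fixes without bumping the upstream version letter, so a build that reports 1.0.1e may already contain the fix. Treat the version string as a first screen, then confirm against the package changelog or the vendor's advisory for that exact package build.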

What should users do?

Unfortunately there’s not much a user can do. If you have an account at one of the many large websites that may have been affected, you can proactively change your password just to be safe.

Which large websites were impacted?

A partial list of large websites that are impacted can be found here. This list includes websites such as yahoo.com, stackexchange.com, eventbrite.com, okcupid.com, suning.com, and squidoo.com.

What other concerns are there with this vulnerability?

The Heartbleed vulnerability allows an attacker to extract information within the webserver’s memory. As a result, a wide variety of information could be at risk including sensitive user or system data. In addition to placing webservers at risk, OpenSSL is also used by a variety of network appliances. These devices could be subjected to attack to extract sensitive information within memory.

Additional information

http://heartbleed.com

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

Clarification: Michael Coates wrote this article.