« The Evolution of Tech Companies’ Logos

Google Plays to Microsoft’s Weaknesses »

JavaScript Global Namespace Pollution

JavaScript Global Namespace Pollution: “

If you are reading this you are probably thinking what does this post has to do with . Well, let me explain. One of the ways to detect malware is to check for namespace pollutions symptoms. Simply put, if the execution container contains more objects then the expected, something wrong is going on. This post will briefly walk through some ideas currently circulating in my head.

Pilsen and Pollution

Namespace pollution checks are very trivial to perform. The check should be performed from a safer location such as outside of the execution sandbox or somewhere on the top before and after the user input is taken into consideration. The check is very simple really. All that needs to be done is to compare the list of registered objects with the expected list of objects. If they defer, the namespace has been polluted by something. The check can be performed by a function similar to the one discussed by the Atom database over here:

function walkJSON(j, c) {
    for (var i in j) {
        c(i, j[i]);

        if (j[i] instanceof Array || typeof(j[i]) == 'object') {
            arguments.callee(j[i], c);
        }
    }
}

The function is very simple as you can see, though you have to be careful when used from chrome privileged code. As you can see the if statement comparisons can be used in order to escalate access, something known as chrome execution attack. Never the less, the function is sufficient enough to walk any object. You can even make it recursive if you want to go several levels down the tree. By using this function, we can compare the namespace before and after and as such detect and locate malicious code.

This is what I believe will be one of the techniques used by anti-malware software to prevent, but mostly to detect and locate, malicious code. Nevertheless, there are always methods that can be used to overcome namespace pollution problems. One of them is to use closures. Here is an example:

(function (window, document) {
    // [evil code here]
})(window, document);

This technique will safely execute malicious code without the need to worry about polluting the whichever namespace, as long as the evil code that is enclosed within the closure does not modify the window or the document objects. DOM manipulation is acceptable since no one is crazy enough to check for DOM changes. The document object is far more complicated and walking its is hard.

As you can see closures can be used to hide evil code. Another way for obscuring evil code is to make use of the prototype functionalities of the interpreter. The prototype object, and several other special objects, that are enclosed within every object instance can be used to hide facilities which cannot be easily spotted by malware detection engines. Simply put, synthetic sugar, something has plenty of, is a perfect place for storing evil code without polluting the namespace for triggering any other canary that might be there.

Take this post and put it aside until you need it.

(Via GNUCITIZEN.)

Related Posts




Hits for this post:409
Categories: coding
Tags: , ,

Tiny URL: http://r-echos.net/lk/12004
Friday, February 8th, 2008 at 4:20 pm
You can skip to the end and leave a response. Pinging is currently not allowed.

Leave a Reply

R-Echos

Since 2004, R-Echos is an experimental online magazine dedicated to republication; topics vary from biology to graphic design, from ecology to business. It agglomerates anything which is about art, computing, science. His form is made out of collages of texts, links, images, references, videos and sounds - choosen with care to take part to this very personnal publication.

* Electronest

websites and White Cubes

websites and White Cubes

Dumb sign, originally uploaded by blackbeltjones.
Been asked to work on the nominations for designs of the year again at the Design Museum, which is very nice.But it leads me back to this hoary old question – how should interactive work best be shown in a museum or gallery context? Should it be [...]

 Continue your reading of websites and White Cubes

August 22nd, 2008
Categories: Feature, interaction design
R-Echos issue 1 - AMP001

R-Echos issue 1

An experiment in the economics of production: how can we shift focus from consumption of a finished product to investment in the processes of design, print & production?

This is a poster and a text: an analog R-Echos
Would you be interested in investing in the tangible production of this work?
1. You can download the digital archive
and [...]

 Continue your reading of R-Echos issue 1

July 23rd, 2008
Categories: Feature, Offline Products, edition, electronic culture, magazines

What if, VACANT LOT, Hoxton, London

What if, VACANT LOT, Hoxton, London

Related PostsBuilding and designing Digitalism’s IdealisticThe best CNC project machines - Hack a Daygreenpix zero-energy massive LED displayDIY Blubber BotBotanicalls Twitter DIYBuild Your Own War Bot - Wired How-To WikiHOW TO - Embroider digital imagesThe Shipyard ReturnsBottoms Up DoorbellThey were flexible in the fifties tooThe Magic Roundabout, SwindonPrintBot [...]

 Continue your reading of What if, VACANT LOT, Hoxton, London

June 23rd, 2008
Categories: Feature, architecture, quick inspiration

  • About
  • Articles
  • Beta version
  • Categories
  • Defragmentation
  • Index
  • Monthly Archives
  • R-Echos issue 1
  • Somewhere else
  • Tags
  • Visual Index
  • Visualisation

    • Collections

  • Displaying
  • un-Realisation
  • Physical Interface
  • Augmented Reality
  • Publishing
  • Geometry
  • Visualisation

    • Subscribe in a reader

    Enter your email address:

    Delivered by FeedBurner