DOI: 10.1145/3460120.3484535
research-article
Open access

Preventing Dynamic Library Compromise on Node.js via RWX-Based Privilege Reduction

Published: 13 November 2021

Abstract

Third-party libraries ease the development of large-scale software systems. However, libraries often execute with significantly more privilege than needed to complete their task. Such additional privilege is sometimes exploited at runtime via inputs passed to a library, even when the library itself is not actively malicious. We present Mir, a system addressing dynamic compromise by introducing a fine-grained read-write-execute (RWX) permission model at the boundaries of libraries: every field of every free variable name in the context of an imported library is governed by a permission set. To help specify the permissions given to existing code, Mir's automated inference generates default permissions by analyzing how libraries are used by their clients. Applied to over 1,000 JavaScript libraries for Node.js, Mir shows practical security (61/63 attacks mitigated), performance (2.1s for static analysis and +1.93% for dynamic enforcement), and compatibility (99.09%) characteristics, and enables a novel quantification of privilege reduction.
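To make the abstract's permission model concrete, here is an added example written for this page; it is not Mir's code and does not reproduce the paper's static inference, which derives the policy from how clients use the library. The context object, the dotted field paths, the policy literal and every function name below are assumptions. A library is handed a Proxy membrane over its free variables; each field path carries a subset of r/w/x, fields absent from the policy are denied by default, and an intermediate object is traversable only when some permitted field lies beneath it.

```javascript
// Added illustration of a per-field RWX permission set on a library's free
// variables. Not Mir's implementation; policy format and names are assumed.

class PermissionError extends Error {}

// A path may be read if its own entry grants "r" or, for traversal, if any
// permitted field lies below it. "w" and "x" must be granted explicitly.
function allowed(policy, path, flag) {
  const own = policy[path] || "";
  if (own.includes(flag)) return true;
  if (flag === "r") {
    return Object.keys(policy).some((k) => k.startsWith(path + "."));
  }
  return false;
}

// Wrap `target` so that every field access, assignment and call is checked
// against `policy`, keyed by dotted field path ("config.dbHost").
function confine(target, policy, path = "") {
  const name = (prop) => (path ? `${path}.${String(prop)}` : String(prop));
  return new Proxy(target, {
    get(obj, prop) {
      const p = name(prop);
      const canRead = allowed(policy, p, "r");
      const canExec = allowed(policy, p, "x");
      if (!canRead && !canExec) throw new PermissionError(`read denied: ${p}`);
      const value = Reflect.get(obj, prop, obj);
      if (typeof value === "function") {
        // "x" alone yields a callable handle; the call runs against the
        // unwrapped receiver so the callee's own field accesses are not
        // re-checked under the caller's policy.
        return new Proxy(value, {
          apply(fn, _thisArg, args) {
            if (!canExec) throw new PermissionError(`execute denied: ${p}`);
            return Reflect.apply(fn, obj, args);
          },
        });
      }
      if (value !== null && typeof value === "object") {
        return confine(value, policy, p);
      }
      return value;
    },
    set(obj, prop, value) {
      const p = name(prop);
      if (!allowed(policy, p, "w")) throw new PermissionError(`write denied: ${p}`);
      return Reflect.set(obj, prop, value);
    },
    deleteProperty(obj, prop) {
      const p = name(prop);
      if (!allowed(policy, p, "w")) throw new PermissionError(`write denied: ${p}`);
      return Reflect.deleteProperty(obj, prop);
    },
  });
}

// Constructed stand-in for the free variables a library sees (its imports and
// globals); no real process or filesystem objects are involved.
const context = {
  config: { dbHost: "db.internal", apiKey: "constructed-secret" },
  log: {
    prefix: "app",
    level: "info",
    lines: [],
    write(msg) { this.lines.push(msg); return `[${this.prefix}] ${msg}`; },
  },
  shell: { run(cmd) { return `would run: ${cmd}`; } },
};

// Assumed policy for a hypothetical formatting library: read the DB host,
// call the logger, adjust the log level, nothing else.
const formatterPolicy = {
  "config.dbHost": "r",
  "log.write": "x",
  "log.level": "w",
};

const ctx = confine(context, formatterPolicy);

// Records the outcome of one access so that it can be inspected or asserted.
function probe(fn) {
  try { return { ok: true, value: fn() }; }
  catch (e) { return { ok: false, error: e instanceof PermissionError ? e.message : String(e) }; }
}

function runDemo() {
  return {
    readHost: probe(() => ctx.config.dbHost),
    readKey: probe(() => ctx.config.apiKey),
    writeHost: probe(() => { ctx.config.dbHost = "evil"; return ctx.config.dbHost; }),
    callLog: probe(() => ctx.log.write("hello")),
    setLevel: probe(() => { ctx.log.level = "debug"; return context.log.level; }),
    readLevel: probe(() => ctx.log.level),
    callShell: probe(() => ctx.shell.run("echo hi")),
  };
}
```

Calling `runDemo()` shows the model's shape: the permitted read and call succeed, the write-only field can be set but not read, and the secret, the config write and the shell object are refused before any effect occurs. The sketch checks only direct property traffic; a production enforcer such as the one the paper evaluates also has to handle prototype chains, getters, reflective access (`Object.keys`, `Object.getOwnPropertyDescriptor`) and values that leak out through callbacks, none of which this membrane covers.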





Published In

CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
November 2021
3558 pages
ISBN:9781450384544
DOI:10.1145/3460120
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.


Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 13 November 2021


Author Tags

  1. program analysis
  2. supply-chain attacks
  3. third-party libraries

Qualifiers

  • Research-article

Funding Sources

  • German Research Foundation
  • DARPA
  • NSF
  • European Research Council

Conference

CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security
November 15 - 19, 2021
Virtual Event, Republic of Korea

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%





Article Metrics

  • Downloads (last 12 months): 385
  • Downloads (last 6 weeks): 50
Reflects downloads up to 09 Nov 2024


Cited By

  • (2024) Undefined-oriented Programming: Detecting and Chaining Prototype Pollution Gadgets in Node.js Template Engines for Malicious Consequences. 2024 IEEE Symposium on Security and Privacy (SP), pp. 4015-4033. DOI: 10.1109/SP54263.2024.00121. Online publication date: 19-May-2024.
  • (2023) Silent spring. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 5521-5538. DOI: 10.5555/3620237.3620546. Online publication date: 9-Aug-2023.
  • (2023) NatiSand: Native Code Sandboxing for JavaScript Runtimes. Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 639-653. DOI: 10.1145/3607199.3607233. Online publication date: 16-Oct-2023.
  • (2023) Cage4Deno: A Fine-Grained Sandbox for Deno Subprocesses. Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security, pp. 149-162. DOI: 10.1145/3579856.3595799. Online publication date: 10-Jul-2023.
  • (2023) BinWrap: Hybrid Protection against Native Node.js Add-ons. Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security, pp. 429-442. DOI: 10.1145/3579856.3590330. Online publication date: 10-Jul-2023.
  • (2023) HODOR: Shrinking Attack Surface on Node.js via System Call Limitation. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 2800-2814. DOI: 10.1145/3576915.3616609. Online publication date: 15-Nov-2023.
  • (2023) Scaling JavaScript Abstract Interpretation to Detect and Exploit Node.js Taint-style Vulnerability. 2023 IEEE Symposium on Security and Privacy (SP), pp. 1059-1076. DOI: 10.1109/SP46215.2023.10179352. Online publication date: May-2023.
  • (2023) Brigadier: A Datalog-based IAST framework for Node.js Applications. 2023 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), pp. 509-521. DOI: 10.1109/SANER56733.2023.00054. Online publication date: Mar-2023.
  • (2023) NodeMedic: End-to-End Analysis of Node.js Vulnerabilities with Provenance Graphs. 2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P), pp. 1101-1127. DOI: 10.1109/EuroSP57164.2023.00068. Online publication date: Jul-2023.
  • (2022) Stubbifier: debloating dynamic server-side JavaScript applications. Empirical Software Engineering, vol. 27, no. 7. DOI: 10.1007/s10664-022-10195-6. Online publication date: 1-Dec-2022.
