DOI: 10.1145/3098954.3120928
Research article (ARES conference proceedings)

Identification of Dependency-based Attacks on Node.js

Published: 29 August 2017

Abstract

Node.js executes server-side JavaScript code. By design, Node.js and JavaScript support global variables, monkey-patching, and a shared cache of loaded modules. This paper discusses four attacks that exploit these weaknesses: leakage of global variables, manipulation of global variables, manipulation of local variables, and manipulation of the dependency tree. It also describes the static code analysis that we implemented on top of the T.J. Watson Libraries for Analysis (WALA) to detect the identified attacks, together with the evaluation of that analysis. The analysis is integrated into OpenWhisk, an open source serverless cloud platform.




Published In

ARES '17: Proceedings of the 12th International Conference on Availability, Reliability and Security
August 2017
853 pages
ISBN:9781450352574
DOI:10.1145/3098954
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Cloud computing
  2. Dependency-based attack
  3. Node.js
  4. Software security

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES '17: International Conference on Availability, Reliability and Security
August 29 - September 1, 2017
Reggio Calabria, Italy

Acceptance Rates

ARES '17 Paper Acceptance Rate 100 of 191 submissions, 52%;
Overall Acceptance Rate 228 of 451 submissions, 51%

Article Metrics

  • Downloads (last 12 months): 53
  • Downloads (last 6 weeks): 5
Reflects downloads up to 25 Dec 2024.

Cited By

  • (2025) Understanding vulnerabilities in software supply chains. Empirical Software Engineering 30:1. DOI: 10.1007/s10664-024-10581-2. Online publication date: 1 Feb 2025.
  • (2024) SpiderScan: Practical Detection of Malicious NPM Packages Based on Graph-Based Behavior Modeling and Matching. Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering, pp. 1146-1158. DOI: 10.1145/3691620.3695492. Online publication date: 27 Oct 2024.
  • (2024) With Great Humor Comes Great Developer Engagement. Proceedings of the 46th International Conference on Software Engineering: Software Engineering in Society, pp. 1-11. DOI: 10.1145/3639475.3640099. Online publication date: 14 Apr 2024.
  • (2024) Where is it? Tracing the Vulnerability-relevant Files from Vulnerability Reports. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, pp. 1-13. DOI: 10.1145/3597503.3639202. Online publication date: 20 May 2024.
  • (2024) Malicious Package Detection using Metadata Information. Proceedings of the ACM Web Conference 2024, pp. 1779-1789. DOI: 10.1145/3589334.3645543. Online publication date: 13 May 2024.
  • (2023) On the Feasibility of Cross-Language Detection of Malicious Packages in npm and PyPI. Proceedings of the 39th Annual Computer Security Applications Conference, pp. 71-82. DOI: 10.1145/3627106.3627138. Online publication date: 4 Dec 2023.
  • (2023) The Hitchhiker's Guide to Malicious Third-Party Dependencies. Proceedings of the 2023 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, pp. 65-74. DOI: 10.1145/3605770.3625212. Online publication date: 30 Nov 2023.
  • (2023) SoK: Practical Detection of Software Supply Chain Attacks. Proceedings of the 18th International Conference on Availability, Reliability and Security, pp. 1-11. DOI: 10.1145/3600160.3600162. Online publication date: 29 Aug 2023.
  • (2023) SoK: Taxonomy of Attacks on Open-Source Software Supply Chains. 2023 IEEE Symposium on Security and Privacy (SP), pp. 1509-1526. DOI: 10.1109/SP46215.2023.10179304. Online publication date: May 2023.
  • (2022) On the Feasibility of Supervised Machine Learning for the Detection of Malicious Software Packages. Proceedings of the 17th International Conference on Availability, Reliability and Security, pp. 1-10. DOI: 10.1145/3538969.3544415. Online publication date: 23 Aug 2022.
