DOI: https://doi.org/10.1145/3460120.3485351
Demonstration (Public Access)

Demo: Detecting Third-Party Library Problems with Combined Program Analysis

Published: 13 November 2021

Abstract

Third-party libraries ease the software development process and have thus become an integral part of modern software engineering. Unfortunately, they are usually not vetted by human developers, and so they frequently introduce bugs, vulnerabilities, or attacks into programs that eventually reach end users. In this demonstration, we present a combined static and dynamic program analysis for inferring and enforcing third-party library permissions in server-side JavaScript. The analysis is centered on an RWX (read, write, execute) permission system applied across library boundaries. We demonstrate that our tools can detect zero-day vulnerabilities injected into popular libraries that are often missed by state-of-the-art tools such as snyk test and npm audit.

References

[1] Esben Andreasen, Liang Gong, Anders Møller, Michael Pradel, Marija Selakovic, Koushik Sen, and Cristian-Alexandru Staicu. 2017. A Survey of Dynamic Analysis and Test Generation for JavaScript. ACM Computing Surveys 50, 5 (2017), 66:1--66:36. https://doi.org/10.1145/3106739
[2] Michael D. Ernst. 2003. Static and Dynamic Analysis: Synergy and Duality.
[3] Chris Hawblitzel and Thorsten von Eicken. 1998. A Case for Language-Based Protection. Technical Report. Cornell University.
[4] Igibek Koishybayev and Alexandros Kapravelos. 2020. Mininode: Reducing the Attack Surface of Node.js Applications. In 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020).
[5] Tobias Lauinger, Abdelberi Chaabane, Sajjad Arshad, William Robertson, Christo Wilson, and Engin Kirda. 2017. Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web.
[6] Magnus Madsen, Frank Tip, and Ondřej Lhoták. 2015. Static Analysis of Event-Driven Node.js JavaScript Applications. ACM SIGPLAN Notices 50, 10 (2015), 505--519.
[7] Nick Nikiforakis, Luca Invernizzi, Alexandros Kapravelos, Steven Van Acker, Wouter Joosen, Christopher Kruegel, Frank Piessens, and Giovanni Vigna. 2012. You Are What You Include: Large-Scale Evaluation of Remote JavaScript Inclusions. In Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS '12). 736--747.
[8] npm. 2016. Run a security audit. https://docs.npmjs.com/cli/v7/commands/npm-audit
[9] Koushik Sen, Swaroop Kalasapur, Tasneem Brutch, and Simon Gibbs. 2013. Jalangi: A Selective Record-Replay and Dynamic Analysis Framework for JavaScript. In Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering (ESEC/FSE 2013). ACM, New York, NY, USA, 488--498. https://doi.org/10.1145/2491411.2491447
[10] Snyk. 2016. Find, fix and monitor for known vulnerabilities in Node.js and Ruby packages. https://snyk.io/
[11] Deian Stefan. 2015. Principled and Practical Web Application Security. Stanford University.
[12] Deian Stefan, Edward Z. Yang, Petr Marchenko, Alejandro Russo, Dave Herman, Brad Karp, and David Mazières. 2014. Protecting Users by Confining JavaScript with COWL. In 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI 14). 131--146.
[13] Haiyang Sun, Daniele Bonetta, Christian Humer, and Walter Binder. 2018. Efficient Dynamic Analysis for Node.js. In Proceedings of the 27th International Conference on Compiler Construction (CC 2018). ACM, New York, NY, USA, 196--206. https://doi.org/10.1145/3178372.3179527
[14] Nikos Vasilakis, Achilles Benetopoulos, Shivam Handa, Alizee Schoen, Jiasi Shen, and Martin C. Rinard. 2021a. Supply-Chain Vulnerability Elimination via Active Learning and Regeneration. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security (CCS '21). Association for Computing Machinery, New York, NY, USA. https://doi.org/10.1145/3460120.3484736
[15] Nikos Vasilakis, Ben Karel, Nick Roessler, Nathan Dautenhahn, André DeHon, and Jonathan M. Smith. 2018. BreakApp: Automated, Flexible Application Compartmentalization. In Network and Distributed System Security Symposium (NDSS '18). https://doi.org/10.14722/ndss.2018.23131
[16] Nikos Vasilakis, Grigoris Ntousakis, Veit Heller, and Martin C. Rinard. 2021b. Efficient Module-Level Dynamic Analysis for Dynamic Languages with Module Recontextualization. In Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE 2021). Association for Computing Machinery, New York, NY, USA, 1202--1213. https://doi.org/10.1145/3468264.3468574
[17] Nikos Vasilakis, Cristian-Alexandru Staicu, Grigoris Ntousakis, Konstantinos Kallas, Ben Karel, André DeHon, and Michael Pradel. 2021c. Preventing Dynamic Library Compromise on Node.js via RWX-Based Privilege Reduction. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security (CCS '21). Association for Computing Machinery, New York, NY, USA. https://doi.org/10.1145/3460120.3484535
[18] Markus Zimmermann, Cristian-Alexandru Staicu, Cam Tenny, and Michael Pradel. 2019. Small World with High Risks: A Study of Security Threats in the npm Ecosystem. In Proceedings of the 28th USENIX Security Symposium (SEC '19). USENIX Association, USA, 995--1010.

Cited By

  • The Risks and Challenges of Electric Vehicle Integration into Smart Cities. Energies 16, 14 (2023), 5274. https://doi.org/10.3390/en16145274
  • Emerging Cybersecurity and Privacy Threats to Electric Vehicles and Their Impact on Human and Environmental Sustainability. Energies 16, 3 (2023), 1113. https://doi.org/10.3390/en16031113
  • NatiSand: Native Code Sandboxing for JavaScript Runtimes. In Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses (2023), 639--653. https://doi.org/10.1145/3607199.3607233
  • Cage4Deno: A Fine-Grained Sandbox for Deno Subprocesses. In Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security (2023), 149--162. https://doi.org/10.1145/3579856.3595799

Published In

CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
November 2021
3558 pages
ISBN:9781450384544
DOI:10.1145/3460120
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags: dynamic program analysis; static program analysis


Conference

CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security
November 15 - 19, 2021
Virtual Event, Republic of Korea

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
