A systematic analysis of the event-stream incident
Authors: 
Iosif Arvanitis, 
Grigoris Ntousakis, Sotiris Ioannidis, 
Nikos VasilakisAuthors Info & Claims
Iosif Arvanitis, Grigoris Ntousakis, Sotiris Ioannidis, Nikos VasilakisAuthors Info & ClaimsPages 22 - 28
Abstract
On October 5, 2018, a GitHub user announced a critical security vulnerability in event-stream, a JavaScript package meant to simplify working with data-streams. The vulnerability, was introduced by a new maintainer, by including code designed to harvest account details from select Bitcoin wallets when executing as part of the Copay wallet. At the time of the incident, event-stream was used by hundreds of applications and averaged about two million downloads per week. This paper reports on the results of an independent analysis of the event-steam incident. A series of steps allowed the attacker to take control of important account functions, while the attack was designed to activate only on select few environments---only when part of a specific dependency tree, only on specific wallets, and only on the live Bitcoin network. Conventional program analysis techniques would have likely missed the attack, and manual vetting proved to be inadequate given the scale and complexity of dependencies typical of in modern applications. The event-stream incident provides an important case study of the risks associated with long and convoluted chains of third-party components, calling the research community to arms.
References
[1]
Pieter Agten, Steven Van Acker, Yoran Brondsema, Phu H. Phung, Lieven Desmet, and Frank Piessens. 2012. JSand: Complete Client-side Sandboxing of Third-party JavaScript Without Browser Modifications. In Proceedings of the 28th Annual Computer Security Applications Conference (Orlando, Florida, USA) (ACSAC '12). ACM, New York, NY, USA, 1--10.
[2]
Babak Amin Azad, Pierre Laperdrix, and Nick Nikiforakis. 2019. Less is more: quantifying the security benefits of debloating web applications. In 28th {USENIX} Security Symposium ({USENIX} Security 19). 1697--1714.
[3]
BITPAY INC. 2015. Copay. https://github.com/bitpay/copay/ Accessed: 2021-09-09.
[4]
Andrea Bittau, Petr Marchenko, Mark Handley, and Brad Karp. 2008. Wedge: Splitting Applications into Reduced-privilege Compartments. In Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation (San Francisco, California) (NSDI'08). USENIX Association, Berkeley, CA, USA, 309--322. http://dl.acm.org/citation.cfm?id=1387589.1387611
[5]
David Brumley and Dawn Song. 2004. Privtrans: Automatically Partitioning Programs for Privilege Separation. In Proceedings of the 13th Conference on USENIX Security Symposium - Volume 13 (San Diego, CA) (SSYM'04). USENIX Association, Berkeley, CA, USA, 5--5. http://dl.acm.org/citation.cfm?id=1251375.1251380
[6]
Majid Burney et al. 2014. Event-Stream, GitHub Issue 73: flatMap? https://github.com/dominictarr/event-stream/issues/73 Accessed: 2022-01-26.
[7]
Laurent Christophe, Coen De Roover, and Wolfgang De Meuter. 2015. Poster: Dynamic Analysis Using JavaScript Proxies. In Proceedings of the 37th International Conference on Software Engineering - Volume 2 (Florence, Italy) (ICSE '15). IEEE Press, Piscataway, NJ, USA, 813--814. http://dl.acm.org/citation.cfm?id=2819009.2819180
[8]
Dominic Tarr. 2011. Event-Stream. https://www.npmjs.com/package/event-stream Accessed: 2021-09-09.
[9]
Cormac Flanagan and Stephen N. Freund. 2010. The RoadRunner Dynamic Analysis Framework for Concurrent Programs. In Proceedings of the 9th ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering (Toronto, Ontario, Canada) (PASTE '10). Association for Computing Machinery, New York, NY, USA, 1--8.
[10]
Khilan Gudka, Robert NM Watson, Jonathan Anderson, David Chisnall, Brooks Davis, Ben Laurie, Ilias Marinos, Peter G Neumann, and Alex Richardson. 2015. Clean application compartmentalization with SOAAP. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, 1016--1031.
[11]
Daniel Hedin, Arnar Birgisson, Luciano Bello, and Andrei Sabelfeld. 2014. JSFlow: Tracking information flow in JavaScript and its APIs. In Proceedings of the 29th Annual ACM Symposium on Applied Computing. 1663--1671.
[12]
Kihong Heo, Woosuk Lee, Pardis Pashakhanloo, and Mayur Naik. 2018. Effective program debloating via reinforcement learning. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. 380--394.
[13]
hugeglass. 2018. Flatmap-Stream. https://www.npmjs.com/package/flatmap-stream Accessed: 2021-09-09.
[14]
Konrad Jamrozik, Philipp von Styp-Rekowsky, and Andreas Zeller. 2016. Mining sandboxes. In Proceedings of the 38th International Conference on Software Engineering, ICSE 2016, Austin, TX, USA, May 14--22, 2016, Laura K. Dillon, Willem Visser, and Laurie A. Williams (Eds.). ACM, 37--48.
[15]
Matthias Keil and Peter Thiemann. 2013. Efficient Dynamic Access Analysis Using JavaScript Proxies. In Proceedings of the 9th Symposium on Dynamic Languages (Indianapolis, Indiana, USA) (DLS '13). ACM, New York, NY, USA, 49--60.
[16]
Igibek Koishybayev and Alexandros Kapravelos. 2020. Mininode: Reducing the Attack Surface of Node.js Applications. In 23rd International Symposium on Research in Attacks, Intrusions and Defenses ({RAID} 2020).
[17]
Hyungjoon Koo, Seyedhamed Ghavamnia, and Michalis Polychronakis. 2019. Configuration-Driven Software Debloating. In Proceedings of the 12th European Workshop on Systems Security. 1--6.
[18]
Larry Koved, Marco Pistoia, and Aaron Kershenbaum. 2002. Access rights analysis for Java. In Proceedings of the 2002 ACM SIGPLAN Conference on Object-Oriented Programming Systems, Languages and Applications, OOPSLA 2002, Seattle, Washington, USA, November 4--8, 2002, Mamdouh Ibrahim and Satoshi Matsuoka (Eds.). ACM, 359--372.
[19]
Tobias Lauinger, Abdelberi Chaabane, Sajjad Arshad, William Robertson, Christo Wilson, and Engin Kirda. 2017. Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web. (2017).
[20]
Leo A Meyerovich and Benjamin Livshits. 2010. ConScript: Specifying and enforcing fine-grained security policies for Javascript in the browser. In 2010 IEEE Symposium on Security and Privacy. IEEE, 481--496.
[21]
James Mickens. 2014. Pivot: Fast, synchronous mashup isolation using generator chains. In 2014 IEEE Symposium on Security and Privacy. IEEE, 261--275.
[22]
Nick Nikiforakis, Luca Invernizzi, Alexandros Kapravelos, Steven Van Acker, Wouter Joosen, Christopher Kruegel, Frank Piessens, and Giovanni Vigna. 2012. You are what you include: large-scale evaluation of remote javascript inclusions. In Proceedings of the 2012 ACM conference on Computer and communications security. 736--747.
[23]
NPM. [n.d.]. Semantic versioning from npm. https://docs.npmjs.com/files/package.json Accessed: 2021-09-09.
[24]
npm, Inc. 2012. npm-shrinkwrap: Lock down dependency versions. https://docs.npmjs.com/cli/shrinkwrap
[25]
npm, Inc. 2018. Details about the event-stream incident. https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident Accessed: 2018-12-18.
[26]
Grigoris Ntousakis, Sotiris Ioannidis, and Nikos Vasilakis. 2021. Demo: Detecting Third-Party Library Problems with Combined Program Analysis. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security (Virtual Event, Republic of Korea) (CCS '21). Association for Computing Machinery, New York, NY, USA, 2429--2431.
[27]
Erlend Oftedal et al. 2016. RetireJS. http://retirejs.github.io/retire.js/
[28]
Martin Rinard. 2011. Manipulating program functionality to eliminate security vulnerabilities. In Moving target defense. Springer, 109--115.
[29]
José Fragoso Santos and Tamara Rezk. 2014. An information flow monitor-inlining compiler for securing a core of javascript. In IFIP International Information Security Conference. Springer, 278--292.
[30]
Node Security. 2016. Continuous Security monitoring for your node apps. https://nodesecurity.io/
[31]
Koushik Sen, Swaroop Kalasapur, Tasneem Brutch, and Simon Gibbs. 2013. Jalangi: A Selective Record-replay and Dynamic Analysis Framework for JavaScript. In Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering (Saint Petersburg, Russia) (ESEC/FSE 2013). ACM, New York, NY, USA, 488--498.
[32]
Jayden Seric et al. 2018. Event-Stream, GitHub Issue 1442: Deprecation warning at start. https://github.com/remy/nodemon/issues/1442 Accessed: 2022-01-26.
[33]
Snyk. 2016. Find, fix and monitor for known vulnerabilities in Node.js and Ruby packages. https://snyk.io/
[34]
Ayrton Sparling et al. 2018. Event-Stream, GitHub Issue 116: I don't know what to say. https://github.com/dominictarr/event-stream/issues/116 Accessed: 2018-12-18.
[35]
Deian Stefan, Edward Z. Yang, Petr Marchenko, Alejandro Russo, Dave Herman, Brad Karp, and David Mazières. 2014. Protecting Users by Confining JavaScript with COWL. In 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI 14). USENIX Association, Broomfield, CO, 131--146. https://www.usenix.org/conference/osdi14/technical-sessions/presentation/stefan
[36]
Haiyang Sun, Daniele Bonetta, Christian Humer, and Walter Binder. 2018. Efficient Dynamic Analysis for Node.Js. In Proceedings of the 27th International Conference on Compiler Construction (Vienna, Austria) (CC 2018). ACM, New York, NY, USA, 196--206.
[37]
Jeff Terrace, Stephen R Beard, and Naga Praveen Kumar Katta. 2012. JavaScript in JavaScript (js. js): sandboxing third-party scripts. In Presented as part of the 3rd USENIX Conference on Web Application Development (WebApps 12). 95--100.
[38]
Nikos Vasilakis, Achilles Benetopoulos, Shivam Handa, Alizee Schoen, Jiasi Shen, and Martin C. Rinard. 2021. Supply-Chain Vulnerability Elimination via Active Learning and Regeneration. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security (Virtual Event, Republic of Korea) (CCS '21). Association for Computing Machinery, New York, NY, USA, 1755--1770.
[39]
Nikos Vasilakis, Ben Karel, Nick Roessler, Nathan Dautenhahn, André DeHon, and Jonathan M. Smith. 2018. BreakApp: Automated, Flexible Application Compartmentalization. In Networked and Distributed Systems Security (San Diego, California) (NDSS'18).
[40]
Nikos Vasilakis, Grigoris Ntousakis, Veit Heller, and Martin C Rinard. 2021. Efficient module-level dynamic analysis for dynamic languages with module recontextualization. In Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering. 1202--1213.
[41]
Nikos Vasilakis, Cristian-Alexandru Staicu, Grigoris Ntousakis, Konstantinos Kallas, Ben Karel, André DeHon, and Michael Pradel. 2021. Preventing Dynamic Library Compromise on Node.Js via RWX-Based Privilege Reduction. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security (Virtual Event, Republic of Korea) (CCS '21). Association for Computing Machinery, New York, NY, USA, 1821--1838.
[42]
Markus Zimmermann, Cristian-Alexandru Staicu, Cam Tenny, and Michael Pradel. 2019. Smallworld with High Risks: A Study of Security Threats in the Npm Ecosystem. In Proceedings of the 28th USENIX Conference on Security Symposium (Santa Clara, CA, USA) (SEC'19). USENIX Association, USA, 995--1010.
Index Terms
- A systematic analysis of the event-stream incident
Recommendations
Understanding third-party libraries in mobile app analysis
ICSE-C '17: Proceedings of the 39th International Conference on Software Engineering CompanionThird-party libraries are widely used in mobile apps. Recent studies showed that third-party libraries account for more than 60% of the code in Android apps on average. As a result, program analysis on Android apps typically requires detecting or ...
REAPER: Real-time App Analysis for Augmenting the Android Permission System
CODASPY '19: Proceedings of the Ninth ACM Conference on Data and Application Security and PrivacyAndroid's app ecosystem relies heavily on third-party libraries as they facilitate code development and provide a steady stream of revenue for developers. However, while Android has moved towards a more fine-grained run time permission system, users ...
Adoption of third-party libraries in mobile apps: a case study on open-source Android applications
MOBILESoft '22: Proceedings of the 9th IEEE/ACM International Conference on Mobile Software Engineering and SystemsThird-party libraries are frequently adopted in open-source Android applications (apps). These libraries are essential to the Android app development ecosystem as they often provide vital functionality that would take significant development time to ...
Comments
Information & Contributors
Information
Published In
April 2022
70 pages
Copyright © 2022 Owner/Author.
This work is licensed under a Creative Commons Attribution International 4.0 License.
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 05 April 2022
Check for updates
Author Tags
Qualifiers
- Research-article
Funding Sources
Conference
EuroSys '22
Sponsor:
Acceptance Rates
Overall Acceptance Rate 241 of 1,308 submissions, 18%
Upcoming Conference
EuroSys '25
- Sponsor:
- sigops
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 431Total Downloads
- Downloads (Last 12 months)267
- Downloads (Last 6 weeks)42
Reflects downloads up to 30 Aug 2024
Other Metrics
Citations
Cited By
View allView Options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in