synode understanding and automatically preventing
play

Synode: Understanding and Automatically Preventing Injection Attacks - PowerPoint PPT Presentation

Sep 03, 2022 •22 likes •492 views

Synode: Understanding and Automatically Preventing Injection Attacks on Node.js Cristian-Alexandru Staicu 1 Michael Pradel 1 Ben Livshits 2 1 TU Darmstadt 2 Imperial College London, Brave Software February 20, 2018 This Talk Node.JS and

  1. Synode: Understanding and Automatically Preventing Injection Attacks on Node.js Cristian-Alexandru Staicu 1 Michael Pradel 1 Ben Livshits 2 1 TU Darmstadt 2 Imperial College London, Brave Software February 20, 2018

  2. This Talk Node.JS and Empirical Synode Evaluation Injections Study 0

  3. This Talk Node.JS and Empirical Synode Evaluation Injections Study 0

  4. Node.js 101 JS application JS engine 1

  5. Node.js 101 JS application fs, exec JS engine Node.JS bindings OS 1

  6. Node.js 101 JS application fs, exec JS engine Node.JS bindings OS Node Package Manager 1

  7. Node.js 101 JS application fs, exec JS engine Node.JS bindings OS Node Package Manager Node Security Project 1

  8. Typical Node.JS Application ... vulnerable ... templates module engine strings utility Node.JS application headers ... parser DB access 2

  9. Running Example function backupFile(name, ext) { var cmd = []; cmd.push( "cp" ); cmd.push(name + "." + ext); cmd.push( "˜/.localBackup/" ); exec (cmd.join( " " )); } 3

  10. Running Example function backupFile(name, ext) { var cmd = []; cmd.push( "cp" ); cmd.push(name + "." + ext); cmd.push( "˜/.localBackup/" ); exec (cmd.join( " " )); } Malicious Payload backupFile( "-h && rm -rf * && echo " , "" ) 3

  11. This Talk Node.JS and Empirical Synode Evaluation Injections Study 4

  12. npm Codebase 2.471 236,337 average number of packages package dependences 816,840,082 > 40,000 lines of JavaScript code C files 7,685 9,110 number of packages number of packages containing exec containing eval February 2016 5

  13. Dependences on Injection APIs Percentage of npm modules 20 15 10 5 0 e e e e e e t x v x v x v o t e a e a e a a c c c l l l - - - - l l l - l l e e e e l e v v v v v e e e e e l l l l - - - - l 1 2 - 1 2 2 6

  14. Data Passed to Injection APIs Manual inspection of 150 call sites eval exec 0% 10% 20% 30% 0% 20% 40% 60% code loading simple OS command JSON piped commands higher-order fct. local script property read 7

  15. Data Passed to Injection APIs Manual inspection of 150 call sites eval exec 0% 10% 20% 30% 0% 20% 40% 60% code loading simple OS command JSON piped commands higher-order fct. local script property read 58% contain user-controlled data, out of which: 90% perform no check on this data 9% use regular expressions 7

  16. Submitted Bug Reports Affected module Confirmed Time until fixed mixin-pro yes 1 day no – modulify yes 155 days* proto yes 73 days mongoosify yes – summit yes – microservicebus.node mobile-icon-resizer yes 2 days – – m-log – – mongo-edit yes – mongo-parse – – mock2easy – – mongui – – m2m-supervisor – – nd-validator 180 days – – nameless-cli node-mypeople – – after – – mongoosemask reporting – – kmc – – mod growl yes – – indicates a lack response and * an incomplete fix 8

  17. Lessons Learned multiple dependences on average each module has 2.5 direct dependences no sanitization only 9% use sanitization, often broken unresponsive developers within six months only 25% of the issues were fixed 9

  18. This Talk Node.JS and Empirical Synode Evaluation Injections Study 10

  19. Safe Use of Modules with Synode ... vulnerable ... templates module engine strings utility Node.JS application headers ... parser DB access 11

  20. Overview of Synode npm Static analysis module 12

  21. Overview of Synode npm Static analysis module Statically safe programs Safe behavior 12

  22. Overview of Synode npm Static analysis module Templates Statically Program List of safe programs rewriting safe nodes Safe behavior 12

  23. Overview of Synode npm Static analysis module Templates Statically Program List of safe programs rewriting safe nodes Runtime Dynamic policy Safe behavior inputs enforcement 12

  24. Static Phase 1. Intra-procedural backward data flow analysis: Over-approximates strings passed to injection APIs Unknown parts to be filled at runtime 13

  25. Static Phase 1. Intra-procedural backward data flow analysis: Over-approximates strings passed to injection APIs Unknown parts to be filled at runtime ”$hole” function backupFile (name , ext ) { var cmd = [ ] ; cmd . push ( "cp" ) ; cmd . push (name + "." + ext ) ; cmd . push ( "˜/.localBackup/" ) ; exec (cmd . j o i n ( " " ) ) ; } ”cp $name.$ext ˜/.localBackup/” 13

  26. Static Phase 1. Intra-procedural backward data flow analysis: Over-approximates strings passed to injection APIs Unknown parts to be filled at runtime ”$hole” function backupFile (name , ext ) { var cmd = [ ] ; cmd . push ( "cp" ) ; cmd . push (name + "." + ext ) ; ”˜/.localBackup/” cmd . push ( "˜/.localBackup/" ) ; exec (cmd . j o i n ( " " ) ) ; } ”cp $name.$ext ˜/.localBackup/” 13

  27. Static Phase 1. Intra-procedural backward data flow analysis: Over-approximates strings passed to injection APIs Unknown parts to be filled at runtime ”$hole” function backupFile (name , ext ) { var cmd = [ ] ; cmd . push ( "cp" ) ; cmd . push (name + "." + ext ) ; ”˜/.localBackup/” cmd . push ( "˜/.localBackup/" ) ; exec (cmd . j o i n ( " " ) ) ; } ”$name.$ext ˜/.localBackup/” ”cp $name.$ext ˜/.localBackup/” 13

  28. Static Phase 1. Intra-procedural backward data flow analysis: Over-approximates strings passed to injection APIs Unknown parts to be filled at runtime ”$hole” function backupFile (name , ext ) { var cmd = [ ] ; cmd . push ( "cp" ) ; cmd . push (name + "." + ext ) ; ”˜/.localBackup/” cmd . push ( "˜/.localBackup/" ) ; exec (cmd . j o i n ( " " ) ) ; } ”$name.$ext ˜/.localBackup/” ”cp $name.$ext ˜/.localBackup/” ”cp $name.$ext ˜/.localBackup/” 13

  29. Static Phase 2. Synthesize runtime policy using templates: Enforce structure via partial AST For unknown parts allow only safe nodes 14

  30. Static Phase 2. Synthesize runtime policy using templates: Enforce structure via partial AST For unknown parts allow only safe nodes ”cp $name.$ext ˜/.localBackup” command args command literal list value literal literal cp value value ˜/.localBackup ?? 14

  31. Runtime Phase Enforce policy on strings passed to injection APIs Policy: command args command literal list value literal literal cp value value ˜/.localBackup ?? 15

  32. Runtime Phase Enforce policy on strings passed to injection APIs Runtime string: Policy: ”cp file.txt ˜/.localBackup” command command args args command command literal list literal list value value literal literal literal literal cp cp value value value value ˜/.localBackup ?? ˜/.localBackup file.txt 15

  33. Runtime Phase Enforce policy on strings passed to injection APIs Runtime string: Policy: ”cp file.txt ˜/.localBackup” command command args args command command literal list literal list value value literal literal literal literal cp cp value value value value ˜/.localBackup ?? ˜/.localBackup file.txt 15

  34. Runtime Phase Runtime string: ”cp x || rm * -rf ˜/.localBackup” command next command args control command || literal list args command value literal literal list cp value value x rm glob literal literal value value value ˜/.localBackup -rf * 16

  35. Runtime Phase Runtime string: ”cp x || rm * -rf ˜/.localBackup” command next command args control command || literal list args command value literal literal list cp value value x rm glob literal literal value value value ˜/.localBackup -rf * 16

  36. This Talk Node.JS and Empirical Synode Evaluation Injections Study 17

  37. Evaluation: Static Phase Setup 51K call sites of injection APIs Precision 36.7% of the call sites statically safe 63.3% to be checked at runtime Context most call sites have at least: 10 constant characters per template 1 unknown per template Performance 4.4 seconds per module 18

  38. Evaluation: Runtime Phase Setup 24 modules 56 benign and 65 malicious inputs Results zero malicious inputs that we do not stop five benign inputs that we incorrectly stop overhead: 0.74 milliseconds per call 19

  39. Conclusions Study of injection vulnerabilities First large-scale study of Node.js security exec and eval are prevalent in npm ecosystem Developers are slow to react 20

  40. Conclusions Study of injection vulnerabilities First large-scale study of Node.js security exec and eval are prevalent in npm ecosystem Developers are slow to react 20

  41. Conclusions Study of injection vulnerabilities First large-scale study of Node.js security exec and eval are prevalent in npm ecosystem Developers are slow to react Prevention of injections Automatic and easy to deploy https://github.com/sola-da/Synode Small overhead and high accuracy 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Understanding and Automatically Preventing Injection Attacks on Node.js Michael Pradel TU

Understanding and Automatically Preventing Injection Attacks on Node.js Michael Pradel TU

Understanding and Automatically Preventing Injection Attacks on Node.js Michael Pradel TU Darmstadt Joint work with Cristian Staicu (TU Darmstadt) and Ben Livshits (Microsoft Research, Redmond) 1 Why JavaScript? Relevant and challenging

520 views • 48 slides
Understanding Automatically- Generated Patches Through Symbolic Invariant Differences Padraic

Understanding Automatically- Generated Patches Through Symbolic Invariant Differences Padraic

Understanding Automatically- Generated Patches Through Symbolic Invariant Differences Padraic Cashin, Carianne Martinez, Westley Weimer, Stephanie Forrest The Problem Automated program repair may reduce software maintenance costs

86 views • 8 slides
Automatically Documenting Program Changes Ray Buse Wes Weimer De ltaDoc 13 May 2011 diffs

Automatically Documenting Program Changes Ray Buse Wes Weimer De ltaDoc 13 May 2011 diffs

Automatically Documenting Program Changes Ray Buse Wes Weimer De ltaDoc 13 May 2011 diffs Commit Messages 13 th CREST Open Workshop Automated Software Engineering '10 So Much Change Automatically Documenting Program Changes 2 Understanding

589 views • 40 slides
An Interconnected Strategy Understanding, Correcting, and Preventing Bullying, Harassment and

An Interconnected Strategy Understanding, Correcting, and Preventing Bullying, Harassment and

An Interconnected Strategy Understanding, Correcting, and Preventing Bullying, Harassment and Other Forms of Violence Three Components of a Successful Anti-bullying, Harassment and Violence Strategy 1. Knowledge 2. Safe Reporting System 3.

804 views • 36 slides
Understanding and preventing common attacks Romain Wartel 7th March 2010, ISGC Security

Understanding and preventing common attacks Romain Wartel 7th March 2010, ISGC Security

WLCG Group Understanding and preventing common attacks Romain Wartel 7th March 2010, ISGC Security Workshop, Taiwan. 1 Overview Underground market The main motive behind most security attacks: money. 3 Exposure and motivation Grids

434 views • 25 slides
ROLE OF WOMEN IN COUNTERING/PREVENTING VIOLENT EXTREMISM Victims . Perpetrators . Disruptors

ROLE OF WOMEN IN COUNTERING/PREVENTING VIOLENT EXTREMISM Victims . Perpetrators . Disruptors

ROLE OF WOMEN IN COUNTERING/PREVENTING VIOLENT EXTREMISM Victims . Perpetrators . Disruptors WHAT IS THE PROBLEM? A narrow understanding of womens roles in CVE limits policy options and perpetuates strategic blind spots, such as failing to

473 views • 12 slides
Preventing Preventing Sepsis: Sepsis: A C A Community B ommunity Based ased Approach

Preventing Preventing Sepsis: Sepsis: A C A Community B ommunity Based ased Approach

Preventing Preventing Sepsis: Sepsis: A C A Community B ommunity Based ased Approach Approach NY NYS S Se Senior nior Acti Action on Co Coun uncil cil Dec Decem embe ber 13 r 13, , 20 2016 16 Ev Eve e Bank Bankert ert

283 views • 24 slides
Understanding the New OH&S Rules Why Updated/New Legislation? Every year, hardworking

Understanding the New OH&S Rules Why Updated/New Legislation? Every year, hardworking

Understanding the New OH&S Rules Why Updated/New Legislation? Every year, hardworking Albertans are killed or injured on the job. A strong health and safety workplace culture is essential to preventing work-related injuries, illnesses and

954 views • 57 slides
Module 5 Understanding DIC and How to Apply Topics Covered in This Module Entitlement to

Module 5 Understanding DIC and How to Apply Topics Covered in This Module Entitlement to

Module 5 Understanding DIC and How to Apply Topics Covered in This Module Entitlement to Dependency and Indemnity Compensation (DIC) DIC Rate Table DIC Granted Automatically When DIC Is Not Automatic Aid and Attendance

221 views • 7 slides
Automatically Constructing Semantic Web Services from Online Sources Craig A. Knoblock Jos

Automatically Constructing Semantic Web Services from Online Sources Craig A. Knoblock Jos

Automatically Constructing Semantic Web Services from Online Sources Craig A. Knoblock Jos Luis Ambite, Sirish Darbha, Aman Goel, Kristina Lerman, Rahul Parundekar, and Tom Russ University Southern California Goal Automatically build

870 views • 38 slides
Preventing Slips, Trips and Falls Rob Shaw www.robshawassociates.com Who We Are Rob: Over

Preventing Slips, Trips and Falls Rob Shaw www.robshawassociates.com Who We Are Rob: Over

Preventing Slips, Trips and Falls Rob Shaw www.robshawassociates.com Who We Are Rob: Over 14 years with HSE investigating and preventing falls Technical Lead for the HSE Falls Prevention Team Has delivered training and consultancy

471 views • 36 slides
Cultivating a Healthy Workplace Powering You To Do The Work Understanding, recognizing,

Cultivating a Healthy Workplace Powering You To Do The Work Understanding, recognizing,

Cultivating a Healthy Workplace Powering You To Do The Work Understanding, recognizing, addressing, and preventing burnout in the workplace Power Up Your Pantry, University of Missouri New Chapter Coaching, LLC, Columbia, Missouri Housekeeping

953 views • 72 slides
REFUGE CONTAINER FIRE PREVENTION PREVENTING PROTECTING RESPONDING [etc] PREVENTING PROTECTING

REFUGE CONTAINER FIRE PREVENTION PREVENTING PROTECTING RESPONDING [etc] PREVENTING PROTECTING

REFUGE CONTAINER FIRE PREVENTION PREVENTING PROTECTING RESPONDING [etc] PREVENTING PROTECTING RESPONDING FIRE KILLS BIN FIRE RISKS DELIBERATE ACCIDENTAL PREVENTING PROTECTING RESPONDING BIN FIRE RISKS PREVENTING PROTECTING RESPONDING BIN

141 views • 10 slides
Ubiquitous and Mobile Computing CS 528: Automatically Characterizing Places with Opportunistic

Ubiquitous and Mobile Computing CS 528: Automatically Characterizing Places with Opportunistic

Ubiquitous and Mobile Computing CS 528: Automatically Characterizing Places with Opportunistic CrowdSensing using Smartphones Gauri Pulekar Computer Science Dept. Worcester Polytechnic Institute (WPI) Automatically Characterizing Places with

311 views • 30 slides
Preventing Needless Preventing Needless Work Disability Work Disability By Helping People By

Preventing Needless Preventing Needless Work Disability Work Disability By Helping People By

Preventing Needless Preventing Needless Work Disability Work Disability By Helping People By Helping People Stay Employed Stay Employed Jennifer Christian, MD, MPH Webility Corporation Plan for This Session Introduce ACOEMs newest

877 views • 29 slides
Presentation Background Jeremy Dwyer Coronial insights into understanding and Case Investigator

Presentation Background Jeremy Dwyer Coronial insights into understanding and Case Investigator

Presentation Background Jeremy Dwyer Coronial insights into understanding and Case Investigator preventing drug-related harms Coroners Prevention Unit Coroners Court of Victoria Insight Audrey Jamieson Coroner Pharmaceutical Society of

495 views • 11 slides
Visualization Techniques for Big Data Jonathon Storrick Jon.Storrick@gmail.com Center for

Visualization Techniques for Big Data Jonathon Storrick Jon.Storrick@gmail.com Center for

CASOS Visualization Techniques for Big Data Jonathon Storrick Jon.Storrick@gmail.com Center for Computational Analysis of Social and Organizational Systems http://www.casos.cs.cmu.edu/ A brief intro to Meta-Nodes A meta-node is what we

595 views • 11 slides
Dev Lab: Node + Express What is Node? Node.js = JavaScript + File I/O + A Package Manager or:

Dev Lab: Node + Express What is Node? Node.js = JavaScript + File I/O + A Package Manager or:

Dev Lab: Node + Express What is Node? Node.js = JavaScript + File I/O + A Package Manager or: Node.js = JavaScript - A Web Browser Whats it like? Single-threaded Asynchronous & non-blocking Great for real-time applications

493 views • 24 slides
Adversarial Attacks on Node Embeddings via Graph Poisoning Aleksandar Bojchevski, Stephan

Adversarial Attacks on Node Embeddings via Graph Poisoning Aleksandar Bojchevski, Stephan

Adversarial Attacks on Node Embeddings via Graph Poisoning Aleksandar Bojchevski, Stephan Gnnemann Technical University of Munich ICML 2019 Node embeddings are used to Classify scientific papers Recommend items Classify proteins

336 views • 21 slides
Using Node.js to improve the performance of Mobile apps and Mobile web Tom Hughes-Croucher @sh 1

Using Node.js to improve the performance of Mobile apps and Mobile web Tom Hughes-Croucher @sh 1

Using Node.js to improve the performance of Mobile apps and Mobile web Tom Hughes-Croucher @sh 1 mmer Scalable Server-Side Code with JavaScript Who is Tom? Wrote W3C Standards 10+ years in the web industry Node Worked on projects

705 views • 58 slides
REST APIs with NodeJS Winter Semester 2016/17 Tobias Seitz Ludwig-Maximilians-Universitt

REST APIs with NodeJS Winter Semester 2016/17 Tobias Seitz Ludwig-Maximilians-Universitt

Practical Course: Web Development REST APIs with NodeJS Winter Semester 2016/17 Tobias Seitz Ludwig-Maximilians-Universitt Mnchen Practical Course Web Development WS 16/17 - 04 - 1 Todays Agenda APIs What is it? REST

849 views • 39 slides
A Method for Evolving Networks by Introducing New Virtual Node/link Types using Node Plug-ins

A Method for Evolving Networks by Introducing New Virtual Node/link Types using Node Plug-ins

A Method for Evolving Networks by Introducing New Virtual Node/link Types using Node Plug-ins Yasusi Kanada Hitachi, Ltd., Japan Introduction Virtual networks (or slices) are suited for development of new services. Service providers

139 views • 13 slides
Dynamic Computational Geometry Roberto Tamassia Department of Computer Science Brown University

Dynamic Computational Geometry Roberto Tamassia Department of Computer Science Brown University

Dynamic Computational Geometry Roberto Tamassia Department of Computer Science Brown University 1991 Roberto Tamassia Dynamic Computational Geometry ALCOM Summer School, Aarhus, August 1991 1 Summary Range Searching (Range Tree)

751 views • 52 slides
Homework 4 Due Thursday Oct 7 CLRS 12-4 (number of binary trees) CLRS 13.3-6 (rb insert

Homework 4 Due Thursday Oct 7 CLRS 12-4 (number of binary trees) CLRS 13.3-6 (rb insert

Homework 4 Due Thursday Oct 7 CLRS 12-4 (number of binary trees) CLRS 13.3-6 (rb insert implementation) 1 Chapter 13: Red-Black Trees A red-black tree is a node-colored BST. Each node is colored either black or red. The following special

700 views • 33 slides

More recommend