Understanding and Automatically Preventing Injection Attacks on - - PowerPoint PPT Presentation



SLIDE 1

Understanding and Automatically Preventing Injection Attacks on Node.js

Michael Pradel, TU Darmstadt

Joint work with Cristian Staicu (TU Darmstadt) and Ben Livshits (Microsoft Research, Redmond)

SLIDE 2

Why JavaScript?

Relevant and challenging

[Figure: rank of top languages on GitHub over time (source: GitHub.com)]

SLIDE 3

Why JavaScript?

Relevant and challenging

[Figure: 1096 pages vs. 153 pages]

SLIDE 4

Motivation: JavaScript (In)Security

JavaScript: Popular beyond the browser

  • Client-side web app: runs in the browser (sandbox) on top of the operating system
  • Mobile app: runs in the Dalvik VM (sandbox) on top of the operating system
  • Server-side or desktop app: runs in Node.js (no sandbox!) on top of the operating system

SLIDE 8

Culture of Naive Reuse

Node.js code: Builds on 3rd-party code

  • Over 300,000 modules
  • No specified trust relationships between modules
  • Many indirect dependences

Risk of vulnerable and malicious code

SLIDE 10

Real Example: Growl Module

    var msg = /* receive from network */
    growl(msg);

Growl module:

  • Platform-specific command to show notifications
  • Pass message to command without any checks

SLIDE 12

Running Example

    var exec = require("child_process").exec; // import needed to run the example

    function backupFile(name, ext) {
      // Construct shell command
      var cmd = [];
      cmd.push("cp");
      cmd.push(name + "." + ext);
      cmd.push("~/.localBackup/");
      // Execute it
      exec(cmd.join(" "));
      // Construct JavaScript code and execute it
      var kind = (ext === "jpg") ? "pics" : "other";
      console.log(eval("messages.backup_" + kind));
    }

Injection APIs: Interpret string as code (here exec and eval)

Injection attack:

    backupFile("-h && rm -rf * && echo ", "")

SLIDE 17

Our Contributions

  • 1. Study of injection vulnerabilities

    First large-scale study of Node.js security: 236K modules, 816M lines of JavaScript

  • 2. Repair of vulnerabilities

    Static analysis and runtime enforcement; automatic and easy to deploy; small overhead and high accuracy

SLIDE 19

Study: Prevalence

Are injection vulnerabilities widespread?

[Figure: direct uses of injection APIs, and indirect uses via other modules]

Manual inspection of 150 call sites:

  • Attacker-controlled data may reach API: 58%
  • Defense mechanisms: none: 90%; regular expression: 9%

SLIDE 24

Study: Developer Reactions

Do developers fix vulnerabilities?

  • Reported 20 previously unknown vulnerabilities
  • After several months, only 3 fixed

Need mitigation technique that requires very little developer attention

SLIDE 27

Our Contributions

  • 1. Study of injection vulnerabilities

    First large-scale study of Node.js security: 236K modules, 816M lines of JavaScript

  • 2. Repair of vulnerabilities

    Static analysis and runtime enforcement; automatic and easy to deploy; small overhead and high accuracy

SLIDE 29

Preventing Injections

Overview of the approach:

  • Vulnerable code → static analysis → string templates
  • String templates → synthesize policy → code with runtime checks (call sites found statically safe need no checks)
  • Code with runtime checks + runtime inputs → dynamic enforcement → safe runtime behavior

SLIDE 30

Static Analysis: Template Trees

  • 1. Backward data flow analysis

    Overapproximate strings passed to injection API
    Represent possible values as a tree

    function backupFile(name, ext) {
      var cmd = [];
      cmd.push("cp");
      cmd.push(name + "." + ext);
      cmd.push("~/.localBackup/");
      exec(cmd.join(" "));
    }

Template tree for the string passed to exec, built backwards from the call site ($name and $ext stand for the unknown inputs):

    join
    ├── push
    │   ├── push
    │   │   ├── push
    │   │   │   ├── empty array
    │   │   │   └── "cp"
    │   │   └── +
    │   │       ├── $name
    │   │       ├── "."
    │   │       └── $ext
    │   └── "~/.localBackup/"
    └── " "

SLIDE 37

Static Analysis: Templates

  • 2. Evaluate template trees into templates

    Statically model operations (bottom-up)
    Unknown parts to be filled at runtime

Evaluating the template tree above yields the template:

    "cp $name.$ext ~/.localBackup/"
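The bottom-up evaluation sketched above, as an added example that is not the authors' implementation: a small evaluator over template trees for the running example. The node constructors (lit, hole, op), the part representation and the summarize function are my own choices; the metrics it reports (known characters, number of holes) are the ones the static-analysis evaluation slide uses.

```javascript
// Added example, not the paper's implementation. Tree nodes: string literals,
// unknown inputs (holes) and operations. Evaluation maps a string-typed node to a
// list of parts ({lit} or {hole}) and an array-typed node to a list of such lists.
const lit  = (value) => ({ kind: "lit", value });
const hole = (name)  => ({ kind: "hole", name });
const op   = (name, ...args) => ({ kind: "op", name, args });

function evaluate(node) {
  if (node.kind === "lit")  return [{ lit: node.value }];
  if (node.kind === "hole") return [{ hole: node.name }];
  const args = node.args.map(evaluate);          // bottom-up: children first
  switch (node.name) {
    case "emptyArray": return [];                // array with no elements
    case "push": return [...args[0], args[1]];   // append a string to an array
    case "+":    return args.flat();             // string concatenation
    case "join": {                               // join(array, separator)
      const out = [];
      args[0].forEach((elem, i) => { if (i > 0) out.push(...args[1]); out.push(...elem); });
      return out;
    }
    default: throw new Error("unmodelled operation: " + node.name);
  }
}

// Render a template as on the slides and compute the per-call-site metrics
// from the static-analysis evaluation: known characters and number of holes.
function summarize(parts) {
  const holes = parts.filter((p) => p.hole !== undefined).length;
  return {
    template: parts.map((p) => (p.lit !== undefined ? p.lit : "$" + p.hole)).join(""),
    knownChars: parts.reduce((n, p) => n + (p.lit !== undefined ? p.lit.length : 0), 0),
    holes,
    staticallySafe: holes === 0,                 // no hole: nothing left to check at runtime
  };
}

// Template tree for exec(cmd.join(" ")) in the running example, read backwards
// from the call site: [] -> push "cp" -> push name + "." + ext -> push dir -> join " ".
const backupTree = op("join",
  op("push",
    op("push",
      op("push", op("emptyArray"), lit("cp")),
      op("+", hole("name"), lit("."), hole("ext"))),
    lit("~/.localBackup/")),
  lit(" "));

console.log(summarize(evaluate(backupTree)));
// → { template: 'cp $name.$ext ~/.localBackup/', knownChars: 20, holes: 2, staticallySafe: false }
```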

SLIDE 39

Synthesizing a Policy

Create runtime policy from templates

  • Enforce structure via partial AST
  • For unknown parts, allow only benign AST nodes

Template: "cp $name.$ext ~/.localBackup/"

Policy (partial AST according to the Bash grammar; ??? marks the unknown part):

    Command
    ├── Literal: cp
    └── Arguments
        ├── Literal: ???
        └── Literal: ~/.localBackup/

SLIDE 41

Runtime Enforcement

Enforce policy on strings passed to injection APIs

Policy:

    Command
    ├── Literal: cp
    └── Arguments
        ├── Literal: ???
        └── Literal: ~/.localBackup/

Runtime string 1: "cp f.txt ~/.localBackup/"

    Command
    ├── Literal: cp
    └── Arguments
        ├── Literal: f.txt
        └── Literal: ~/.localBackup/

The AST has the structure required by the policy and the unknown part is a benign Literal: Accepted

Runtime string 2: "cp -h && rm -rf * && echo ~/.localBackup/"

    CompoundCmd
    ├── Command
    │   ├── Literal: cp
    │   └── ...
    ├── Command
    │   └── ...
    └── Command
        └── ...

The root is a CompoundCmd rather than the single Command required by the policy: Rejected
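The policy synthesis and enforcement shown on the last slides, as an added example that is not the authors' tool: it assumes a tiny shell grammar of my own (Command, CompoundCmd, Literal, Unsafe) instead of the full Bash grammar, and parseShell, synthesizePolicy, enforce and guardedExec are my names.

```javascript
// Added example, not the paper's tool: a deliberately small model of policy
// synthesis and runtime enforcement for strings passed to exec().
const CONTROL = /\s*(?:&&|\|\||;|\||\n)\s*/;   // control operators => CompoundCmd
const META = /[`$|&;<>()*?]/;                   // makes a word a non-literal node

// Mini shell parser: CompoundCmd for several commands, else a Command whose
// words are Literal nodes or Unsafe nodes (substitution, globbing, redirection).
function parseShell(str) {
  const pieces = str.trim().split(CONTROL);
  if (pieces.length > 1) return { type: "CompoundCmd", commands: pieces.map(parseShell) };
  const words = pieces[0].split(/\s+/)
    .map((w) => ({ type: META.test(w) ? "Unsafe" : "Literal", value: w }));
  return { type: "Command", words };
}

// Policy = partial AST from the template: known words must match exactly,
// each $hole accepts only a benign node (a single Literal).
function synthesizePolicy(template) {
  const words = template.trim().split(/\s+/)
    .map((w) => (/\$\w+/.test(w) ? { type: "Hole" } : { type: "Literal", value: w }));
  return { type: "Command", words };
}

function enforce(policy, runtimeStr) {
  const ast = parseShell(runtimeStr);
  if (ast.type !== policy.type || ast.words.length !== policy.words.length) return false;
  return policy.words.every((p, i) => {
    const w = ast.words[i];
    if (p.type === "Hole") return w.type === "Literal";     // unknown part: benign node only
    return w.type === "Literal" && w.value === p.value;      // known part: structural match
  });
}

// Wrapper installed at the call site instead of the raw injection API.
function guardedExec(policy, cmdStr, realExec) {
  if (!enforce(policy, cmdStr)) throw new Error("policy rejected: " + JSON.stringify(cmdStr));
  return realExec(cmdStr);
}

const backupPolicy = synthesizePolicy("cp $name.$ext ~/.localBackup/");
console.log(enforce(backupPolicy, "cp f.txt ~/.localBackup/"));                    // true (accepted)
console.log(enforce(backupPolicy, "cp -h && rm -rf * && echo ~/.localBackup/"));  // false (rejected)
```

The model does not handle quoting, so a quoted argument containing a space splits into two words and is rejected: the kind of overly conservative decision the evaluation counts as a false positive.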

SLIDE 46

Evaluation: Static Analysis

Setup: 51K call sites of injection APIs

Precision:

  • Statically safe: 36.7%
  • To be checked at runtime: 63.3%
  • Most call sites: at least 10 known characters, only 1 hole

Performance: 4.4 seconds per module

SLIDE 47

Evaluation: Runtime Enforcement

Setup: 24 modules, 56 benign and 65 malicious inputs

Results:

  • Zero false negatives (i.e., no missed injections)
  • Five false positives (i.e., overly conservative)
  • Overhead (avg.): 0.74 milliseconds per call

SLIDE 48

Conclusion

Understand injection vulnerabilities

  • First large-scale empirical study of Node.js (in)security

Detect and prevent injections

  • Static inference of expected string values
  • AST-based runtime policy

→ Automated repair of vulnerabilities

More details: Technical report on my web site