understanding and automatically preventing injection
play

Understanding and Automatically Preventing Injection Attacks on - PowerPoint PPT Presentation

Sep 27, 2022 •40 likes •520 views

Understanding and Automatically Preventing Injection Attacks on Node.js Michael Pradel TU Darmstadt Joint work with Cristian Staicu (TU Darmstadt) and Ben Livshits (Microsoft Research, Redmond) 1 Why JavaScript? Relevant and challenging

  1. Understanding and Automatically Preventing Injection Attacks on Node.js Michael Pradel TU Darmstadt Joint work with Cristian Staicu (TU Darmstadt) and Ben Livshits (Microsoft Research, Redmond) 1

  2. Why JavaScript? Relevant and challenging Rank of top languages on GitHub over time 2 (Source: GitHub.com)

  3. Why JavaScript? Relevant and challenging 1096 pages 153 pages 3

  4. Motivation: JavaScript (In)Security JavaScript: Popular beyond the browser Client-side web app Browser Operating system 4

  5. Motivation: JavaScript (In)Security JavaScript: Popular beyond the browser Client-side Server-side or Mobile web app desktop app app Browser Node.js Dalvik VM Operating Operating Operating system system system 4

  6. Motivation: JavaScript (In)Security JavaScript: Popular beyond the browser Sandbox Sandbox Client-side Server-side or Mobile web app desktop app app Browser Node.js Dalvik VM Operating Operating Operating system system system 4

  7. Motivation: JavaScript (In)Security JavaScript: Popular beyond the browser Sandbox No sandbox! Sandbox Client-side Server-side or Mobile web app desktop app app Browser Node.js Dalvik VM Operating Operating Operating system system system 4

  8. Culture of Naive Reuse Node.js code: Builds on 3rd-party code � Over 300.000 modules � No specified trust relationships between modules � Many indirect dependences 5

  9. Culture of Naive Reuse Node.js code: Builds on 3rd-party code � Over 300.000 modules � No specified trust relationships between modules � Many indirect dependences Risk of vulnerable and malicious code 5

  10. Real Example: Growl Module var msg = /* receive from network */ growl(msg); 6

  11. Real Example: Growl Module var msg = /* receive from network */ growl(msg); Growl module: � Platform-specific command to show notifications � Pass message to command without any checks 6

  12. Running Example function backupFile(name , ext) { var cmd = []; cmd.push("cp"); cmd.push(name + "." + ext); cmd.push("˜/. localBackup/"); exec(cmd.join(" ")); var kind = (ext === "jpg") ? "pics" : "other"; console.log(eval("messages.backup_" + kind )); } 7

  13. Running Example function backupFile(name , ext) { var cmd = []; Construct cmd.push("cp"); shell command cmd.push(name + "." + ext); cmd.push("˜/. localBackup/"); exec(cmd.join(" ")); Execute it var kind = (ext === "jpg") ? "pics" : "other"; console.log(eval("messages.backup_" + kind )); } 7

  14. Running Example function backupFile(name , ext) { var cmd = []; cmd.push("cp"); cmd.push(name + "." + ext); cmd.push("˜/. localBackup/"); exec(cmd.join(" ")); var kind = (ext === "jpg") ? "pics" : "other"; console.log(eval("messages.backup_" + kind )); } Construct JavaScript code and execute it 7

  15. Running Example function backupFile(name , ext) { var cmd = []; cmd.push("cp"); Injection APIs: cmd.push(name + "." + ext); Interpret string cmd.push("˜/. localBackup/"); as code exec(cmd.join(" ")); var kind = (ext === "jpg") ? "pics" : "other"; console.log(eval("messages.backup_" + kind )); } 7

  16. Running Example function backupFile(name , ext) { var cmd = []; cmd.push("cp"); cmd.push(name + "." + ext); cmd.push("˜/. localBackup/"); exec(cmd.join(" ")); var kind = (ext === "jpg") ? "pics" : "other"; console.log(eval("messages.backup_" + kind )); } Injection attack: backupFile("-h && rm -rf * && echo ", "") 7

  17. Our Contributions 1. Study of injection vulnerabilities � First large-scale study of Node.js security � 236K modules, 816M lines of JavaScript 2. Repair of vulnerabilities � Static analysis and runtime enforcement � Automatic and easy to deploy � Small overhead and high accuracy 8

  18. Our Contributions 1. Study of injection vulnerabilities � First large-scale study of Node.js security � 236K modules, 816M lines of JavaScript 2. Repair of vulnerabilities � Static analysis and runtime enforcement � Automatic and easy to deploy � Small overhead and high accuracy 8

  19. Study: Prevalence Are injection vulnerabilities widespread? 9

  20. Study: Prevalence Are injection vulnerabilities widespread? 9

  21. Study: Prevalence Are injection vulnerabilities widespread? Direct uses 9

  22. Study: Prevalence Are injection vulnerabilities widespread? Indirect uses via other modules 9

  23. Study: Prevalence Are injection vulnerabilities widespread? Manual inspection of 150 call sites � Attacker-controlled data may reach API: 58% � Defense mechanisms � None: 90% � Regular expression: 9% 9

  24. Study: Developer Reactions Do developers fix vulnerabilities? � Reported 20 previously unknown vulnerabilities � After several months, only 3 fixed 10

  25. Study: Developer Reactions Do developers fix vulnerabilities? � Reported 20 previously unknown vulnerabilities � After several months, only 3 fixed 10

  26. Study: Developer Reactions Do developers fix vulnerabilities? � Reported 20 previously unknown vulnerabilities � After several months, only 3 fixed Need mitigation technique that requires very little developer attention 10

  27. Our Contributions 1. Study of injection vulnerabilities � First large-scale study of Node.js security � 236K modules, 816M lines of JavaScript 2. Repair of vulnerabilities � Static analysis and runtime enforcement � Automatic and easy to deploy � Small overhead and high accuracy 11

  28. Our Contributions 1. Study of injection vulnerabilities � First large-scale study of Node.js security � 236K modules, 816M lines of JavaScript 2. Repair of vulnerabilities � Static analysis and runtime enforcement � Automatic and easy to deploy � Small overhead and high accuracy 11

  29. Preventing Injections Vulnerable code Static analysis String Statically templates safe code Synthesize policy Code with runtime checks Safe Runtime Dynamic enforcement runtime inputs behavior 12

  30. Static Analysis: Template Trees 1. Backward data flow analysis � Overapproximate strings passed to injection API � Represent possible values as a tree 13

  31. Static Analysis: Template Trees 1. Backward data flow analysis � Overapproximate strings passed to injection API � Represent possible values as a tree function backupFile(name , ext) { var cmd = []; cmd.push("cp"); cmd.push(name + "." + ext); cmd.push("˜/. localBackup/"); exec(cmd.join(" ")); } 13

  32. Static Analysis: Template Trees 1. Backward data flow analysis � Overapproximate strings passed to injection API � Represent possible values as a tree function backupFile(name , ext) { var cmd = []; join cmd.push("cp"); ” ” $cmd cmd.push(name + "." + ext); cmd.push("˜/. localBackup/"); exec(cmd.join(" ")); } 13

  33. Static Analysis: Template Trees 1. Backward data flow analysis � Overapproximate strings passed to injection API � Represent possible values as a tree function backupFile(name , ext) { var cmd = []; join cmd.push("cp"); push ” ” cmd.push(name + "." + ext); ”˜/.localBackup/” $cmd cmd.push("˜/. localBackup/"); exec(cmd.join(" ")); } 13

  34. Static Analysis: Template Trees 1. Backward data flow analysis � Overapproximate strings passed to injection API � Represent possible values as a tree function backupFile(name , ext) { var cmd = []; join cmd.push("cp"); push ” ” cmd.push(name + "." + ext); push ”˜/.localBackup/” cmd.push("˜/. localBackup/"); exec(cmd.join(" ")); + $cmd } ”.” $name $ext 13

  35. Static Analysis: Template Trees 1. Backward data flow analysis � Overapproximate strings passed to injection API � Represent possible values as a tree function backupFile(name , ext) { var cmd = []; join cmd.push("cp"); push ” ” cmd.push(name + "." + ext); push ”˜/.localBackup/” cmd.push("˜/. localBackup/"); exec(cmd.join(" ")); + push } ”cp” ”.” $cmd $name $ext 13

  36. Static Analysis: Template Trees 1. Backward data flow analysis � Overapproximate strings passed to injection API � Represent possible values as a tree function backupFile(name , ext) { var cmd = []; join cmd.push("cp"); push ” ” cmd.push(name + "." + ext); push ”˜/.localBackup/” cmd.push("˜/. localBackup/"); exec(cmd.join(" ")); + push } empty ”cp” ”.” $name $ext array 13

  37. Static Analysis: Templates 2. Evaluate template trees into templates � Statically model operations (bottom-up) � Unknown parts to be filled at runtime 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Synode: Understanding and Automatically Preventing Injection Attacks on Node.js Cristian-Alexandru

Synode: Understanding and Automatically Preventing Injection Attacks on Node.js Cristian-Alexandru

Synode: Understanding and Automatically Preventing Injection Attacks on Node.js Cristian-Alexandru Staicu 1 Michael Pradel 1 Ben Livshits 2 1 TU Darmstadt 2 Imperial College London, Brave Software February 20, 2018 This Talk Node.JS and

492 views • 47 slides
A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Overviewtrated Account Summary Account: Account: "SELECT

445 views • 32 slides
Preventing SQL Injection Attacks Using AMNESIA William G.J. Halfond and Alessandro Orso Georgia

Preventing SQL Injection Attacks Using AMNESIA William G.J. Halfond and Alessandro Orso Georgia

Preventing SQL Injection Attacks Using AMNESIA William G.J. Halfond and Alessandro Orso Georgia Institute of Technology This work was partially supported by DHS contract FA8750-05-2-0214 and NSF awards CCR-0205422 and CCR-0209322 to Georgia

239 views • 21 slides
5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring Term 2016 Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 1 Table of Contents Injection in PHP

995 views • 73 slides
Understanding Automatically- Generated Patches Through Symbolic Invariant Differences Padraic

Understanding Automatically- Generated Patches Through Symbolic Invariant Differences Padraic

Understanding Automatically- Generated Patches Through Symbolic Invariant Differences Padraic Cashin, Carianne Martinez, Westley Weimer, Stephanie Forrest The Problem Automated program repair may reduce software maintenance costs

86 views • 8 slides
A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks databases into reveal l information by way of the success or failure of injected querie ies Analogous example le: Login prompt that stops ps

602 views • 14 slides
Injection mismatch type of injection mismatch will lead to an emittance blow-up. Off axis

Injection mismatch type of injection mismatch will lead to an emittance blow-up. Off axis

Injection mismatch: As a rule, proton/ion accelerators need their full aperture at injection, thus avoiding mismatch allows a beam of larger normalized emittance * and containing more Protons. In proton/ion ring accelerators any Injection

454 views • 4 slides
A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application into executing commands or code embedded in data Data and code mixing! Often injected into interpreters SQL, PHP, Python, JavaScript, LDAP,

377 views • 14 slides
INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

TECHNOLOGY APPLICATIONS FOR HYDRO ISOLATION AND REPAIR OF UNDERGROUND FACILITIES INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible mass of mineral origin, for both dry and wet surfaces solvent-free,

487 views • 21 slides
INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

TECHNOLOGY APPLICATIONS FOR HYDRO ISOLATION AND REPAIR OF UNDERGROUND FACILITIES INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible mass of mineral origin, for both dry and wet surfaces solvent-free,

466 views • 29 slides
Automatically Documenting Program Changes Ray Buse Wes Weimer De ltaDoc 13 May 2011 diffs

Automatically Documenting Program Changes Ray Buse Wes Weimer De ltaDoc 13 May 2011 diffs

Automatically Documenting Program Changes Ray Buse Wes Weimer De ltaDoc 13 May 2011 diffs Commit Messages 13 th CREST Open Workshop Automated Software Engineering '10 So Much Change Automatically Documenting Program Changes 2 Understanding

589 views • 40 slides
An Interconnected Strategy Understanding, Correcting, and Preventing Bullying, Harassment and

An Interconnected Strategy Understanding, Correcting, and Preventing Bullying, Harassment and

An Interconnected Strategy Understanding, Correcting, and Preventing Bullying, Harassment and Other Forms of Violence Three Components of a Successful Anti-bullying, Harassment and Violence Strategy 1. Knowledge 2. Safe Reporting System 3.

804 views • 36 slides
Understanding and preventing common attacks Romain Wartel 7th March 2010, ISGC Security

Understanding and preventing common attacks Romain Wartel 7th March 2010, ISGC Security

WLCG Group Understanding and preventing common attacks Romain Wartel 7th March 2010, ISGC Security Workshop, Taiwan. 1 Overview Underground market The main motive behind most security attacks: money. 3 Exposure and motivation Grids

434 views • 25 slides
Preventing Security Bugs Through Software Design Christoph Kern, Google xtof@google.com The

Preventing Security Bugs Through Software Design Christoph Kern, Google xtof@google.com The

Preventing Security Bugs Through Software Design Christoph Kern, Google xtof@google.com The Same Bugs, Over and Over Again... SQL-injection, XSS, XSRF, etc -- OWASP Top 10 Root cause Inherently bug-prone APIs Developers are

313 views • 28 slides
Injection Safety Every Provider s Responsibility Outline Safe Injection

Injection Safety Every Provider s Responsibility Outline Safe Injection

Injection Safety Every Provider s Responsibility Outline Safe Injection Practices The ONE and ONLY Campaign Outbreak History Mistaken Beliefs A Call to Action Resources and Information

591 views • 20 slides
Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry

Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry

Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry Presented by: Ken Schweitz, President and Doug Culbertson, VP Business Development of Premold Corp Section I. Advantages of RIM Economical

441 views • 29 slides
The Impact of Attack Profile Classification on the Robustness of Collaborative Recommendation *

The Impact of Attack Profile Classification on the Robustness of Collaborative Recommendation *

Center for W eb I ntelligence Center for W eb I ntelligence School of CTI, DePaul University Chicago, Illinois, USA The Impact of Attack Profile Classification on the Robustness of Collaborative Recommendation * Chad Williams, Runa Bhaumik,

380 views • 24 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
COMMAND INJECTION IN IRULES LOADBALANCER SCRIPTS A story about how TCL interpretation works in

COMMAND INJECTION IN IRULES LOADBALANCER SCRIPTS A story about how TCL interpretation works in

COMMAND INJECTION IN IRULES LOADBALANCER SCRIPTS A story about how TCL interpretation works in F5 iRules and how it can be detected or exploited WHOAMI AND THANKS Big thanks to my fellow researchers Jesper Blomstrm Pasi Saarinen

679 views • 47 slides
FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu

FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu

FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu Hyung Lee*, Taesoo Kim * 1 Fuzzing Discovers Many Vulnerabilities 2 Fuzzing Discovers Many Vulnerabilities 3 Testers Find Bugs with Fuzzing

1.13k views • 65 slides
End-to-end Injection Safety at Scale Mike Samuel, Google Security Engineering March 2019 2019 |

End-to-end Injection Safety at Scale Mike Samuel, Google Security Engineering March 2019 2019 |

End-to-end Injection Safety at Scale Mike Samuel, Google Security Engineering March 2019 2019 | About me Security engineer @ Google Hacks libraries, tools, languages TC39 member ( JavaScript language committee ) Editor of "A Roadmap

407 views • 29 slides
Encrypted Search: Leakage Attacks Seny Kamara How do we Deal with Leakage? Our definitions

Encrypted Search: Leakage Attacks Seny Kamara How do we Deal with Leakage? Our definitions

SAC Summer School 2019 Encrypted Search: Leakage Attacks Seny Kamara How do we Deal with Leakage? Our definitions allow us to prove that our schemes achieve a certain leakage profile but doesnt tell us if a leakage profile is

477 views • 22 slides
Physics of Injection-induced Earthquakes Unveiled by Seismic Wave Analysis and Numerical Models

Physics of Injection-induced Earthquakes Unveiled by Seismic Wave Analysis and Numerical Models

Physics of Injection-induced Earthquakes Unveiled by Seismic Wave Analysis and Numerical Models Yihe Huang University of Michigan Injection-induced earthquakes : Earthquakes induced by fluid injection related to energy technologies including

756 views • 32 slides
BP Midstream Partners 4Q and full year 2018 Results February 28, 2019 BP MAD DOG 1 BP

BP Midstream Partners 4Q and full year 2018 Results February 28, 2019 BP MAD DOG 1 BP

BP MIDSTREAM PARTNERS BP Midstream Partners 4Q and full year 2018 Results February 28, 2019 BP MAD DOG 1 BP MIDSTREAM PARTNERS 4Q & FULL YEAR 2018 RESULTS Offshore deepwater Gulf of Mexico Cautionary statement BP MIDSTREAM PARTNERS

456 views • 27 slides

More recommend