AFFOGATO: Runtime Detection of Injection Attacks for Node.js

Cited by: 12
Authors
Gauthier, Francois [1 ]
Hassanshahi, Behnaz [1 ]
Jordan, Alexander [1 ]
Affiliations
[1] Oracle Labs, Brisbane, Qld, Australia
Keywords
dynamic taint analysis; injection vulnerabilities; Node.js
DOI
10.1145/3236454.3236502
CLC classification number
TP31 [Computer Software];
Discipline classification code
081202 ; 0835 ;
Abstract
Node.js took JavaScript from the browser to server-side web applications, and injection vulnerabilities are now commonly reported in Node.js modules. However, existing taint analysis approaches for JavaScript require extensive manual modelling, and fail to analyse simple Node.js applications that contain hundreds of third-party modules. For this reason, we developed AFFOGATO, a robust and practical grey-box taint analysis tool that uses black-box reasoning to overcome the need for manual modelling while using white-box program analysis to reason about critical program operations. We evaluate AFFOGATO on a suite of Node.js modules and show how it can detect all publicly disclosed injection vulnerabilities with an acceptable overhead, outperforming existing state-of-the-art tools for Node.js.
Pages: 94 / 99
Page count: 6
Related papers
50 items in total
  • [1] SYNODE: Understanding and Automatically Preventing Injection Attacks on NODE.JS
    Staicu, Cristian-Alexandru
    Pradel, Michael
    Livshits, Benjamin
    [J]. 25TH ANNUAL NETWORK AND DISTRIBUTED SYSTEM SECURITY SYMPOSIUM (NDSS 2018), 2018,
  • [2] NodeMOP: Runtime Verification for Node.js Applications
    Schiavio, Filippo
    Sun, Haiyang
    Bonetta, Daniele
    Rosa, Andrea
    Binder, Walter
    [J]. SAC '19: PROCEEDINGS OF THE 34TH ACM/SIGAPP SYMPOSIUM ON APPLIED COMPUTING, 2019, : 1794 - 1801
  • [3] Energy and Runtime Performance Optimization of Node.js Web Requests
    Patrou, Maria
    Kent, Kenneth B.
    Siu, Joran
    Dawson, Michael
    [J]. 2021 IEEE INTERNATIONAL CONFERENCE ON CLOUD ENGINEERING, IC2E 2021, 2021, : 71 - 82
  • [4] Identification of Dependency-based Attacks on Node.js
    Pfretzschner, Brian
    ben Othmane, Lotfi
    [J]. PROCEEDINGS OF THE 12TH INTERNATIONAL CONFERENCE ON AVAILABILITY, RELIABILITY AND SECURITY (ARES 2017), 2017,
  • [5] Towards Runtime Monitoring of Node.js and Its Application to the Internet of Things
    Ancona, Davide
    Franceschini, Luca
    Delzanno, Giorgio
    Leotta, Maurizio
    Ribaudo, Marina
    Ricca, Filippo
    [J]. ELECTRONIC PROCEEDINGS IN THEORETICAL COMPUTER SCIENCE, 2018, (264): : 27 - 42
  • [6] NodeRacer: Event Race Detection for Node.js Applications
    Endo, Andre Takeshi
    Møller, Anders
    [J]. 2020 IEEE 13TH INTERNATIONAL CONFERENCE ON SOFTWARE TESTING, VALIDATION AND VERIFICATION (ICST 2020), 2020, : 120 - 130
  • [7] Assessing the Security of Node.js Platform
    Ojamaa, Andres
    Düüna, Karl
    [J]. 2012 INTERNATIONAL CONFERENCE FOR INTERNET TECHNOLOGY AND SECURED TRANSACTIONS, 2012, : 348 - 355
  • [8] Strand: scalable trilateration with Node.js
    Tserpes, Konstantinos
    Pateraki, Maria
    Varlamis, Iraklis
    [J]. JOURNAL OF CLOUD COMPUTING-ADVANCES SYSTEMS AND APPLICATIONS, 2019, 8 (01):
  • [9] Race Detection for Event-Driven Node.js Applications
    Chang, Xiaoning
    Dou, Wensheng
    Wei, Jun
    Huang, Tao
    Xie, Jinhui
    Deng, Yuetang
    Yang, Jianbo
    Yang, Jiaheng
    [J]. 2021 36TH IEEE/ACM INTERNATIONAL CONFERENCE ON AUTOMATED SOFTWARE ENGINEERING ASE 2021, 2021, : 480 - 491
  • [10] NodeXP: NOde.js server-side JavaScript injection vulnerability DEtection and eXPloitation
    Ntantogian, Christoforos
    Bountakas, Panagiotis
    Antonaropoulos, Dimitris
    Patsakis, Constantinos
    Xenakis, Christos
    [J]. JOURNAL OF INFORMATION SECURITY AND APPLICATIONS, 2021, 58