AFFOGATO: Runtime Detection of Injection Attacks for Node.js

Cited by: 12
Authors
Gauthier, Francois [1]
Hassanshahi, Behnaz [1]
Jordan, Alexander [1]
Affiliation
[1] Oracle Labs, Brisbane, Qld, Australia
Keywords
dynamic taint analysis; injection vulnerabilities; Node.js
DOI
10.1145/3236454.3236502
CLC classification
TP31 [Computer software];
Subject classification
081202 ; 0835 ;
Abstract
Node.js took JavaScript from the browser to server-side web applications, and injection vulnerabilities are now commonly reported in Node.js modules. However, existing taint analysis approaches for JavaScript require extensive manual modelling, and fail to analyse simple Node.js applications that contain hundreds of third-party modules. For this reason, we developed AFFOGATO, a robust and practical grey-box taint analysis tool that uses black-box reasoning to overcome the need for manual modelling while using white-box program analysis to reason about critical program operations. We evaluate AFFOGATO on a suite of Node.js modules and show how it can detect all publicly disclosed injection vulnerabilities with an acceptable overhead, outperforming existing state-of-the-art tools for Node.js.
Pages: 94 - 99
Page count: 6