
Synode: Understanding and Automatically Preventing Injection Attacks - PowerPoint PPT Presentation



  1. Synode: Understanding and Automatically Preventing Injection Attacks on Node.js. Cristian-Alexandru Staicu (1), Michael Pradel (1), Ben Livshits (2). (1) TU Darmstadt; (2) Imperial College London, Brave Software. February 20, 2018

  2. This Talk (outline): Node.JS and Injections; Empirical Study; Synode; Evaluation


  4–7. Node.js 101: a JS application runs on the JS engine and reaches the OS (e.g. fs, exec) through the Node.JS bindings; around the runtime sit the Node Package Manager (npm) and the Node Security Project.

  8. Typical Node.JS Application: the application is assembled from many npm modules (templates engine, strings utility, headers parser, DB access, ...), and one of them is vulnerable.

  9–10. Running Example

      function backupFile(name, ext) {
        var cmd = [];
        cmd.push("cp");
        cmd.push(name + "." + ext);        // caller-controlled data joins the command string
        cmd.push("~/.localBackup/");
        exec(cmd.join(" "));               // the whole string is handed to the shell
      }

  Malicious payload: backupFile("-h && rm -rf * && echo ", "")

  11. This Talk (outline): Node.JS and Injections; Empirical Study; Synode; Evaluation. Next: Empirical Study

  12. npm Codebase (February 2016): 236,337 packages; 2.471 average number of package dependences; 816,840,082 lines of JavaScript code; > 40,000 C files; 7,685 packages containing exec; 9,110 packages containing eval.

  13. Dependences on Injection APIs. [Bar chart: percentage of npm modules (0–20%) by category of dependence on eval and exec; the category labels are garbled.]

  14–15. Data Passed to Injection APIs: manual inspection of 150 call sites. [Bar charts: for eval (0–30%) the categories are code loading, JSON, higher-order function and property read; for exec (0–60%) they are simple OS command, piped commands and local script.] 58% of the call sites contain user-controlled data, out of which 90% perform no check on this data and 9% use regular expressions.

  16. Submitted Bug Reports (affected module / confirmed / time until fixed; "–" indicates a lack of response, "*" an incomplete fix):
      mixin-pro            yes   1 day
      modulify             yes   155 days*
      proto                yes   73 days
      mongoosify           yes   –
      summit               yes   –
      mobile-icon-resizer  yes   2 days
      mongo-edit           yes   –
      growl                yes   –
      Remaining modules on the slide, mostly without response (– / –) and one of them marked "no": microservicebus.node, m-log, mongo-parse, mock2easy, mongui, m2m-supervisor, nd-validator (180 days), nameless-cli, node-mypeople, after, mongoosemask, reporting, kmc, mod

  17. Lessons Learned: multiple dependences (on average each module has 2.5 direct dependences); no sanitization (only 9% use sanitization, often broken); unresponsive developers (within six months only 25% of the issues were fixed).

  18. This Talk (outline): Node.JS and Injections; Empirical Study; Synode; Evaluation. Next: Synode

  19. Safe Use of Modules with Synode: the same application as before (templates engine, strings utility, headers parser, DB access, ..., one vulnerable module), now with its modules used safely through Synode.

  20–23. Overview of Synode: an npm module goes through static analysis; programs found statically safe have safe behavior directly. For the rest, templates feed program rewriting, which produces a list of safe nodes; at runtime, dynamic policy enforcement checks the runtime inputs against that list, again yielding safe behavior.

  24–28. Static Phase, step 1: intra-procedural backward data flow analysis. It over-approximates the strings passed to injection APIs; unknown parts become holes ("$hole") to be filled at runtime. Walking backward from the exec call in the running example, the template grows as follows:

      function backupFile(name, ext) {
        var cmd = [];
        cmd.push("cp");                  // "cp $name.$ext ~/.localBackup/"
        cmd.push(name + "." + ext);      // "$name.$ext ~/.localBackup/"
        cmd.push("~/.localBackup/");     // "~/.localBackup/"
        exec(cmd.join(" "));             // inferred template: "cp $name.$ext ~/.localBackup/"
      }

  29–30. Static Phase, step 2: synthesize a runtime policy using templates. Enforce the structure via a partial AST; for the unknown parts allow only safe nodes. Policy for "cp $name.$ext ~/.localBackup":
      command
        command: literal "cp"
        args: list
          value: literal ??  (hole)
          value: literal "~/.localBackup"

  31–33. Runtime Phase: enforce the policy on strings passed to injection APIs. The runtime string "cp file.txt ~/.localBackup" parses to
      command
        command: literal "cp"
        args: list
          value: literal "file.txt"
          value: literal "~/.localBackup"
  which matches the policy node by node, the literal "file.txt" filling the ?? hole.

  34–35. Runtime Phase: the runtime string "cp x || rm * -rf ~/.localBackup" parses to
      command
        command: literal "cp"
        args: list
          value: literal "x"
        next: control "||"
          command
            command: literal "rm"
            args: list
              value: glob "*"
              value: literal "-rf"
              value: literal "~/.localBackup"
  The control node "||" and the glob node "*" are not safe nodes and the tree does not have the policy's structure, so the string does not match the policy.
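The runtime check sketched in slides 29–35, as an added example that is not part of the talk or of the Synode implementation: it compiles the template inferred for backupFile() into a policy and rejects any concrete exec() string whose structure deviates from it. The tokenizer and the three node kinds (control, glob, literal) are simplifying assumptions that stand in for Synode's full shell AST.

```javascript
// Added example, not Synode's own code: a simplified version of Synode's
// runtime check for exec(). The template is the one the static phase infers
// for backupFile(); the tokenizer and node kinds are an assumption that
// approximates Synode's shell AST (control / glob / literal nodes).
const CONTROL = new Set(["||", "&&", ";", "|", "&", ">", "<", "`", "$("]);

// Split a shell command string into nodes.
function tokenize(cmd) {
  const parts = cmd.match(/\|\||&&|[;|&<>`]|\$\(|[^\s;|&<>`]+/g) || [];
  return parts.map((t) => ({
    kind: CONTROL.has(t) ? "control" : /[*?\[]/.test(t) ? "glob" : "literal",
    text: t,
  }));
}

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Compile a template with $holes into a policy: fixed nodes must match
// exactly; each hole accepts one literal value that carries no shell syntax.
function compilePolicy(template) {
  return tokenize(template).map((node) => {
    if (!/\$\w+/.test(node.text)) return { ...node, hole: false };
    const parts = node.text.split(/\$\w+/).map(escapeRe);
    return { hole: true, re: new RegExp("^" + parts.join("[^\\s;|&<>`*?[$]*") + "$") };
  });
}

// Enforce the policy on the concrete string that reaches exec().
function checkCommand(policy, cmd) {
  const nodes = tokenize(cmd);
  if (nodes.length !== policy.length) {
    return { ok: false, reason: "command structure differs from template" };
  }
  for (let i = 0; i < policy.length; i++) {
    const p = policy[i], n = nodes[i];
    const bad = p.hole
      ? n.kind !== "literal" || !p.re.test(n.text)   // only a plain literal may fill a hole
      : n.kind !== p.kind || n.text !== p.text;      // fixed nodes must match exactly
    if (bad) return { ok: false, reason: `node ${i} (${n.text}) violates the policy` };
  }
  return { ok: true };
}

// Policy for the running example, checked against the two strings from the slides.
const backupPolicy = compilePolicy("cp $name.$ext ~/.localBackup/");
console.log(checkCommand(backupPolicy, "cp file.txt ~/.localBackup/"));       // ok: true
console.log(checkCommand(backupPolicy, "cp x || rm * -rf ~/.localBackup"));  // ok: false
```

Because the tokenizer ignores shell quoting, a benign argument containing a space is also rejected, which is the kind of false positive behind the five benign inputs stopped in the evaluation.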

  36. This Talk (outline): Node.JS and Injections; Empirical Study; Synode; Evaluation. Next: Evaluation

  37. Evaluation: Static Phase. Setup: 51K call sites of injection APIs. Precision: 36.7% of the call sites statically safe, 63.3% to be checked at runtime. Context: most call sites have at least 10 constant characters per template and 1 unknown per template. Performance: 4.4 seconds per module.

  38. Evaluation: Runtime Phase. Setup: 24 modules, 56 benign and 65 malicious inputs. Results: zero malicious inputs that we do not stop; five benign inputs that we incorrectly stop; overhead 0.74 milliseconds per call.

  39–41. Conclusions. Study of injection vulnerabilities: first large-scale study of Node.js security; exec and eval are prevalent in the npm ecosystem; developers are slow to react. Prevention of injections: automatic and easy to deploy; small overhead and high accuracy. https://github.com/sola-da/Synode
