understanding and automatically preventing injection
play

Understanding and Automatically Preventing Injection Attacks on - PowerPoint PPT Presentation

Sep 27, 2022 •40 likes •520 views

Understanding and Automatically Preventing Injection Attacks on Node.js Michael Pradel TU Darmstadt Joint work with Cristian Staicu (TU Darmstadt) and Ben Livshits (Microsoft Research, Redmond) 1 Why JavaScript? Relevant and challenging

  1. Understanding and Automatically Preventing Injection Attacks on Node.js Michael Pradel TU Darmstadt Joint work with Cristian Staicu (TU Darmstadt) and Ben Livshits (Microsoft Research, Redmond) 1

  2. Why JavaScript? Relevant and challenging Rank of top languages on GitHub over time 2 (Source: GitHub.com)

  3. Why JavaScript? Relevant and challenging 1096 pages 153 pages 3

  4. Motivation: JavaScript (In)Security JavaScript: Popular beyond the browser Client-side web app Browser Operating system 4

  5. Motivation: JavaScript (In)Security JavaScript: Popular beyond the browser Client-side Server-side or Mobile web app desktop app app Browser Node.js Dalvik VM Operating Operating Operating system system system 4

  6. Motivation: JavaScript (In)Security JavaScript: Popular beyond the browser Sandbox Sandbox Client-side Server-side or Mobile web app desktop app app Browser Node.js Dalvik VM Operating Operating Operating system system system 4

  7. Motivation: JavaScript (In)Security JavaScript: Popular beyond the browser Sandbox No sandbox! Sandbox Client-side Server-side or Mobile web app desktop app app Browser Node.js Dalvik VM Operating Operating Operating system system system 4

  8. Culture of Naive Reuse Node.js code: Builds on 3rd-party code � Over 300.000 modules � No specified trust relationships between modules � Many indirect dependences 5

  9. Culture of Naive Reuse Node.js code: Builds on 3rd-party code � Over 300.000 modules � No specified trust relationships between modules � Many indirect dependences Risk of vulnerable and malicious code 5

  10. Real Example: Growl Module var msg = /* receive from network */ growl(msg); 6

  11. Real Example: Growl Module var msg = /* receive from network */ growl(msg); Growl module: � Platform-specific command to show notifications � Pass message to command without any checks 6

  12. Running Example function backupFile(name , ext) { var cmd = []; cmd.push("cp"); cmd.push(name + "." + ext); cmd.push("˜/. localBackup/"); exec(cmd.join(" ")); var kind = (ext === "jpg") ? "pics" : "other"; console.log(eval("messages.backup_" + kind )); } 7

  13. Running Example function backupFile(name , ext) { var cmd = []; Construct cmd.push("cp"); shell command cmd.push(name + "." + ext); cmd.push("˜/. localBackup/"); exec(cmd.join(" ")); Execute it var kind = (ext === "jpg") ? "pics" : "other"; console.log(eval("messages.backup_" + kind )); } 7

  14. Running Example function backupFile(name , ext) { var cmd = []; cmd.push("cp"); cmd.push(name + "." + ext); cmd.push("˜/. localBackup/"); exec(cmd.join(" ")); var kind = (ext === "jpg") ? "pics" : "other"; console.log(eval("messages.backup_" + kind )); } Construct JavaScript code and execute it 7

  15. Running Example function backupFile(name , ext) { var cmd = []; cmd.push("cp"); Injection APIs: cmd.push(name + "." + ext); Interpret string cmd.push("˜/. localBackup/"); as code exec(cmd.join(" ")); var kind = (ext === "jpg") ? "pics" : "other"; console.log(eval("messages.backup_" + kind )); } 7

  16. Running Example function backupFile(name , ext) { var cmd = []; cmd.push("cp"); cmd.push(name + "." + ext); cmd.push("˜/. localBackup/"); exec(cmd.join(" ")); var kind = (ext === "jpg") ? "pics" : "other"; console.log(eval("messages.backup_" + kind )); } Injection attack: backupFile("-h && rm -rf * && echo ", "") 7

  17. Our Contributions 1. Study of injection vulnerabilities � First large-scale study of Node.js security � 236K modules, 816M lines of JavaScript 2. Repair of vulnerabilities � Static analysis and runtime enforcement � Automatic and easy to deploy � Small overhead and high accuracy 8

  18. Our Contributions 1. Study of injection vulnerabilities � First large-scale study of Node.js security � 236K modules, 816M lines of JavaScript 2. Repair of vulnerabilities � Static analysis and runtime enforcement � Automatic and easy to deploy � Small overhead and high accuracy 8

  19. Study: Prevalence Are injection vulnerabilities widespread? 9

  20. Study: Prevalence Are injection vulnerabilities widespread? 9

  21. Study: Prevalence Are injection vulnerabilities widespread? Direct uses 9

  22. Study: Prevalence Are injection vulnerabilities widespread? Indirect uses via other modules 9

  23. Study: Prevalence Are injection vulnerabilities widespread? Manual inspection of 150 call sites � Attacker-controlled data may reach API: 58% � Defense mechanisms � None: 90% � Regular expression: 9% 9

  24. Study: Developer Reactions Do developers fix vulnerabilities? � Reported 20 previously unknown vulnerabilities � After several months, only 3 fixed 10

  25. Study: Developer Reactions Do developers fix vulnerabilities? � Reported 20 previously unknown vulnerabilities � After several months, only 3 fixed 10

  26. Study: Developer Reactions Do developers fix vulnerabilities? � Reported 20 previously unknown vulnerabilities � After several months, only 3 fixed Need mitigation technique that requires very little developer attention 10

  27. Our Contributions 1. Study of injection vulnerabilities � First large-scale study of Node.js security � 236K modules, 816M lines of JavaScript 2. Repair of vulnerabilities � Static analysis and runtime enforcement � Automatic and easy to deploy � Small overhead and high accuracy 11

  28. Our Contributions 1. Study of injection vulnerabilities � First large-scale study of Node.js security � 236K modules, 816M lines of JavaScript 2. Repair of vulnerabilities � Static analysis and runtime enforcement � Automatic and easy to deploy � Small overhead and high accuracy 11

  29. Preventing Injections Vulnerable code Static analysis String Statically templates safe code Synthesize policy Code with runtime checks Safe Runtime Dynamic enforcement runtime inputs behavior 12

  30. Static Analysis: Template Trees 1. Backward data flow analysis � Overapproximate strings passed to injection API � Represent possible values as a tree 13

  31. Static Analysis: Template Trees 1. Backward data flow analysis � Overapproximate strings passed to injection API � Represent possible values as a tree function backupFile(name , ext) { var cmd = []; cmd.push("cp"); cmd.push(name + "." + ext); cmd.push("˜/. localBackup/"); exec(cmd.join(" ")); } 13

  32. Static Analysis: Template Trees 1. Backward data flow analysis � Overapproximate strings passed to injection API � Represent possible values as a tree function backupFile(name , ext) { var cmd = []; join cmd.push("cp"); ” ” $cmd cmd.push(name + "." + ext); cmd.push("˜/. localBackup/"); exec(cmd.join(" ")); } 13

  33. Static Analysis: Template Trees 1. Backward data flow analysis � Overapproximate strings passed to injection API � Represent possible values as a tree function backupFile(name , ext) { var cmd = []; join cmd.push("cp"); push ” ” cmd.push(name + "." + ext); ”˜/.localBackup/” $cmd cmd.push("˜/. localBackup/"); exec(cmd.join(" ")); } 13

  34. Static Analysis: Template Trees 1. Backward data flow analysis � Overapproximate strings passed to injection API � Represent possible values as a tree function backupFile(name , ext) { var cmd = []; join cmd.push("cp"); push ” ” cmd.push(name + "." + ext); push ”˜/.localBackup/” cmd.push("˜/. localBackup/"); exec(cmd.join(" ")); + $cmd } ”.” $name $ext 13

  35. Static Analysis: Template Trees 1. Backward data flow analysis � Overapproximate strings passed to injection API � Represent possible values as a tree function backupFile(name , ext) { var cmd = []; join cmd.push("cp"); push ” ” cmd.push(name + "." + ext); push ”˜/.localBackup/” cmd.push("˜/. localBackup/"); exec(cmd.join(" ")); + push } ”cp” ”.” $cmd $name $ext 13

  36. Static Analysis: Template Trees 1. Backward data flow analysis � Overapproximate strings passed to injection API � Represent possible values as a tree function backupFile(name , ext) { var cmd = []; join cmd.push("cp"); push ” ” cmd.push(name + "." + ext); push ”˜/.localBackup/” cmd.push("˜/. localBackup/"); exec(cmd.join(" ")); + push } empty ”cp” ”.” $name $ext array 13

  37. Static Analysis: Templates 2. Evaluate template trees into templates � Statically model operations (bottom-up) � Unknown parts to be filled at runtime 14

Recommend

Synode: Understanding and Automatically Preventing Injection Attacks on Node.js Cristian-Alexandru

Synode: Understanding and Automatically Preventing Injection Attacks on Node.js Cristian-Alexandru

Synode: Understanding and Automatically Preventing Injection Attacks on Node.js Cristian-Alexandru Staicu 1 Michael Pradel 1 Ben Livshits 2 1 TU Darmstadt 2 Imperial College London, Brave Software February 20, 2018 This Talk Node.JS and

492 views • 47 slides
A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Overviewtrated Account Summary Account: Account: "SELECT

445 views • 32 slides
Preventing SQL Injection Attacks Using AMNESIA William G.J. Halfond and Alessandro Orso Georgia

Preventing SQL Injection Attacks Using AMNESIA William G.J. Halfond and Alessandro Orso Georgia

Preventing SQL Injection Attacks Using AMNESIA William G.J. Halfond and Alessandro Orso Georgia Institute of Technology This work was partially supported by DHS contract FA8750-05-2-0214 and NSF awards CCR-0205422 and CCR-0209322 to Georgia

239 views • 21 slides
5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring Term 2016 Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 1 Table of Contents Injection in PHP

995 views • 73 slides
Understanding Automatically- Generated Patches Through Symbolic Invariant Differences Padraic

Understanding Automatically- Generated Patches Through Symbolic Invariant Differences Padraic

Understanding Automatically- Generated Patches Through Symbolic Invariant Differences Padraic Cashin, Carianne Martinez, Westley Weimer, Stephanie Forrest The Problem Automated program repair may reduce software maintenance costs

86 views • 8 slides
A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks databases into reveal l information by way of the success or failure of injected querie ies Analogous example le: Login prompt that stops ps

602 views • 14 slides
Injection mismatch type of injection mismatch will lead to an emittance blow-up. Off axis

Injection mismatch type of injection mismatch will lead to an emittance blow-up. Off axis

Injection mismatch: As a rule, proton/ion accelerators need their full aperture at injection, thus avoiding mismatch allows a beam of larger normalized emittance * and containing more Protons. In proton/ion ring accelerators any Injection

454 views • 4 slides
A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application into executing commands or code embedded in data Data and code mixing! Often injected into interpreters SQL, PHP, Python, JavaScript, LDAP,

377 views • 14 slides
INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

TECHNOLOGY APPLICATIONS FOR HYDRO ISOLATION AND REPAIR OF UNDERGROUND FACILITIES INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible mass of mineral origin, for both dry and wet surfaces solvent-free,

487 views • 21 slides
INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

TECHNOLOGY APPLICATIONS FOR HYDRO ISOLATION AND REPAIR OF UNDERGROUND FACILITIES INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible mass of mineral origin, for both dry and wet surfaces solvent-free,

466 views • 29 slides
Automatically Documenting Program Changes Ray Buse Wes Weimer De ltaDoc 13 May 2011 diffs

Automatically Documenting Program Changes Ray Buse Wes Weimer De ltaDoc 13 May 2011 diffs

Automatically Documenting Program Changes Ray Buse Wes Weimer De ltaDoc 13 May 2011 diffs Commit Messages 13 th CREST Open Workshop Automated Software Engineering '10 So Much Change Automatically Documenting Program Changes 2 Understanding

589 views • 40 slides
An Interconnected Strategy Understanding, Correcting, and Preventing Bullying, Harassment and

An Interconnected Strategy Understanding, Correcting, and Preventing Bullying, Harassment and

An Interconnected Strategy Understanding, Correcting, and Preventing Bullying, Harassment and Other Forms of Violence Three Components of a Successful Anti-bullying, Harassment and Violence Strategy 1. Knowledge 2. Safe Reporting System 3.

804 views • 36 slides
Understanding and preventing common attacks Romain Wartel 7th March 2010, ISGC Security

Understanding and preventing common attacks Romain Wartel 7th March 2010, ISGC Security

WLCG Group Understanding and preventing common attacks Romain Wartel 7th March 2010, ISGC Security Workshop, Taiwan. 1 Overview Underground market The main motive behind most security attacks: money. 3 Exposure and motivation Grids

434 views • 25 slides
Preventing Security Bugs Through Software Design Christoph Kern, Google xtof@google.com The

Preventing Security Bugs Through Software Design Christoph Kern, Google xtof@google.com The

Preventing Security Bugs Through Software Design Christoph Kern, Google xtof@google.com The Same Bugs, Over and Over Again... SQL-injection, XSS, XSRF, etc -- OWASP Top 10 Root cause Inherently bug-prone APIs Developers are

313 views • 28 slides
Injection Safety Every Provider s Responsibility Outline Safe Injection

Injection Safety Every Provider s Responsibility Outline Safe Injection

Injection Safety Every Provider s Responsibility Outline Safe Injection Practices The ONE and ONLY Campaign Outbreak History Mistaken Beliefs A Call to Action Resources and Information

591 views • 20 slides
Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry

Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry

Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry Presented by: Ken Schweitz, President and Doug Culbertson, VP Business Development of Premold Corp Section I. Advantages of RIM Economical

441 views • 29 slides
C0 2 / Acid Gas Injection Well Injection Well Conversion Prepared for the 5 Th Well Bore

C0 2 / Acid Gas Injection Well Injection Well Conversion Prepared for the 5 Th Well Bore

C0 2 / Acid Gas Injection Well Injection Well Conversion Prepared for the 5 Th Well Bore Integrity Network Meeting. Calgary Alberta May 14, 2009 Agenda Wellbore integrity Well design with annular integrity Well design without

443 views • 22 slides
Underground Injection Control (UIC) Permitting, Testing and Monitoring Injection-Storage Permits

Underground Injection Control (UIC) Permitting, Testing and Monitoring Injection-Storage Permits

Underground Injection Control (UIC) Permitting, Testing and Monitoring Injection-Storage Permits Unit February, 2019 1 Railroad Commission of Texas | June 27, 2016 (Change Date In First Master Slide) Session Overview Overview: UIC Online

1.01k views • 79 slides
Stage Fractional- N Injection-Locked PLL Using Soft Injection Dongsheng Yang, Wei Deng, Tomohiro

Stage Fractional- N Injection-Locked PLL Using Soft Injection Dongsheng Yang, Wei Deng, Tomohiro

1S-1 An Automatic Place-and-Routed Two- Stage Fractional- N Injection-Locked PLL Using Soft Injection Dongsheng Yang, Wei Deng, Tomohiro Ueno, Teerachot Siriburanon, Satoshi Kondo, Kenichi Okada, and Akira Matsuzawa Tokyo Institute of

423 views • 10 slides
ROLE OF WOMEN IN COUNTERING/PREVENTING VIOLENT EXTREMISM Victims . Perpetrators . Disruptors

ROLE OF WOMEN IN COUNTERING/PREVENTING VIOLENT EXTREMISM Victims . Perpetrators . Disruptors

ROLE OF WOMEN IN COUNTERING/PREVENTING VIOLENT EXTREMISM Victims . Perpetrators . Disruptors WHAT IS THE PROBLEM? A narrow understanding of womens roles in CVE limits policy options and perpetuates strategic blind spots, such as failing to

473 views • 12 slides
NEVO sequential gas injection system New sequential gas injection system NEVO Answer for

NEVO sequential gas injection system New sequential gas injection system NEVO Answer for

NEVO sequential gas injection system New sequential gas injection system NEVO Answer for market expectations Modern cars Demanding users Workshop time saving KME trademark Major assumptions of NEVO system Simple Quick to

222 views • 21 slides
AVFI: Fault Injection for Autonomous Vehicles Fault Injection to Measure Resilience of AVs

AVFI: Fault Injection for Autonomous Vehicles Fault Injection to Measure Resilience of AVs

Saurabh Jha, Subho S. Banerjee , James Cyriac, Zbigniew T. Kalbarczyk and Ravishankar K. Iyer Computer Science, Electrical and Computer Engineering AVFI: Fault Injection for Autonomous Vehicles Fault Injection to Measure Resilience of AVs

215 views • 8 slides
www.adduxi.com HIGH QUALITY INJECTION ADDUXI IS A MANUFACTURER OF HIGH-PRECISION INDUSTRIAL

www.adduxi.com HIGH QUALITY INJECTION ADDUXI IS A MANUFACTURER OF HIGH-PRECISION INDUSTRIAL

HIGH QUALITY INJECTION www.adduxi.com HIGH QUALITY INJECTION ADDUXI IS A MANUFACTURER OF HIGH-PRECISION INDUSTRIAL PARTS. INJECTION MOLDING OF MISCELLANEOUS THERMOPLASTICS. HIGH QUALITY INJECTION MAIN OBJECTIVE: PERFORMANCE BASED ON

745 views • 33 slides
CS327E: Elements of Databases Cybersecurity and SQL Injection Dr. Bill Young Department of

CS327E: Elements of Databases Cybersecurity and SQL Injection Dr. Bill Young Department of

CS327E: Elements of Databases Cybersecurity and SQL Injection Dr. Bill Young Department of Computer Sciences University of Texas at Austin Last updated: October 31, 2016 at 12:21 CS327E SQL Injection Slideset: 1 SQL Injection What Id Like

440 views • 39 slides

More recommend