Understanding and Automatically Preventing Injection Attacks on Node.js (slide transcript)
Source: materials.dagstuhl.de/files/17/17022/17022.MichaelPradel1.Slides.pdf

[Slide 1] Title
Michael Pradel, TU Darmstadt
Understanding and Automatically Preventing Injection Attacks on Node.js
Joint work with Cristian Staicu (TU Darmstadt) and Ben Livshits (Microsoft Research, Redmond)
[Slide 2] Why JavaScript?
Relevant and challenging
(Figure: rank of top languages on GitHub over time; source: GitHub.com)
[Slide 3] Why JavaScript?
Relevant and challenging
(Figure: 1096 pages vs. 153 pages)
[Slide 4] Motivation: JavaScript (In)Security
JavaScript: Popular beyond the browser
(Diagram: three software stacks, each sitting on top of the operating system)
- Client-side web app: runs in the Browser (sandbox)
- Server-side or desktop app: runs on Node.js (no sandbox!)
- Mobile app: runs in the Dalvik VM (sandbox)
[Slide 5] Culture of Naive Reuse
Node.js code: Builds on 3rd-party code
- Over 300,000 modules
- No specified trust relationships between modules
- Many indirect dependencies
Risk of vulnerable and malicious code
[Slide 6] Real Example: Growl Module

    // untrustedInput stands in for data received from the network
    var msg = /* receive from network */ untrustedInput;
    growl(msg);

Growl module:
- Platform-specific command to show notifications
- Pass message to command without any checks
[Slide 7] Running Example

    var exec = require("child_process").exec;   // injection API: runs a shell command string
    // messages: a message table assumed to exist in the surrounding program

    function backupFile(name, ext) {
      var cmd = [];
      cmd.push("cp");                             // construct shell command ...
      cmd.push(name + "." + ext);
      cmd.push("~/.localBackup/");
      exec(cmd.join(" "));                        // ... and execute it
      var kind = (ext === "jpg") ? "pics" : "other";
      console.log(eval("messages.backup_" + kind)); // construct JavaScript code and execute it
    }

Injection APIs (exec, eval): interpret a string as code
Injection attack: backupFile("-h && rm -rf * && echo ", "")
[Slide 8] Our Contributions
1. Study of injection vulnerabilities
   - First large-scale study of Node.js security
   - 236K modules, 816M lines of JavaScript
2. Repair of vulnerabilities
   - Static analysis and runtime enforcement
   - Automatic and easy to deploy
   - Small overhead and high accuracy
[Slide 9] Study: Prevalence
Are injection vulnerabilities widespread?
(Charts: direct uses of injection APIs; indirect uses via other modules)
Manual inspection of 150 call sites
- Attacker-controlled data may reach API: 58%
- Defense mechanisms
  - None: 90%
  - Regular expression: 9%
10
Study: Developer Reactions
Do developers fix vulnerabilities?
� Reported 20 previously unknownvulnerabilities
� After several months, only 3 fixed
![Page 25: Injection Attacks on Node.js Automatically Preventing ...materials.dagstuhl.de/files/17/17022/17022.MichaelPradel1.Slides.pdf · 1 Michael Pradel TU Darmstadt Understanding and Automatically](https://reader034.vdocuments.site/reader034/viewer/2022050521/5fa4a1c4679c9178032d4451/html5/thumbnails/25.jpg)
10
Study: Developer Reactions
Do developers fix vulnerabilities?
� Reported 20 previously unknownvulnerabilities
� After several months, only 3 fixed
![Page 26: Injection Attacks on Node.js Automatically Preventing ...materials.dagstuhl.de/files/17/17022/17022.MichaelPradel1.Slides.pdf · 1 Michael Pradel TU Darmstadt Understanding and Automatically](https://reader034.vdocuments.site/reader034/viewer/2022050521/5fa4a1c4679c9178032d4451/html5/thumbnails/26.jpg)
10
Study: Developer Reactions
Do developers fix vulnerabilities?
� Reported 20 previously unknownvulnerabilities
� After several months, only 3 fixed
Need mitigation technique thatrequires very little developer attention
[Slide 11] Our Contributions (repeated as transition to part 2)
1. Study of injection vulnerabilities
   - First large-scale study of Node.js security
   - 236K modules, 816M lines of JavaScript
2. Repair of vulnerabilities
   - Static analysis and runtime enforcement
   - Automatic and easy to deploy
   - Small overhead and high accuracy
[Slide 12] Preventing Injections
(Pipeline diagram)
Vulnerable code --[Static analysis]--> Statically safe code, or String templates
String templates --[Synthesize policy]--> Code with runtime checks
Code with runtime checks + Runtime inputs --[Dynamic enforcement]--> Safe runtime behavior
[Slide 13] Static Analysis: Template Trees
1. Backward data flow analysis
   - Overapproximate strings passed to injection API
   - Represent possible values as a tree

    function backupFile(name, ext) {
      var cmd = [];
      cmd.push("cp");
      cmd.push(name + "." + ext);
      cmd.push("~/.localBackup/");
      exec(cmd.join(" "));
    }

Template tree for $cmd at the exec call site, built backwards from the call site (operations are inner nodes; literals and the unknown inputs $name and $ext are leaves):

    join
    ├── push
    │   ├── push
    │   │   ├── push
    │   │   │   ├── empty array
    │   │   │   └── "cp"
    │   │   └── +
    │   │       ├── $name
    │   │       ├── "."
    │   │       └── $ext
    │   └── "~/.localBackup/"
    └── " "
[Slide 14] Static Analysis: Templates
2. Evaluate template trees into templates
   - Statically model operations (bottom-up)
   - Unknown parts to be filled at runtime

Evaluating the template tree bottom-up (empty array, push "cp", push $name + "." + $ext, push "~/.localBackup/", join with " ") yields the template:

    "cp $name.$ext ~/.localBackup/"
[Slide 15] Synthesizing a Policy
Create runtime policy from templates
- Enforce structure via partial AST
- For unknown parts, allow only benign AST nodes

Template "cp $name.$ext ~/.localBackup/" parsed with the Bash grammar into a partial AST:

    Command
    ├── Literal: cp
    └── Arguments
        ├── Literal: ???  (unknown part, filled at runtime)
        └── Literal: ~/.localBackup/
[Slide 16] Runtime Enforcement
Enforce policy on strings passed to injection APIs

Policy:

    Command
    ├── Literal: cp
    └── Arguments
        ├── Literal: ???
        └── Literal: ~/.localBackup/

Runtime string "cp f.txt ~/.localBackup/" parses to:

    Command
    ├── Literal: cp
    └── Arguments
        ├── Literal: f.txt
        └── Literal: ~/.localBackup/

Same structure as the policy, unknown part filled by a Literal: Accepted

Runtime string "cp -h && rm -rf * && echo ~/.localBackup/" parses to:

    CompoundCmd
    ├── Command ...
    ├── Command ...
    └── Command ...

Structure differs from the policy (compound command instead of a single command): Rejected
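The three slides above (template trees, templates, policy synthesis and runtime enforcement) describe one pipeline. As an added worked example, not SYNODE's own code and not from the slides, the following toy implementation carries the backupFile running example through all of it: it evaluates the template tree bottom-up into a template with holes, parses the template with a tiny shell grammar into a partial AST that serves as the policy, and then accepts or rejects concrete runtime strings by structural comparison. The tree node kinds, the minimal grammar (commands joined by `&&`, `||`, `|`, `;`, `&`) and the rule that a hole may only be filled by a plain literal word are simplifications chosen for this example.

```javascript
// Added example, not SYNODE's code: a toy template -> policy -> enforcement
// pipeline for the backupFile running example from the slides.
const HOLE_MARK = "\uE000"; // private-use char that stands in for a hole while parsing a template

// Step 2: evaluate a template tree bottom-up. String values become a list of parts
// (literal strings and {hole} objects); array values become {elems: [...]}.
function evalTree(node) {
  switch (node.kind) {
    case "lit":        return [node.value];
    case "hole":       return [{ hole: node.name }];
    case "emptyArray": return { elems: [] };
    case "concat":     return mergeLiterals(node.args.flatMap((a) => evalTree(a)));
    case "push":       return { elems: [...evalTree(node.array).elems, evalTree(node.value)] };
    case "join": {
      const sep = evalTree(node.sep);
      return mergeLiterals(evalTree(node.array).elems.flatMap((t, i) => (i ? [...sep, ...t] : t)));
    }
    default: throw new Error("unknown node kind " + node.kind);
  }
}
function mergeLiterals(parts) { // "cp" followed by " " becomes the single literal "cp "
  return parts.reduce((out, p) => {
    const last = out[out.length - 1];
    if (typeof p === "string" && typeof last === "string") out[out.length - 1] = last + p;
    else out.push(p);
    return out;
  }, []);
}
function templateToString(parts) {
  return parts.map((p) => (typeof p === "string" ? p : "$" + p.hole)).join("");
}

// Tiny shell grammar: Script := Command (Op Command)*; Command := Word+.
// A Word is a Literal, or Unsafe when it carries glob/expansion/quote/redirection characters.
const OPS = ["&&", "||", "|", ";", "&"];
function tokenize(s) {
  const tokens = [];
  for (let i = 0; i < s.length; ) {
    if (/\s/.test(s[i])) { i++; continue; }
    const op = OPS.find((o) => s.startsWith(o, i));
    if (op) { tokens.push({ type: "op", value: op }); i += op.length; continue; }
    let j = i;
    while (j < s.length && !/\s/.test(s[j]) && !OPS.some((o) => s.startsWith(o, j))) j++;
    tokens.push({ type: "word", value: s.slice(i, j) });
    i = j;
  }
  return tokens;
}
function wordNode(w) {
  if (w.includes(HOLE_MARK)) return { type: "Hole" };
  if (/[*?$`()<>"'\\{}\[\]!]/.test(w)) return { type: "Unsafe", value: w };
  return { type: "Literal", value: w };
}
function parseShell(s) {
  const commands = [[]], ops = [];
  for (const t of tokenize(s)) {
    if (t.type === "op") { ops.push(t.value); commands.push([]); }
    else commands[commands.length - 1].push(wordNode(t.value));
  }
  const cmds = commands.map((words) => ({ type: "Command", words }));
  return cmds.length === 1 ? cmds[0] : { type: "CompoundCmd", commands: cmds, ops };
}

// Step 3: the policy is the template's partial AST; the unknown parts become Hole nodes.
function synthesizePolicy(template) {
  return parseShell(template.map((p) => (typeof p === "string" ? p : HOLE_MARK)).join(""));
}

// Step 4: the runtime string must parse to the same structure; a Hole may only be filled
// by a Literal word. A Hole in the runtime AST can only come from input and is rejected.
function matches(p, r) {
  if (p.type === "Hole") return r.type === "Literal";
  if (p.type !== r.type) return false;
  switch (p.type) {
    case "Literal": case "Unsafe": return p.value === r.value;
    case "Command": return p.words.length === r.words.length && p.words.every((w, i) => matches(w, r.words[i]));
    case "CompoundCmd": return p.ops.join() === r.ops.join() &&
      p.commands.length === r.commands.length && p.commands.every((c, i) => matches(c, r.commands[i]));
    default: return false;
  }
}
function enforce(policy, runtimeString) { return matches(policy, parseShell(runtimeString)); }

// Template tree for $cmd in backupFile, as drawn on the slide:
// join(push(push(push([], "cp"), $name + "." + $ext), "~/.localBackup/"), " ")
const lit = (value) => ({ kind: "lit", value });
const hole = (name) => ({ kind: "hole", name });
const push = (array, value) => ({ kind: "push", array, value });
const backupFileTree = {
  kind: "join", sep: lit(" "),
  array: push(push(push({ kind: "emptyArray" }, lit("cp")),
                   { kind: "concat", args: [hole("name"), lit("."), hole("ext")] }),
              lit("~/.localBackup/")),
};

const backupTemplate = evalTree(backupFileTree);
const backupPolicy = synthesizePolicy(backupTemplate);
console.log(templateToString(backupTemplate));                                     // cp $name.$ext ~/.localBackup/
console.log(enforce(backupPolicy, "cp f.txt ~/.localBackup/"));                     // true (accepted)
console.log(enforce(backupPolicy, "cp -h && rm -rf * && echo ~/.localBackup/"));   // false (CompoundCmd, rejected)
```

The rejection of the injected string needs no knowledge of what `rm` does: the policy fixes the shape of the command (one `Command` with a `cp` literal, one unknown argument and one fixed path), and the runtime string simply parses to a different shape. The same check also rejects a glob in the unknown argument (`cp a*.txt ~/.localBackup/`), because a hole may only be filled by a `Literal` node, which is the slide's "allow only benign AST nodes" rule in miniature.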
[Slide 17] Evaluation: Static Analysis
Setup: 51K call sites of injection APIs
Results (chart):
- Statically safe: 36.7%
- To be checked at runtime: 63.3%
Precision: most call sites have at least 10 known characters and only 1 hole
Performance: 4.4 seconds per module
[Slide 18] Evaluation: Runtime Enforcement
Setup:
- 24 modules
- 56 benign and 65 malicious inputs
Results:
- Zero false negatives (i.e., no missed injections)
- Five false positives (i.e., overly conservative)
- Overhead (avg.): 0.74 milliseconds per call
[Slide 19] Conclusion
Understand injection vulnerabilities
- First large-scale empirical study of Node.js (in)security
Detect and prevent injections
- Static inference of expected string values
- AST-based runtime policy
→ Automated repair of vulnerabilities
More details: Technical report on my web site