CISPA

Preventing Dynamic Library Compromise on Node.js via RWX-Based Privilege Reduction

conference contribution
posted on 2023-11-29, 18:17 authored by Nikos Vasilakis, Cristian-Alexandru Staicu, Grigoris Ntousakis, Konstantinos Kallas, Ben Karel, André DeHon, Michael Pradel
Third-party libraries ease the development of large-scale software systems. However, libraries often execute with significantly more privilege than needed to complete their task. Such additional privilege is sometimes exploited at runtime via inputs passed to a library, even when the library itself is not actively malicious. We present Mir, a system addressing dynamic compromise by introducing a fine-grained read-write-execute (RWX) permission model at the boundaries of libraries: every field of every free variable name in the context of an imported library is governed by a permission set. To help specify the permissions given to existing code, Mir’s automated inference generates default permissions by analyzing how libraries are used by their clients. Applied to over 1,000 JavaScript libraries for Node.js, Mir shows practical security (61/63 attacks mitigated), performance (2.1s for static analysis and +1.93% for dynamic enforcement), and compatibility (99.09%) characteristics and enables a novel quantification of privilege reduction.
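To make the permission model in the abstract concrete, the following is an added illustration, not Mir's own code or API. It replaces each free-variable name a library body refers to (here the constructed stand-ins `fs` and `process`) with a Proxy whose fields are governed by a permission string drawn from "r", "w" and "x", and it derives a default permission table by recording what a representative client workload actually touches. That recording step is a dynamic simplification chosen for this example; the paper's inference is a static analysis of client usage. The library source, the client workload and the in-memory `fs`/`process` objects are all constructed for the example.

```javascript
// Added example, not Mir's own code: a toy read-write-execute (RWX) permission
// model at a library boundary. Each free-variable name the library refers to
// (here `fs` and `process`) is replaced by a Proxy, and every field of that
// object is governed by a permission string drawn from "r", "w" and "x".
// The library, the client workload and the `fs`/`process` stand-ins are
// all constructed for this illustration.

// Permission lookup: exact field name, then a "*" wildcard, else none.
function permFor(perms, field) {
  return perms[field] ?? perms['*'] ?? '';
}

// Wrap `target` for the free-variable name `name`.
//   perms === null -> recording mode: log every access into `trace`, deny nothing
//   perms !== null -> enforcing mode: get needs "r", set needs "w", call needs "x"
function guard(name, target, perms, trace) {
  const check = (field, op) => {
    if (perms === null) { trace.push({ name, field, op }); return; }
    if (!permFor(perms, field).includes(op)) {
      throw new Error(`${name}.${field}: ${op} denied`);
    }
  };
  return new Proxy(target, {
    get(obj, field) {
      const key = String(field);
      check(key, 'r');
      const value = Reflect.get(obj, field);
      // Functions are handed out behind a wrapper so "x" is checked at the
      // call, which is where the privilege is actually exercised.
      return typeof value === 'function'
        ? (...args) => { check(key, 'x'); return Reflect.apply(value, obj, args); }
        : value;
    },
    set(obj, field, value) {
      check(String(field), 'w');
      return Reflect.set(obj, field, value);
    },
  });
}

// Evaluate the library source with its free variables bound to the given
// (guarded) objects. Parameters shadow the real globals, so `process` inside
// the library is whatever we pass in, not Node's own.
function loadLibrary(source, env) {
  const names = Object.keys(env);
  return new Function(...names, source)(...names.map((n) => env[n]));
}

// Inference in a dynamic flavour (a simplification of the paper's static
// analysis): run the library under a client workload in recording mode and
// turn the observed accesses into the permission table that workload needs.
function inferPerms(source, realEnv, workload) {
  const trace = [];
  const env = {};
  for (const n of Object.keys(realEnv)) env[n] = guard(n, realEnv[n], null, trace);
  workload(loadLibrary(source, env));
  const perms = {};
  for (const { name, field, op } of trace) {
    if (!perms[name]) perms[name] = {};
    const have = perms[name][field] ?? '';
    if (!have.includes(op)) perms[name][field] = [...have, op].sort().join('');
  }
  return perms;
}

// Load the library in enforcing mode; names absent from `perms` get no access.
function loadWithPerms(source, realEnv, perms) {
  const env = {};
  for (const n of Object.keys(realEnv)) env[n] = guard(n, realEnv[n], perms[n] ?? {}, null);
  return loadLibrary(source, env);
}

// Constructed in-memory stand-ins for `fs` and `process` (not the real modules).
function makeEnv() {
  const files = { '/tmpl.txt': 'hello {name}' };
  return {
    fs: {
      files,
      readFileSync(p) { if (!(p in files)) throw new Error('ENOENT ' + p); return files[p]; },
      writeFileSync(p, data) { files[p] = data; },
    },
    process: { env: { SECRET: 'hunter2' } },
  };
}

// Constructed library: `render` is what clients use; `debug` is a dormant path
// that, given the right input, writes the process environment to a file.
const LIB_SOURCE = `
  return {
    render(who) { return fs.readFileSync('/tmpl.txt').replace('{name}', who); },
    debug(opts) { if (opts && opts.dump) fs.writeFileSync(opts.dump, JSON.stringify(process.env)); return 'ok'; },
  };
`;

// Infer from a benign workload, then enforce: `render` keeps working, the
// unused write path is denied, and nothing reaches the in-memory file store.
function demo() {
  const env = makeEnv();
  const perms = inferPerms(LIB_SOURCE, env, (lib) => lib.render('alice'));
  const lib = loadWithPerms(LIB_SOURCE, env, perms);
  let blocked = null;
  try { lib.debug({ dump: '/leak.txt' }); } catch (e) { blocked = e.message; }
  return { perms, rendered: lib.render('bob'), blocked, leaked: '/leak.txt' in env.fs.files };
}
```

`demo()` infers `{ fs: { readFileSync: 'rx' } }` from the client workload and no permissions at all on `process`, so the later `debug({ dump })` call fails at the `fs.writeFileSync` field read before any data is written. The point the abstract makes is visible here: the library is not malicious, but the extra privilege its dormant path needs only becomes reachable through an input, and a per-field permission set fixed at the boundary removes that privilege without touching the library's legitimate behaviour. Real deployments need more than this toy (deep objects, `this` binding, prototype chains, `require` itself), which is where the paper's engineering lives.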

History

Preferred Citation

Nikos Vasilakis, Cristian-Alexandru Staicu, Grigoris Ntousakis, Konstantinos Kallas, Ben Karel, André DeHon and Michael Pradel. Preventing Dynamic Library Compromise on Node.js via RWX-Based Privilege Reduction. In: ACM Conference on Computer and Communications Security (CCS). 2021.

Primary Research Area

  • Empirical and Behavioral Security

Secondary Research Area

  • Threat Detection and Defenses

Name of Conference

ACM Conference on Computer and Communications Security (CCS)

Legacy Posted Date

2021-09-17

Open Access Type

  • Unknown

BibTeX

@inproceedings{cispa_all_3478,
  title     = {Preventing Dynamic Library Compromise on Node.js via RWX-Based Privilege Reduction},
  author    = {Vasilakis, Nikos and Staicu, Cristian-Alexandru and Ntousakis, Grigoris and Kallas, Konstantinos and Karel, Ben and DeHon, Andr{\'e} and Pradel, Michael},
  booktitle = {ACM Conference on Computer and Communications Security (CCS)},
  year      = {2021}
}
