Institutional Repository [SANDBOX]
Technical University of Crete

Preventing dynamic library compromise on Node.js via RWX-based privilege reduction

Vasilakis Nikos, Staicu Cristian-Alexandru, Ntousakis Grigorios, Kallas Konstantinos, Karel Ben, DeHon André, Pradel Michael

Simple Record

URI: http://purl.tuc.gr/dl/dias/0B314531-0264-4753-B88F-A6E867D9CED7
Identifier: https://doi.org/10.1145/3460120.3484535
Identifier: https://dl.acm.org/doi/10.1145/3460120.3484535
Language: en
Size: 18 pages [en]
Title: Preventing dynamic library compromise on Node.js via RWX-based privilege reduction [en]
Creator: Vasilakis Nikos [en]
Creator: Staicu Cristian-Alexandru [en]
Creator: Ntousakis Grigorios [en]
Creator: Ντουσακης Γρηγοριος [el]
Creator: Kallas Konstantinos [en]
Creator: Karel Ben [en]
Creator: DeHon André [en]
Creator: Pradel Michael [en]
Publisher: Association for Computing Machinery (ACM) [en]
Abstract: Third-party libraries ease the development of large-scale software systems. However, libraries often execute with significantly more privilege than needed to complete their task. Such additional privilege is sometimes exploited at runtime via inputs passed to a library, even when the library itself is not actively malicious. We present Mir, a system addressing dynamic compromise by introducing a fine-grained read-write-execute (RWX) permission model at the boundaries of libraries: every field of every free variable name in the context of an imported library is governed by a permission set. To help specify the permissions given to existing code, Mir's automated inference generates default permissions by analyzing how libraries are used by their clients. Applied to over 1,000 JavaScript libraries for Node.js, Mir shows practical security (61/63 attacks mitigated), performance (2.1s for static analysis and +1.93% for dynamic enforcement), and compatibility (99.09%) characteristics, and enables a novel quantification of privilege reduction. [en]
Type: Conference Full Paper [el]
Type: Conference Full Paper [en]
License: http://creativecommons.org/licenses/by/4.0/ [en]
Date: 2023-06-02
Publication Date: 2021
Subject: Supply-chain attacks [en]
Subject: Third-party libraries [en]
Subject: Program analysis [en]
Bibliographic Citation: N. Vasilakis, C.-A. Staicu, G. Ntousakis, K. Kallas, B. Karel, A. DeHon, and M. Pradel, “Preventing dynamic library compromise on Node.js via RWX-based privilege reduction,” in Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security (CCS 2021), Virtual event, 2021, pp. 1821–1838, doi: 10.1145/3460120.3484535. [en]
