Modular call graph construction for security scanning of Node.js applications

Benjamin Barslev Nielsen, Martin Toldam Torp, Anders Møller

Publication: Contribution to book/anthology/report/proceedings › Conference contribution in proceedings › Research › peer reviewed


Abstract

Most of the code in typical Node.js applications comes from third-party libraries that consist of a large number of interdependent modules. Because of the dynamic features of JavaScript, it is difficult to obtain detailed information about the module dependencies, which is vital for reasoning about the potential consequences of security vulnerabilities in libraries, and for many other software development tasks. The underlying challenge is how to construct precise call graphs that capture the connectivity between functions in the modules. In this work we present a novel approach to call graph construction for Node.js applications that is modular, taking into account the modular structure of Node.js applications, and sufficiently accurate and efficient to be practically useful. We demonstrate experimentally that the constructed call graphs are useful for security scanning, reducing the number of false positives by 81% compared to npm audit and with zero false negatives. Compared to js-callgraph, the call graph construction is significantly more accurate and efficient. The experiments also show that the analysis time is reduced substantially when reusing modular call graphs.
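The security-relevant point of the abstract is the difference in granularity between a dependency-tree audit and a call-graph-based scan: npm audit flags a package as soon as a vulnerable version appears anywhere in the dependency tree, whereas a call graph lets the scanner ask whether the affected function is actually reachable from the application's entry point. The following is an added illustration of that distinction, not the paper's tool or code, and it does not implement the paper's call graph construction. The modules, functions, call edges, the "lib-a"/"lib-b" package names and the advisory are all constructed for the example; a real scan would take the per-module graphs from an analysis of the actual source.

```javascript
// Added illustration (not the paper's tool or code). Modules, functions,
// call edges and the advisory below are all constructed for the example.

// Per-module call graphs. Each module lists its functions, the packages it
// depends on, and call edges "caller -> callee". A callee written as
// "module.function" is a call across a module boundary.
const modules = {
  app: {
    deps: ["lib-a"],
    functions: ["main", "render", "debug"],
    edges: [
      ["main", "render"],
      ["render", "lib-a.format"],
      ["debug", "lib-a.evalTemplate"], // only reachable if debug is an entry
    ],
  },
  "lib-a": {
    deps: ["lib-b"],
    functions: ["format", "parse", "evalTemplate"],
    edges: [
      ["format", "parse"],
      ["evalTemplate", "lib-b.unsafeExec"],
    ],
  },
  "lib-b": {
    deps: [],
    functions: ["unsafeExec", "safeExec"],
    edges: [],
  },
};

// Hypothetical advisory (constructed): package lib-b is flagged and the
// affected function is unsafeExec.
const advisory = { package: "lib-b", affectedFunctions: ["unsafeExec"] };

// Package-level check, the granularity a dependency-tree audit works at:
// is the flagged package anywhere in the transitive dependency tree?
function dependsOnPackage(mods, root, pkg) {
  const seen = new Set();
  const stack = [root];
  while (stack.length) {
    const m = stack.pop();
    if (m === pkg) return true;
    if (seen.has(m)) continue;
    seen.add(m);
    stack.push(...(mods[m]?.deps ?? []));
  }
  return false;
}

// Merge the per-module graphs into one whole-program graph keyed by
// "module.function". Intra-module callees are qualified with their module.
function buildGraph(mods) {
  const graph = new Map();
  for (const [name, mod] of Object.entries(mods)) {
    for (const fn of mod.functions) graph.set(`${name}.${fn}`, new Set());
  }
  for (const [name, mod] of Object.entries(mods)) {
    for (const [caller, callee] of mod.edges) {
      const target = callee.includes(".") ? callee : `${name}.${callee}`;
      graph.get(`${name}.${caller}`).add(target);
    }
  }
  return graph;
}

// Breadth-first reachability over the merged graph from one entry point.
function reachable(graph, entry) {
  const seen = new Set([entry]);
  const queue = [entry];
  while (queue.length) {
    for (const next of graph.get(queue.shift()) ?? []) {
      if (!seen.has(next)) {
        seen.add(next);
        queue.push(next);
      }
    }
  }
  return seen;
}

// Function-level check: which affected functions can actually be called
// from the application's entry point?
function advisoryReachable(mods, adv, entry) {
  const r = reachable(buildGraph(mods), entry);
  return adv.affectedFunctions.filter((f) => r.has(`${adv.package}.${f}`));
}

// Package-level: flagged. Function-level from app.main: nothing reachable.
// From app.debug the vulnerable function is reachable, so entry points matter.
console.log(dependsOnPackage(modules, "app", advisory.package)); // true
console.log(advisoryReachable(modules, advisory, "app.main")); // []
console.log(advisoryReachable(modules, advisory, "app.debug")); // [ 'unsafeExec' ]
```

The package-level check reports the advisory for every application that transitively installs lib-b; the function-level check reports it only when an affected function lies on a path from the chosen entry point. Two caveats follow directly from this: the scan is only as trustworthy as the call graph is sound (a missing edge turns a true positive into a false negative, which is why the abstract's "zero false negatives" figure matters), and the set of entry points must cover every way the application can be invoked, since the same advisory is unreachable from app.main but reachable from app.debug above.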

Original language: English
Title: ISSTA 2021 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis
Editors: Cristian Cadar, Xiangyu Zhang
Number of pages: 13
Publisher: Association for Computing Machinery
Publication date: Jul. 2021
Pages: 29-41
ISBN (electronic): 9781450384599
Status: Published - Jul. 2021
Event: 30th ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2021 - Virtual, Online, Denmark
Duration: 11 Jul. 2021 to 17 Jul. 2021

Conference

Conference: 30th ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2021
Country/Territory: Denmark
City: Virtual, Online
Period: 11/07/2021 to 17/07/2021
Sponsor: ACM SIGSOFT
Series: Proceedings of the ACM SIGSOFT International Symposium on the Foundations of Software Engineering
ISSN: 1539-7521
