Nodest: Feedback-driven static analysis of Node.js applications

Research output: Contribution to book/anthology/report/proceedingArticle in proceedingsResearchpeer-review

Standard

Nodest : Feedback-driven static analysis of Node.js applications. / Nielsen, Benjamin Barslev; Hassanshahi, Behnaz; Gauthier, François.

ESEC/FSE 2019 - Proceedings of the 2019 27th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering. ed. / Sven Apel; Marlon Dumas; Alessandra Russo; Dietmar Pfahl. Association for Computing Machinery, 2019. p. 455-465.

Research output: Contribution to book/anthology/report/proceedingArticle in proceedingsResearchpeer-review

Harvard

Nielsen, BB, Hassanshahi, B & Gauthier, F 2019, Nodest: Feedback-driven static analysis of Node.js applications. in S Apel, M Dumas, A Russo & D Pfahl (eds), ESEC/FSE 2019 - Proceedings of the 2019 27th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering. Association for Computing Machinery, pp. 455-465, 27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE 2019, Tallinn, Estonia, 26/08/2019. https://doi.org/10.1145/3338906.3338933

APA

Nielsen, B. B., Hassanshahi, B., & Gauthier, F. (2019). Nodest: Feedback-driven static analysis of Node.js applications. In S. Apel, M. Dumas, A. Russo, & D. Pfahl (Eds.), ESEC/FSE 2019 - Proceedings of the 2019 27th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering (pp. 455-465). Association for Computing Machinery. https://doi.org/10.1145/3338906.3338933

CBE

Nielsen BB, Hassanshahi B, Gauthier F. 2019. Nodest: Feedback-driven static analysis of Node.js applications. Apel S, Dumas M, Russo A, Pfahl D, editors. In ESEC/FSE 2019 - Proceedings of the 2019 27th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering. Association for Computing Machinery. pp. 455-465. https://doi.org/10.1145/3338906.3338933

MLA

Nielsen, Benjamin Barslev, Behnaz Hassanshahi and François Gauthier "Nodest: Feedback-driven static analysis of Node.js applications"., Apel, Sven and Dumas, Marlon Russo, Alessandra Pfahl, Dietmar (editors). ESEC/FSE 2019 - Proceedings of the 2019 27th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering. Association for Computing Machinery. 2019, 455-465. https://doi.org/10.1145/3338906.3338933

Vancouver

Nielsen BB, Hassanshahi B, Gauthier F. Nodest: Feedback-driven static analysis of Node.js applications. In Apel S, Dumas M, Russo A, Pfahl D, editors, ESEC/FSE 2019 - Proceedings of the 2019 27th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering. Association for Computing Machinery. 2019. p. 455-465 https://doi.org/10.1145/3338906.3338933

Author

Nielsen, Benjamin Barslev ; Hassanshahi, Behnaz ; Gauthier, François. / Nodest : Feedback-driven static analysis of Node.js applications. ESEC/FSE 2019 - Proceedings of the 2019 27th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering. editor / Sven Apel ; Marlon Dumas ; Alessandra Russo ; Dietmar Pfahl. Association for Computing Machinery, 2019. pp. 455-465

Bibtex

@inproceedings{a570825030ca44218493c91f28e57748,
title = "Nodest: Feedback-driven static analysis of Node.js applications",
abstract = "Node.js provides the ability to write JavaScript programs for the server-side and has become a popular language for developing web applications. Node.js allows direct access to the underlying filesystem, operating system resources, and databases, but does not provide any security mechanism such as sandboxing of untrusted code, and injection vulnerabilities are now commonly reported in Node.js modules. Existing static dataflow analysis techniques do not scale to Node.js applications to find injection vulnerabilities because small Node.js web applications typically depend on many third-party modules. We present a new feedback-driven static analysis that scales well to detect injection vulnerabilities in Node.js applications. The key idea behind our new technique is that not all third-party modules need to be analyzed to detect an injection vulnerability. Results of running our analysis, Nodest, on real-world Node.js applications show that the technique scales to large applications and finds previously known as well as new vulnerabilities. In particular, Nodest finds 63 true positive taint flows in a set of our benchmarks, whereas a state-of-the-art static analysis reports 3 only. Moreover, our analysis scales to Express, the most popular Node.js web framework, and reports non-trivial injection vulnerabilities.",
keywords = "JavaScript, Node.js, Program analysis, Security analysis, Static analysis, Taint analysis",
author = "Nielsen, {Benjamin Barslev} and Behnaz Hassanshahi and Fran{\cc}ois Gauthier",
year = "2019",
doi = "10.1145/3338906.3338933",
language = "English",
pages = "455--465",
editor = "Sven Apel and Marlon Dumas and Alessandra Russo and Dietmar Pfahl",
booktitle = "ESEC/FSE 2019 - Proceedings of the 2019 27th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering",
publisher = "Association for Computing Machinery",

}

RIS

TY - GEN

T1 - Nodest

T2 - Feedback-driven static analysis of Node.js applications

AU - Nielsen, Benjamin Barslev

AU - Hassanshahi, Behnaz

AU - Gauthier, François

PY - 2019

Y1 - 2019

N2 - Node.js provides the ability to write JavaScript programs for the server-side and has become a popular language for developing web applications. Node.js allows direct access to the underlying filesystem, operating system resources, and databases, but does not provide any security mechanism such as sandboxing of untrusted code, and injection vulnerabilities are now commonly reported in Node.js modules. Existing static dataflow analysis techniques do not scale to Node.js applications to find injection vulnerabilities because small Node.js web applications typically depend on many third-party modules. We present a new feedback-driven static analysis that scales well to detect injection vulnerabilities in Node.js applications. The key idea behind our new technique is that not all third-party modules need to be analyzed to detect an injection vulnerability. Results of running our analysis, Nodest, on real-world Node.js applications show that the technique scales to large applications and finds previously known as well as new vulnerabilities. In particular, Nodest finds 63 true positive taint flows in a set of our benchmarks, whereas a state-of-the-art static analysis reports 3 only. Moreover, our analysis scales to Express, the most popular Node.js web framework, and reports non-trivial injection vulnerabilities.

AB - Node.js provides the ability to write JavaScript programs for the server-side and has become a popular language for developing web applications. Node.js allows direct access to the underlying filesystem, operating system resources, and databases, but does not provide any security mechanism such as sandboxing of untrusted code, and injection vulnerabilities are now commonly reported in Node.js modules. Existing static dataflow analysis techniques do not scale to Node.js applications to find injection vulnerabilities because small Node.js web applications typically depend on many third-party modules. We present a new feedback-driven static analysis that scales well to detect injection vulnerabilities in Node.js applications. The key idea behind our new technique is that not all third-party modules need to be analyzed to detect an injection vulnerability. Results of running our analysis, Nodest, on real-world Node.js applications show that the technique scales to large applications and finds previously known as well as new vulnerabilities. In particular, Nodest finds 63 true positive taint flows in a set of our benchmarks, whereas a state-of-the-art static analysis reports 3 only. Moreover, our analysis scales to Express, the most popular Node.js web framework, and reports non-trivial injection vulnerabilities.

KW - JavaScript

KW - Node.js

KW - Program analysis

KW - Security analysis

KW - Static analysis

KW - Taint analysis

UR - http://www.scopus.com/inward/record.url?scp=85071945300&partnerID=8YFLogxK

U2 - 10.1145/3338906.3338933

DO - 10.1145/3338906.3338933

M3 - Article in proceedings

SP - 455

EP - 465

BT - ESEC/FSE 2019 - Proceedings of the 2019 27th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering

A2 - Apel, Sven

A2 - Dumas, Marlon

A2 - Russo, Alessandra

A2 - Pfahl, Dietmar

PB - Association for Computing Machinery

ER -