Abstract
JavaScript is everywhere. With the introduction of Node.js in 2009, JavaScript can be used for implementing web servers and desktop applications, and it has become one of the most widely used languages. The dynamic nature of JavaScript is a challenge for static analysis. When statically analyzing Node.js programs, we additionally face challenges due to the fact that Node.js applications typically depend on many third-party packages. Unfortunately, previous sound static analyses for JavaScript fail to analyze some of the most popular packages in Node.js.
Security vulnerabilities are often reported for Node.js packages. This is critical, since a Node.js application has direct access to the underlying file-system and operating system resources. This means that if an attacker can exploit an injection vulnerability, then the attacker might gain full control of the underlying machine. Static analysis can be used to detect such injection vulnerabilities, but unfortunately no existing sound static analysis scales to large Node.js applications. A typical Node.js application is quite large, since it depends on many third-party packages. Package-level security scanners exist that report if an application uses a dependency that has a vulnerability. These security scanners have many false positives, since they only look at the dependency tree, without considering the application code. To fix a security vulnerability in an application, the solution is sometimes to update to a newer version of the vulnerable dependency. However, performing such updates is not trivial. Updating a dependency might result in the application no longer working, due to breaking changes in the dependency update. Currently, understanding whether an update contains breaking changes, whether the application is affected by them, and if affected, how to patch the application, is a completely manual, time-consuming, and error-prone task.
This thesis presents new sound static analysis techniques that can analyze the most popular packages in Node.js, and a technique for scaling a static analysis that detects injection vulnerabilities in Node.js applications. To aid developers in updating libraries with breaking changes, we present a tool that combines static analysis and user interaction for automatically patching the code to become compatible with the new version. To address the problem of too many false positives in package-level security scanners, we develop a modular call graph analysis and a security scanner that only reports a potential vulnerability if the vulnerable part of the library API is reachable according to the call graph.
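The contrast between a package-level scanner and the call-graph-based scanner described above can be made concrete with a small reachability check. The following is an added example, not code from the thesis or its tools: the dependency tree, the modular call graph, the advisory identifiers and the `package:function` naming scheme are all constructed for illustration. A package-level scan flags every advisory whose package appears anywhere in the transitive dependency tree; the call-graph scan flags an advisory only if one of its affected functions is reachable from the application's entry point.

```javascript
// Added example (not from the thesis): a package-level scanner beside a
// call-graph reachability scanner, run on a constructed dependency tree,
// call graph and advisory list.

// Constructed dependency tree: package -> direct dependencies.
const dependencyTree = {
  app: ["lib-parse", "lib-render"],
  "lib-parse": ["lib-exec"],
  "lib-render": [],
  "lib-exec": [],
};

// Constructed modular call graph: "package:function" -> callees.
// lib-parse:evaluate is the only caller of lib-exec:run, and the
// application never calls evaluate, so lib-exec:run is unreachable.
const callGraph = {
  "app:main": ["lib-parse:parse", "lib-render:render"],
  "lib-parse:parse": ["lib-parse:tokenize"],
  "lib-parse:tokenize": [],
  "lib-parse:evaluate": ["lib-exec:run"],
  "lib-exec:run": [],
  "lib-render:render": [],
};

// Constructed advisories: the vulnerable package and the affected API functions.
const advisories = [
  { id: "ADV-0001 (constructed)", package: "lib-exec", affected: ["lib-exec:run"] },
  { id: "ADV-0002 (constructed)", package: "lib-render", affected: ["lib-render:render"] },
];

// All packages reachable from root in the dependency tree (excluding root).
function transitiveDependencies(tree, root) {
  const seen = new Set();
  const stack = [root];
  while (stack.length > 0) {
    const pkg = stack.pop();
    for (const dep of tree[pkg] || []) {
      if (!seen.has(dep)) {
        seen.add(dep);
        stack.push(dep);
      }
    }
  }
  return seen;
}

// Package-level scan: report an advisory if its package is a dependency at all.
function packageLevelScan(tree, advisoryList, root = "app") {
  const deps = transitiveDependencies(tree, root);
  return advisoryList.filter((a) => deps.has(a.package)).map((a) => a.id);
}

// Functions reachable from the given entry points in the call graph.
function reachableFunctions(graph, entryPoints) {
  const seen = new Set(entryPoints);
  const stack = [...entryPoints];
  while (stack.length > 0) {
    const fn = stack.pop();
    for (const callee of graph[fn] || []) {
      if (!seen.has(callee)) {
        seen.add(callee);
        stack.push(callee);
      }
    }
  }
  return seen;
}

// Call-graph scan: report an advisory only if an affected function is reachable.
function callGraphScan(graph, advisoryList, entryPoints = ["app:main"]) {
  const reachable = reachableFunctions(graph, entryPoints);
  return advisoryList
    .filter((a) => a.affected.some((fn) => reachable.has(fn)))
    .map((a) => a.id);
}

console.log("package-level scan:", packageLevelScan(dependencyTree, advisories));
console.log("call-graph scan:   ", callGraphScan(callGraph, advisories));
```

On this input the package-level scan reports both advisories, while the call-graph scan reports only the one whose affected function the application actually reaches; the other is a false positive caused by a dependency whose vulnerable API is never invoked.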
| Field | Value |
|---|---|
| Original language | English |
| Place of publication | Aarhus |
| Publisher | Århus Universitet |
| Number of pages | 284 |
| Publication status | Published - 2021 |