
Static Analysis for Node.js

Research output: Book/anthology/dissertation/report › Ph.D. thesis

Standard

Static Analysis for Node.js. / Nielsen, Benjamin Barslev.

Aarhus : Aarhus Universitet, 2021. 284 p.


Harvard

Nielsen, BB 2021, Static Analysis for Node.js. Aarhus Universitet, Aarhus.

APA

Nielsen, B. B. (2021). Static Analysis for Node.js. Aarhus Universitet.

CBE

Nielsen BB 2021. Static Analysis for Node.js. Aarhus: Aarhus Universitet. 284 p.

MLA

Nielsen, Benjamin Barslev. Static Analysis for Node.js. Aarhus: Aarhus Universitet, 2021.

Vancouver

Nielsen BB. Static Analysis for Node.js. Aarhus: Aarhus Universitet, 2021. 284 p.

Author

Nielsen, Benjamin Barslev. / Static Analysis for Node.js. Aarhus : Aarhus Universitet, 2021. 284 p.

Bibtex

@phdthesis{b2ce4663ffe049eaa5da8c14e844a6c8,
title = "Static Analysis for Node.js",
abstract = "JavaScript is everywhere. With the introduction of Node.js in 2009, JavaScript can be used for implementing web servers and desktop applications, and it has become one of the most widely used languages. The dynamic nature of JavaScript is a challenge for static analysis. When statically analyzing Node.js programs, we additionally face challenges due to the fact that Node.js applications typically depend on many third-party packages. Unfortunately, previous sound static analyses for JavaScript fail to analyze some of the most popular packages in Node.js. Security vulnerabilities are often reported for Node.js packages. This is critical, since a Node.js application has direct access to the underlying file-system and operating system resources. This means that if an attacker can exploit an injection vulnerability, then the attacker might gain full control of the underlying machine. Static analysis can be used to detect such injection vulnerabilities, but unfortunately no existing sound static analysis scales to large Node.js applications. A typical Node.js application is quite large, since it depends on many third-party packages. Package-level security scanners exist that report if an application uses a dependency that has a vulnerability. These security scanners have many false positives, since they only look at the dependency tree, without considering the application code. To fix a security vulnerability in an application, the solution sometimes is to update to a newer version of the vulnerable dependency. However, performing such updates is not trivial. Updating a dependency might result in the application no longer working, due to breaking changes in the dependency update. Currently, understanding whether an update contains breaking changes, whether the application is affected by them, and if affected, then how to patch the application, is a completely manual, time-consuming, and error-prone task.
This thesis presents new sound static analysis techniques that can analyze the most popular packages in Node.js, and a technique for scaling a static analysis that detects injection vulnerabilities in Node.js applications. For aiding developers in updating libraries with breaking changes, we present a tool that combines static analysis and user interaction for automatically patching the code to become compatible with the new version. To address the problem with too many false positives in package-level security scanners, we develop a modular call graph analysis, and a security scanner that only reports a potential vulnerability if the vulnerable part of the library API is reachable according to the call graph.",
author = "Nielsen, {Benjamin Barslev}",
note = "Udgivelses{\aa}r 2020",
year = "2021",
language = "English",
publisher = "Aarhus Universitet",

}

RIS

TY - BOOK

T1 - Static Analysis for Node.js

AU - Nielsen, Benjamin Barslev

N1 - Udgivelsesår 2020

PY - 2021

Y1 - 2021

N2 - JavaScript is everywhere. With the introduction of Node.js in 2009, JavaScript can be used for implementing web servers and desktop applications, and it has become one of the most widely used languages. The dynamic nature of JavaScript is a challenge for static analysis. When statically analyzing Node.js programs, we additionally face challenges due to the fact that Node.js applications typically depend on many third-party packages. Unfortunately, previous sound static analyses for JavaScript fail to analyze some of the most popular packages in Node.js. Security vulnerabilities are often reported for Node.js packages. This is critical, since a Node.js application has direct access to the underlying file-system and operating system resources. This means that if an attacker can exploit an injection vulnerability, then the attacker might gain full control of the underlying machine. Static analysis can be used to detect such injection vulnerabilities, but unfortunately no existing sound static analysis scales to large Node.js applications. A typical Node.js application is quite large, since it depends on many third-party packages. Package-level security scanners exist that report if an application uses a dependency that has a vulnerability. These security scanners have many false positives, since they only look at the dependency tree, without considering the application code. To fix a security vulnerability in an application, the solution sometimes is to update to a newer version of the vulnerable dependency. However, performing such updates is not trivial. Updating a dependency might result in the application no longer working, due to breaking changes in the dependency update. Currently, understanding whether an update contains breaking changes, whether the application is affected by them, and if affected, then how to patch the application, is a completely manual, time-consuming, and error-prone task.
This thesis presents new sound static analysis techniques that can analyze the most popular packages in Node.js, and a technique for scaling a static analysis that detects injection vulnerabilities in Node.js applications. For aiding developers in updating libraries with breaking changes, we present a tool that combines static analysis and user interaction for automatically patching the code to become compatible with the new version. To address the problem with too many false positives in package-level security scanners, we develop a modular call graph analysis, and a security scanner that only reports a potential vulnerability if the vulnerable part of the library API is reachable according to the call graph.

AB - JavaScript is everywhere. With the introduction of Node.js in 2009, JavaScript can be used for implementing web servers and desktop applications, and it has become one of the most widely used languages. The dynamic nature of JavaScript is a challenge for static analysis. When statically analyzing Node.js programs, we additionally face challenges due to the fact that Node.js applications typically depend on many third-party packages. Unfortunately, previous sound static analyses for JavaScript fail to analyze some of the most popular packages in Node.js. Security vulnerabilities are often reported for Node.js packages. This is critical, since a Node.js application has direct access to the underlying file-system and operating system resources. This means that if an attacker can exploit an injection vulnerability, then the attacker might gain full control of the underlying machine. Static analysis can be used to detect such injection vulnerabilities, but unfortunately no existing sound static analysis scales to large Node.js applications. A typical Node.js application is quite large, since it depends on many third-party packages. Package-level security scanners exist that report if an application uses a dependency that has a vulnerability. These security scanners have many false positives, since they only look at the dependency tree, without considering the application code. To fix a security vulnerability in an application, the solution sometimes is to update to a newer version of the vulnerable dependency. However, performing such updates is not trivial. Updating a dependency might result in the application no longer working, due to breaking changes in the dependency update. Currently, understanding whether an update contains breaking changes, whether the application is affected by them, and if affected, then how to patch the application, is a completely manual, time-consuming, and error-prone task.
This thesis presents new sound static analysis techniques that can analyze the most popular packages in Node.js, and a technique for scaling a static analysis that detects injection vulnerabilities in Node.js applications. For aiding developers in updating libraries with breaking changes, we present a tool that combines static analysis and user interaction for automatically patching the code to become compatible with the new version. To address the problem with too many false positives in package-level security scanners, we develop a modular call graph analysis, and a security scanner that only reports a potential vulnerability if the vulnerable part of the library API is reachable according to the call graph.

M3 - Ph.D. thesis

BT - Static Analysis for Node.js

PB - Aarhus Universitet

CY - Aarhus

ER -