ESEC/FSE 2021
Thu 19 - Sat 28 August 2021 Clowdr Platform
Thu 26 Aug 2021 17:00 - 17:10 - Dependability—Vulnerabilities 1 Chair(s): Felipe Fronchetti
Fri 27 Aug 2021 05:00 - 05:10 - Dependability—Vulnerabilities 1 Chair(s): Marsha Chechik

Prototype pollution is a type of vulnerability specific to prototype-based languages, such as JavaScript, which allows an adversary to pollute a property of a base object, leading to further consequences such as Denial of Service (DoS), arbitrary code execution, and session fixation. On one hand, the only prior work on detecting prototype pollution adopts dynamic analysis to fuzz package inputs, which inevitably suffers from code coverage issues when triggering deeply embedded vulnerabilities. On the other hand, it is challenging to apply state-of-the-art static analysis to the detection of prototype pollution because of the involvement of prototype chains and fine-grained object relations, including built-in ones.

In this paper, we propose a flow-, context-, and branch-sensitive static taint analysis tool, called ObjLupAnsys, to detect prototype pollution vulnerabilities. The core of ObjLupAnsys is an object lookup analysis, which gradually expands the source and sink objects into large clusters with a complex inner structure by performing targeted object lookups in both clusters, so that a system built-in function can be redefined. Specifically, at the source cluster, ObjLupAnsys proactively creates new object properties based on how the target program uses the initial source object; at the sink cluster, ObjLupAnsys assigns property values during object lookups to decrease the number of object lookups needed to reach a system built-in function.

We implemented an open-source tool and applied it to the detection of prototype pollution among Node.js packages. Our evaluation shows that ObjLupAnsys finds 61 zero-day, previously-unknown, exploitable vulnerabilities, as opposed to 18 by the state-of-the-art dynamic fuzzing tool and three by a state-of-the-art static analysis tool modified to detect prototype pollution. To date, 11 vulnerable Node.js packages have been assigned CVE numbers and five have already been patched by their developers. In addition, ObjLupAnsys also discovered seven applications or packages, including a real-world, online website, which are indirectly vulnerable due to their inclusion of vulnerable packages found by ObjLupAnsys.
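The abstract describes the source (attacker-controlled input) and sink (a built-in such as `Object.prototype`) that the object lookup analysis connects. The following Node.js snippet is an added illustration, not code from the paper or its artifact: `unsafeMerge` is the classic recursive-merge pattern in which a key literally named `__proto__` walks the lookup onto `Object.prototype`, and `safeMerge` is a hardened form that refuses prototype-chain keys and only descends into the target's own plain objects. The function names, the `BLOCKED_KEYS` set and the JSON payload are all constructed for this example.

```javascript
// Added example (not code from the ObjLupAnsys paper or its artifact): a
// minimal prototype pollution demonstration in Node.js. `unsafeMerge` is the
// classic vulnerable recursive merge; `safeMerge` is a hardened form.

// True for objects created by `{}` or JSON.parse; false for arrays, class
// instances, null and primitives.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// VULNERABLE: on a fresh target, `target['__proto__']` hits the inherited
// accessor and returns Object.prototype, so the recursion writes into the
// shared built-in object.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (typeof source[key] === 'object' && source[key] !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Keys that lead from an ordinary object onto the prototype chain.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// HARDENED: skip prototype-chain keys, iterate own keys only, and never
// descend into an inherited property of the target.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge against a constructed payload and reports whether
// Object.prototype was polluted, then undoes the pollution so the check is
// repeatable.
function demonstrate(mergeFn) {
  // Constructed input: JSON.parse creates an *own* property literally named
  // "__proto__"; it does not change the parsed object's prototype.
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}, "name": "app"}');
  const config = { name: 'default' };
  mergeFn(config, payload);
  // An unrelated fresh object "having" the property is the tell-tale sign.
  const polluted = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return { polluted, name: config.name };
}

console.log('unsafeMerge:', demonstrate(unsafeMerge)); // { polluted: true, name: 'app' }
console.log('safeMerge:  ', demonstrate(safeMerge));   // { polluted: false, name: 'app' }
```

In the paper's terms, `payload` is the source object and `Object.prototype` is the sink; the vulnerable merge needs only one object lookup (`target['__proto__']`) to reach the built-in. Beyond key filtering, two common defence-in-depth measures are `Object.freeze(Object.prototype)` at process start-up and using `Object.create(null)` for dictionary-style objects, so that no lookup on them can reach a shared prototype at all.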

Thu 26 Aug

Displayed time zone: Athens

17:00 - 18:00
Dependability—Vulnerabilities 1 (Research Papers) +12h
Chair(s): Felipe Fronchetti (University of São Paulo, Brazil)
17:00
10m
Paper
Detecting Node.js Prototype Pollution Vulnerabilities via Object Lookup Analysis (Artifacts Available)
Research Papers
Song Li (Johns Hopkins University), Mingqing Kang (Johns Hopkins University), Jianwei Hou (Johns Hopkins University; Renmin University of China), Yinzhi Cao (Johns Hopkins University)
DOI
17:10
10m
Paper
Detecting Concurrency Vulnerabilities Based on Partial Orders of Memory and Thread Events
Research Papers
Kunpeng Yu (Xi'an Jiaotong University), Chenxu Wang (Xi'an Jiaotong University), Yan Cai (Institute of Software at Chinese Academy of Sciences), Xiapu Luo (Hong Kong Polytechnic University), Zijiang Yang (Western Michigan University)
DOI
17:20
10m
Paper
Vulnerability Detection with Fine-Grained Interpretations
Research Papers
Yi Li (New Jersey Institute of Technology), Shaohua Wang (New Jersey Institute of Technology), Tien N. Nguyen (University of Texas at Dallas)
DOI Pre-print
17:30
30m
Live Q&A
Q&A (Dependability—Vulnerabilities 1)
Research Papers

Fri 27 Aug

Displayed time zone: Athens

05:00 - 06:00
Dependability—Vulnerabilities 1 (Research Papers)
Chair(s): Marsha Chechik (University of Toronto)
05:00
10m
Paper
Detecting Node.js Prototype Pollution Vulnerabilities via Object Lookup Analysis (Artifacts Available)
Research Papers
Song Li (Johns Hopkins University), Mingqing Kang (Johns Hopkins University), Jianwei Hou (Johns Hopkins University; Renmin University of China), Yinzhi Cao (Johns Hopkins University)
DOI
05:10
10m
Paper
Detecting Concurrency Vulnerabilities Based on Partial Orders of Memory and Thread Events
Research Papers
Kunpeng Yu (Xi'an Jiaotong University), Chenxu Wang (Xi'an Jiaotong University), Yan Cai (Institute of Software at Chinese Academy of Sciences), Xiapu Luo (Hong Kong Polytechnic University), Zijiang Yang (Western Michigan University)
DOI
05:20
10m
Paper
Vulnerability Detection with Fine-Grained Interpretations
Research Papers
Yi Li (New Jersey Institute of Technology), Shaohua Wang (New Jersey Institute of Technology), Tien N. Nguyen (University of Texas at Dallas)
DOI Pre-print
05:30
30m
Live Q&A
Q&A (Dependability—Vulnerabilities 1)
Research Papers