Understanding and Automatically Preventing Injection Attacks on Node.js
Size: px
Start display at page:

Download "Understanding and Automatically Preventing Injection Attacks on Node.js"

Transcription

1 Understanding and Automatically Preventing Injection Attacks on Node.js Michael Pradel TU Darmstadt Joint work with Cristian Staicu (TU Darmstadt) and Ben Livshits (Microsoft Research, Redmond) 1

2 Why JavaScript? Relevant and challenging Rank of top languages on GitHub over time (Source: GitHub.com) 2

3 Why JavaScript? Relevant and challenging 1096 pages 153 pages 3

4 Motivation: JavaScript (In)Security JavaScript: Popular beyond the browser Client-side web app Browser Operating system 4

5 Motivation: JavaScript (In)Security JavaScript: Popular beyond the browser Client-side web app Server-side or desktop app Mobile app Browser Node.js Dalvik VM Operating system Operating system Operating system 4

6 Motivation: JavaScript (In)Security JavaScript: Popular beyond the browser Sandbox Client-side web app Server-side or desktop app Sandbox Mobile app Browser Node.js Dalvik VM Operating system Operating system Operating system 4

7 Motivation: JavaScript (In)Security JavaScript: Popular beyond the browser Sandbox Client-side web app No sandbox! Server-side or desktop app Sandbox Mobile app Browser Node.js Dalvik VM Operating system Operating system Operating system 4

8 Culture of Naive Reuse Node.js code: Builds on 3rd-party code Over modules No specified trust relationships between modules Many indirect dependences 5

9 Culture of Naive Reuse Node.js code: Builds on 3rd-party code Over modules No specified trust relationships between modules Many indirect dependences Risk of vulnerable and malicious code 5

10 Real Example: Growl Module var msg = /* receive growl(msg); from network */ 6

11 Real Example: Growl Module var msg = /* receive growl(msg); from network */ Growl module: Platform-specific command to show notifications Pass message to command without any checks 6

12 Running Example function backupfile(name, ext) { var cmd = []; cmd.push("cp"); cmd.push(name + "." + ext); cmd.push(" /.localbackup/"); exec(cmd.join(" ")); var kind = (ext === "jpg")? "pics" : "other"; console.log(eval("messages.backup_" + kind)); } 7

13 Running Example function backupfile(name, ext) { } var cmd = []; cmd.push("cp"); cmd.push(name + "." + ext); cmd.push(" /.localbackup/"); exec(cmd.join(" ")); Construct shell command Execute it var kind = (ext === "jpg")? "pics" : "other"; console.log(eval("messages.backup_" + kind)); 7

14 Running Example function backupfile(name, ext) { var cmd = []; cmd.push("cp"); cmd.push(name + "." + ext); cmd.push(" /.localbackup/"); exec(cmd.join(" ")); var kind = (ext === "jpg")? "pics" : "other"; console.log(eval("messages.backup_" + kind)); } Construct JavaScript code and execute it 7

15 Running Example function backupfile(name, ext) { var cmd = []; } cmd.push("cp"); cmd.push(name + "." + ext); cmd.push(" /.localbackup/"); exec(cmd.join(" ")); Injection APIs: Interpret string as code var kind = (ext === "jpg")? "pics" : "other"; console.log(eval("messages.backup_" + kind)); 7

16 Running Example function backupfile(name, ext) { var cmd = []; cmd.push("cp"); cmd.push(name + "." + ext); cmd.push(" /.localbackup/"); exec(cmd.join(" ")); var kind = (ext === "jpg")? "pics" : "other"; console.log(eval("messages.backup_" + kind)); } Injection attack: backupfile("-h && rm -rf * && echo ", "") 7

17 Our Contributions 1. Study of injection vulnerabilities First large-scale study of Node.js security 236K modules, 816M lines of JavaScript 2. Repair of vulnerabilities Static analysis and runtime enforcement Automatic and easy to deploy Small overhead and high accuracy 8

18 Our Contributions 1. Study of injection vulnerabilities First large-scale study of Node.js security 236K modules, 816M lines of JavaScript 2. Repair of vulnerabilities Static analysis and runtime enforcement Automatic and easy to deploy Small overhead and high accuracy 8

19 Study: Prevalence Are injection vulnerabilities widespread? 9

20 Study: Prevalence Are injection vulnerabilities widespread? 9

21 Study: Prevalence Are injection vulnerabilities widespread? Direct uses 9

22 Study: Prevalence Are injection vulnerabilities widespread? Indirect uses via other modules 9

23 Study: Prevalence Are injection vulnerabilities widespread? Manual inspection of 150 call sites Attacker-controlled data may reach API: 58% Defense mechanisms None: 90% Regular expression: 9% 9

24 Study: Developer Reactions Do developers fix vulnerabilities? Reported 20 previously unknown vulnerabilities After several months, only 3 fixed 10

25 Study: Developer Reactions Do developers fix vulnerabilities? Reported 20 previously unknown vulnerabilities After several months, only 3 fixed 10

26 Study: Developer Reactions Do developers fix vulnerabilities? Reported 20 previously unknown vulnerabilities After several months, only 3 fixed Need mitigation technique that requires very little developer attention 10

27 Our Contributions 1. Study of injection vulnerabilities First large-scale study of Node.js security 236K modules, 816M lines of JavaScript 2. Repair of vulnerabilities Static analysis and runtime enforcement Automatic and easy to deploy Small overhead and high accuracy 11

28 Our Contributions 1. Study of injection vulnerabilities First large-scale study of Node.js security 236K modules, 816M lines of JavaScript 2. Repair of vulnerabilities Static analysis and runtime enforcement Automatic and easy to deploy Small overhead and high accuracy 11

29 Preventing Injections Vulnerable code Static analysis String templates Statically safe code Synthesize policy Code with Runtime inputs runtime checks Dynamic enforcement Safe runtime behavior 12

30 Static Analysis: Template Trees 1. Backward data flow analysis Overapproximate strings passed to injection API Represent possible values as a tree 13

31 Static Analysis: Template Trees 1. Backward data flow analysis Overapproximate strings passed to injection API Represent possible values as a tree function backupfile(name, ext) { var cmd = []; cmd.push("cp"); cmd.push(name + "." + ext); cmd.push(" /.localbackup/"); exec(cmd.join(" ")); } 13

32 Static Analysis: Template Trees 1. Backward data flow analysis Overapproximate strings passed to injection API Represent possible values as a tree function backupfile(name, ext) { var cmd = []; cmd.push("cp"); cmd.push(name + "." + ext); cmd.push(" /.localbackup/"); exec(cmd.join(" ")); } $cmd join 13

33 Static Analysis: Template Trees 1. Backward data flow analysis Overapproximate strings passed to injection API Represent possible values as a tree function backupfile(name, ext) { var cmd = []; cmd.push("cp"); cmd.push(name + "." + ext); cmd.push(" /.localbackup/"); exec(cmd.join(" ")); } join push $cmd /.localbackup/ 13

34 Static Analysis: Template Trees 1. Backward data flow analysis Overapproximate strings passed to injection API Represent possible values as a tree function backupfile(name, ext) { var cmd = []; cmd.push("cp"); cmd.push(name + "." + ext); cmd.push(" /.localbackup/"); exec(cmd.join(" ")); } $cmd push join push /.localbackup/ + $name. $ext 13

35 Static Analysis: Template Trees 1. Backward data flow analysis Overapproximate strings passed to injection API Represent possible values as a tree function backupfile(name, ext) { var cmd = []; cmd.push("cp"); cmd.push(name + "." + ext); cmd.push(" /.localbackup/"); exec(cmd.join(" ")); } join push push /.localbackup/ push + $cmd cp $name. $ext 13

36 Static Analysis: Template Trees 1. Backward data flow analysis Overapproximate strings passed to injection API Represent possible values as a tree function backupfile(name, ext) { } var cmd = []; cmd.push("cp"); cmd.push(name + "." + ext); cmd.push(" /.localbackup/"); exec(cmd.join(" ")); empty array push push push join /.localbackup/ + cp $name. $ext 13

37 Static Analysis: Templates 2. Evaluate template trees into templates Statically model operations (bottom-up) Unknown parts to be filled at runtime 14

38 Static Analysis: Templates 2. Evaluate template trees into templates Statically model operations (bottom-up) Unknown parts to be filled at runtime join push push /.localbackup/ push + empty array cp $name. $ext cp $name.$ext /.localbackup/ 14

39 Synthesizing a Policy Create runtime policy from templates Enforce structure via partial AST For unknown parts, allow only benign AST nodes 15

40 Synthesizing a Policy Create runtime policy from templates Enforce structure via partial AST For unknown parts, allow only benign AST nodes cp $name.$ext /.localbackup/ Bash grammar Command Arguments cp??? /.localbackup/ 15

41 Runtime Enforcement Enforce policy on strings passed to injection APIs Policy: Command Arguments cp??? /.localbackup/ 16

42 Runtime Enforcement Enforce policy on strings passed to injection APIs Policy: Runtime string: cp f.txt /.localbackup/ Command Command Arguments Arguments cp cp??? /.localbackup/ f.txt /.localbackup/ 16

43 Runtime Enforcement Enforce policy on strings passed to injection APIs Policy: Runtime string: cp f.txt /.localbackup/ Command Command Accepted Arguments Arguments cp cp??? /.localbackup/ f.txt /.localbackup/ 16

44 Runtime Enforcement Enforce policy on strings passed to injection APIs Policy: Command Runtime string: cp -h && rm -rf * && echo /.localbackup/ CompoundCmd Arguments Command Command Command cp ??? /.localbackup/... 16

45 Runtime Enforcement Enforce policy on strings passed to injection APIs Policy: Command Runtime string: cp -h && rm -rf * && echo /.localbackup/ CompoundCmd Arguments Command Command Command cp ??? /.localbackup/... Rejected 16

46 Evaluation: Static Analysis Setup: 51K call sites of injection APIs Precision: Statically safe: To be checked at runtime: 63.3% 36.7% Most call sites: Performance: 4.4 seconds per module At least 10 known characters Only 1 hole 17

47 Evaluation: Runtime Enforcement Setup 24 modules 56 benign and 65 malicious inputs Results: Zero false negatives (i.e., no missed injections) Five false positives (i.e., overly conservative) Overhead (avg.): 0.74 milliseconds per call 18

48 Conclusion Understand injection vulnerabilities First large-scale empirical study of Node.js (in)security Detect and prevent injections Static inference of expected string values AST-based runtime policy Automated repair of vulnerabilities More details: Technical report on my web site 19

Similar documents

Synode: Understanding and Automatically Preventing Injection Attacks on Node.js

Synode: Understanding and Automatically Preventing Injection Attacks on Node.js Synode: Understanding and Automatically Preventing Injection Attacks on Node.js Cristian-Alexandru Staicu 1 Michael Pradel 1 Ben Livshits 2 1 TU Darmstadt 2 Imperial College London, Brave Software February

More information

Synode: Understanding and Automatically Preventing Injection Attacks on Node.js

Synode: Understanding and Automatically Preventing Injection Attacks on Node.js Synode: Understanding and Automatically Preventing Injection Attacks on Node.js Cristian-Alexandru Staicu TU Darmstadt cris.staicu@gmail.com Michael Pradel TU Darmstadt michael@binaervarianz.de Benjamin

More information

Understanding and Automatically Preventing Injection Attacks on Node.js

Understanding and Automatically Preventing Injection Attacks on Node.js Understanding and Automatically Preventing Injection Attacks on Node.js Cristian-Alexandru Staicu, Michael Pradel, Ben Livshits Technical Report TUD-CS-2016-14663 TU Darmstadt, Department of Computer Science

More information

ZigZag - Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities

ZigZag - Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities ZigZag - Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities Michael Weissbacher, William Robertson, Engin Kirda, Christopher Kruegel, Giovanni Vigna 1 XMLHTTPRequest

More information

OWASP Top 10 The Ten Most Critical Web Application Security Risks

OWASP Top 10 The Ten Most Critical Web Application Security Risks OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain

More information

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI)

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Brad Karp UCL Computer Science CS GZ03 / M030 9 th December 2011 Motivation: Vulnerabilities in C Seen dangers of vulnerabilities: injection

More information

Securing Production Applications & Data at Runtime. Prevoty

Securing Production Applications & Data at Runtime. Prevoty Securing Production Applications & Data at Runtime Prevoty Introducing Prevoty Scalable visibility and protection for all applications and services 20+ 3 Over Verticals: Awards & Recognitions Years in

More information

DLint: Dynamically Checking Bad Coding Practices in JavaScript

DLint: Dynamically Checking Bad Coding Practices in JavaScript DLint: Dynamically Checking Bad Coding Practices in JavaScript Liang Gong 1, Michael Pradel 2, Manu Sridharan 3 and Koushik Sen 1 1 UC Berkeley 2 TU Darmstadt 3 Samsung Research America Why JavaScript?

More information

Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers

Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers Cristian-Alexandru Staicu and Michael Pradel Technical Report TUD-CS-217-35 TU Darmstadt, Department of Computer Science

More information

The security of Mozilla Firefox s Extensions. Kristjan Krips

The security of Mozilla Firefox s Extensions. Kristjan Krips The security of Mozilla Firefox s Extensions Kristjan Krips Topics Introduction The extension model How could extensions be used for attacks - website defacement - phishing attacks - cross site scripting

More information

Code-Reuse Attacks for the Web: Breaking XSS mitigations via Script Gadgets

Code-Reuse Attacks for the Web: Breaking XSS mitigations via Script Gadgets Code-Reuse Attacks for the Web: Breaking XSS mitigations via Script Gadgets Sebastian Lekies (@slekies) Krzysztof Kotowicz (@kkotowicz) Eduardo Vela Nava (@sirdarckcat) Agenda 1. 2. 3. 4. 5. 6. Introduction

More information

VirtualSwindle: An Automated Attack Against In-App Billing on Android

VirtualSwindle: An Automated Attack Against In-App Billing on Android Northeastern University Systems Security Lab VirtualSwindle: An Automated Attack Against In-App Billing on Android ASIACCS 2014 Collin Mulliner, William Robertson, Engin Kirda {crm,wkr,ek}[at]ccs.neu.edu

More information

SoK: Eternal War in Memory Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song In: Oakland 14

SoK: Eternal War in Memory Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song In: Oakland 14 SoK: Eternal War in Memory Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song In: Oakland 14 Presenter: Mathias Payer, EPFL http://hexhive.github.io 1 Memory attacks: an ongoing war Vulnerability classes

More information

DLint: Dynamically Checking Bad Coding Practices in JavaScript

DLint: Dynamically Checking Bad Coding Practices in JavaScript DLint: Dynamically Checking Bad Coding Practices in JavaScript Liang Gong 1, Michael Pradel 2, Manu Sridharan 3 and Koushik Sen 1 1 UC Berkeley 2 TU Darmstadt 3 Samsung Research America Why JavaScript?

More information

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title Defend Your Web Applications Against the OWASP Top 10 Security Risks Speaker Name, Job Title Application Security Is Business Continuity Maintain and grow revenue Identify industry threats Protect assets

More information

DreamFactory Security Guide

DreamFactory Security Guide DreamFactory Security Guide This white paper is designed to provide security information about DreamFactory. The sections below discuss the inherently secure characteristics of the platform and the explicit

More information

Web Security: Vulnerabilities & Attacks

Web Security: Vulnerabilities & Attacks Computer Security Course. Song Dawn Web Security: Vulnerabilities & Attacks Cross-site Scripting What is Cross-site Scripting (XSS)? Vulnerability in web application that enables attackers to inject client-side

More information

ISOLATION DEFENSES GRAD SEC OCT

ISOLATION DEFENSES GRAD SEC OCT ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted environment Setting Possibly with multiple tenants OS: users / processes Browser: webpages / browser extensions Cloud:

More information

Practical Techniques for Regeneration and Immunization of COTS Applications

Practical Techniques for Regeneration and Immunization of COTS Applications Practical Techniques for Regeneration and Immunization of COTS Applications Lixin Li Mark R.Cornwell E.Hultman James E. Just R. Sekar Stony Brook University Global InfoTek, Inc (Research supported by DARPA,

More information

ISSA: EXPLOITATION AND SECURITY OF SAAS APPLICATIONS. Waqas Nazir - CEO - DigitSec, Inc.

ISSA: EXPLOITATION AND SECURITY OF SAAS APPLICATIONS. Waqas Nazir - CEO - DigitSec, Inc. 1 ISSA: EXPLOITATION AND SECURITY OF SAAS APPLICATIONS Waqas Nazir - CEO - DigitSec, Inc. EXPLOITATION AND SECURITY 2 OF SAAS APPLICATIONS OVERVIEW STATE OF SAAS SECURITY CHALLENGES WITH SAAS FORCE.COM

More information

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Threat Modeling. Bart De Win Secure Application Development Course, Credits to Threat Modeling Bart De Win bart.dewin@ascure.com Secure Application Development Course, 2009 Credits to Frank Piessens (KUL) for the slides 2 1 Overview Introduction Key Concepts Threats, Vulnerabilities,

More information

We will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries

We will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries We will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries PoCs included Content Security Policy WAFs whitelists nonces

More information

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Application Security through a Hacker s Eyes James Walden Northern Kentucky University Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways

More information

C1: Define Security Requirements

C1: Define Security Requirements OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security

More information

WHITE PAPER. AirGap. The Technology That Makes Isla a Powerful Web Malware Isolation System

WHITE PAPER. AirGap. The Technology That Makes Isla a Powerful Web Malware Isolation System AirGap The Technology That Makes Isla a Powerful Web Malware Isolation System Introduction Web browsers have become a primary target for cyber attacks on the enterprise. If you think about it, it makes

More information

TypeDevil: Dynamic Type Inconsistency Analysis for JavaScript

TypeDevil: Dynamic Type Inconsistency Analysis for JavaScript TypeDevil: Dynamic Type Inconsistency Analysis for JavaScript Michael Pradel 1, Parker Schuh 2, Koushik Sen 2 1 TU Darmstadt, 2 UC Berkeley 1 Motivation JavaScript: Dynamic and permissive Problems remain

More information

Advanced Threat Defense Certification Testing Report. Trend Micro Incorporated Trend Micro Deep Discovery Inspector

Advanced Threat Defense Certification Testing Report. Trend Micro Incorporated Trend Micro Deep Discovery Inspector Advanced Threat Defense Certification Testing Report Trend Micro Deep Discovery Inspector ICSA Labs Advanced Threat Defense July 12, 2016 Prepared by ICSA Labs 1000 Bent Creek Blvd., Suite 200 Mechanicsburg,

More information

CuriousDroid: Automated User Interface Interaction for Android Application Analysis Sandboxes

CuriousDroid: Automated User Interface Interaction for Android Application Analysis Sandboxes CuriousDroid: Automated User Interface Interaction for Android Application Analysis Sandboxes Patrick Carter, Collin Mulliner, Martina Lindorfer, William Robertson, Engin Kirda 02/23/2016 Android 2015

More information

Saving Time and Costs with Virtual Patching and Legacy Application Modernizing

Saving Time and Costs with Virtual Patching and Legacy Application Modernizing Case Study Virtual Patching/Legacy Applications May 2017 Saving Time and Costs with Virtual Patching and Legacy Application Modernizing Instant security and operations improvement without code changes

More information

Defining a Model for Defense in Depth

Defining a Model for Defense in Depth Defining a Model for Defense in Depth James Sullivan, Michael Locasto University of Calgary LAW 2015 Sullivan / Locasto Modelling Defense in Depth LAW 2015 1 / 33 Introduction Key Problem Problem: What

More information

Static analysis of PHP applications

Static analysis of PHP applications Static analysis of PHP applications Ondřej Šerý DISTRIBUTED SYSTEMS RESEARCH GROUP http://dsrg.mff.cuni.cz CHARLES UNIVERSITY PRAGUE Faculty of Mathematics and Physics References G. Wassermann, Z. Su:

More information

Sandboxing untrusted code: policies and mechanisms

Sandboxing untrusted code: policies and mechanisms Sandboxing untrusted code: policies and mechanisms Frank Piessens (Frank.Piessens@cs.kuleuven.be) Secappdev 2011 1 Overview Introduction Java and.net Sandboxing Runtime monitoring Information Flow Control

More information

Ex-Ray: Detection of History-Leaking Browser Extensions

Ex-Ray: Detection of History-Leaking Browser Extensions Ex-Ray: Detection of History-Leaking Browser Extensions Michael Weissbacher, Enrico Mariconti, Guillermo Suarez-Tangil, Gianluca Stringhini, William Robertson, Engin Kirda Northeastern University, University

More information

Security. CSC309 TA: Sukwon Oh

Security. CSC309 TA: Sukwon Oh Security CSC309 TA: Sukwon Oh Outline SQL Injection NoSQL Injection (MongoDB) Same Origin Policy XSSI XSS CSRF (XSRF) SQL Injection What is SQLI? Malicious user input is injected into SQL statements and

More information

At a Glance: Symantec Security.cloud vs Microsoft O365 E3

At a Glance: Symantec Security.cloud vs Microsoft O365 E3 At a Glance: Symantec Email Security.cloud vs Microsoft O365 E3 Microsoft O365 E3 Security as a Feature Symantec Email Security.cloud Why This Is Important Spam Protection Third-party blacklists subscribed

More information

in memory: an evolution of attacks Mathias Payer Purdue University

in memory: an evolution of attacks Mathias Payer Purdue University in memory: an evolution of attacks Mathias Payer Purdue University Images (c) MGM, WarGames, 1983 Memory attacks: an ongoing war Vulnerability classes according to CVE Memory

More information

Generating String Attack Inputs Using Constrained Symbolic Execution. presented by Kinga Dobolyi

Generating String Attack Inputs Using Constrained Symbolic Execution. presented by Kinga Dobolyi Generating String Attack Inputs Using Constrained Symbolic Execution presented by Kinga Dobolyi What is a String Attack? Web applications are 3 tiered Vulnerabilities in the application layer Buffer overruns,

More information

2 Lecture Embedded System Security A.-R. Darmstadt, Android Security Extensions

2 Lecture Embedded System Security A.-R. Darmstadt, Android Security Extensions 2 Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2014 Android Security Extensions App A Perm. P 1 App B Perm. P 2 Perm. P 3 Kirin [2009] Reference Monitor Prevents the installation

More information

Looking Forward: Challenges in Mobile Security. John Mitchell Stanford University

Looking Forward: Challenges in Mobile Security. John Mitchell Stanford University Looking Forward: Challenges in Mobile Security John Mitchell Stanford University Outline Mobile platform security SessionJuggler Using phone as authentication token SelectiveAuth Protecting resources on

More information

CERT C++ COMPLIANCE ENFORCEMENT

CERT C++ COMPLIANCE ENFORCEMENT CERT C++ COMPLIANCE ENFORCEMENT AUTOMATED SOURCE CODE ANALYSIS TO MAINTAIN COMPLIANCE SIMPLIFY AND STREAMLINE CERT C++ COMPLIANCE The CERT C++ compliance module reports on dataflow problems, software defects,

More information

Inject malicious code Call any library functions Modify the original code

Inject malicious code Call any library functions Modify the original code Inject malicious code Call any library functions Modify the original code 2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 2 3 Sadeghi, Davi TU Darmstadt

More information

How to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis

How to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis White paper How to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis AhnLab, Inc. Table of Contents Introduction... 1 Multidimensional Analysis... 1 Cloud-based Analysis...

More information

Maximum Security with Minimum Impact : Going Beyond Next Gen

Maximum Security with Minimum Impact : Going Beyond Next Gen SESSION ID: SP03-W10 Maximum Security with Minimum Impact : Going Beyond Next Gen Wendy Moore Director, User Protection Trend Micro @WMBOTT Hyper-competitive Cloud Rapid adoption Social Global Mobile IoT

More information

JITProf: Pinpointing JIT-Unfriendly JavaScript Code

JITProf: Pinpointing JIT-Unfriendly JavaScript Code JITProf: Pinpointing JIT-Unfriendly JavaScript Code Liang Gong 1, Michael Pradel 2, Koushik Sen 1 1 UC Berkeley, 2 TU Darmstadt 1 Motivation JavaScript: One of the most popular languages Performance: Crucial

More information

OWASP AppSec Research The OWASP Foundation New Insights into Clickjacking

OWASP AppSec Research The OWASP Foundation New Insights into Clickjacking New Insights into Clickjacking Marco `embyte` Balduzzi iseclab @ EURECOM embyte@iseclab.org AppSec Research 2010 Joint work with Egele, Kirda, Balzarotti and Kruegel Copyright The Foundation Permission

More information

Injection. CSC 482/582: Computer Security Slide #1

Injection. CSC 482/582: Computer Security Slide #1 Injection Slide #1 Topics 1. Injection Attacks 2. SQL Injection 3. Mitigating SQL Injection 4. XML Injection Slide #2 Injection Injection attacks trick an application into including unintended commands

More information

Subversive-C: Abusing and Protecting Dynamic Message Dispatch

Subversive-C: Abusing and Protecting Dynamic Message Dispatch Subversive-C: Abusing and Protecting Dynamic Message Dispatch Julian Lettner, Benjamin Kollenda, Andrei Homescu, Per Larsen, Felix Schuster, Lucas Davi, Ahmad-Reza Sadeghi, Thorsten Holz, Michael Franz

More information

Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan. Stanford University, Chalmers University of Technology

Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan. Stanford University, Chalmers University of Technology Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology One of the most popular application platforms Easy to deploy and access Almost anything

More information

Node.js. Could a few lines of code it all up? Head of AppSec Research

Node.js. Could a few lines of code it all up? Head of AppSec Research Node.js Could a few lines of code F@#k it all up? Erez Yalon Head of AppSec Research erez.yalon@checkmarx.com @ErezYalon Could a few lines of code F@#k it all up? Short answer: Longer answer: YES! Definitely

More information

DLint: Dynamically Checking Bad Coding Practices in JavaScript

DLint: Dynamically Checking Bad Coding Practices in JavaScript DLint: Dynamically Checking Bad Coding Practices in JavaScript Lian Gong, Michael Pradel, Manu Sridharan and Koushik Sen Presented by Adriano Lages dos Santos Belo Horizonte - 16/04/2015 Introduction Javascript

More information

Node.js Vulnerabilities

Node.js Vulnerabilities Node.js Vulnerabilities Amadou Crookes December 13th, 2013 Abstract Node.js is a fresh take on building fast, scalable network applications in the form of a server side framework. There are two main differences

More information

Ch 1: The Mobile Risk Ecosystem. CNIT 128: Hacking Mobile Devices. Updated

Ch 1: The Mobile Risk Ecosystem. CNIT 128: Hacking Mobile Devices. Updated Ch 1: The Mobile Risk Ecosystem CNIT 128: Hacking Mobile Devices Updated 1-12-16 The Mobile Ecosystem Popularity of Mobile Devices Insecurity of Mobile Devices The Mobile Risk Model Mobile Network Architecture

More information

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology DEFENSIVE PROGRAMMING Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology Traditional Programming When writing a program, programmers typically

More information

Securing Software Applications Using Dynamic Dataflow Analysis. OWASP June 16, The OWASP Foundation

Securing Software Applications Using Dynamic Dataflow Analysis. OWASP June 16, The OWASP Foundation Securing Software Applications Using Dynamic Dataflow Analysis Steve Cook OWASP June 16, 2010 0 Southwest Research Institute scook@swri.org (210) 522-6322 Copyright The OWASP Foundation Permission is granted

More information

Web Application Vulnerabilities: OWASP Top 10 Revisited

Web Application Vulnerabilities: OWASP Top 10 Revisited Pattern Recognition and Applications Lab Web Application Vulnerabilities: OWASP Top 10 Revisited Igino Corona igino.corona AT diee.unica.it Computer Security April 5th, 2018 Department of Electrical and

More information

BOOSTING THE SECURITY

BOOSTING THE SECURITY BOOSTING THE SECURITY OF YOUR ANGULAR APPLICATION Philippe De Ryck March 2017 https://www.websec.be ANGULAR APPLICATIONS RUN WITHIN THE BROWSER JS code HTML code Load application JS code / HTML code JS

More information

Trusted Types - W3C TPAC

Trusted Types - W3C TPAC Trusted Types - W3C TPAC Krzysztof Kotowicz, Google koto@google.com https://github.com/wicg/trusted-types Slides: https://tinyurl.com/tttpac DOM XSS DOM XSS is a growing, prevalent problem source sink

More information

WHITEPAPER THE EVOLUTION OF APPSEC: FROM WAFS TO AUTONOMOUS APPLICATION PROTECTION

WHITEPAPER THE EVOLUTION OF APPSEC: FROM WAFS TO AUTONOMOUS APPLICATION PROTECTION WHITEPAPER THE EVOLUTION OF APPSEC: FROM WAFS TO AUTONOMOUS APPLICATION PROTECTION 2 Web application firewalls (WAFs) entered the security market at the turn of the century as web apps became increasingly

More information

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet SYMANTEC ENTERPRISE SECURITY Symantec Internet Security Threat Report September 00 Power and Energy Industry Data Sheet An important note about these statistics The statistics discussed in this document

More information

The Top 6 WAF Essentials to Achieve Application Security Efficacy

The Top 6 WAF Essentials to Achieve Application Security Efficacy The Top 6 WAF Essentials to Achieve Application Security Efficacy Introduction One of the biggest challenges IT and security leaders face today is reducing business risk while ensuring ease of use and

More information

TangeloHub Documentation

TangeloHub Documentation TangeloHub Documentation Release None Kitware, Inc. September 21, 2015 Contents 1 User s Guide 3 1.1 Managing Data.............................................. 3 1.2 Running an Analysis...........................................

More information

Performance Issues and Optimizations in JavaScript: An Empirical Study

Performance Issues and Optimizations in JavaScript: An Empirical Study Performance Issues and Optimizations in JavaScript: An Empirical Study Marija Selakovic Department of Computer Science TU Darmstadt, Germany m.selakovic89@gmail.com Michael Pradel Department of Computer

More information

An Introduction to the Waratek Application Security Platform

An Introduction to the Waratek Application Security Platform Product Analysis January 2017 An Introduction to the Waratek Application Security Platform The Transformational Application Security Technology that Improves Protection and Operations Highly accurate.

More information

IS 2620: Developing Secure Systems. Building Security In Lecture 2

IS 2620: Developing Secure Systems. Building Security In Lecture 2 IS 2620: Developing Secure Systems Building Security In Lecture 2 Jan 30, 2007 Software Security Renewed interest idea of engineering software so that it continues to function correctly under malicious

More information

Advanced Threat Defense Certification Testing Report. Symantec Corporation Symantec Advanced Threat Protection

Advanced Threat Defense Certification Testing Report. Symantec Corporation Symantec Advanced Threat Protection Advanced Threat Defense Certification Testing Report Symantec Advanced Threat Protection ICSA Labs Advanced Threat Defense December 8, 2015 Prepared by ICSA Labs 1000 Bent Creek Blvd., Suite 200 Mechanicsburg,

More information

CFIXX: Object Type Integrity. Nathan Burow, Derrick McKee, Scott A. Carr, Mathias Payer

CFIXX: Object Type Integrity. Nathan Burow, Derrick McKee, Scott A. Carr, Mathias Payer CFIXX: Object Type Integrity Nathan Burow, Derrick McKee, Scott A. Carr, Mathias Payer Control-Flow Hijacking Attacks C / C++ are ubiquitous and insecure Browsers: Chrome, Firefox, Internet Explorer Servers:

More information

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.858 Fall 2010 Quiz I All problems are open-ended questions. In order to receive credit you must answer

More information

Static Analysis. Systems and Internet Infrastructure Security

Static Analysis. Systems and Internet Infrastructure Security Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Static Analysis Trent

More information

AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE

AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE Nicholas Carlini, Adrienne Porter Felt, David Wagner University of California, Berkeley CHROME EXTENSIONS CHROME EXTENSIONS servers servers

More information

Securing Untrusted Code

Securing Untrusted Code Securing Untrusted Code Untrusted Code May be untrustworthy Intended to be benign, but may be full of vulnerabilities These vulnerabilities may be exploited by attackers (or other malicious processes)

More information

Overview Cross-Site Scripting (XSS) Christopher Lam Introduction Description Programming Languages used Types of Attacks Reasons for XSS Utilization Attack Scenarios Steps to an XSS Attack Compromises

More information

TREND MICRO SMART PROTECTION SUITES

TREND MICRO SMART PROTECTION SUITES SOLUTION BROCHURE TREND MICRO SMART ROTECTION SUITES Maximum endpoint security from your proven security partner Get smarter security that goes where your users go The threat landscape is constantly changing,

More information

Who is Docker and how he can help us? Heino Talvik

Who is Docker and how he can help us? Heino Talvik Who is Docker and how he can help us? Heino Talvik heino.talvik@seb.ee heino.talvik@gmail.com What is Docker? Software guy view: Marriage of infrastucture and Source Code Management Hardware guy view:

More information

TREND MICRO SMART PROTECTION SUITES

TREND MICRO SMART PROTECTION SUITES SOLUTION BROCHURE TREND MICRO SMART ROTECTION SUITES Maximum Trend Micro XGen security from your proven security partner Get smarter security that goes where your users go The threat landscape is constantly

More information

Web Security: Vulnerabilities & Attacks

Web Security: Vulnerabilities & Attacks Computer Security Course. Song Dawn Web Security: Vulnerabilities & Attacks Slide credit: John Mitchell Dawn Song Security User Interface Dawn Song Safe to type your password? SAFEBANK Bank of the Safe

More information

Buffer overflow background

Buffer overflow background and heap buffer background Comp Sci 3600 Security Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Address Space and heap buffer

More information

Program Testing and Analysis: Manual Testing Prof. Dr. Michael Pradel Software Lab, TU Darmstadt

Program Testing and Analysis: Manual Testing Prof. Dr. Michael Pradel Software Lab, TU Darmstadt Program Testing and Analysis: Manual Testing Prof. Dr. Michael Pradel Software Lab, TU Darmstadt Partly based on slides from Peter Müller, ETH Zurich 1 Warm-up Quiz What does the following code print?

More information

Application Security Using Runtime Protection

Application Security Using Runtime Protection Application Security Using Runtime Protection How RASP can secure your web applications with point & click protection Waratek Solves the Application Security Problems That No One Else Can Application Security

More information

COMP 2718: Shell Scripts: Part 1. By: Dr. Andrew Vardy

COMP 2718: Shell Scripts: Part 1. By: Dr. Andrew Vardy COMP 2718: Shell Scripts: Part 1 By: Dr. Andrew Vardy Outline Shell Scripts: Part 1 Hello World Shebang! Example Project Introducing Variables Variable Names Variable Facts Arguments Exit Status Branching:

More information

CS261 Scribe Notes: Secure Computation 1

CS261 Scribe Notes: Secure Computation 1 CS261 Scribe Notes: Secure Computation 1 Scriber: Cameron Rasmussen October 24, 2018 1 Introduction It is often the case that code is being run locally on our system that isn t completely trusted, a prime

More information

ROSAEC Survey Workshop SELab. Soohyun Baik

ROSAEC Survey Workshop SELab. Soohyun Baik ROSAEC Survey Workshop SELab. Soohyun Baik Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel,

More information

SentinelOne Technical Brief

SentinelOne Technical Brief SentinelOne Technical Brief SentinelOne unifies prevention, detection and response in a fundamentally new approach to endpoint protection, driven by machine learning and intelligent automation. By rethinking

More information

BUFFERZONE Advanced Endpoint Security

BUFFERZONE Advanced Endpoint Security BUFFERZONE Advanced Endpoint Security Enterprise-grade Containment, Bridging and Intelligence BUFFERZONE defends endpoints against a wide range of advanced and targeted threats with patented containment,

More information

Using Threat Modeling To Find Design Flaws

Using Threat Modeling To Find Design Flaws Using Threat Modeling To Find Design Flaws Introduction Jim DelGrosso Run Cigital's Architecture Analysis practice 20+ years in software development in many different domains ~15 years focusing on software

More information

Security Philosophy. Humans have difficulty understanding risk

Security Philosophy. Humans have difficulty understanding risk Android Security Security Philosophy Humans have difficulty understanding risk Safer to assume that Most developers do not understand security Most users do not understand security Security philosophy

More information

Configuring BIG-IP ASM v12.1 Application Security Manager

Configuring BIG-IP ASM v12.1 Application Security Manager Course Description Configuring BIG-IP ASM v12.1 Application Security Manager Description The BIG-IP Application Security Manager course gives participants a functional understanding of how to deploy, tune,

More information

Lecture 10. Denial of Service Attacks (cont d) Thursday 24/12/2015

Lecture 10. Denial of Service Attacks (cont d) Thursday 24/12/2015 Lecture 10 Denial of Service Attacks (cont d) Thursday 24/12/2015 Agenda DoS Attacks (cont d) TCP DoS attacks DNS DoS attacks DoS via route hijacking DoS at higher layers Mobile Platform Security Models

More information

The Mimecast Security Risk Assessment Quarterly Report May 2017

The Mimecast Security Risk Assessment Quarterly Report May 2017 The Mimecast Email Security Risk Assessment Quarterly Report May 2017 The Mimecast Email Security Risk Assessment Quarterly Report May 2017 Many organizations think their current email security systems

More information

An Introduction to Runtime Application Self-Protection (RASP)

An Introduction to Runtime Application Self-Protection (RASP) Product Analysis June 2016 An Introduction to Runtime Application Self-Protection (RASP) The Transformational Application Security Technology that Improves Protection and Operations Highly accurate. Easy

More information

Self-defending software: Automatically patching errors in deployed software

Self-defending software: Automatically patching errors in deployed software Self-defending software: Automatically patching errors in deployed software Michael Ernst University of Washington Joint work with: Saman Amarasinghe, Jonathan Bachrach, Michael Carbin, Sung Kim, Samuel

More information

QuantDroid: Quantitative Approach towards Mitigating Privilege Escalation on Android

QuantDroid: Quantitative Approach towards Mitigating Privilege Escalation on Android QuantDroid: Quantitative Approach towards Mitigating Privilege Escalation on Android Tobias Markmann 1 Dennis Gessner 2 Dirk Westhoff 3 1 HAW Hamburg, Germany 2 NEC Laboratories Europe, Heidelberg, Germany

More information

Detecting Drive-by-Download Attacks based on HTTP Context-Types Ryo Kiire, Shigeki Goto Waseda University

Detecting Drive-by-Download Attacks based on HTTP Context-Types Ryo Kiire, Shigeki Goto Waseda University Detecting Drive-by-Download Attacks based on HTTP Context-Types Ryo Kiire, Shigeki Goto Waseda University 1 Outline Background Related Work Purpose Method Experiment Results Conclusion & Future Work 2

More information

On Mobile Malware Infections N. Asokan

On Mobile Malware Infections N. Asokan On Mobile Malware Infections N. Asokan (joint work with Hien Thi Thu Truong, Eemil Lagerspetz, Petteri Nurmi, Adam J. Oliner, Sasu Tarkoma, Sourav Bhattacharya) Mobile malware alarm bells Google Search

More information

BREAKTHROUGH CYBER SECURITY FREQUENTLY ASKED QUESTIONS

BREAKTHROUGH CYBER SECURITY FREQUENTLY ASKED QUESTIONS BREAKTHROUGH CYBER SECURITY FREQUENTLY ASKED QUESTIONS www.gbmstech.com What does GBMS Tech do? WE STOP MALWARE from running on your computers and mobile devices. We block CryptoLocker and Ransomware without

More information

Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui

Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui Projects 1 Information flow analysis for mobile applications 2 2 Machine-learning-guide typestate analysis for UAF vulnerabilities 3 3 Preventing

More information

last time: command injection

last time: command injection Web Security 1 last time: command injection 2 placing user input in more complicated language SQL shell commands input accidentally treated as commands in language instead of single value (e.g. argument/string

More information

Building Secure PHP Apps

Building Secure PHP Apps Building Secure PHP Apps is your PHP app truly secure? Let s make sure you get home on time and sleep well at night. Ben Edmunds This book is for sale at http://leanpub.com/buildingsecurephpapps This version

More information

RKN 2015 Application Layer Short Summary

RKN 2015 Application Layer Short Summary RKN 2015 Application Layer Short Summary HTTP standard version now: 1.1 (former 1.0 HTTP /2.0 in draft form, already used HTTP Requests Headers and body counterpart: answer Safe methods (requests): GET,

More information

Defense-in-depth techniques. for modern web applications

Defense-in-depth techniques. for modern web applications Defense-in-depth techniques for modern web applications About Us Lukas Weichselbaum Michele Spagnuolo Senior Information Security Engineer Senior Information Security Engineer We work in a focus area of

More information

Browser Exploits? Grab em by the Collar! Presented By: Debasish Mandal

Browser Exploits? Grab em by the Collar! Presented By: Debasish Mandal Browser Exploits? Grab em by the Collar! Presented By: Debasish Mandal (@debasishm89) About Me Security researcher, currently working in McAfee IPS Vulnerability Research Team. Working in information security

More information
2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback