Understanding and Automatically Preventing Injection Attacks on Node.js
Michael Pradel, TU Darmstadt
Joint work with Cristian Staicu (TU Darmstadt) and Ben Livshits (Microsoft Research, Redmond)
Why JavaScript?
- Relevant and challenging
- Chart: rank of top languages on GitHub over time (source: GitHub.com)
- Figure: 1096 pages vs. 153 pages
Motivation: JavaScript (In)Security
JavaScript is popular beyond the browser:
- Client-side web app: runs in the browser, inside a sandbox, on top of the operating system
- Server-side or desktop app: runs on Node.js, with no sandbox, directly on top of the operating system
- Mobile app: runs in the Dalvik VM, inside a sandbox, on top of the operating system
Culture of Naive Reuse
Node.js code builds on 3rd-party code:
- Over modules
- No specified trust relationships between modules
- Many indirect dependences
Consequence: risk of vulnerable and malicious code
Real Example: Growl Module

    var msg = receiveFromNetwork(); // hypothetical helper: msg is attacker-controlled
    growl(msg);                     // passed straight to the notification command

Growl module:
- Runs a platform-specific command to show notifications
- Passes the message to that command without any checks
Running Example

    var exec = require("child_process").exec; // exec comes from Node's child_process module
    // messages: lookup table of log strings, defined elsewhere in the module

    // Copies name.ext into the backup directory and logs a message.
    function backupfile(name, ext) {
      var cmd = [];
      cmd.push("cp");
      cmd.push(name + "." + ext);
      cmd.push("~/.localbackup/");
      exec(cmd.join(" "));                               // construct a shell command and execute it
      var kind = (ext === "jpg") ? "pics" : "other";
      console.log(eval("messages.backup_" + kind));     // construct JavaScript code and execute it
    }

Injection APIs (here exec and eval): interpret a string as code.
Injection attack: backupfile("-h && rm -rf * && echo ", "")
Our Contributions
1. Study of injection vulnerabilities
   - First large-scale study of Node.js security
   - 236K modules, 816M lines of JavaScript
2. Repair of vulnerabilities
   - Static analysis and runtime enforcement
   - Automatic and easy to deploy
   - Small overhead and high accuracy
Study: Prevalence
Are injection vulnerabilities widespread?
- Chart: direct uses of injection APIs
- Chart: indirect uses via other modules
- Manual inspection of 150 call sites:
  - Attacker-controlled data may reach the API: 58%
  - Defense mechanisms: none in 90%, a regular expression in 9%
Study: Developer Reactions
Do developers fix vulnerabilities?
- Reported 20 previously unknown vulnerabilities
- After several months, only 3 fixed
Need a mitigation technique that requires very little developer attention
Preventing Injections
Overview of the approach:
- Vulnerable code -> static analysis -> string templates
- Templates that are fully known -> statically safe code
- Otherwise: synthesize policy -> code with runtime checks
- Runtime inputs -> dynamic enforcement -> safe runtime behavior
Static Analysis: Template Trees
1. Backward data flow analysis
- Overapproximate the strings passed to an injection API
- Represent the possible values as a tree

For the exec call site of the running example:

    function backupfile(name, ext) {
      var cmd = [];
      cmd.push("cp");
      cmd.push(name + "." + ext);
      cmd.push("~/.localbackup/");
      exec(cmd.join(" "));
    }

The analysis starts at the argument of exec ($cmd, join) and follows cmd backwards through the pushes to the empty array. The resulting template tree, root first (the join separator " " comes from the code):

    join
      push
        push
          push
            empty array
            "cp"
          +
            $name
            "."
            $ext
        "~/.localbackup/"
      " "
Static Analysis: Templates
2. Evaluate template trees into templates
- Statically model the operations (bottom-up)
- Unknown parts are left as holes to be filled at runtime

Evaluating the template tree of the running example (empty array, push "cp", push $name + "." + $ext, push "~/.localbackup/", join) gives the template

    cp $name.$ext ~/.localbackup/
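A worked version of this bottom-up evaluation, as an added example rather than Synode's own code: the node kinds, evalTree and the template representation are my own simplification of the tree sketched on the slides, applied to the exec call site of backupfile.

```javascript
// Added example, not Synode's code: evaluate a template tree bottom-up
// into a template. A template is an array of parts, each either a known
// string or a hole { hole: "<variable>" } to be filled in at runtime.
// Node kinds (const, hole, emptyArray, push, +, join) are my simplification
// of the operations shown in the slides' tree.

function constant(value)   { return { kind: "const", value: value }; }
function hole(name)        { return { kind: "hole", name: name }; }
function emptyArray()      { return { kind: "emptyArray" }; }
function push(arr, elem)   { return { kind: "push", arr: arr, elem: elem }; }
function plus(left, right) { return { kind: "+", left: left, right: right }; }
function join(arr, sep)    { return { kind: "join", arr: arr, sep: sep }; }

// Merge adjacent known strings so that ["cp", " "] becomes ["cp "].
function mergeParts(parts) {
  var out = [];
  parts.forEach(function (p) {
    var last = out[out.length - 1];
    if (typeof p === "string" && typeof last === "string") {
      out[out.length - 1] = last + p;
    } else {
      out.push(p);
    }
  });
  return out;
}

// Bottom-up evaluation. String-valued nodes yield a template; array-valued
// nodes (emptyArray, push) yield an array of templates, one per element.
function evalTree(node) {
  switch (node.kind) {
    case "const":      return [node.value];
    case "hole":       return [{ hole: node.name }];
    case "emptyArray": return [];
    case "push":       return evalTree(node.arr).concat([evalTree(node.elem)]);
    case "+":          return mergeParts(evalTree(node.left).concat(evalTree(node.right)));
    case "join": {
      var sep = evalTree(node.sep);            // the separator is itself a template
      var parts = [];
      evalTree(node.arr).forEach(function (elem, i) {
        if (i > 0) parts = parts.concat(sep);
        parts = parts.concat(elem);
      });
      return mergeParts(parts);
    }
    default:
      throw new Error("unsupported node kind: " + node.kind);
  }
}

// Render a template in the $name notation used on the slides.
function templateToString(template) {
  return template.map(function (p) {
    return typeof p === "string" ? p : "$" + p.hole;
  }).join("");
}

// Template tree for exec(cmd.join(" ")) in backupfile: the backward
// analysis starts at the argument of exec and follows cmd back to [].
var backupTree = join(
  push(
    push(
      push(emptyArray(), constant("cp")),
      plus(plus(hole("name"), constant(".")), hole("ext"))),
    constant("~/.localbackup/")),
  constant(" "));

function backupTemplate() {
  return evalTree(backupTree);
}

console.log(templateToString(backupTemplate()));
// cp $name.$ext ~/.localbackup/
```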
Synthesizing a Policy
Create a runtime policy from the templates:
- Enforce the structure via a partial AST
- For unknown parts, allow only benign AST nodes

Example: parsing the template cp $name.$ext ~/.localbackup/ with the Bash grammar yields the partial AST

    Command
      Arguments: cp, ???, ~/.localbackup/

where ??? stands for the unknown part.
Runtime Enforcement
Enforce the policy on strings passed to injection APIs.

Policy (partial AST):

    Command
      Arguments: cp, ???, ~/.localbackup/

Runtime string: cp f.txt ~/.localbackup/

    Command
      Arguments: cp, f.txt, ~/.localbackup/

The structure matches the policy: accepted.

Runtime string: cp -h && rm -rf * && echo ~/.localbackup/

    CompoundCmd
      Command, Command, Command ...

The root is a CompoundCmd where the policy expects a Command: rejected.
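The policy synthesis and runtime check of the last two slides, as an added example that is not Synode's code: Synode parses with a real Bash grammar, whereas parseShell below is a hand-written subset (simple commands of words, combined by the control operators &&, ||, ;, | and &, quotes not modelled), isBenignLiteral is my stand-in for the benign-node check on holes, and all names are mine.

```javascript
// Added example, not Synode's code: synthesize a policy from the template
// "cp $name.$ext ~/.localbackup/" and enforce it on the string handed to
// exec. parseShell is a small hand-written shell subset; isBenignLiteral
// is my stand-in for "allow only benign AST nodes" in a hole.

var HOLE = { hole: true };            // the "???" of the slides
var PLACEHOLDER = "\u0001";           // marks holes while parsing a template

// Split a command string into words and control operators.
function tokenize(str) {
  var tokens = [], word = "", i = 0;
  function flush() { if (word) { tokens.push({ word: word }); word = ""; } }
  while (i < str.length) {
    var two = str.slice(i, i + 2), one = str[i];
    if (two === "&&" || two === "||") { flush(); tokens.push({ op: two }); i += 2; }
    else if (one === ";" || one === "|" || one === "&") { flush(); tokens.push({ op: one }); i += 1; }
    else if (/\s/.test(one)) { flush(); i += 1; }
    else { word += one; i += 1; }
  }
  flush();
  return tokens;
}

// Parse into a Command (list of words) or a CompoundCmd (commands joined
// by operators), mirroring the two node types shown on the slides.
function parseShell(str) {
  var commands = [], operators = [], words = [];
  tokenize(str).forEach(function (t) {
    if (t.op !== undefined) {
      commands.push({ type: "Command", words: words });
      words = [];
      operators.push(t.op);
    } else {
      words.push(t.word);
    }
  });
  commands.push({ type: "Command", words: words });
  if (commands.length === 1) return commands[0];
  return { type: "CompoundCmd", operators: operators, commands: commands };
}

// Policy synthesis: parse the known parts of the template and turn every
// word that contains a hole into a HOLE node.
function synthesizePolicy(template) {
  var rendered = template.map(function (p) {
    return typeof p === "string" ? p : PLACEHOLDER;
  }).join("");
  function markHoles(node) {
    if (node.type === "CompoundCmd") { node.commands.forEach(markHoles); return node; }
    node.words = node.words.map(function (w) { return w.indexOf(PLACEHOLDER) >= 0 ? HOLE : w; });
    return node;
  }
  return markHoles(parseShell(rendered));
}

// A hole may only be filled by a plain literal word: no expansions,
// redirections, globs or quotes (conservative allow-list).
function isBenignLiteral(word) {
  return /^[A-Za-z0-9._~\/=+,:@%-]+$/.test(word);
}

// Structural match of the runtime AST against the policy's partial AST.
function matches(policy, ast) {
  if (policy.type !== ast.type) return false;
  if (policy.type === "CompoundCmd") {
    return policy.operators.join() === ast.operators.join() &&
      policy.commands.length === ast.commands.length &&
      policy.commands.every(function (c, i) { return matches(c, ast.commands[i]); });
  }
  return policy.words.length === ast.words.length &&
    policy.words.every(function (w, i) {
      return w === HOLE ? isBenignLiteral(ast.words[i]) : w === ast.words[i];
    });
}

function enforce(policy, runtimeString) {
  return matches(policy, parseShell(runtimeString));
}

// Render a policy in the slides' notation, e.g. "cp ??? ~/.localbackup/".
function policyToString(policy) {
  if (policy.type === "CompoundCmd") {
    return policy.commands.map(policyToString).reduce(function (acc, c, i) {
      return acc + " " + policy.operators[i - 1] + " " + c;
    });
  }
  return policy.words.map(function (w) { return w === HOLE ? "???" : w; }).join(" ");
}

// Template for the exec call site of backupfile, as inferred statically.
var backupTemplate = ["cp ", { hole: "name" }, ".", { hole: "ext" }, " ~/.localbackup/"];
var backupPolicy = synthesizePolicy(backupTemplate);

// Guarded replacement for the call site: check before the string reaches exec.
function guardedExec(policy, cmd, callback) {
  if (!enforce(policy, cmd)) {
    return callback(new Error("policy violation, command not executed: " + cmd));
  }
  return require("child_process").exec(cmd, callback);
}
```

A runtime string that parses to a CompoundCmd, expands a hole into several words, or fills it with something other than a plain literal is rejected before exec runs.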
Evaluation: Static Analysis
Setup: 51K call sites of injection APIs
Precision (statically safe / to be checked at runtime): 63.3% / 36.7%
Most call sites: at least 10 known characters, only 1 hole
Performance: 4.4 seconds per module
Evaluation: Runtime Enforcement
Setup: 24 modules; 56 benign and 65 malicious inputs
Results:
- Zero false negatives (i.e., no missed injections)
- Five false positives (i.e., overly conservative)
- Overhead (avg.): 0.74 milliseconds per call
Conclusion
Understand injection vulnerabilities:
- First large-scale empirical study of Node.js (in)security
Detect and prevent injections:
- Static inference of expected string values
- AST-based runtime policy
- Automated repair of vulnerabilities
More details: technical report on my web site
More informationUsing Threat Modeling To Find Design Flaws
Using Threat Modeling To Find Design Flaws Introduction Jim DelGrosso Run Cigital's Architecture Analysis practice 20+ years in software development in many different domains ~15 years focusing on software
More informationSecurity Philosophy. Humans have difficulty understanding risk
Android Security Security Philosophy Humans have difficulty understanding risk Safer to assume that Most developers do not understand security Most users do not understand security Security philosophy
More informationConfiguring BIG-IP ASM v12.1 Application Security Manager
Course Description Configuring BIG-IP ASM v12.1 Application Security Manager Description The BIG-IP Application Security Manager course gives participants a functional understanding of how to deploy, tune,
More informationLecture 10. Denial of Service Attacks (cont d) Thursday 24/12/2015
Lecture 10 Denial of Service Attacks (cont d) Thursday 24/12/2015 Agenda DoS Attacks (cont d) TCP DoS attacks DNS DoS attacks DoS via route hijacking DoS at higher layers Mobile Platform Security Models
More informationThe Mimecast Security Risk Assessment Quarterly Report May 2017
The Mimecast Email Security Risk Assessment Quarterly Report May 2017 The Mimecast Email Security Risk Assessment Quarterly Report May 2017 Many organizations think their current email security systems
More informationAn Introduction to Runtime Application Self-Protection (RASP)
Product Analysis June 2016 An Introduction to Runtime Application Self-Protection (RASP) The Transformational Application Security Technology that Improves Protection and Operations Highly accurate. Easy
More informationSelf-defending software: Automatically patching errors in deployed software
Self-defending software: Automatically patching errors in deployed software Michael Ernst University of Washington Joint work with: Saman Amarasinghe, Jonathan Bachrach, Michael Carbin, Sung Kim, Samuel
More informationQuantDroid: Quantitative Approach towards Mitigating Privilege Escalation on Android
QuantDroid: Quantitative Approach towards Mitigating Privilege Escalation on Android Tobias Markmann 1 Dennis Gessner 2 Dirk Westhoff 3 1 HAW Hamburg, Germany 2 NEC Laboratories Europe, Heidelberg, Germany
More informationDetecting Drive-by-Download Attacks based on HTTP Context-Types Ryo Kiire, Shigeki Goto Waseda University
Detecting Drive-by-Download Attacks based on HTTP Context-Types Ryo Kiire, Shigeki Goto Waseda University 1 Outline Background Related Work Purpose Method Experiment Results Conclusion & Future Work 2
More informationOn Mobile Malware Infections N. Asokan
On Mobile Malware Infections N. Asokan (joint work with Hien Thi Thu Truong, Eemil Lagerspetz, Petteri Nurmi, Adam J. Oliner, Sasu Tarkoma, Sourav Bhattacharya) Mobile malware alarm bells Google Search
More informationBREAKTHROUGH CYBER SECURITY FREQUENTLY ASKED QUESTIONS
BREAKTHROUGH CYBER SECURITY FREQUENTLY ASKED QUESTIONS www.gbmstech.com What does GBMS Tech do? WE STOP MALWARE from running on your computers and mobile devices. We block CryptoLocker and Ransomware without
More informationHonours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui
Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui Projects 1 Information flow analysis for mobile applications 2 2 Machine-learning-guide typestate analysis for UAF vulnerabilities 3 3 Preventing
More informationlast time: command injection
Web Security 1 last time: command injection 2 placing user input in more complicated language SQL shell commands input accidentally treated as commands in language instead of single value (e.g. argument/string
More informationBuilding Secure PHP Apps
Building Secure PHP Apps is your PHP app truly secure? Let s make sure you get home on time and sleep well at night. Ben Edmunds This book is for sale at http://leanpub.com/buildingsecurephpapps This version
More informationRKN 2015 Application Layer Short Summary
RKN 2015 Application Layer Short Summary HTTP standard version now: 1.1 (former 1.0 HTTP /2.0 in draft form, already used HTTP Requests Headers and body counterpart: answer Safe methods (requests): GET,
More informationDefense-in-depth techniques. for modern web applications
Defense-in-depth techniques for modern web applications About Us Lukas Weichselbaum Michele Spagnuolo Senior Information Security Engineer Senior Information Security Engineer We work in a focus area of
More informationBrowser Exploits? Grab em by the Collar! Presented By: Debasish Mandal
Browser Exploits? Grab em by the Collar! Presented By: Debasish Mandal (@debasishm89) About Me Security researcher, currently working in McAfee IPS Vulnerability Research Team. Working in information security
More information