Doctoral Thesis Proposal - Nuno Sabino

— 11:30am

Location:
In Person - Gates Hillman 7101

Speaker:
NUNO SABINO, Ph.D. Student, Computer Science Department, Carnegie Mellon University
https://cmuportugal.org/students/nuno-sabino/


Improving Code-Injection Vulnerability Detection & Confirmation in JS Programs via Program Analysis

Applications written in JavaScript are often vulnerable to a range of security threats. On the frontend, DOM-based Cross-Site Scripting (DOM-XSS) allows attackers to inject malicious JavaScript code into a webpage. On the backend, arbitrary code execution (ACE) and arbitrary command injection (ACI) enable attackers to execute arbitrary code or commands on the server. Exploiting such vulnerabilities can lead to severe consequences, including unauthorized access to sensitive data and even full system compromise.

Dynamic taint analysis (DTA) tools report potential flows: program paths along which attacker-controlled input, such as a URL, reaches a sensitive function that may lead to arbitrary code execution. Confirming a potential flow requires a concrete input that demonstrates it in the target application, but prior work fails to explore program paths thoroughly. In the backend, these tools miss ACI and ACE vulnerabilities that require inputs with complex structure. We develop a novel type- and structure-aware fuzzing technique to explore Node.js packages, and an enumerator that synthesizes syntactically valid payloads for ACE vulnerabilities. Incorporating these components into the prior work NodeMedic led to finding 2257 potential flows and confirming vulnerabilities in 766 Node.js packages.
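As an added illustration of why structure-aware inputs matter (this is example code written for this page, not code from the thesis or from NodeMedic), the toy Node.js package below only reaches its command-injection sink when the entry point is called with an object of the expected shape. A flat string never gets past the type checks, so a fuzzer that only mutates strings reports nothing; an input built from the expected structure carries the payload to the sink. The names `pingHost`, `shellSink`, `buildInput` and `confirmFlow` are hypothetical, and the sink is a stub that records the command instead of running it.

```javascript
// Added example, not from the thesis or NodeMedic.
// Toy Node.js package with a command-injection (ACI) flow that is reachable
// only through a structured input, plus a confirmation check for the flow.

// Stub of the sink: records the command instead of executing it, so the
// demonstration never passes attacker-controlled text to a real shell.
let lastCommand = null;
function shellSink(cmd) {
  lastCommand = cmd;
  return cmd;
}

// Hypothetical package API (constructed for this example). The sink is reached
// only when `opts` is an object with a nested `target.host` string and
// `opts.verify === true`; a flat string input fails the first check.
function pingHost(opts) {
  if (typeof opts !== 'object' || opts === null) {
    return { ok: false, reason: 'expected options object' };
  }
  if (!opts.target || typeof opts.target.host !== 'string') {
    return { ok: false, reason: 'missing target.host' };
  }
  if (opts.verify !== true) {
    return { ok: false, reason: 'verify flag not set' };
  }
  // Vulnerable: the host string is concatenated into a shell command.
  shellSink('ping -c 1 ' + opts.target.host);
  return { ok: true };
}

// Structure-aware input construction: start from the shape the entry point
// expects, then place the payload in the one string field that flows to the
// sink. A real fuzzer would infer this shape from the package's types or from
// the property accesses it observes; here the shape is written by hand.
function buildInput(hostPayload) {
  return { target: { host: hostPayload }, verify: true };
}

// The ACI payload: a valid host, a shell separator, then a harmless marker
// command whose presence in the sink proves a second command can be injected.
const MARKER = 'echo ACI_MARKER';
const PAYLOAD = '127.0.0.1; ' + MARKER;

// Confirmation: did the marker reach the sink as a separate shell command?
function confirmFlow(input) {
  lastCommand = null;
  pingHost(input);
  return lastCommand !== null && lastCommand.endsWith('; ' + MARKER);
}

// Stand-alone run: the flat string is rejected, the structured input confirms.
console.log('flat string confirms flow:', confirmFlow(PAYLOAD));
console.log('structured input confirms flow:', confirmFlow(buildInput(PAYLOAD)));
```

The same payload string fails as a bare argument and succeeds once wrapped in the expected object, which is the gap between string-only mutation and type- and structure-aware generation that the paragraph describes.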

A unique challenge in exploring frontend code is that program behavior may depend on user actions on the webpage. To address this, we developed a fuzzer that interacts with the target webpage and evaluated it against 43,436 popular pages. Furthermore, we found that including optional GET parameters in the target URL uncovers significantly more DOM-XSS vulnerabilities, which led us to use dynamic symbolic execution to automatically synthesize GET parameters that satisfy the program's constraints. Compared to our replication of the prior work DOMsday, the fuzzer finds 37% more potential DOM-XSS flows and confirms 57% more vulnerabilities.
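As an added example of a DOM-XSS flow that is only reachable through an optional GET parameter (example code written for this page, not the thesis's fuzzer or its DOMsday replication), the page script below renders a constant default when `theme` is absent, rejects values that fail a prefix check, and only then concatenates the parameter into `innerHTML`. Visiting the bare URL therefore reports no flow, and a random value is rejected; a value synthesized to satisfy the branch condition reaches the sink. The names `makeDocument`, `renderTheme`, `synthesizeParam` and `flowReached` are hypothetical, and the browser objects are replaced by a minimal stub so the script runs under Node.

```javascript
// Added example, not from the thesis or DOMsday.
// A page script with a DOM-XSS sink reachable only via an optional GET
// parameter, executed against a minimal stand-in for the browser DOM.

// Minimal stand-in for the browser objects the page script touches. Writes
// to innerHTML are recorded so the sink can be inspected after the run.
function makeDocument(url) {
  const u = new URL(url);
  const sinkWrites = [];
  const container = {
    set innerHTML(html) { sinkWrites.push(html); },
  };
  return {
    location: { search: u.search },
    getElementById: (id) => (id === 'app' ? container : null),
    sinkWrites,
  };
}

// Hypothetical page script (constructed for this example). `theme` is
// optional: without it the page writes a constant and never carries taint
// to the sink. With it, the value must satisfy the constraint
// theme.startsWith('custom:') before the remainder reaches innerHTML.
function renderTheme(document) {
  const params = new URLSearchParams(document.location.search);
  const theme = params.get('theme');
  const app = document.getElementById('app');
  if (theme === null) {
    app.innerHTML = '<div class="default"></div>';  // constant, untainted
    return 'default';
  }
  if (!theme.startsWith('custom:')) {
    return 'rejected';  // constraint on the parameter not met
  }
  // Vulnerable: parameter text is concatenated into markup.
  app.innerHTML = '<div class="' + theme.slice('custom:'.length) + '"></div>';
  return 'custom';
}

// Marker the attacker places in the parameter; its verbatim appearance in
// the sink confirms the flow without needing a browser to fire the handler.
const MARKER = '<img src=x onerror=alert(1)>';

// Stand-in for the dynamic symbolic execution step: given the prefix
// constraint collected from the executed branch, produce a parameter value
// that satisfies it and carries the marker. The leading quote closes the
// class attribute so the marker lands outside it.
function synthesizeParam(prefixConstraint, marker) {
  return prefixConstraint + '"' + marker;
}

// Build a candidate URL from a parameter value (or none) and check the sink.
function urlWithTheme(base, value) {
  return value === null ? base : base + '?theme=' + encodeURIComponent(value);
}

function flowReached(url) {
  const doc = makeDocument(url);
  renderTheme(doc);
  return doc.sinkWrites.some((html) => html.includes(MARKER));
}

const BASE = 'https://example.test/page';  // constructed, not a real site

// Stand-alone run: bare URL, unconstrained value, then synthesized value.
console.log('bare URL:', flowReached(urlWithTheme(BASE, null)));
console.log('random value:', flowReached(urlWithTheme(BASE, MARKER)));
console.log('synthesized:', flowReached(urlWithTheme(BASE, synthesizeParam('custom:', MARKER))));
```

Only the third URL is reported as a flow, which is why a crawler that visits pages without optional parameters undercounts DOM-XSS, and why the parameter value has to be derived from the branch conditions rather than guessed.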

Finally, we find that potential flows that are not directly exploitable may still hint at real vulnerabilities that require additional steps to confirm, such as bypassing sanitization or extending the attacker's capabilities by executing other parts of the program. We therefore propose the design and implementation of exploration strategies that, starting from a potential flow that has already been found, efficiently explore the program to discover an exploitable path.

Thesis Committee

Limin Jia (Chair)
Pedro Adão (Co-chair, Instituto Superior Técnico)
Rui Maranhão (Co-chair, Universidade do Porto)
Lujo Bauer
Ruben Martins
José Fragoso (Instituto Superior Técnico)

Cristian-Alexandru Staicu (CISPA Helmholtz Center for Information Security)

Event Website:
https://csd.cmu.edu/calendar/doctoral-thesis-proposal-nuno-sabino