kth.sePublications
EnglishSvenskaNorsk
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js
KTH, School of Electrical Engineering and Computer Science (EECS), Computer Science, Theoretical Computer Science, TCS.ORCID iD: 0000-0002-2621-5179
KTH, School of Electrical Engineering and Computer Science (EECS), Computer Science, Theoretical Computer Science, TCS.ORCID iD: 0000-0001-6005-5992
CISPA Helmholtz Ctr Informat Secur, Saarbrucken, Germany..
2023 (English)In: Proceedings Of The 32Nd Usenix Security Symposium, USENIX ASSOC , 2023, p. 5521-5538Conference paper, Published paper (Refereed)
Abstract [en]

Prototype pollution is a dangerous vulnerability affecting prototype-based languages like JavaScript and the Node.js platform. It refers to the ability of an attacker to inject properties into an object's root prototype at runtime and subsequently trigger the execution of legitimate code gadgets that access these properties on the object's prototype, leading to attacks such as Denial of Service (DoS), privilege escalation, and Remote Code Execution (RCE). While there is anecdotal evidence that prototype pollution leads to RCE, current research does not tackle the challenge of gadget detection, thus only showing feasibility of DoS attacks, mainly against Node.js libraries. In this paper, we set out to study the problem in a holistic way, from the detection of prototype pollution to detection of gadgets, with the ambitious goal of finding end-to-end exploits beyond DoS, in full-fledged Node.js applications. We build the first multi-staged framework that uses multilabel static taint analysis to identify prototype pollution in Node.js libraries and applications, as well as a hybrid approach to detect universal gadgets, notably, by analyzing the Node.js source code. We implement our framework on top of GitHub's static analysis framework CodeQL to find 11 universal gadgets in core Node.js APIs, leading to code execution. Furthermore, we use our methodology in a study of 15 popular Node.js applications to identify prototype pollutions and gadgets. We manually exploit eight RCE vulnerabilities in three high-profile applications such as NPM CLI, Parse Server, and Rocket.Chat. Our results provide alarming evidence that prototype pollution in combination with powerful universal gadgets lead to RCE in Node.js.
Place, publisher, year, edition, pages
USENIX ASSOC , 2023. p. 5521-5538
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:kth:diva-342283ISI: 001066451505040Scopus ID: 2-s2.0-85164832590OAI: oai:DiVA.org:kth-342283DiVA, id: diva2:1830958
Conference
32nd USENIX Security Symposium, AUG 09-11, 2023, Anaheim, CA, USA
Note

Part of ISBN 978-1-939133-37-3

QC 20240124

Available from: 2024-01-24 Created: 2024-01-24 Last updated: 2024-10-14Bibliographically approved
In thesis
1. Code-Reuse Attacks in Managed Programming Languages and Runtimes
Open this publication in new window or tab >>Code-Reuse Attacks in Managed Programming Languages and Runtimes
2024 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

The ubiquity of digital systems in modern society highlights the critical importance of software security. As applications grow in complexity, the threats targeting them have also become more sophisticated. Managed programming languages such as C# and JavaScript, widely used in modern software development, support memory safety properties to avoid common vulnerabilities like buffer overflows. However, while these languages guard against many traditional memory corruption issues, they are not impervious to all forms of attack. Code-reuse attacks represent a significant threat within this context, as they exploit the program's logic, allowing attackers to repurpose existing code within the system to achieve malicious objectives.

Code-reuse attacks present a unique challenge in managed languages because they manipulate legitimate code fragments, making detection and prevention particularly difficult. As these threats continue to evolve, it is increasingly vital to systematically understand and mitigate code-reuse attacks in memory-safe languages. This thesis addresses this challenge by investigating the vulnerabilities inherent in managed languages and their runtimes.

The thesis presents a new taxonomy for code-reuse attacks in managed languages and runtimes. This taxonomy systematically categorizes code-reuse attacks, identifying the key components and their combinations that lead to successful exploits. By offering a structured framework for understanding the key ingredients of code-reuse attacks, this work advances the field of software security. The thesis designs and implements scalable (static and dynamic) program analysis techniques for detecting two classes of code-reuse attacks: object injection vulnerabilities in C# and prototype pollution vulnerabilities in JavaScript. It focuses on the root causes of these attacks and provides systematic approaches for addressing them.

This work introduces four tools designed to identify and exploit code-reuse attacks in real-world applications: SerialDetector, Silent Spring, Dasty, and GHunter. We developed them to perform static and dynamic analyses, successfully identifying critical vulnerabilities in popular applications, libraries, and runtimes. We report the results of large-scale evaluations, demonstrating the effectiveness of these tools and our approaches in detecting and exploiting vulnerabilities that could lead to significant security breaches. The results of this work highlight the importance of ongoing research and development in the field of cybersecurity, particularly as threats continue to evolve and become more sophisticated. 
Abstract [sv]

De digitala systemens ständiga närvaro i det moderna samhället lyfter fram den kritiska betydelsen av mjukvarusäkerhet. I takt med att applikationer blir alltmer komplexa har även hoten mot dem blivit mer sofistikerad. Hanterade programmeringsspråk som C# och JavaScript, vilka används flitigt inom modern mjukvaruutveckling, stödjer minnessäkerhetsegenskaper för att undvika vanliga sårbarheter som buffer overflow. Trots att dessa språk skyddar mot många traditionella minneskorruptionsproblem är de inte immuna mot alla typer av attacker. Kodåteranvändningsattacker utgör ett betydande hot i detta sammanhang eftersom de utnyttjar programlogiken och låter en angripare återanvända befintlig kod inom systemet för att uppnå sina mål.

Kodåteranvändningsattacker utgör en unik utmaning i hanterade språk eftersom de manipulerar legitima kodfragment vilket gör dem särskilt svåra att upptäcka och förhindra. I takt med att dessa hot fortsätter att utvecklas blir det allt viktigare att systematiskt förstå och hindra kodåteranvändningsattacker i minnessäkra språk. Denna avhandling tar sig an denna utmaning genom att undersöka de sårbarheter som är associerade med hanterade språk och dess exekveringsmiljöer.

I avhandlingen presenteras en ny taxonomi för kodåteranvändningsattacker i hanterade språk och dess exekveringsmiljöer. Denna taxonomi kategoriserar systematiskt kodåteranvändningsattacker och identifierar de nyckelkomponenter och deras kombinationer som leder till framgångsrika exploateringar. Genom att erbjuda ett strukturerat ramverk för att förstå de grundläggande elementen i kodåteranvändningsattacker bidrar detta arbete till utvecklingen av mjukvarusäkerhet. Avhandlingen utformar och implementerar skalbara (statiska och dynamiska) programanalystekniker för att upptäcka två klasser av kodåteranvändningsattacker: objektinjektionssårbarheter i C# och prototype pollution-sårbarheter i JavaScript. Fokus ligger på de grundläggande orsakerna till dessa attacker och erbjuder systematiska metoder för att hantera dem.

Detta arbete introducerar fyra verktyg som är utformade för att identifiera och utnyttja kodåteranvändningsattacker i verkliga applikationer: SerialDetector, Silent Spring, Dasty och GHunter. Vi utvecklade dem för att utföra både statisk och dynamisk analys, och med dem, identifierat kritiska sårbarheter i populära applikationer, bibliotek och exekveringsmiljöer. Vi redovisar resultaten av storskaliga utvärderingar som visar verktygens och våra metoders effektivitet i att upptäcka och utnyttja sårbarheter som kan leda till betydande säkerhetsintrång. Resultaten av detta arbete belyser vikten av kontinuerlig forskning och utveckling inom cybersäkerhetsområdet, särskilt i takt med att hoten fortsätter att utvecklas och bli mer sofistikerade. 
Place, publisher, year, edition, pages
Stockholm: KTH Royal Institute of Technology, 2024. p. vii, 89
Series
TRITA-EECS-AVL ; 2024:75
Keywords
web security, code-reuse attacks, taxonomy, static taint analysis, dynamic taint analysis, object injection vulnerabilities, prototype pollution, webb­säkerhet, kodåteranvändningsattacker, taxonomi, statisk taint-analys, dynamisk taint-analys, objektinjektionssårbarheter, prototypförorening
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:kth:diva-354771 (URN)978-91-8106-067-6 (ISBN)
Public defence
2024-11-01, https://kth-se.zoom.us/s/67516226890, E2, 1337, Osquars backe 2, Stockholm, 09:00 (English)
Opponent
Supervisors
Note

QC 20241014

Available from: 2024-10-14 Created: 2024-10-14 Last updated: 2024-10-14Bibliographically approved

Open Access in DiVA

No full text in DiVA

Other links

ScopusConference website

Authority records

Shcherbakov, MikhailBalliu, Musard

Search in DiVA

By author/editor
Shcherbakov, MikhailBalliu, Musard
By organisation
Theoretical Computer Science, TCS
Computer Sciences

Search outside of DiVA

GoogleGoogle Scholar

urn-nbn

Altmetric score

urn-nbn
Total: 107 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
v. 2.46.0
|
WCAG
|
KTH Library
|
DiVA support
|
Register in DiVA
|
Posting your thesis
|
SwePub