kth.sePublications
EnglishSvenskaNorsk
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
GHunter: Universal Prototype Pollution Gadgets in JavaScript Runtimes
KTH, School of Electrical Engineering and Computer Science (EECS), Computer Science, Theoretical Computer Science, TCS. (Language-Based Security)ORCID iD: 0009-0000-8376-6287
KTH, School of Electrical Engineering and Computer Science (EECS), Computer Science, Theoretical Computer Science, TCS. (Language-Based Security)ORCID iD: 0000-0002-2621-5179
KTH, School of Electrical Engineering and Computer Science (EECS), Computer Science, Theoretical Computer Science, TCS. (Language-Based Security)ORCID iD: 0000-0001-6005-5992
2024 (English)In: Proceedings of the 33rd USENIX Security Symposium, USENIX - The Advanced Computing Systems Association, 2024, p. 3693-3710Conference paper, Published paper (Refereed)
Abstract [en]

Prototype pollution is a recent vulnerability that affects JavaScript code, leading to high impact attacks such as arbitrary code execution and privilege escalation. The vulnerability is rooted in JavaScript's prototype-based inheritance, enabling attackers to inject arbitrary properties into an object's prototype at runtime. The impact of prototype pollution depends on the existence of otherwise benign pieces of code (gadgets), which inadvertently read from these attacker-controlled properties to execute security-sensitive operations. While prior works primarily study gadgets in third-party libraries and client-side applications, gadgets in JavaScript runtime environments are arguably more impactful as they affect any application that executes on these runtimes.

In this paper we design, implement, and evaluate a pipeline, GHunter, to systematically detect gadgets in V8-based JavaScript runtimes with prime focus on Node.js and Deno. GHunter supports a lightweight dynamic taint analysis to automatically identify gadget candidates which we validate manually to derive proof-of-concept exploits. We implement GHunter by modifying the V8 engine and the targeted runtimes along with features for facilitating manual validation. Driven by the comprehensive test suites of Node.js and Deno, we use GHunter in a systematic study of gadgets in these runtimes. We identified a total of 56 new gadgets in Node.js and 67 gadgets in Deno, pertaining to vulnerabilities such as arbitrary code execution (19), privilege escalation (31), path traversal (13), and more. Moreover, we systematize, for the first time, existing mitigations for prototype pollution and gadgets in terms of development guidelines. We collect a list of vulnerable applications and revisit the fixes through the lens of our guidelines. Through this exercise, we also identified one high-severity CVE leading to remote code execution, which was due to incorrectly fixing a gadget.
Place, publisher, year, edition, pages
USENIX - The Advanced Computing Systems Association, 2024. p. 3693-3710
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:kth:diva-354769OAI: oai:DiVA.org:kth-354769DiVA, id: diva2:1905311
Conference
33rd USENIX Security Symposium, August 14-16, 2024, Philadelphia, PA, USA.
Note

QC 20241014

Part of ISBN 978-1-939133-44-1

Available from: 2024-10-13 Created: 2024-10-13 Last updated: 2024-11-26Bibliographically approved
In thesis
1. Code-Reuse Attacks in Managed Programming Languages and Runtimes
Open this publication in new window or tab >>Code-Reuse Attacks in Managed Programming Languages and Runtimes
2024 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

The ubiquity of digital systems in modern society highlights the critical importance of software security. As applications grow in complexity, the threats targeting them have also become more sophisticated. Managed programming languages such as C# and JavaScript, widely used in modern software development, support memory safety properties to avoid common vulnerabilities like buffer overflows. However, while these languages guard against many traditional memory corruption issues, they are not impervious to all forms of attack. Code-reuse attacks represent a significant threat within this context, as they exploit the program's logic, allowing attackers to repurpose existing code within the system to achieve malicious objectives.

Code-reuse attacks present a unique challenge in managed languages because they manipulate legitimate code fragments, making detection and prevention particularly difficult. As these threats continue to evolve, it is increasingly vital to systematically understand and mitigate code-reuse attacks in memory-safe languages. This thesis addresses this challenge by investigating the vulnerabilities inherent in managed languages and their runtimes.

The thesis presents a new taxonomy for code-reuse attacks in managed languages and runtimes. This taxonomy systematically categorizes code-reuse attacks, identifying the key components and their combinations that lead to successful exploits. By offering a structured framework for understanding the key ingredients of code-reuse attacks, this work advances the field of software security. The thesis designs and implements scalable (static and dynamic) program analysis techniques for detecting two classes of code-reuse attacks: object injection vulnerabilities in C# and prototype pollution vulnerabilities in JavaScript. It focuses on the root causes of these attacks and provides systematic approaches for addressing them.

This work introduces four tools designed to identify and exploit code-reuse attacks in real-world applications: SerialDetector, Silent Spring, Dasty, and GHunter. We developed them to perform static and dynamic analyses, successfully identifying critical vulnerabilities in popular applications, libraries, and runtimes. We report the results of large-scale evaluations, demonstrating the effectiveness of these tools and our approaches in detecting and exploiting vulnerabilities that could lead to significant security breaches. The results of this work highlight the importance of ongoing research and development in the field of cybersecurity, particularly as threats continue to evolve and become more sophisticated. 
Abstract [sv]

De digitala systemens ständiga närvaro i det moderna samhället lyfter fram den kritiska betydelsen av mjukvarusäkerhet. I takt med att applikationer blir alltmer komplexa har även hoten mot dem blivit mer sofistikerad. Hanterade programmeringsspråk som C# och JavaScript, vilka används flitigt inom modern mjukvaruutveckling, stödjer minnessäkerhetsegenskaper för att undvika vanliga sårbarheter som buffer overflow. Trots att dessa språk skyddar mot många traditionella minneskorruptionsproblem är de inte immuna mot alla typer av attacker. Kodåteranvändningsattacker utgör ett betydande hot i detta sammanhang eftersom de utnyttjar programlogiken och låter en angripare återanvända befintlig kod inom systemet för att uppnå sina mål.

Kodåteranvändningsattacker utgör en unik utmaning i hanterade språk eftersom de manipulerar legitima kodfragment vilket gör dem särskilt svåra att upptäcka och förhindra. I takt med att dessa hot fortsätter att utvecklas blir det allt viktigare att systematiskt förstå och hindra kodåteranvändningsattacker i minnessäkra språk. Denna avhandling tar sig an denna utmaning genom att undersöka de sårbarheter som är associerade med hanterade språk och dess exekveringsmiljöer.

I avhandlingen presenteras en ny taxonomi för kodåteranvändningsattacker i hanterade språk och dess exekveringsmiljöer. Denna taxonomi kategoriserar systematiskt kodåteranvändningsattacker och identifierar de nyckelkomponenter och deras kombinationer som leder till framgångsrika exploateringar. Genom att erbjuda ett strukturerat ramverk för att förstå de grundläggande elementen i kodåteranvändningsattacker bidrar detta arbete till utvecklingen av mjukvarusäkerhet. Avhandlingen utformar och implementerar skalbara (statiska och dynamiska) programanalystekniker för att upptäcka två klasser av kodåteranvändningsattacker: objektinjektionssårbarheter i C# och prototype pollution-sårbarheter i JavaScript. Fokus ligger på de grundläggande orsakerna till dessa attacker och erbjuder systematiska metoder för att hantera dem.

Detta arbete introducerar fyra verktyg som är utformade för att identifiera och utnyttja kodåteranvändningsattacker i verkliga applikationer: SerialDetector, Silent Spring, Dasty och GHunter. Vi utvecklade dem för att utföra både statisk och dynamisk analys, och med dem, identifierat kritiska sårbarheter i populära applikationer, bibliotek och exekveringsmiljöer. Vi redovisar resultaten av storskaliga utvärderingar som visar verktygens och våra metoders effektivitet i att upptäcka och utnyttja sårbarheter som kan leda till betydande säkerhetsintrång. Resultaten av detta arbete belyser vikten av kontinuerlig forskning och utveckling inom cybersäkerhetsområdet, särskilt i takt med att hoten fortsätter att utvecklas och bli mer sofistikerade. 
Place, publisher, year, edition, pages
Stockholm: KTH Royal Institute of Technology, 2024. p. vii, 89
Series
TRITA-EECS-AVL ; 2024:75
Keywords
web security, code-reuse attacks, taxonomy, static taint analysis, dynamic taint analysis, object injection vulnerabilities, prototype pollution, webb­säkerhet, kodåteranvändningsattacker, taxonomi, statisk taint-analys, dynamisk taint-analys, objektinjektionssårbarheter, prototypförorening
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:kth:diva-354771 (URN)978-91-8106-067-6 (ISBN)
Public defence
2024-11-01, https://kth-se.zoom.us/s/67516226890, E2, 1337, Osquars backe 2, Stockholm, 09:00 (English)
Opponent
Supervisors
Note

QC 20241014

Available from: 2024-10-14 Created: 2024-10-14 Last updated: 2024-10-14Bibliographically approved

Open Access in DiVA

No full text in DiVA

Other links

Conference paper

Authority records

Cornelissen, EricShcherbakov, MikhailBalliu, Musard

Search in DiVA

By author/editor
Cornelissen, EricShcherbakov, MikhailBalliu, Musard
By organisation
Theoretical Computer Science, TCS
Computer Sciences

Search outside of DiVA

GoogleGoogle Scholar

urn-nbn

Altmetric score

urn-nbn
Total: 69 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
v. 2.46.0
|
WCAG
|
KTH Library
|
DiVA support
|
Register in DiVA
|
Posting your thesis
|
SwePub