kth.sePublications
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Code-Reuse Attacks in Managed Programming Languages and Runtimes
KTH, School of Electrical Engineering and Computer Science (EECS), Computer Science, Theoretical Computer Science, TCS. (Language-Based Security)ORCID iD: 0000-0002-2621-5179
2024 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

The ubiquity of digital systems in modern society highlights the critical importance of software security. As applications grow in complexity, the threats targeting them have also become more sophisticated. Managed programming languages such as C# and JavaScript, widely used in modern software development, support memory safety properties to avoid common vulnerabilities like buffer overflows. However, while these languages guard against many traditional memory corruption issues, they are not impervious to all forms of attack. Code-reuse attacks represent a significant threat within this context, as they exploit the program's logic, allowing attackers to repurpose existing code within the system to achieve malicious objectives.

Code-reuse attacks present a unique challenge in managed languages because they manipulate legitimate code fragments, making detection and prevention particularly difficult. As these threats continue to evolve, it is increasingly vital to systematically understand and mitigate code-reuse attacks in memory-safe languages. This thesis addresses this challenge by investigating the vulnerabilities inherent in managed languages and their runtimes.

The thesis presents a new taxonomy for code-reuse attacks in managed languages and runtimes. This taxonomy systematically categorizes code-reuse attacks, identifying the key components and their combinations that lead to successful exploits. By offering a structured framework for understanding the key ingredients of code-reuse attacks, this work advances the field of software security. The thesis designs and implements scalable (static and dynamic) program analysis techniques for detecting two classes of code-reuse attacks: object injection vulnerabilities in C# and prototype pollution vulnerabilities in JavaScript. It focuses on the root causes of these attacks and provides systematic approaches for addressing them.

This work introduces four tools designed to identify and exploit code-reuse attacks in real-world applications: SerialDetector, Silent Spring, Dasty, and GHunter. We developed them to perform static and dynamic analyses, successfully identifying critical vulnerabilities in popular applications, libraries, and runtimes. We report the results of large-scale evaluations, demonstrating the effectiveness of these tools and our approaches in detecting and exploiting vulnerabilities that could lead to significant security breaches. The results of this work highlight the importance of ongoing research and development in the field of cybersecurity, particularly as threats continue to evolve and become more sophisticated. 

Abstract [sv]

De digitala systemens ständiga närvaro i det moderna samhället lyfter fram den kritiska betydelsen av mjukvarusäkerhet. I takt med att applikationer blir alltmer komplexa har även hoten mot dem blivit mer sofistikerad. Hanterade programmeringsspråk som C# och JavaScript, vilka används flitigt inom modern mjukvaruutveckling, stödjer minnessäkerhetsegenskaper för att undvika vanliga sårbarheter som buffer overflow. Trots att dessa språk skyddar mot många traditionella minneskorruptionsproblem är de inte immuna mot alla typer av attacker. Kodåteranvändningsattacker utgör ett betydande hot i detta sammanhang eftersom de utnyttjar programlogiken och låter en angripare återanvända befintlig kod inom systemet för att uppnå sina mål.

Kodåteranvändningsattacker utgör en unik utmaning i hanterade språk eftersom de manipulerar legitima kodfragment vilket gör dem särskilt svåra att upptäcka och förhindra. I takt med att dessa hot fortsätter att utvecklas blir det allt viktigare att systematiskt förstå och hindra kodåteranvändningsattacker i minnessäkra språk. Denna avhandling tar sig an denna utmaning genom att undersöka de sårbarheter som är associerade med hanterade språk och dess exekveringsmiljöer.

I avhandlingen presenteras en ny taxonomi för kodåteranvändningsattacker i hanterade språk och dess exekveringsmiljöer. Denna taxonomi kategoriserar systematiskt kodåteranvändningsattacker och identifierar de nyckelkomponenter och deras kombinationer som leder till framgångsrika exploateringar. Genom att erbjuda ett strukturerat ramverk för att förstå de grundläggande elementen i kodåteranvändningsattacker bidrar detta arbete till utvecklingen av mjukvarusäkerhet. Avhandlingen utformar och implementerar skalbara (statiska och dynamiska) programanalystekniker för att upptäcka två klasser av kodåteranvändningsattacker: objektinjektionssårbarheter i C# och prototype pollution-sårbarheter i JavaScript. Fokus ligger på de grundläggande orsakerna till dessa attacker och erbjuder systematiska metoder för att hantera dem.

Detta arbete introducerar fyra verktyg som är utformade för att identifiera och utnyttja kodåteranvändningsattacker i verkliga applikationer: SerialDetector, Silent Spring, Dasty och GHunter. Vi utvecklade dem för att utföra både statisk och dynamisk analys, och med dem, identifierat kritiska sårbarheter i populära applikationer, bibliotek och exekveringsmiljöer. Vi redovisar resultaten av storskaliga utvärderingar som visar verktygens och våra metoders effektivitet i att upptäcka och utnyttja sårbarheter som kan leda till betydande säkerhetsintrång. Resultaten av detta arbete belyser vikten av kontinuerlig forskning och utveckling inom cybersäkerhetsområdet, särskilt i takt med att hoten fortsätter att utvecklas och bli mer sofistikerade. 

Place, publisher, year, edition, pages
Stockholm: KTH Royal Institute of Technology , 2024. , p. vii, 89
Series
TRITA-EECS-AVL ; 2024:75
Keywords [en]
web security, code-reuse attacks, taxonomy, static taint analysis, dynamic taint analysis, object injection vulnerabilities, prototype pollution
Keywords [sv]
webb­säkerhet, kodåteranvändningsattacker, taxonomi, statisk taint-analys, dynamisk taint-analys, objektinjektionssårbarheter, prototypförorening
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:kth:diva-354771ISBN: 978-91-8106-067-6 (print)OAI: oai:DiVA.org:kth-354771DiVA, id: diva2:1905323
Public defence
2024-11-01, https://kth-se.zoom.us/s/67516226890, E2, 1337, Osquars backe 2, Stockholm, 09:00 (English)
Opponent
Supervisors
Note

QC 20241014

Available from: 2024-10-14 Created: 2024-10-14 Last updated: 2024-10-14Bibliographically approved
List of papers
1. SerialDetector: Principled and Practical Exploration of Object Injection Vulnerabilities for the Web
Open this publication in new window or tab >>SerialDetector: Principled and Practical Exploration of Object Injection Vulnerabilities for the Web
2021 (English)In: Proceedings of the Network and Distributed System Security Symposium (NDSS 2021), 2021Conference paper, Published paper (Refereed)
Abstract [en]

The last decade has seen a proliferation of code-reuse attacks in the context of web applications. These at-tacks stem from Object Injection Vulnerabilities (OIV) enablingattacker-controlled data to abuse legitimate code fragmentswithin a web application’s codebase to execute a code chain(gadget) that performs malicious computations, like remote codeexecution, on attacker’s behalf. OIVs occur when untrusted datais used to instantiate an object of attacker-controlled type withattacker-chosen properties, thus triggering the execution of codeavailable but not necessarily used by the application. In theweb application domain, OIVs may arise during the processof deserialization of client-side data, e.g., HTTP requests, whenreconstructing the object graph that is subsequently processedby the backend applications on the server side.This paper presents the first systematic approach for de-tecting and exploiting OIVs in .NET applications including theframework and libraries. Our key insight is: The root cause ofOIVs is the untrusted information flow from an application’spublic entry points (e.g., HTTP request handlers) to sensitivemethods that create objects of arbitrary types (e.g., reflectionAPIs) to invoke methods (e.g., native/virtual methods) that triggerthe execution of a gadget. Drawing on this insight, we developand implement SerialDetector, a taint-based dataflow analysisthat discovers OIV patterns in .NET assemblies automatically.We then use these patterns to match publicly available gadgetsand to automatically validate the feasibility of OIV attacks.We demonstrate the effectiveness of our approach by an in-depth evaluation of a complex production software such as theAzure DevOps Server. We describe the key threat models andreport on several remote code execution vulnerabilities found bySerialDetector, including three CVEs on Azure DevOps Server.We also perform an in-breadth security analysis of recent publiclyavailable CVEs. Our results show that SerialDetector can detectOIVs effectively and efficiently. We release our tool publicly tosupport open science and encourage researchers and practitionersexplore the topic further

National Category
Computer Systems Computer Sciences Software Engineering
Identifiers
urn:nbn:se:kth:diva-288522 (URN)10.14722/ndss.2021.24550 (DOI)000680821200034 ()2-s2.0-85136109202 (Scopus ID)
Conference
Network and Distributed Systems Security (NDSS) Symposium 202121-24 February 2021
Projects
JointForceTrustFull
Note

QC 20210108

Available from: 2021-01-07 Created: 2021-01-07 Last updated: 2024-10-14Bibliographically approved
2. Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js
Open this publication in new window or tab >>Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js
2023 (English)In: Proceedings Of The 32Nd Usenix Security Symposium, USENIX ASSOC , 2023, p. 5521-5538Conference paper, Published paper (Refereed)
Abstract [en]

Prototype pollution is a dangerous vulnerability affecting prototype-based languages like JavaScript and the Node.js platform. It refers to the ability of an attacker to inject properties into an object's root prototype at runtime and subsequently trigger the execution of legitimate code gadgets that access these properties on the object's prototype, leading to attacks such as Denial of Service (DoS), privilege escalation, and Remote Code Execution (RCE). While there is anecdotal evidence that prototype pollution leads to RCE, current research does not tackle the challenge of gadget detection, thus only showing feasibility of DoS attacks, mainly against Node.js libraries. In this paper, we set out to study the problem in a holistic way, from the detection of prototype pollution to detection of gadgets, with the ambitious goal of finding end-to-end exploits beyond DoS, in full-fledged Node.js applications. We build the first multi-staged framework that uses multilabel static taint analysis to identify prototype pollution in Node.js libraries and applications, as well as a hybrid approach to detect universal gadgets, notably, by analyzing the Node.js source code. We implement our framework on top of GitHub's static analysis framework CodeQL to find 11 universal gadgets in core Node.js APIs, leading to code execution. Furthermore, we use our methodology in a study of 15 popular Node.js applications to identify prototype pollutions and gadgets. We manually exploit eight RCE vulnerabilities in three high-profile applications such as NPM CLI, Parse Server, and Rocket.Chat. Our results provide alarming evidence that prototype pollution in combination with powerful universal gadgets lead to RCE in Node.js.

Place, publisher, year, edition, pages
USENIX ASSOC, 2023
National Category
Computer Sciences
Identifiers
urn:nbn:se:kth:diva-342283 (URN)001066451505040 ()2-s2.0-85164832590 (Scopus ID)
Conference
32nd USENIX Security Symposium, AUG 09-11, 2023, Anaheim, CA, USA
Note

Part of ISBN 978-1-939133-37-3

QC 20240124

Available from: 2024-01-24 Created: 2024-01-24 Last updated: 2024-10-14Bibliographically approved
3. Unveiling the Invisible: Detection and Evaluation of Prototype Pollution Gadgets with Dynamic Taint Analysis
Open this publication in new window or tab >>Unveiling the Invisible: Detection and Evaluation of Prototype Pollution Gadgets with Dynamic Taint Analysis
2024 (English)In: WWW 2024 - Proceedings of the ACM Web Conference, Association for Computing Machinery (ACM) , 2024, p. 1800-1811Conference paper, Published paper (Refereed)
Abstract [en]

Prototype-based languages like JavaScript are susceptible to prototype pollution vulnerabilities, enabling an attacker to inject arbitrary properties into an object's prototype. The attacker can subsequently capitalize on the injected properties by executing otherwise benign pieces of code, so-called gadgets, that perform security-sensitive operations. The success of an attack largely depends on the presence of gadgets, leading to high-profile exploits such as privilege escalation and arbitrary code execution (ACE). This paper proposes Dasty, the first semi-automated pipeline to help developers identify gadgets in their applications' software supply chain. Dasty targets server-side Node.js applications and relies on an enhancement of dynamic taint analysis which we implement with the dynamic AST-level instrumentation. Moreover, Dasty provides support for visualization of code flows with an IDE, thus facilitating the subsequent manual analysis for building proof-of-concept exploits. To illustrate the danger of gadgets, we use Dasty in a study of the most dependent-upon NPM packages to analyze the presence of gadgets leading to ACE. Dasty identifies 1,269 server-side packages, of which 631 have code flows that may reach dangerous sinks. We manually prioritize and verify the candidate flows to build proof-of-concept exploits for 49 NPM packages, including popular packages such as ejs, nodemailer and workerpool. To investigate how Dasty integrates with existing tools to find end-to-end exploits, we conduct an in-depth analysis of a popular data visualization dashboard to find one high-severity CVE-2023-31415 leading to remote code execution.

Place, publisher, year, edition, pages
Association for Computing Machinery (ACM), 2024
Keywords
dynamic taint analysis, prototype pollution, web security
National Category
Software Engineering
Identifiers
urn:nbn:se:kth:diva-347332 (URN)10.1145/3589334.3645579 (DOI)2-s2.0-85194055323 (Scopus ID)
Conference
33rd ACM Web Conference, WWW 2024, Singapore, Singapore, May 13 2024 - May 17 2024
Note

QC 20240613

Part of ISBN 979-840070171-9

Available from: 2024-06-10 Created: 2024-06-10 Last updated: 2024-10-14Bibliographically approved
4. GHunter: Universal Prototype Pollution Gadgets in JavaScript Runtimes
Open this publication in new window or tab >>GHunter: Universal Prototype Pollution Gadgets in JavaScript Runtimes
2024 (English)In: Proceedings of the 33rd USENIX Security Symposium, USENIX - The Advanced Computing Systems Association, 2024, p. 3693-3710Conference paper, Published paper (Refereed)
Abstract [en]

Prototype pollution is a recent vulnerability that affects JavaScript code, leading to high impact attacks such as arbitrary code execution and privilege escalation. The vulnerability is rooted in JavaScript's prototype-based inheritance, enabling attackers to inject arbitrary properties into an object's prototype at runtime. The impact of prototype pollution depends on the existence of otherwise benign pieces of code (gadgets), which inadvertently read from these attacker-controlled properties to execute security-sensitive operations. While prior works primarily study gadgets in third-party libraries and client-side applications, gadgets in JavaScript runtime environments are arguably more impactful as they affect any application that executes on these runtimes.

In this paper we design, implement, and evaluate a pipeline, GHunter, to systematically detect gadgets in V8-based JavaScript runtimes with prime focus on Node.js and Deno. GHunter supports a lightweight dynamic taint analysis to automatically identify gadget candidates which we validate manually to derive proof-of-concept exploits. We implement GHunter by modifying the V8 engine and the targeted runtimes along with features for facilitating manual validation. Driven by the comprehensive test suites of Node.js and Deno, we use GHunter in a systematic study of gadgets in these runtimes. We identified a total of 56 new gadgets in Node.js and 67 gadgets in Deno, pertaining to vulnerabilities such as arbitrary code execution (19), privilege escalation (31), path traversal (13), and more. Moreover, we systematize, for the first time, existing mitigations for prototype pollution and gadgets in terms of development guidelines. We collect a list of vulnerable applications and revisit the fixes through the lens of our guidelines. Through this exercise, we also identified one high-severity CVE leading to remote code execution, which was due to incorrectly fixing a gadget.

Place, publisher, year, edition, pages
USENIX - The Advanced Computing Systems Association, 2024
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:kth:diva-354769 (URN)
Conference
33rd USENIX Security Symposium, August 14-16, 2024, Philadelphia, PA, USA.
Note

QC 20241014

Part of ISBN 978-1-939133-44-1

Available from: 2024-10-13 Created: 2024-10-13 Last updated: 2024-10-14Bibliographically approved

Open Access in DiVA

summary(2622 kB)66 downloads
File information
File name SUMMARY01.pdfFile size 2622 kBChecksum SHA-512
4a2e2def2b162b9a13799b23ece8c6932ef47c10d8090a65d241ece8343fb94dfc951a884fa37b685ad097a91be3904c2e681c5ed555f700a5fb19f5940d7e36
Type summaryMimetype application/pdf

Authority records

Shcherbakov, Mikhail

Search in DiVA

By author/editor
Shcherbakov, Mikhail
By organisation
Theoretical Computer Science, TCS
Computer Sciences

Search outside of DiVA

GoogleGoogle Scholar
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

isbn
urn-nbn

Altmetric score

isbn
urn-nbn
Total: 518 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf