
Project: DIVINA: Detecting Injection Vulnerabilities In Node.js Applications

Acronym: DIVINA
Main Objective:
JavaScript is the de facto language for client-side programming and, with the advent of Node.js, has rapidly become one of the most popular languages for implementing server-side applications. Node.js code is not sandboxed, making it open to a broad range of security attacks. Among the most serious are injection attacks, which allow attackers to run arbitrary code on the targeted execution platform. Node.js has been used to build high-profile applications, such as Skype, Slack and WhatsApp, and thus injection attacks on Node.js code can have serious consequences, as they can lead to breaches of user data or be used as building blocks for more sophisticated attacks on a company's network and servers. Despite this security-critical situation, program analysis tools for detecting vulnerabilities in Node.js applications remain underdeveloped due to the complexity of the JavaScript semantics. The language's dynamic features and event-driven programming paradigm make the design of efficient and effective program analysis tools for JavaScript highly challenging. In this project, we plan to develop DIVINA: a new analysis tool for detecting injection vulnerabilities in Node.js applications. Our goal is for DIVINA to be both effective (with low false negative and false positive rates) and efficient (with low overheads), so that it can be integrated in standard code review pipelines. To achieve this, we will leverage the combination of dynamic taint tracking and dynamic symbolic execution. Dynamic taint tracking can detect injection attacks by identifying when attacker-supplied inputs can reach sensitive sinks, such as eval, but it can only observe one execution. The information collected by the symbolic execution can drive the dynamic taint analysis to explore vulnerable paths. We aim to deliver a prototype implementation of the analysis tool and results on applying our tool to a set of curated Node.js packages.
Reference: CMU/TIC/0053/2021
Funding: FCT/CMU
Start Date: 26-03-2022
End Date: 25-03-2023
Team: Pedro Miguel dos Santos Alves Madeira Adão, Nuno Miguel da Silva Sabino, José Faustino Santos, Nuno Miguel Carvalho Santos, Rui Abreu, Tiago Luís de Oliveira Brito
Groups: Security and Quantum Information - Lx
Partners: INESC-ID, CMU
Local Coordinator: Pedro Miguel dos Santos Alves Madeira Adão
