Researchers at Johns Hopkins University recently discovered a startling 180 zero-day vulnerabilities in thousands of Node.js libraries using a new code analysis tool they developed specifically for this purpose, called ODGen.

Seventy of these flaws have since been assigned Common Vulnerability and Exposure (CVE) identifiers. They include command injection flaws, path traversal vulnerabilities, arbitrary code execution issues, and cross-site scripting vulnerabilities, including some in widely used applications.

In a paper published at the Usenix Security Symposium earlier this month, Johns Hopkins researchers – Song Li, Mingqing Kang, Jianwei Hou, and Yinzhi Cao – described ODGen as a better alternative to current code analysis and software. -called graphical queries. approaches to finding Node.js vulnerabilities.

Program analysis-based approaches have proven useful in helping to detect individual types of vulnerabilities such as code injection flaws in JavaScript. But they can’t be easily extended to catch all sorts of vulnerabilities that might be present in the Node.js platform, the researchers said. Similarly, graph-based code analysis methods — where code is first represented as a graph and then queried for specific coding errors — work well in environments like C++ and PHP. However, graph-based approaches are not as effective in extracting JavaScript vulnerabilities due to the programming language’s heavy use of dynamic features, they noted.

A “new” approach to finding JavaScript vulnerabilities

So the researchers instead developed what they described as a “new” and better method called Object Dependence Graph (ODG) which can be used to detect vulnerabilities in Node.js. They implemented ODGen to generate “ODG” for Node.js programs to detect vulnerabilities, they said.

Cao, assistant professor of computer science at Johns Hopkins University and co-author of the research report, uses some analogies to describe graph-based code analysis in general and their objective dependency graph proposal. “If we view a vulnerability as a special pattern – say, a green node connected to a red node and then to a black node – a graph-based code analysis tool first converts programs into a graph with many nodes and edges,” Cao explains. . “The tool then looks for such patterns in the graph to locate a vulnerability.”

The Object Dependence Graph the researchers came up with refines this approach by representing JavaScript objects as nodes and adding programming language-specific functionality — including object dependencies — and then checking for errors. Cao describes how the method works using grains in a handful of rice: if all the grains look alike before boiling, but assume two different shades after boiling – one representing the good grains and the other the bad grains – then it becomes easier to spot and eliminate bad grains. “Abstract interpretation is a bit like the boiling process that converts rice — that is, programs — into objects of different colors,” so mistakes are easier to spot, Cao says.

A variety of bugs

To see if their approach works, the researchers first tested ODGen against a sample of 330 previously reported vulnerabilities in Node.js packages on the Node Package Manager (npm) repository. The test showed that the scanner correctly identified 302 out of 330 vulnerabilities. Building on the relatively high accuracy rate, the researchers ran ODGen on some 300,000 Java packages in npm. The scanner reported a total of 2,964 potential vulnerabilities in the packages. The researchers checked 264 of them – all with more than 1,000 downloads per week on average – and were able to confirm that 180 were legitimate vulnerabilities. Forty-three of these were at the application level, 122 were in packages imported by other applications or code, and the remaining 15 were present in indirect packages.

A plurality (80) of the confirmed vulnerabilities detected by ODGen were command injection streams that allow attackers to execute arbitrary code at the operating system level through a vulnerable application. Thirty were path crossing faults; 24 enabled code tampering and 19 involved a specific type of command injection attack called prototype pollution.

About The Author

Related Posts