(2021) Preventing Dynamic Library Compromise on Node.js via RWX-Based Privilege Reduction.
|
Text
mir ccs 2021.pdf Download (1MB) | Preview |
Abstract
Third-party libraries ease the development of large-scale software systems. However, libraries often execute with significantly more privilege than needed to complete their task. Such additional privilege is sometimes exploited at runtime via inputs passed to a library, even when the library itself is not actively malicious. We present Mir, a system addressing dynamic compromise by introducing a fine-grained read-write-execute (RWX) permission model at the boundaries of libraries: every field of every free variable name in the context of an imported library is governed by a permission set. To help specify the permissions given to existing code, Mir’s automated inference generates default permissions by analyzing how libraries are used by their clients. Applied to over 1,000 JavaScript libraries for Node.js, Mir shows practical security (61/63 attacks mitigated), performance (2.1s for static analysis and +1.93% for dynamic enforcement), and compatibility (99.09%) characteristics and enables a novel quantification of privilege reduction.
| Item Type: | Conference or Workshop Item (A Paper) (Paper) |
|---|---|
| Divisions: | Cristian-Alexandru Staicu (CS) |
| Conference: | CCS ACM Conference on Computer and Communications Security |
| Depositing User: | Cristian-Alexandru Staicu |
| Date Deposited: | 17 Sep 2021 09:23 |
| Last Modified: | 17 Sep 2021 09:23 |
| Primary Research Area: | NRA5: Empirical & Behavioral Security |
| URI: | https://publications.cispa.saarland/id/eprint/3478 |
Actions
Actions (login required)
 |
View Item |