DOI: 10.1145/3460120.3484535
Research article, Open Access

Preventing Dynamic Library Compromise on Node.js via RWX-Based Privilege Reduction

Published: 13 November 2021

ABSTRACT

Third-party libraries ease the development of large-scale software systems. However, libraries often execute with significantly more privilege than needed to complete their task. Such additional privilege is sometimes exploited at runtime via inputs passed to a library, even when the library itself is not actively malicious. We present Mir, a system addressing dynamic compromise by introducing a fine-grained read-write-execute (RWX) permission model at the boundaries of libraries: every field of every free variable name in the context of an imported library is governed by a permission set. To help specify the permissions given to existing code, Mir's automated inference generates default permissions by analyzing how libraries are used by their clients. Applied to over 1,000 JavaScript libraries for Node.js, Mir shows practical security (61/63 attacks mitigated), performance (2.1s for static analysis and +1.93% for dynamic enforcement), and compatibility (99.09%) characteristics, and enables a novel quantification of privilege reduction.


Published in

CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
November 2021, 3558 pages
ISBN: 9781450384544
DOI: 10.1145/3460120

Copyright © 2021 Owner/Author

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher: Association for Computing Machinery, New York, NY, United States


Overall acceptance rate: 1,261 of 6,999 submissions, 18%
