CS Talk - Darion Cassel, Amazon Web Services

Event time: Friday, April 19, 2024 - 1:00pm
Location: DL 120, 10 Hillhouse Avenue, New Haven, CT 06511
Event description: 

Host: Ruzica Piskac

Title: Automatic Detection and Exploit Synthesis for Node.js Vulnerabilities

Abstract:

The Node.js ecosystem comprises millions of packages written in JavaScript. Many packages suffer from vulnerabilities such as arbitrary code execution (ACE) and arbitrary command injection (ACI). Prior work has developed automated tools based on dynamic taint tracking to detect potential vulnerabilities, and to synthesize proof-of-concept exploits that confirm them, with limited success. A key challenge these tools face is that expected inputs to package APIs have varied types and object structures. Failure to invoke these APIs with inputs of the correct type and with specific fields leads to unsuccessful exploit generation and missed vulnerabilities. Generating inputs that can successfully deliver an effective exploit payload despite manipulation performed by the package is commensurately challenging.

In this talk, I will present NodeMedic-FINE, an extension of my dynamic taint analysis tool NodeMedic, that addresses these challenges. NodeMedic-FINE uses a fuzzer to generate structured inputs that explore more execution paths during dynamic taint analysis. NodeMedic-FINE then leverages provenance graphs generated by NodeMedic to infer the types and structure of the inputs and drive a constraint-based synthesis engine to generate proof-of-concept exploits. In an evaluation of 33,011 Node.js packages that contain calls to ACE and ACI sinks, NodeMedic-FINE finds 1966 potential flows and automatically synthesizes exploits that confirm 622 of them.

Bio:

Darion Cassel (he/him) is an Applied Scientist in Amazon’s Automated Reasoning Group. His research focuses on analysis of information flow security properties in web-based software systems through program analysis and programming language design, and his work has won the PETS’22 Artifact Award. In 2023, he received his Ph.D. from Carnegie Mellon University (CMU) under the supervision of Dr. Limin Jia. He holds a Master’s in Electrical and Computer Engineering from CMU, and a Bachelor’s in Computer Science from the University of Virginia.