Discovering Hidden Properties to Attack the Node.js Ecosystem

Presented at Black Hat USA 2020 Virtual, Aug. 5, 2020, 12:30 p.m. (40 minutes)

Node.js is widely used for developing both server-side and desktop applications. It provides a cross-platform execution environment for JavaScript programs. Because of its growing popularity, the security of Node.js is critical to web servers and desktop clients.

We present a novel attack method against the Node.js platform, called hidden property abusing (HPA). The attack leverages the widely used data-exchange feature of JavaScript to tamper with critical program states of Node.js programs, such as server-side applications. HPA enables remote attackers to launch serious attacks, such as stealing confidential data, bypassing security checks, and launching denial-of-service attacks. To help developers detect HPA issues in their Node.js applications, we developed a tool, named LYNX, that uses hybrid program analysis to automatically reveal HPA vulnerabilities and even synthesize exploits. We applied LYNX to a set of widely used Node.js programs and identified 13 previously unknown vulnerabilities. LYNX successfully generated 10 severe exploits. We have reported all of our findings to the Node.js community. At the time of writing, we had received confirmation of 12 vulnerabilities and had 12 CVEs assigned. Moreover, we collaborated with an authoritative public vulnerability database to help them adopt a new vulnerability notion and description for related security issues.

The talk consists of four parts. First, we will introduce recent offensive research on Node.js. Second, we will introduce HPA by demonstrating an exploit on a widely used web framework. Third, we will explain how to leverage program analysis techniques to automatically detect and exploit HPA. Finally, we will present a comprehensive evaluation that discusses how we identified 13 HPA 0days with the help of our detection method.
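The data-exchange pattern the abstract describes, as an added illustration that is not code from the talk or from LYNX: a constructed handler copies an incoming JSON document wholesale into an internal object, so a property the server treats as internal (here a hypothetical `approved` flag) can arrive from the client; the hardened version beside it admits only declared fields and rejects anything unexpected.

```javascript
// Constructed example: an order object built from a client-supplied JSON document.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Vulnerable pattern: every property of the decoded input is merged into the
// internal object, so `approved` (meant to be set only by server logic) is
// taken from the client document as well.
function buildOrderUnsafe(jsonText) {
  const input = JSON.parse(jsonText);
  const order = { item: '', qty: 0, approved: false };
  Object.assign(order, input); // copies undeclared properties too
  return order;
}

// Hardened pattern: declare the fields the handler accepts, check each one is
// an own property of the expected type, keep internal state out of the
// input's reach, and fail loudly on anything extra so that such documents
// surface as errors in logs instead of silently shaping internal objects.
const ORDER_FIELDS = { item: 'string', qty: 'number' };

function buildOrderSafe(jsonText) {
  const input = JSON.parse(jsonText);
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    throw new TypeError('order must be a JSON object');
  }
  const order = { approved: false }; // internal state, never taken from input
  for (const [name, type] of Object.entries(ORDER_FIELDS)) {
    if (!hasOwn(input, name)) {
      throw new TypeError(`missing field: ${name}`);
    }
    if (typeof input[name] !== type) {
      throw new TypeError(`bad type for field: ${name}`);
    }
    order[name] = input[name];
  }
  const extra = Object.keys(input).filter((k) => !hasOwn(ORDER_FIELDS, k));
  if (extra.length > 0) {
    throw new TypeError(`unexpected properties: ${extra.join(', ')}`);
  }
  return order;
}

// Constructed sample document carrying a property the server treats as internal.
const SAMPLE_WITH_HIDDEN = '{"item":"widget","qty":2,"approved":true}';
const SAMPLE_CLEAN = '{"item":"widget","qty":2}';
```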

Presenters:

  • Wenke Lee - Professor, Georgia Institute of Technology
    Wenke Lee is a Professor of Computer Science and John P. Imlay Jr. Chair, and the Co-Director of the Institute for Information Security & Privacy (IISP) at Georgia Tech. He received his PhD in Computer Science from Columbia University in 1999. His research interests include systems and network security, applied cryptography, and machine learning.
  • Guofei Gu - Professor, Texas A&M University
    Dr. Guofei Gu is a professor at Texas A&M University. His research interests are in network and system security.
  • Hong Hu - Research Scientist, Georgia Institute of Technology
    Dr. Hong Hu is a research scientist in computer science at the Georgia Institute of Technology. His main research area is system and software security, focusing on exploring new attack vectors of memory errors and developing effective defense mechanisms. His work has appeared in top venues of system security, including IEEE S&P, USENIX Security, CCS and NDSS. He received the Best Paper Award from CCS 2019 and ICECCS 2014. Dr. Hu obtained his Ph.D. degree from the National University of Singapore in 2016 and was a Postdoctoral Fellow at Georgia Tech from 2017 to 2019.
  • Guangliang Yang - Research Scientist, Georgia Institute of Technology
    Guangliang Yang is a research scientist working at Georgia Tech. His research interests are in web security and Android security.
  • Yichang Xiong - Independent Researcher
    Yichang Xiong is an independent researcher who studies web security.
  • Jianwei Huang - PhD Student, Texas A&M University
    Jianwei Huang is a PhD student at Texas A&M University. His research focuses on software analysis, web and network security, and system design.
  • Feng Xiao - PhD Student, Georgia Institute of Technology
    Feng Xiao is working toward his PhD degree at Georgia Tech. His research interests include software/system security. He has published three papers at top security conferences such as DEF CON, IEEE S&P, and CCS.