Efficient Static Vulnerability Analysis for JavaScript with Multiversion Dependency Graphs (Video, PLDI 2024)

Mafalda Ferreira, Miguel Monteiro, Tiago Brito, Miguel E. Coimbra, Nuno Santos, Limin Jia, and José Fragoso Santos
(INESC-ID, Portugal / Universidade de Lisboa, Portugal; INESC-ID, Portugal / Universidade de Lisboa, Portugal; INESC-ID, Portugal / Universidade de Lisboa, Portugal; INESC-ID, Portugal / Universidade de Lisboa, Portugal; INESC-ID, Portugal / Universidade de Lisboa, Portugal; Carnegie Mellon University, USA; INESC-ID, Portugal / Universidade de Lisboa, Portugal)

Abstract: While static analysis tools that rely on Code Property Graphs (CPGs) to detect security vulnerabilities have proven effective, deciding how much information to include in the graphs remains a challenge. Including less information can lead to a more scalable analysis but at the cost of reduced effectiveness in identifying vulnerability patterns, potentially resulting in classification errors. Conversely, more information in the graph allows for a more effective analysis but may affect scalability. For example, scalability issues have been recently highlighted in ODGen, the state-of-the-art CPG-based tool for detecting Node.js vulnerabilities.

This paper examines a new point in the design space of CPGs for JavaScript vulnerability detection. We introduce the Multiversion Dependency Graph (MDG), a novel graph-based data structure that captures the state evolution of objects and their properties during program execution. Compared to the graphs used by ODGen, MDGs are significantly simpler without losing key information needed for vulnerability detection. We implemented Graph.js, a new MDG-based static vulnerability scanner specialized in analyzing npm packages and detecting taint-style and prototype pollution vulnerabilities. Our evaluation shows that Graph.js outperforms ODGen by significantly reducing both the false negatives and the analysis time. Additionally, we have identified 49 previously undiscovered vulnerabilities in npm packages.

Article: https://doi.org/10.1145/3656394
Supplementary archive: https://doi.org/10.5281/zenodo.10936488 (Badges: Artifacts Available, Artifacts Evaluated — Reusable)

ORCID: https://orcid.org/0000-0002-5307-4279, https://orcid.org/0000-0002-6346-7340, https://orcid.org/0000-0001-5982-9794, https://orcid.org/0000-0002-7191-5895, https://orcid.org/0000-0001-9938-0653, https://orcid.org/0000-0002-8160-349X, https://orcid.org/0000-0001-5077-300X

Video Tags: Static Analysis, JavaScript, Vulnerability Detection, pldi24main-p79-p, doi:10.1145/3656394, doi:10.5281/zenodo.10936488, orcid:0000-0002-5307-4279, orcid:0000-0002-6346-7340, orcid:0000-0001-5982-9794, orcid:0000-0002-7191-5895, orcid:0000-0001-9938-0653, orcid:0000-0002-8160-349X, orcid:0000-0001-5077-300X, Artifacts Available, Artifacts Evaluated — Reusable

Presentation at the PLDI 2024 conference, June 24–28, 2024, https://pldi24.sigplan.org/
Sponsored by ACM SIGPLAN,