Containing Malicious Package Updates in npm with a Lightweight Permission System.

Saved in:
Bibliographic Details
Title: Containing Malicious Package Updates in npm with a Lightweight Permission System.
Authors: Ferreira, Gabriel1, Jia, Limin1, Sunshine, Joshua1, Kästner, Christian1
Source: ICSE: International Conference on Software Engineering. 5/22/2021, p1334-1346. 13p.
Subjects: Supply chains, Software ecosystems, Computer software packaging, Software engineering, Artificial intelligence
Abstract: The large amount of third-party packages available in fast-moving software ecosystems, such as Node.js/npm, enables attackers to compromise applications by pushing malicious updates to their package dependencies. Studying the npm repository, we observed that many packages in the npm repository that are used in Node.js applications perform only simple computations and do not need access to filesystem or network APIs. This offers the opportunity to enforce least-privilege design per package, protecting applications and package dependencies from malicious updates. We propose a lightweight permission system that protects Node.js applications by enforcing package permissions at runtime. We discuss the design space of solutions and show that our system makes a large number of packages much harder to be exploited, almost for free. [ABSTRACT FROM AUTHOR]
Copyright of ICSE: International Conference on Software Engineering is the property of Association for Computing Machinery and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)
Database: Engineering Source
FullText Links:
  – Type: pdflink
Text:
  Availability: 0
Header DbId: egs
DbLabel: Engineering Source
An: 155538776
AccessLevel: 6
PubType: Conference
PubTypeId: conference
PreciseRelevancyScore: 0
IllustrationInfo
Items – Name: Title
  Label: Title
  Group: Ti
  Data: Containing Malicious Package Updates in npm with a Lightweight Permission System.
– Name: Author
  Label: Authors
  Group: Au
  Data: <searchLink fieldCode="AR" term="%22Ferreira%2C+Gabriel%22">Ferreira, Gabriel</searchLink><relatesTo>1</relatesTo><br /><searchLink fieldCode="AR" term="%22Jia%2C+Limin%22">Jia, Limin</searchLink><relatesTo>1</relatesTo><br /><searchLink fieldCode="AR" term="%22Sunshine%2C+Joshua%22">Sunshine, Joshua</searchLink><relatesTo>1</relatesTo><br /><searchLink fieldCode="AR" term="%22Kästner%2C+Christian%22">Kästner, Christian</searchLink><relatesTo>1</relatesTo>
– Name: TitleSource
  Label: Source
  Group: Src
  Data: <searchLink fieldCode="JN" term="%22ICSE%3A+International+Conference+on+Software+Engineering%22">ICSE: International Conference on Software Engineering</searchLink>. 5/22/2021, p1334-1346. 13p.
– Name: Subject
  Label: Subjects
  Group: Su
  Data: <searchLink fieldCode="DE" term="%22Supply+chains%22">Supply chains</searchLink><br /><searchLink fieldCode="DE" term="%22Software+ecosystems%22">Software ecosystems</searchLink><br /><searchLink fieldCode="DE" term="%22Computer+software+packaging%22">Computer software packaging</searchLink><br /><searchLink fieldCode="DE" term="%22Software+engineering%22">Software engineering</searchLink><br /><searchLink fieldCode="DE" term="%22Artificial+intelligence%22">Artificial intelligence</searchLink>
– Name: Abstract
  Label: Abstract
  Group: Ab
  Data: The large amount of third-party packages available in fast-moving software ecosystems, such as Node.js/npm, enables attackers to compromise applications by pushing malicious updates to their package dependencies. Studying the npm repository, we observed that many packages in the npm repository that are used in Node.js applications perform only simple computations and do not need access to filesystem or network APIs. This offers the opportunity to enforce least-privilege design per package, protecting applications and package dependencies from malicious updates. We propose a lightweight permission system that protects Node.js applications by enforcing package permissions at runtime. We discuss the design space of solutions and show that our system makes a large number of packages much harder to be exploited, almost for free. [ABSTRACT FROM AUTHOR]
– Name: AbstractSuppliedCopyright
  Label:
  Group: Ab
  Data: <i>Copyright of ICSE: International Conference on Software Engineering is the property of Association for Computing Machinery and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract.</i> (Copyright applies to all Abstracts.)
PLink https://search.ebscohost.com/login.aspx?direct=true&site=eds-live&db=egs&AN=155538776
RecordInfo BibRecord:
  BibEntity:
    Identifiers:
      – Type: doi
        Value: 10.1109/ICSE43902.2021.00121
    Languages:
      – Code: eng
        Text: English
    PhysicalDescription:
      Pagination:
        PageCount: 13
        StartPage: 1334
    Subjects:
      – SubjectFull: Supply chains
        Type: general
      – SubjectFull: Software ecosystems
        Type: general
      – SubjectFull: Computer software packaging
        Type: general
      – SubjectFull: Software engineering
        Type: general
      – SubjectFull: Artificial intelligence
        Type: general
    Titles:
      – TitleFull: Containing Malicious Package Updates in npm with a Lightweight Permission System.
        Type: main
  BibRelationships:
    HasContributorRelationships:
      – PersonEntity:
          Name:
            NameFull: Ferreira, Gabriel
      – PersonEntity:
          Name:
            NameFull: Jia, Limin
      – PersonEntity:
          Name:
            NameFull: Sunshine, Joshua
      – PersonEntity:
          Name:
            NameFull: Kästner, Christian
    IsPartOfRelationships:
      – BibEntity:
          Dates:
            – D: 22
              M: 05
              Text: 5/22/2021
              Type: published
              Y: 2021
          Titles:
            – TitleFull: ICSE: International Conference on Software Engineering
              Type: main
ResultId 1