Containing Malicious Package Updates in npm with a Lightweight Permission System.
Saved in:
| Title: | Containing Malicious Package Updates in npm with a Lightweight Permission System. |
|---|---|
| Authors: | Ferreira, Gabriel1, Jia, Limin1, Sunshine, Joshua1, Kästner, Christian1 |
| Source: | ICSE: International Conference on Software Engineering. 5/22/2021, p1334-1346. 13p. |
| Subjects: | Supply chains, Software ecosystems, Computer software packaging, Software engineering, Artificial intelligence |
| Abstract: | The large amount of third-party packages available in fast-moving software ecosystems, such as Node.js/npm, enables attackers to compromise applications by pushing malicious updates to their package dependencies. Studying the npm repository, we observed that many packages in the npm repository that are used in Node.js applications perform only simple computations and do not need access to filesystem or network APIs. This offers the opportunity to enforce least-privilege design per package, protecting applications and package dependencies from malicious updates. We propose a lightweight permission system that protects Node.js applications by enforcing package permissions at runtime. We discuss the design space of solutions and show that our system makes a large number of packages much harder to be exploited, almost for free. [ABSTRACT FROM AUTHOR] |
| Copyright of ICSE: International Conference on Software Engineering is the property of Association for Computing Machinery and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.) | |
| Database: | Engineering Source |
| FullText | Links: – Type: pdflink Text: Availability: 0 |
|---|---|
| Header | DbId: egs DbLabel: Engineering Source An: 155538776 AccessLevel: 6 PubType: Conference PubTypeId: conference PreciseRelevancyScore: 0 |
| IllustrationInfo | |
| Items | – Name: Title Label: Title Group: Ti Data: Containing Malicious Package Updates in npm with a Lightweight Permission System. – Name: Author Label: Authors Group: Au Data: <searchLink fieldCode="AR" term="%22Ferreira%2C+Gabriel%22">Ferreira, Gabriel</searchLink><relatesTo>1</relatesTo><br /><searchLink fieldCode="AR" term="%22Jia%2C+Limin%22">Jia, Limin</searchLink><relatesTo>1</relatesTo><br /><searchLink fieldCode="AR" term="%22Sunshine%2C+Joshua%22">Sunshine, Joshua</searchLink><relatesTo>1</relatesTo><br /><searchLink fieldCode="AR" term="%22Kästner%2C+Christian%22">Kästner, Christian</searchLink><relatesTo>1</relatesTo> – Name: TitleSource Label: Source Group: Src Data: <searchLink fieldCode="JN" term="%22ICSE%3A+International+Conference+on+Software+Engineering%22">ICSE: International Conference on Software Engineering</searchLink>. 5/22/2021, p1334-1346. 13p. – Name: Subject Label: Subjects Group: Su Data: <searchLink fieldCode="DE" term="%22Supply+chains%22">Supply chains</searchLink><br /><searchLink fieldCode="DE" term="%22Software+ecosystems%22">Software ecosystems</searchLink><br /><searchLink fieldCode="DE" term="%22Computer+software+packaging%22">Computer software packaging</searchLink><br /><searchLink fieldCode="DE" term="%22Software+engineering%22">Software engineering</searchLink><br /><searchLink fieldCode="DE" term="%22Artificial+intelligence%22">Artificial intelligence</searchLink> – Name: Abstract Label: Abstract Group: Ab Data: The large amount of third-party packages available in fast-moving software ecosystems, such as Node.js/npm, enables attackers to compromise applications by pushing malicious updates to their package dependencies. Studying the npm repository, we observed that many packages in the npm repository that are used in Node.js applications perform only simple computations and do not need access to filesystem or network APIs. This offers the opportunity to enforce least-privilege design per package, protecting applications and package dependencies from malicious updates. We propose a lightweight permission system that protects Node.js applications by enforcing package permissions at runtime. We discuss the design space of solutions and show that our system makes a large number of packages much harder to be exploited, almost for free. [ABSTRACT FROM AUTHOR] – Name: AbstractSuppliedCopyright Label: Group: Ab Data: <i>Copyright of ICSE: International Conference on Software Engineering is the property of Association for Computing Machinery and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract.</i> (Copyright applies to all Abstracts.) |
| PLink | https://search.ebscohost.com/login.aspx?direct=true&site=eds-live&db=egs&AN=155538776 |
| RecordInfo | BibRecord: BibEntity: Identifiers: – Type: doi Value: 10.1109/ICSE43902.2021.00121 Languages: – Code: eng Text: English PhysicalDescription: Pagination: PageCount: 13 StartPage: 1334 Subjects: – SubjectFull: Supply chains Type: general – SubjectFull: Software ecosystems Type: general – SubjectFull: Computer software packaging Type: general – SubjectFull: Software engineering Type: general – SubjectFull: Artificial intelligence Type: general Titles: – TitleFull: Containing Malicious Package Updates in npm with a Lightweight Permission System. Type: main BibRelationships: HasContributorRelationships: – PersonEntity: Name: NameFull: Ferreira, Gabriel – PersonEntity: Name: NameFull: Jia, Limin – PersonEntity: Name: NameFull: Sunshine, Joshua – PersonEntity: Name: NameFull: Kästner, Christian IsPartOfRelationships: – BibEntity: Dates: – D: 22 M: 05 Text: 5/22/2021 Type: published Y: 2021 Titles: – TitleFull: ICSE: International Conference on Software Engineering Type: main |
| ResultId | 1 |