Conference paper Open Access

Demo: Detecting Third-Party Library Problems with Combined Program Analysis

Grigoris Ntousakis; Sotiris Ioannidis; Nikos Vasilakis

Third-party libraries ease the software development process and thus have become an integral part of modern software engineering. Unfortunately, they are not usually vetted by human developers and thus are often responsible for introducing bugs, vulnerabilities, or attacks to programs that will eventually reach end-users. In this demonstration, we present a combined static and dynamic program analysis for inferring and enforcing third-party library permissions in server-side JavaScript. This analysis is centered around a RWX permission system across library boundaries. We demonstrate that our tools can detect zero-day vulnerabilities injected into popular libraries and often missed by state-of-the-art tools such as snyk test and npm audit.

Files (504.5 kB)
Name Size
Demo - Detecting Third-Party Library Problems with Combined Program Analysis.pdf
md5:9a38fbeaf9a667919eb111b85db03526
504.5 kB Download
109
88
views
downloads
All versions This version
Views 109109
Downloads 8888
Data volume 44.4 MB44.4 MB
Unique views 102102
Unique downloads 8383

Share

Cite as