Conference paper Open Access

Demo: Detecting Third-Party Library Problems with Combined Program Analysis

Grigoris Ntousakis; Sotiris Ioannidis; Nikos Vasilakis


MARC21 XML Export

<?xml version='1.0' encoding='UTF-8'?>
<record xmlns="http://www.loc.gov/MARC21/slim">
  <leader>00000nam##2200000uu#4500</leader>
  <datafield tag="653" ind1=" " ind2=" ">
    <subfield code="a">third-party librabies, bugs, vulnerabilities, attacks, program analysis, RWX permission system, snyk test, npm audit</subfield>
  </datafield>
  <controlfield tag="005">20211119134848.0</controlfield>
  <controlfield tag="001">5713403</controlfield>
  <datafield tag="711" ind1=" " ind2=" ">
    <subfield code="d">15-19 November 2021</subfield>
    <subfield code="g">CCS</subfield>
    <subfield code="a">ACM/SIGSAC Conference on Computer and Communications Security</subfield>
    <subfield code="c">Seul, Republic of Korea / virtual</subfield>
  </datafield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">TU Crete</subfield>
    <subfield code="a">Sotiris Ioannidis</subfield>
  </datafield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">CSAIL, MIT</subfield>
    <subfield code="a">Nikos Vasilakis</subfield>
  </datafield>
  <datafield tag="856" ind1="4" ind2=" ">
    <subfield code="s">504487</subfield>
    <subfield code="z">md5:9a38fbeaf9a667919eb111b85db03526</subfield>
    <subfield code="u">https://zenodo.org/record/5713403/files/Demo - Detecting Third-Party Library Problems with Combined Program Analysis.pdf</subfield>
  </datafield>
  <datafield tag="542" ind1=" " ind2=" ">
    <subfield code="l">open</subfield>
  </datafield>
  <datafield tag="856" ind1="4" ind2=" ">
    <subfield code="y">Conference website</subfield>
    <subfield code="u">https://www.sigsac.org/ccs/CCS2021/</subfield>
  </datafield>
  <datafield tag="260" ind1=" " ind2=" ">
    <subfield code="c">2021-11-19</subfield>
  </datafield>
  <datafield tag="909" ind1="C" ind2="O">
    <subfield code="p">openaire</subfield>
    <subfield code="p">user-cyreneproject-eu</subfield>
    <subfield code="o">oai:zenodo.org:5713403</subfield>
  </datafield>
  <datafield tag="100" ind1=" " ind2=" ">
    <subfield code="u">TU Crete</subfield>
    <subfield code="a">Grigoris Ntousakis</subfield>
  </datafield>
  <datafield tag="245" ind1=" " ind2=" ">
    <subfield code="a">Demo: Detecting Third-Party Library Problems with Combined Program Analysis</subfield>
  </datafield>
  <datafield tag="980" ind1=" " ind2=" ">
    <subfield code="a">user-cyreneproject-eu</subfield>
  </datafield>
  <datafield tag="536" ind1=" " ind2=" ">
    <subfield code="c">952690</subfield>
    <subfield code="a">Certifying the Security and Resilience of Supply Chain Services</subfield>
  </datafield>
  <datafield tag="540" ind1=" " ind2=" ">
    <subfield code="u">https://creativecommons.org/licenses/by/4.0/legalcode</subfield>
    <subfield code="a">Creative Commons Attribution 4.0 International</subfield>
  </datafield>
  <datafield tag="650" ind1="1" ind2="7">
    <subfield code="a">cc-by</subfield>
    <subfield code="2">opendefinition.org</subfield>
  </datafield>
  <datafield tag="520" ind1=" " ind2=" ">
    <subfield code="a">&lt;p&gt;Third-party libraries ease the software development process and thus have become an integral part of modern software engineering. Unfortunately, they are not usually vetted by human developers and thus are often responsible for introducing bugs, vulnerabilities, or attacks to programs that will eventually reach end-users. In this demonstration, we present a combined static and dynamic program analysis for inferring and enforcing third-party library permissions in server-side JavaScript. This analysis is centered around a RWX permission system across library boundaries. We demonstrate that our tools can detect zero-day vulnerabilities injected into popular libraries and often missed by state-of-the-art tools such as snyk test and npm audit.&lt;/p&gt;</subfield>
  </datafield>
  <datafield tag="773" ind1=" " ind2=" ">
    <subfield code="n">doi</subfield>
    <subfield code="i">isVersionOf</subfield>
    <subfield code="a">10.5281/zenodo.5713402</subfield>
  </datafield>
  <datafield tag="024" ind1=" " ind2=" ">
    <subfield code="a">10.5281/zenodo.5713403</subfield>
    <subfield code="2">doi</subfield>
  </datafield>
  <datafield tag="980" ind1=" " ind2=" ">
    <subfield code="a">publication</subfield>
    <subfield code="b">conferencepaper</subfield>
  </datafield>
</record>
115
97
views
downloads
All versions This version
Views 115115
Downloads 9797
Data volume 48.9 MB48.9 MB
Unique views 107107
Unique downloads 9292

Share

Cite as