Efficient module-level dynamic analysis for dynamic languages with module recontextualization

Vasilakis, Nikos; Ntousakis, Grigoris; Heller, Veit; Rinard, Martin

doi:10.1145/3468264.3468574

Cited by 5 publications

(1 citation statement)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Additionally, static analysis is typically run on the development version of a library-but the malicious event-stream was offered only on the npm registry rather than its GitHub repository. [7,20,24,30] is a long-standing technique for monitoring, understanding, and potentially intervening in program behavior during its execution. Since dynamic analysis tracks an execution of the program, it depends on certain test inputs to understand common program behavior.…”

Section: Static Program Analysis Static Program Analysismentioning

confidence: 99%

A systematic analysis of the event-stream incident

Arvanitis

Ntousakis

Ioannidis

et al. 2022

Proceedings of the 15th European Workshop on Systems Security

Self Cite

View full text Add to dashboard Cite

On October 5, 2018, a GitHub user announced a critical security vulnerability in event-stream, a JavaScript package meant to simplify working with data-streams. The vulnerability, was introduced by a new maintainer, by including code designed to harvest account details from select Bitcoin wallets when executing as part of the Copay wallet. At the time of the incident, event-stream was used by hundreds of applications and averaged about two million downloads per week. This paper reports on the results of an independent analysis of the event-steam incident. A series of steps allowed the attacker to take control of important account functions, while the attack was designed to activate only on select few environments-only when part of a specific dependency tree, only on specific wallets, and only on the live Bitcoin network. Conventional program analysis techniques would have likely missed the attack, and manual vetting proved to be inadequate for the scale and complexity of dependencies used in modern applications. This incident is an important example of the risks associated with long software supply chains using third-party libraries, calling the research community to arms. CCS CONCEPTS• Software and its engineering → Automated static analysis; Dynamic analysis; Scripting languages; • Security and privacy → Software and application security.

show abstract

Section: Static Program Analysis Static Program Analysismentioning

confidence: 99%