ICSE 2020
Wed 24 June - Thu 16 July 2020
Sat 11 Jul 2020 16:35 - 16:47 at Baekje - A28-Android and Web Testing Chair(s): Reyhaneh Jabbarvand

Modern JavaScript applications extensively depend on third-party libraries. Especially for the Node.js platform, vulnerabilities can have severe consequences to the security of applications, resulting in, for example, cross-site scripting and command-line injection vulnerabilities. Existing static analysis tools that have been developed to detect such issues automatically are either too coarse, looking only at package dependency structure while ignoring dataflow, or rely on manually-written taint specifications for the most popular libraries to ensure analysis scalability. In this work, we propose a technique for automatically extracting taint specifications for JavaScript libraries, based on a dynamic analysis that leverages the existing test suites of the libraries and their available clients in the npm repository. Due to the dynamic nature of JavaScript, mapping observations from dynamic analysis to taint specifications that fit into a static analysis is nontrivial. Our main insight is that this challenge can be addressed by a combination of an access path mechanism to name entry and exit points and the use of membranes around the libraries of interest. We show that our approach is effective at inferring useful taint specifications at scale. Our prototype tool automatically extracts 146 additional taint sinks and 7,840 propagation summaries spanning 1,393 npm modules. By integrating the extracted specifications in a commercial, state-of-the-art static analysis, 136 new alerts are produced, many of which correspond to likely security vulnerabilities. Moreover, many important specifications that were originally manually written are among the ones that our tool can now extract automatically.
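A minimal sketch of the idea in the abstract, added here as an example and not taken from the paper or the authors' tool: a Proxy-based membrane names each library entry point by an access path, and unique marker strings (a simplification standing in for real dynamic taint tracking) show which entry points reach a sink or propagate to a return value. The toy library, the stubbed sink, and the `toylib.run(arg0)` path notation are assumptions made for this illustration.

```javascript
// Constructed toy library standing in for an npm package; `sink` stubs a
// dangerous built-in such as a shell-exec call. All names are hypothetical.
const makeToyLib = (sink) => ({
  run: (cmd, label) => sink("sh -c " + cmd),       // arg0 reaches the sink
  util: {
    quote: (s) => "'" + s.replace(/'/g, "") + "'", // arg0 flows into the return value
    size: (s) => s.length,                         // returns a number: nothing recorded
  },
});

// Membrane: every object or function read through the library root is wrapped
// in a Proxy, so each call crossing the boundary is named by its access path.
function membrane(target, path, onCall) {
  return new Proxy(target, {
    get(t, prop) {
      const v = t[prop], wrap = v !== null && /^(object|function)$/.test(typeof v);
      return wrap ? membrane(v, `${path}.${String(prop)}`, onCall) : v;
    },
    apply: (t, thisArg, args) => onCall(path, t, thisArg, args),
  });
}

// Run a client test against the wrapped library. String arguments get a unique
// marker: seen at the sink it yields a sink spec, seen in a return a propagation.
function extractSpecs(clientTest) {
  const sinks = new Set(), propagations = new Set(), live = new Map(); // marker -> entry
  const sink = (s) => live.forEach((entry, m) => { if (s.includes(m)) sinks.add(entry); });
  const onCall = (path, fn, thisArg, args) => {
    const marked = args.map((a, i) => {
      if (typeof a !== "string") return a;
      const m = `\u0001T${live.size}\u0001`;
      live.set(m, `${path}(arg${i})`);
      return m + a;
    });
    let ret = Reflect.apply(fn, thisArg, marked);
    if (typeof ret === "string") live.forEach((entry, m) => {
      if (ret.includes(m)) propagations.add(`${entry} -> ${path}(return)`);
      ret = ret.split(m).join("");                 // strip markers leaving the membrane
    });
    return ret;
  };
  clientTest(membrane(makeToyLib(sink), "toylib", onCall));
  return { sinks: [...sinks].sort(), propagations: [...propagations].sort() };
}

// Constructed client test, standing in for a library's or client's test suite.
const specs = extractSpecs((lib) => {
  lib.run("ls " + lib.util.quote("a'b"), "listing");
  lib.util.size("abc");
});
console.log(specs);
```

The second argument of `run` never reaches the stubbed sink, so only `toylib.run(arg0)` is reported; a static analysis consuming these specs would treat that parameter as a sink and `quote` as a taint-propagating function.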

Sat 11 Jul

Displayed time zone: (UTC) Coordinated Universal Time

16:05 - 17:05
A28-Android and Web Testing (Technical Papers / Demonstrations) at Baekje
Chair(s): Reyhaneh Jabbarvand University of Illinois Urbana-Champaign
16:05 (3m) Talk, Demonstrations
AppTestMigrator: A Tool for Automated Test Migration for Android Apps [Demo]
Farnaz Behrang (Georgia Tech), Alessandro Orso (Georgia Tech)

16:08 (12m) Talk, Technical Papers
Revealing Injection Vulnerabilities by Leveraging Existing Tests [Technical; Artifact Reusable; Artifact Available]
Katherine Hough (George Mason University), Gebrehiwet Biyane Welearegai (University of Potsdam, Germany), Christian Hammer (University of Potsdam), A: Jonathan Bell (Northeastern University)

16:20 (12m) Talk, Technical Papers
Accessibility Issues in Android Apps: State of Affairs, Sentiments, and Ways Forward [Technical]
Abdulaziz Alshayban (University of California, Irvine), Iftekhar Ahmed (University of California at Irvine, USA), Sam Malek (University of California, Irvine)

16:32 (3m) Talk, Demonstrations
WasmView: Visual Testing for WebAssembly Applications [Demo]
Alan Romano (University at Buffalo, SUNY), Weihang Wang (University at Buffalo, SUNY)

16:35 (12m) Talk, Technical Papers
Extracting Taint Specifications for JavaScript Libraries [Technical]
Cristian-Alexandru Staicu (TU Darmstadt), Martin Toldam Torp (Aarhus University), Max Schaefer (GitHub, Inc.), Anders Møller (Aarhus University), Michael Pradel (University of Stuttgart)
Pre-print; Media Attached

16:47 (12m) Talk, Technical Papers
Finding Client-side Business Flow Tampering Vulnerabilities [Technical]
I Luk Kim (Purdue University), Yunhui Zheng (IBM Research), Hogun Park (Purdue University), Weihang Wang (University at Buffalo, SUNY), Wei You (Renmin University of China), Yousra Aafer (Purdue University), Xiangyu Zhang (Purdue University)