IoT Thrust Seminar | Dig Deeper—Mining Object Related Vulnerabilities via Static Analysis

9:30am - 10:30am
Zoom meeting ID: 933 2525 0242, Passcode: iott

As a flexible programming language, JavaScript is widely used at both the front end (browser-based programs or mobile applications) and the back end. At the same time, its flexible features, like the prototype chain, introduce multiple vulnerabilities. For example, prototype pollution allows attackers to pollute the built-in methods of objects which will lead to severe consequences like Denial-of-Service (DoS) or session fixation. Such vulnerabilities are hard to detect but can significantly influence the security of the systems.

In this work, I design and develop an open-sourced JavaScript vulnerability detection platform—–ODGen, which can detect multiple vulnerabilities, for instance, OS command injection, Cross-site scripting (XSS), prototype pollution, and path traversal.

In this talk, I will talk about 1), how I use static analysis to build Object Dependence Graph (ODG) to detect prototype pollution accurately. 2), how do I extend the generated ODG to detect other types of vulnerabilities. 3), how do I plan to solve the long-standing static analysis efficiency problem in the vulnerability detection domain.

Event Format
Speakers / Performers:
Mr. Song Li
Johns Hopkins University

Song Li is a Ph.D. candidate at Johns Hopkins University majoring in Computer Science, advised by Dr. Yinzhi Cao. His research interests are primarily focused on security areas including web security, system security, program analysis, etc. He uses to work on web tracking and now focuses on static/dynamic analysis, trying to solve real-world challenging problems like increasing the accuracy and efficiency of vulnerability detection.

Language
English
Recommended For
Faculty and staff
PG students
Organizer
Internet of Things Thrust, HKUST(GZ)
Post an event
Campus organizations are invited to add their events to the calendar.