Containing Malicious Package Updates in npm with a Lightweight Permission System
| Published in: | Proceedings / International Conference on Software Engineering, pp. 1334 - 1346 |
|---|---|
| Main authors: | Gabriel Ferreira, Limin Jia, Joshua Sunshine, Christian Kastner |
| Medium: | Conference paper |
| Language: | English |
| Published: | IEEE, 01.05.2021 |
| Topics: | design trade-offs; Ecosystems; malicious package updates; package management; permission system; Runtime sandboxing; Security; Software supply chain security |
| ISBN: | 1665402962, 9781665402965 |
| ISSN: | 1558-1225 |
| Online access: | https://ieeexplore.ieee.org/document/9402108 |
| Abstract | The large amount of third-party packages available in fast-moving software ecosystems, such as Node.js/npm, enables attackers to compromise applications by pushing malicious updates to their package dependencies. Studying the npm repository, we observed that many packages in the npm repository that are used in Node.js applications perform only simple computations and do not need access to filesystem or network APIs. This offers the opportunity to enforce least-privilege design per package, protecting applications and package dependencies from malicious updates. We propose a lightweight permission system that protects Node.js applications by enforcing package permissions at runtime. We discuss the design space of solutions and show that our system makes a large number of packages much harder to be exploited, almost for free. |
|---|---|
| Author | Gabriel Ferreira; Limin Jia; Joshua Sunshine; Christian Kastner (all Carnegie Mellon University) |
| CODEN | IEEPAD |
| ContentType | Conference Proceeding |
| DOI | 10.1109/ICSE43902.2021.00121 |
| Discipline | Computer Science |
| EndPage | 1346 |
| ExternalDocumentID | 9402108 |
| Genre | orig-research |
| ISBN | 1665402962; 9781665402965 |
| ISICitedReferencesCount | 25 |
| ISSN | 1558-1225 |
| IsPeerReviewed | false |
| IsScholarly | true |
| Language | English |
| PageCount | 13 |
| PublicationDate | 2021-05-01 (May 2021) |
| PublicationTitle | Proceedings / International Conference on Software Engineering |
| PublicationTitleAbbrev | ICSE |
| PublicationYear | 2021 |
| Publisher | IEEE |
| StartPage | 1334 |
| SubjectTerms | design trade-offs; Ecosystems; malicious package updates; package management; permission system; Runtime sandboxing; Security; Software supply chain security |
| Title | Containing Malicious Package Updates in npm with a Lightweight Permission System |
| URI | https://ieeexplore.ieee.org/document/9402108 |

