You Can Run But You Can't Hide: Runtime Protection Against Malicious Package Updates For Node.js

You Can Run But You Can't Hide: Runtime Protection Against Malicious Package Updates For Node.js

Maliciously prepared software packages are an extensively leveraged weapon for software supply chain attacks. The detection of malicious packages is undoubtedly of high priority and many academic and commercial approaches have been developed. In the inevitable case of an attack, one needs resilience...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Hauptverfasser: Ohm, Marc, Pohl, Timo, Boes, Felix
Format: Artikel
Sprache:eng
Schlagworte:
Computer Science - Cryptography and Security
Computer Science - Programming Languages
Online-Zugang:Volltext bestellen
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
container_end_page
container_issue
container_start_page
container_title
container_volume
creator Ohm, Marc
Pohl, Timo
Boes, Felix
description Maliciously prepared software packages are an extensively leveraged weapon for software supply chain attacks. The detection of malicious packages is undoubtedly of high priority and many academic and commercial approaches have been developed. In the inevitable case of an attack, one needs resilience against malicious code. To this end, we present a runtime protection for Node.js that automatically limits a package's capabilities to an established minimum. The detection of required capabilities as well as their enforcement at runtime has been implemented and evaluated against known malicious attacks. Our approach was able to prevent 9/10 historic attacks with a median install-time overhead of less than 0.6 seconds and a median runtime overhead of less than 0.2 seconds.
doi_str_mv 10.48550/arxiv.2305.19760
format Article
fullrecord <record><control><sourceid>arxiv_GOX</sourceid><recordid>TN_cdi_arxiv_primary_2305_19760</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><sourcerecordid>2305_19760</sourcerecordid><originalsourceid>FETCH-LOGICAL-a670-c19da07fd9caa0dcf44f2f2ce0e36cefcab37a8904a94d2524fa16f94e655cbb3</originalsourceid><addsrcrecordid>eNotzzFPwzAUBGAvDKjwA5h4G1OCk9hJzVYiSisVWlVlYAov9nNlaOPKcRD8e9TS6XQ3nPQxdpPxVIyl5PcYftx3mhdcppmqSn7JPt79ADV2sB46eBwinPtdhJkz9HDco9sTrIKPpKPzHUy26Lo-wgvunHZ-6GGF-gu3BG8Hg5F6mPoAr95Q-tlfsQuLu56uzzlim-nTpp4li-XzvJ4sEiwrnuhMGeSVNUojcqOtEDa3uSZORanJamyLCseKC1TC5DIXFrPSKkGllLptixG7_b89EZtDcHsMv82R2pyoxR_sF08e</addsrcrecordid><sourcetype>Open Access Repository</sourcetype><iscdi>true</iscdi><recordtype>article</recordtype></control><display><type>article</type><title>You Can Run But You Can't Hide: Runtime Protection Against Malicious Package Updates For Node.js</title><source>arXiv.org</source><creator>Ohm, Marc ; Pohl, Timo ; Boes, Felix</creator><creatorcontrib>Ohm, Marc ; Pohl, Timo ; Boes, Felix</creatorcontrib><description>Maliciously prepared software packages are an extensively leveraged weapon for software supply chain attacks. The detection of malicious packages is undoubtedly of high priority and many academic and commercial approaches have been developed. In the inevitable case of an attack, one needs resilience against malicious code. To this end, we present a runtime protection for Node.js that automatically limits a package's capabilities to an established minimum. The detection of required capabilities as well as their enforcement at runtime has been implemented and evaluated against known malicious attacks. Our approach was able to prevent 9/10 historic attacks with a median install-time overhead of less than 0.6 seconds and a median runtime overhead of less than 0.2 seconds.</description><identifier>DOI: 10.48550/arxiv.2305.19760</identifier><language>eng</language><subject>Computer Science - Cryptography and Security ; Computer Science - Programming Languages</subject><creationdate>2023-05</creationdate><rights>http://arxiv.org/licenses/nonexclusive-distrib/1.0</rights><oa>free_for_read</oa><woscitedreferencessubscribed>false</woscitedreferencessubscribed></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><link.rule.ids>228,230,776,881</link.rule.ids><linktorsrc>$$Uhttps://arxiv.org/abs/2305.19760$$EView_record_in_Cornell_University$$FView_record_in_$$GCornell_University$$Hfree_for_read</linktorsrc><backlink>$$Uhttps://doi.org/10.48550/arXiv.2305.19760$$DView paper in arXiv$$Hfree_for_read</backlink></links><search><creatorcontrib>Ohm, Marc</creatorcontrib><creatorcontrib>Pohl, Timo</creatorcontrib><creatorcontrib>Boes, Felix</creatorcontrib><title>You Can Run But You Can't Hide: Runtime Protection Against Malicious Package Updates For Node.js</title><description>Maliciously prepared software packages are an extensively leveraged weapon for software supply chain attacks. The detection of malicious packages is undoubtedly of high priority and many academic and commercial approaches have been developed. In the inevitable case of an attack, one needs resilience against malicious code. To this end, we present a runtime protection for Node.js that automatically limits a package's capabilities to an established minimum. The detection of required capabilities as well as their enforcement at runtime has been implemented and evaluated against known malicious attacks. Our approach was able to prevent 9/10 historic attacks with a median install-time overhead of less than 0.6 seconds and a median runtime overhead of less than 0.2 seconds.</description><subject>Computer Science - Cryptography and Security</subject><subject>Computer Science - Programming Languages</subject><fulltext>true</fulltext><rsrctype>article</rsrctype><creationdate>2023</creationdate><recordtype>article</recordtype><sourceid>GOX</sourceid><recordid>eNotzzFPwzAUBGAvDKjwA5h4G1OCk9hJzVYiSisVWlVlYAov9nNlaOPKcRD8e9TS6XQ3nPQxdpPxVIyl5PcYftx3mhdcppmqSn7JPt79ADV2sB46eBwinPtdhJkz9HDco9sTrIKPpKPzHUy26Lo-wgvunHZ-6GGF-gu3BG8Hg5F6mPoAr95Q-tlfsQuLu56uzzlim-nTpp4li-XzvJ4sEiwrnuhMGeSVNUojcqOtEDa3uSZORanJamyLCseKC1TC5DIXFrPSKkGllLptixG7_b89EZtDcHsMv82R2pyoxR_sF08e</recordid><startdate>20230531</startdate><enddate>20230531</enddate><creator>Ohm, Marc</creator><creator>Pohl, Timo</creator><creator>Boes, Felix</creator><scope>AKY</scope><scope>GOX</scope></search><sort><creationdate>20230531</creationdate><title>You Can Run But You Can't Hide: Runtime Protection Against Malicious Package Updates For Node.js</title><author>Ohm, Marc ; Pohl, Timo ; Boes, Felix</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-LOGICAL-a670-c19da07fd9caa0dcf44f2f2ce0e36cefcab37a8904a94d2524fa16f94e655cbb3</frbrgroupid><rsrctype>articles</rsrctype><prefilter>articles</prefilter><language>eng</language><creationdate>2023</creationdate><topic>Computer Science - Cryptography and Security</topic><topic>Computer Science - Programming Languages</topic><toplevel>online_resources</toplevel><creatorcontrib>Ohm, Marc</creatorcontrib><creatorcontrib>Pohl, Timo</creatorcontrib><creatorcontrib>Boes, Felix</creatorcontrib><collection>arXiv Computer Science</collection><collection>arXiv.org</collection></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext_linktorsrc</fulltext></delivery><addata><au>Ohm, Marc</au><au>Pohl, Timo</au><au>Boes, Felix</au><format>journal</format><genre>article</genre><ristype>JOUR</ristype><atitle>You Can Run But You Can't Hide: Runtime Protection Against Malicious Package Updates For Node.js</atitle><date>2023-05-31</date><risdate>2023</risdate><abstract>Maliciously prepared software packages are an extensively leveraged weapon for software supply chain attacks. The detection of malicious packages is undoubtedly of high priority and many academic and commercial approaches have been developed. In the inevitable case of an attack, one needs resilience against malicious code. To this end, we present a runtime protection for Node.js that automatically limits a package's capabilities to an established minimum. The detection of required capabilities as well as their enforcement at runtime has been implemented and evaluated against known malicious attacks. Our approach was able to prevent 9/10 historic attacks with a median install-time overhead of less than 0.6 seconds and a median runtime overhead of less than 0.2 seconds.</abstract><doi>10.48550/arxiv.2305.19760</doi><oa>free_for_read</oa></addata></record>
fulltext fulltext_linktorsrc
identifier DOI: 10.48550/arxiv.2305.19760
ispartof
issn
language eng
recordid cdi_arxiv_primary_2305_19760
source arXiv.org
subjects Computer Science - Cryptography and Security
Computer Science - Programming Languages
title You Can Run But You Can't Hide: Runtime Protection Against Malicious Package Updates For Node.js
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-02-13T19%3A54%3A21IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-arxiv_GOX&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=You%20Can%20Run%20But%20You%20Can't%20Hide:%20Runtime%20Protection%20Against%20Malicious%20Package%20Updates%20For%20Node.js&rft.au=Ohm,%20Marc&rft.date=2023-05-31&rft_id=info:doi/10.48550/arxiv.2305.19760&rft_dat=%3Carxiv_GOX%3E2305_19760%3C/arxiv_GOX%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rfr_iscdi=true