1
views
0
recommends
+1 Recommend
0 collections
    0
    shares
      • Record: found
      • Abstract: found
      • Article: found
      Is Open Access

      Containing Malicious Package Updates in npm with a Lightweight Permission System

      Preprint
      , , ,

      Read this article at

      Bookmark
          There is no author summary for this article yet. Authors can add summaries to their articles on ScienceOpen to make them more accessible to a non-specialist audience.

          Abstract

          The large amount of third-party packages available in fast-moving software ecosystems, such as Node.js/npm, enables attackers to compromise applications by pushing malicious updates to their package dependencies. Studying the npm repository, we observed that many packages in the npm repository that are used in Node.js applications perform only simple computations and do not need access to filesystem or network APIs. This offers the opportunity to enforce least-privilege design per package, protecting applications and package dependencies from malicious updates. We propose a lightweight permission system that protects Node.js applications by enforcing package permissions at runtime. We discuss the design space of solutions and show that our system makes a large number of packages much harder to be exploited, almost for free.

          Related collections

          Author and article information

          Journal
          07 March 2021
          Article
          2103.05769
          2c07e391-99f4-43a7-bf3b-22cd3eda5e84

          http://arxiv.org/licenses/nonexclusive-distrib/1.0/

          Custom metadata
          13 pages
          cs.CR cs.SE

          Software engineering,Security & Cryptology
          Software engineering, Security & Cryptology

          Comments

          Comment on this article