JavaScript applications today are not limited to client-side web applications and server-side code powered by Node.js. They have become the standard for desktop application development with the emergence and popularity of the Electron framework. Combining the features of client-side and server-side applications, Electron applications possess a completely different security posture. Attacks typical of front-end applications can now be escalated to back-end attacks; for example, a cross-site scripting vulnerability can result in remote code execution on the user’s machine. The goal of our study is to analyze the typical security vulnerabilities of an Electron application, study common mitigation controls, and propose new remediation solutions that are easy for developers to implement. In this study we analyze security vulnerabilities in over a hundred open source Electron applications using automated and manual static analysis. We explore the mitigation controls existing in the Electron framework and propose changes to the framework that will prevent many of the common vulnerabilities. Based on these results, we develop an IDE plugin for Electron applications that automatically suggests remediations to common security defects within a developer’s work environment, thus shifting the fixing of a vulnerability to earlier in the software development life cycle. We show the effectiveness of the IDE plugin by applying the plugin’s suggestions to the analyzed open source applications and demonstrating that they stop being exploitable after the applied fix.
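The escalation the abstract describes comes from renderer settings that expose Node.js to page content. As an added example that is not from the paper or its IDE plugin, here is a small JavaScript checker that flags such settings in a BrowserWindow options object and prints a suggested fix; the option names are real Electron webPreferences keys, while the rule list, the sample options and the preload path are constructed for this illustration.

```javascript
// Added example (not from the paper or its IDE plugin): a minimal checker that
// inspects the webPreferences of a BrowserWindow options object and flags
// settings that let script injected into the renderer reach Node.js.
// The option names are real Electron webPreferences keys; the rule list,
// sample options and preload path are constructed for this illustration.

const CHECKS = [
  { key: 'nodeIntegration', bad: v => v === true,
    fix: 'set nodeIntegration: false; expose only what is needed via a preload script' },
  { key: 'contextIsolation', bad: v => v === false,
    fix: 'set contextIsolation: true so page scripts cannot reach preload/Electron internals' },
  { key: 'sandbox', bad: v => v === false,
    fix: 'set sandbox: true to run the renderer inside the OS sandbox' },
  { key: 'webSecurity', bad: v => v === false,
    fix: 'keep webSecurity: true; disabling it turns off the same-origin policy' },
  { key: 'allowRunningInsecureContent', bad: v => v === true,
    fix: 'set allowRunningInsecureContent: false so HTTPS pages cannot load HTTP scripts' },
];

// Returns one finding per flagged setting; an empty array means nothing was flagged.
function auditWebPreferences(browserWindowOptions) {
  const prefs = (browserWindowOptions && browserWindowOptions.webPreferences) || {};
  return CHECKS
    .filter(c => c.bad(prefs[c.key]))
    .map(c => ({ key: c.key, value: prefs[c.key], fix: c.fix }));
}

// Constructed sample: a window that wires page content straight into Node.js,
// so a cross-site scripting bug in the page becomes code execution on the host.
const weakOptions = {
  width: 800, height: 600,
  webPreferences: { nodeIntegration: true, contextIsolation: false, webSecurity: false },
};

// The same window with the settings the checker recommends.
const hardenedOptions = {
  width: 800, height: 600,
  webPreferences: { nodeIntegration: false, contextIsolation: true, sandbox: true,
                    preload: '/path/to/preload.js' /* placeholder path */ },
};

for (const f of auditWebPreferences(weakOptions)) {
  console.log(`${f.key}=${f.value}: ${f.fix}`);
}
console.log('hardened findings:', auditWebPreferences(hardenedOptions).length); // 0
```

Settings left undefined are not flagged because Electron's current defaults are the safe values; the checker only reports settings an application has explicitly weakened.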