06.09 | Prototype Pollution and Beyond: An Existential, Emerging Threat to the World Wide Web
2023.05.30
演讲者
Yinzhi Cao
头衔职位
Assistant professor in Computer Science at Johns Hopkins University
时间
2023年6月9日(周五)上午10:00-11:00
地点
江湾校区二号交叉学科楼A1010
联系人
杨哲慜,yangzhemin@fudan.edu.cn
演讲简介
Prototype pollution is a relatively-new type of vulnerability specific to prototype-based languages, such as JavaScript, which allows an adversary to pollute a base object’s property, leading to further consequences such as Cross-site Scripting (XSS) and session fixation. In this talk, I am presenting our research works in the past five years, which detect and exploit not only prototype pollution vulnerabilities but also other related JavaScript vulnerabilities across server- and client-side applications. I will start from our ESEC/FSE’2021 paper, which is flow- and context-sensitive JavaScript static analysis with hybrid branch-sensitivity and points-to information to generate a novel graph structure, called Object Property Graph (OPG), using abstract interpretation. Then, I will present our improved graph, called Object Dependence Graph (USENIX’2022), in detecting a wide range of JavaScript vulnerabilities and our dynamic analysis (NDSS’2022) in exploiting prototype pollution vulnerabilities in real-world websites. Lastly, I will introduce our recent progress (IEEE S&P’2023 and CCS’2023) in scaling JavaScript abstract interpretation. Our JavaScript works discovered over 450 Node.js vulnerabilities with 102 CVE identifiers, 2,738 vulnerable websites, and 43 vulnerable browser extensions in total over the years.
关于讲者
Dr. Yinzhi Cao is an assistant professor in Computer Science at Johns Hopkins University. His research mainly focuses on the security and privacy of the Web, smartphones, and machine learning using program analysis techniques. His past work was widely featured by over 30 media outlets, such as NSF Science Now (Episode 38), CCTV News, IEEE Spectrum, Yahoo! News, and ScienceDaily. He received three distinguished paper awards at USENIX Security'2021, SOSP’17, and IEEE CNS’15 respectively, and one best paper nomination at CCS’20. He is a recipient of the DARPA Young Faculty Award (YFA) 2022, the Amazon Research Award 2021 and 2017, and NSF CAREER Award 2021.
