SaTC: CORE: Small: Studying and Measuring the Consequence of Prototype Pollution Vulnerabilities Automatically via Joint Taintflow Analysis

SaTC：核心：小型：通过联合污染流分析自动研究和测量原型污染漏洞的后果

• 批准号: 2154404
• 负责人: Yinzhi Cao
• 金额: $ 50万
• 依托单位: Johns Hopkins University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2022
• 资助国家: 美国
• 起止时间: 2022-10-01 至 2025-09-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2154404&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Studying; Measuring

Prototype pollution is a relatively new type of vulnerability that was discovered in 2018. State-of-the-art works all focus on prototype pollution itself but not the follow-up influence, which we call further consequences in this project. Although people understand that prototype pollution may lead to some consequences such as overwriting critical variables, it remains unclear what a list of possible consequences could be and more importantly how prevalent they are in the real world. This greatly limits people’s understanding of prototype pollution: They often do not take prototype pollution seriously because they think it is a "theoretical" vulnerability, which may not have a severe consequence as other web vulnerabilities.In this project, an automated framework on a novel joint taint-flow analysis is designed to systematically study and measure further consequences of prototype pollution vulnerabilities in the real world. Specifically, such an analysis connects different taint-flows based on object lookup and assignment statements. The project will answer three fundamental questions in prototype pollution, i.e., (i) where to inject/alter a property, (ii) what property to pollute, and (iii) what value to inject. For example, a Cross-site Scripting (XSS) consequence depends on the answer to the question (iii) and the corresponding joint taint-flow: The taint goes into the value of a polluted property belonging to a polluted object as an en-route stop, and then finally to a traditional XSS sink like eval.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

原型污染是2018年发现的一种相对较新的漏洞。最先进的工作都关注原型污染本身，而不是后续影响，我们在这个项目中称之为进一步后果，尽管人们明白这一点。原型污染可能会导致一些后果，例如覆盖关键变量，但目前尚不清楚可能的后果是什么，更重要的是它们在现实世界中的普遍程度，这极大地限制了人们对原型污染的理解：他们通常不采取行动。原型污染严重，因为他们认为这是一个“理论”漏洞，可能不会像其他网络漏洞那样造成严重后果。在这个项目中，设计了一个新型联合污染流分析的自动化框架，旨在系统地研究和测量现实世界中原型污染漏洞的进一步后果具体来说，这样的分析基于对象查找和赋值语句连接不同的污点流，该项目将回答原型污染中的三个基本问题，即（i）在哪里注入/更改属性，（ii）什么属性。污染，以及 (iii) 注入什么值 例如，跨站脚本 (XSS) 后果取决于问题 (iii) 的答案和相应的联合污点流：污点进入 a 的值。属于污染对象的污染财产作为途中停靠点，最后到像 eval 这样的传统 XSS 接收器。该奖项反映了 NSF 的法定使命，并通过使用基金会的智力价值和更广泛的影响审查进行评估，被认为值得支持标准。