Active CONTINUING GRANT National Science Foundation (US)

CAREER: Mining and Exploiting Web Vulnerabilities of Prototype-based Programming Languages via Object Property Graph

$5.61M USD

Funder: National Science Foundation (US)
Recipient Organization: Johns Hopkins University
Country: United States
Start Date: Jun 01, 2021
End Date: May 31, 2026
Duration: 1,825 days
Number of Grantees: 1
Roles: Principal Investigator
Data Source: National Science Foundation (US)
Grant ID: 2046361
Grant Description

Prototype-based languages, such as JavaScript or ECMAScript in general, are a special type of object-oriented programming language that relies on a prototypical object to supply the initial properties of a new object. Such programming languages are widely used on the World Wide Web (WWW), for example in Web browser extensions, server-side Node.js applications, and client-side scripting.

While they are popular and have successfully enriched the Web with abundant new functionality, prototype-based languages also introduce new types of object-related vulnerabilities. Examples of such object-related vulnerabilities on the Web include prototype pollution, which pollutes an object property via the prototype chain, and internal property tampering, which tampers with an internal property of Web application objects.

State-of-the-art work adopts graph-based structures, such as the Control-flow Graph, Data-flow Graph and Code Property Graph, to represent target computer programs and efficiently mine vulnerabilities in languages like C/C++ and PHP. However, the detection of vulnerabilities in prototype-based languages, particularly the aforementioned object-related ones, is still challenging and remains an open problem.

In this project, a flow-, context-, branch- and path-sensitive abstract interpretation of prototype-based languages will be designed, implemented and evaluated to efficiently detect and exploit vulnerabilities of prototype-based languages, particularly JavaScript. The abstract interpretation will generate a special graph structure, called the Object Property Graph, to represent JavaScript objects, scopes, and variables as nodes and their relations as edges.

The advantage of the Object Property Graph is that it can efficiently find the definition and use of certain objects via the Abstract Syntax Tree, as well as all the properties of a given object. Furthermore, the proposed Object Property Graph will be used not only to detect and exploit JavaScript vulnerabilities but also to guide the generation of additional JavaScript code with object-related properties to trigger low-level vulnerabilities in JavaScript engines. The investigator will involve undergraduates, women, K-12 students and minorities in the project.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

All Grantees

Johns Hopkins University
