PhD defence of the student Tiago Luís de Oliveira Brito
Field: Computer Science and Engineering (Engenharia Informática e de Computadores)
Thesis title: Applying Code Property Graphs On Modern Web Languages For Security and Privacy Analysis
Venue: https://videoconf-colibri.zoom.us/j/91289480600
Date: 20/05/2024
Time: 11:00
Abstract: Many technologies and programming languages have been designed to take full advantage of the potential of the World Wide Web, increasing its usability, usefulness and efficiency for use cases such as social networking, multimedia sharing, online shopping and banking, education, gaming and others. Most of these use cases are nowadays implemented as highly dynamic web applications written in modern web programming languages, such as JavaScript and WebAssembly, which may introduce new vulnerabilities, some of them language-specific. Code analysis tools are essential for detecting vulnerabilities in these modern codebases: they remove the burden of manually analyzing large applications and allow vulnerability testing to be integrated into continuous integration / continuous delivery (CI/CD) pipelines. In recent years the research community proposed a static analysis technique for vulnerability detection called the Code Property Graph (CPG), which, despite promising results, remains relatively unexplored, particularly for highly dynamic untyped languages and for web binaries. Additionally, it is difficult to evaluate the available state-of-the-art tools that implement the CPG technique because there are no gold-standard datasets that allow a rigorous evaluation. The goals of this thesis are to research how Code Property Graphs can be applied to these highly dynamic languages and to develop frameworks and datasets for evaluating these techniques on modern web codebases.
To achieve these goals we made the following contributions: i) tested the viability of applying CPGs to detect vulnerabilities in WebAssembly binaries, ii) studied the state-of-the-art static analysis techniques used for vulnerability detection in the Node.js ecosystem and in Node Package Manager (npm) repositories, iii) created an annotated dataset of vulnerabilities in npm packages for testing those state-of-the-art static analysis techniques, and iv) designed a custom CPG-based analysis for detecting violations of privacy policies in web applications and for detecting injection vulnerabilities in our curated dataset.
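As an added illustration of the CPG-based injection detection named in contribution iv), and not code from the thesis or its tooling: a miniature code property graph over a constructed Node.js request handler, with a data-dependence taint query that reports a command-injection flow. A CPG merges the AST, the control-flow graph and the program-dependence graph into one graph so that a vulnerability pattern becomes a graph query (here: a path along data-dependence edges from an attacker-controlled source to a dangerous sink that never passes a sanitiser). The statements are hand-encoded rather than parsed, and the source, sink and sanitiser names (req.query, exec, escapeShellArg) are assumptions made for the example.

```javascript
// Added example (not from the thesis): a miniature code property graph (CPG)
// over a constructed Node.js request handler, queried for command injection.
// A CPG merges the AST, control-flow graph (CFG) and program-dependence graph
// (here only data-dependence edges, DDG) into one graph; a vulnerability
// pattern is then a graph query: a path along dependence edges from an
// attacker-controlled source to a dangerous sink that never passes a sanitiser.
// No real parser is used: each statement is hand-encoded with the variables it
// defines and uses and the callee it invokes, which is all the query needs.

// Constructed sample handler represented by STATEMENTS below:
//   function handler(req, res) {
//     const cmd   = req.query.cmd;           // s1: attacker-controlled source
//     const safe  = escapeShellArg(cmd);     // s2: sanitiser (assumed name)
//     const line  = "ls " + cmd;             // s3: tainted concatenation
//     const line2 = "ls " + safe;            // s4: sanitised concatenation
//     exec(line,  cb);                       // s5: sink reachable from s1 -> vulnerable
//     exec(line2, cb);                       // s6: sink reachable only via s2 -> safe
//   }
const STATEMENTS = [
  { id: 's1', defs: ['cmd'],   uses: [],        callee: 'req.query' },
  { id: 's2', defs: ['safe'],  uses: ['cmd'],   callee: 'escapeShellArg' },
  { id: 's3', defs: ['line'],  uses: ['cmd'],   callee: null },
  { id: 's4', defs: ['line2'], uses: ['safe'],  callee: null },
  { id: 's5', defs: [],        uses: ['line'],  callee: 'exec' },
  { id: 's6', defs: [],        uses: ['line2'], callee: 'exec' },
];

// Source/sink/sanitiser vocabulary for the query (assumed for this example).
const SOURCES    = new Set(['req.query']);
const SINKS      = new Set(['exec']);
const SANITIZERS = new Set(['escapeShellArg']);

// Build the graph: nodes keyed by statement id, edges tagged by layer.
function buildCpg(stmts) {
  const nodes = new Map(stmts.map((s) => [s.id, s]));
  const edges = [];
  // AST layer: every statement is a child of the function body (flattened).
  for (const s of stmts) edges.push({ from: 'body', to: s.id, kind: 'AST' });
  // CFG layer: straight-line code, so control flows to the next statement.
  for (let i = 0; i + 1 < stmts.length; i++) {
    edges.push({ from: stmts[i].id, to: stmts[i + 1].id, kind: 'CFG' });
  }
  // DDG layer: reaching definitions in straight-line code reduce to
  // "the most recent definition of v before this use".
  const lastDef = new Map();
  for (const s of stmts) {
    for (const v of s.uses) {
      if (lastDef.has(v)) {
        edges.push({ from: lastDef.get(v), to: s.id, kind: 'DDG', variable: v });
      }
    }
    for (const v of s.defs) lastDef.set(v, s.id);
  }
  return { nodes, edges };
}

// Query: depth-first walk along DDG edges from each source statement;
// a sanitiser kills the taint, a sink reached with live taint is a finding.
function findInjections(cpg) {
  const ddgOut = new Map();
  for (const e of cpg.edges) {
    if (e.kind !== 'DDG') continue;
    if (!ddgOut.has(e.from)) ddgOut.set(e.from, []);
    ddgOut.get(e.from).push(e.to);
  }
  const findings = [];
  for (const [id, stmt] of cpg.nodes) {
    if (!SOURCES.has(stmt.callee)) continue;
    const stack = [[id, [id]]];
    const seen = new Set([id]);
    while (stack.length > 0) {
      const [cur, path] = stack.pop();
      for (const next of ddgOut.get(cur) ?? []) {
        const target = cpg.nodes.get(next);
        if (SANITIZERS.has(target.callee)) continue;   // taint does not survive
        const extended = path.concat(next);
        if (SINKS.has(target.callee)) findings.push(extended);
        if (!seen.has(next)) { seen.add(next); stack.push([next, extended]); }
      }
    }
  }
  return findings;   // source-to-sink paths, e.g. [['s1', 's3', 's5']]
}

// Stand-alone run: prints the vulnerable path(s).
for (const path of findInjections(buildCpg(STATEMENTS))) {
  console.log(`command injection: ${path.join(' -> ')}`);
}
```

The point the toy makes is the one the abstract relies on: once the three layers sit in one graph, the analysis is a query over edge kinds rather than a bespoke pass per vulnerability class, and changing the source, sink or sanitiser sets re-targets it (to a privacy-policy source such as geolocation, say) without touching the graph construction. A real tool for untyped JavaScript has to add what this example omits, chiefly call edges, branching control flow, and dependence through object properties and callbacks.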