Wolf at the Door: Preventing Install-Time Attacks in npm with Latch


Abstract

The npm software ecosystem allows developers to easily import code written by others. However, manual vetting of every individual installed component is made difficult in many cases by the number of transitive dependencies brought in by installing popular packages. This has enabled attackers to propagate malicious code by hiding it deep in the dependency chains of popular packages. A particularly dangerous form of attack comes from malicious code embedded in package install scripts. We tackle the problem of preventing undesirable install-time behavior by proposing Latch, a system for mediating the install-time capabilities of npm packages. Latch generates permission manifests summarizing each package's install-time behavior and checks them against user-defined policies to ensure compliance. Policies in Latch are expressed in a rich formal policy language that covers a broad range of use cases. Our key insight is that expressive Latch policies empower users to define and enforce their own individualized security needs. Evaluation of practical Latch policies on all publicly available npm packages and on a number of real-world attack packages demonstrates that our approach is effective in identifying and stopping unwanted behavior while minimizing disruption due to undesired alerts.
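The abstract describes the two halves of the approach: a manifest that summarizes what a package's lifecycle scripts would do at install time, and a user policy evaluated against that manifest before anything runs. The following Python is an added illustration of that idea and is not Latch's code; the capability categories (`network`, `shell`, `fs-write`, `native-build`, `node-script`, `node-eval`, `unparseable`), the policy format with a deny set plus per-package exceptions, and the sample `package.json` documents are all assumptions constructed for the example. Latch's real manifests and policy language are richer than this.

```python
"""Toy install-time capability manifests and a policy check over them.

Illustrative only (not Latch): lifecycle scripts from a package.json are
classified into coarse capabilities, and a user policy decides whether the
package may be installed.
"""
import re
import shlex

# npm lifecycle hooks that run during `npm install` (assumed subset).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Coarse command -> capability mapping. These categories are assumptions for
# the example, not Latch's manifest vocabulary.
NETWORK_CMDS = {"curl", "wget", "nc", "ncat"}
SHELL_CMDS = {"sh", "bash", "zsh", "eval"}
NATIVE_BUILD_CMDS = {"node-gyp", "prebuild-install", "make", "cmake"}
FS_WRITE_CMDS = {"rm", "mv", "cp", "chmod", "chown", "tee", "tar"}


def script_capabilities(script):
    """Classify one lifecycle script string into a set of capability labels."""
    caps = set()
    # Split on shell operators so each simple command is classified on its own.
    for segment in re.split(r"\s*(?:&&|\|\||\||;)\s*", script):
        try:
            argv = shlex.split(segment)
        except ValueError:
            # Unbalanced quoting etc.: treat the script as opaque so that a
            # policy can refuse it rather than guess.
            return {"unparseable"}
        if not argv:
            continue
        cmd = argv[0].rsplit("/", 1)[-1]
        if cmd in NETWORK_CMDS or re.search(r"https?://", segment):
            caps.add("network")
        if cmd in SHELL_CMDS:
            caps.add("shell")
        if cmd in NATIVE_BUILD_CMDS:
            caps.add("native-build")
        if cmd in FS_WRITE_CMDS or ">" in argv or ">>" in argv:
            caps.add("fs-write")
        if cmd == "node":
            caps.add("node-script")
            if "-e" in argv or "--eval" in argv:
                caps.add("node-eval")  # inline code, not a file in the package
    return caps


def build_manifest(package_json):
    """Manifest: hook name -> sorted capability list, for hooks the package defines."""
    scripts = package_json.get("scripts", {})
    return {hook: sorted(script_capabilities(scripts[hook]))
            for hook in LIFECYCLE_HOOKS if hook in scripts}


def check_policy(name, manifest, policy):
    """Return (hook, capability) pairs that the policy does not allow."""
    exempt = policy.get("exceptions", {}).get(name, set())
    return [(hook, cap) for hook, caps in manifest.items()
            for cap in caps if cap in policy["deny"] and cap not in exempt]


def evaluate_all(packages, policy):
    """Map package name -> list of violations; an empty list means 'may install'."""
    return {pkg["name"]: check_policy(pkg["name"], build_manifest(pkg), policy)
            for pkg in packages}


# Example policy (assumed format): deny these capabilities at install time,
# except where a named package has been reviewed and granted one explicitly.
POLICY = {
    "deny": {"network", "shell", "node-eval", "unparseable"},
    "exceptions": {"prebuilt-binary-example": {"network"}},
}

# Constructed sample package.json documents; none of these are real packages.
SAMPLE_PACKAGES = [
    {"name": "plain-lib", "scripts": {"test": "node test.js"}},
    {"name": "native-addon-example",
     "scripts": {"install": "node-gyp rebuild",
                 "postinstall": "node scripts/check-abi.js"}},
    {"name": "prebuilt-binary-example",
     "scripts": {"postinstall":
                 "curl -sSL https://example.invalid/bin.tgz | tar xz -C build"}},
    {"name": "inline-eval-example",
     "scripts": {"preinstall":
                 "node -e \"require('https').get('https://example.invalid/')\""}},
]

if __name__ == "__main__":
    for pkg in SAMPLE_PACKAGES:
        print(pkg["name"], build_manifest(pkg))
    for name, violations in evaluate_all(SAMPLE_PACKAGES, POLICY).items():
        print(name, "OK" if not violations else violations)
```

Two design points carry over from the abstract even in this toy form: the check runs on the manifest, so nothing from the package executes before the decision is made, and a policy exception is tied to a package name rather than to a capability globally, which is what lets a user keep a strict default while still installing a reviewed native addon or prebuilt binary. The `unparseable` label errs on the side of refusal when a script cannot be tokenized, which is the right failure mode for an install-time gate.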

Citation (APA)

Wyss, E., Wittman, A., Davidson, D., & De Carli, L. (2022). Wolf at the Door: Preventing Install-Time Attacks in npm with Latch. In ASIA CCS 2022 - Proceedings of the 2022 ACM Asia Conference on Computer and Communications Security (pp. 1139–1153). Association for Computing Machinery, Inc. https://doi.org/10.1145/3488932.3523262
