ODGen tool was presented at this year’s Usenix Security Symposium
The researchers proved the effectiveness of ODGen by applying it to thousands of Node.js libraries, where it discovered 180 zero-day vulnerabilities and received 70 CVEs.
Graph-based scanners parse source code files to build a graph structure that represents the different properties and execution branches of an application. This graph can then be used to model and find vulnerabilities in the source code.
Graph query-based approaches have proven to be very effective in detecting vulnerabilities in some programming languages. One technique in particular, Code Property Graph (CPG), has proven to be successful in securing C/C++ and PHP code.
“At the same time, many of these NPM packages are less maintained and vulnerabilities are prevalent in the NPM ecosystem. That is why we decided to perform the study to make the ecosystem a safer environment.”
Object Dependence Graph
The researchers designed ODGen to detect vulnerabilities at application and package levels. They tested the tool on 330 documented vulnerabilities that spanned across 16 categories, including cross-site scripting (XSS), server- and client-side request forgery (SSRF/CSRF), SQL injection, prototype pollution, and command injection.
The tool was able to detect 13 types of vulnerabilities with very high accuracy, discovering 302 of the 330 bugs.
They expanded their test by crawling 300,000 NPM packages and applying ODGen with graph queries to detect queries. ODGen reported nearly 3,000 security bugs, of which the researchers verified 264 that belonged to libraries with more than 1,000 weekly downloads. They were able to confirm and report 180 security bugs, many of which were in libraries that are used widely in web applications. Of the discovered vulnerabilities, 70 were assigned CVEs.
In the future, Cao said, the team might extend ODGen to other programming languages used in web applications, including PHP and Java.