Malware analysis at runtime

@naugtur, OMHconf 2023

Who's that guy?

https://naugtur.pl

[![](CliffordStoll_2006-embed.jpg)](https://www.ted.com/talks/clifford_stoll_the_call_to_learn?utm_campaign=tedspread&utm_medium=referral&utm_source=tedcomshare) It's going to be a bit like this TED talk by Clifford Stoll

_{^{Put your malicious code in a package and people will gobble it up like cookies.}}

Supply chain attack

delivery

postinstall

typo squatting

dependency confusion

package takeover

prototype poisoning

🙈

BTW

Don't publish malware to NPM please

🛡️

Defenses

Hello, we've found a malicious package version in your dependencies that…
you've been shipping to production for a week.
- npm audit

This new package looks odd. Got time to read it?
- socket.dev

# 📦🛡️📦
 
 Let's put my blue hat back on

---
        ## Hardened Javascript

---
        ## 🤯
        ### JS design is good for security?

- Take ECMA + W3C
        - Add Conway's Law
        - Separation between language and APIs
        - Power only reachable through scope
        - Hardened Javascript controls scope

---
          ### SES-shim
          > Implementation of Hardened Javascript while we wait for it to be standardized.
  
          - `Compartment` - scope isolation
          - `lockdown` - makes your globals secure
  
        ---
        ### `lockdown` 
        #### prevents prototype poisoning

```js

Object.freeze(Object.prototype) 
        // and stuff like that

```
        ---

## LavaMoat

Uses SES-shim to protect app code from malicious dependencies.

---
        ![lavamoat](./lavamoat-logo.png)

#### Tell your devteam if you want to make your work harder

## ⏲️ If time permits

# 🪄 ### Delivering attacks to logic you're not involved with

## Prototype poisoning # 🧪🍏 ![]() ```js const a = {}; Object.prototype.toString = ()=>'👻'; console.log(`scary object: ${a}`); ``` ``` scary object: 👻 ```

### JS can be tweaked and it's no accident - designed in 10 days - humbly assuming there's room for improvement

## polyfills #### and ## prototype poisoning #### are the same thing #### with different intentions

## attack examples # ☠️ repo:[js-training-examples -> defensive coding](https://github.com/naugtur/js-training-examples) > See attacks 2, 4, 5, 7

@naugtur naugtur.pl

naugtur.pl/training