Malware analysis at runtime

@naugtur, Confidence 2024

Who's that guy?

https://naugtur.pl

[![](CliffordStoll_2006-embed.jpg)](https://www.ted.com/talks/clifford_stoll_the_call_to_learn?utm_campaign=tedspread&utm_medium=referral&utm_source=tedcomshare) It's going to be a bit like this TED talk by Clifford Stoll

_{^{Put your malicious code in a package and people will gobble it up like cookies.}}

# 🤡
        Watch me run actual malware!

---
        ### Where do I get malware when I actually want to?
        - [npmjs.com/package/object-color](https://www.npmjs.com/package/object-color) ⛔
        - [socket.dev/npm/package/object-color](https://socket.dev/npm/package/object-color) ✔️
        
        ---
      ### Did I mention it's obfuscated?

```js
          eval(function(p,a,c,k,e,d){while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+c+'\\b','g'),k[c])}}return p}('63 25=[
          "\\17\\19\\39\\13\\16\\46\\24\\22\\7\\9\\8\\7\\9\\15\\7\\15\\16\\7\\9\\14\\7\\9\\17\\7\\15\\8\\7\\13\\15\\7\\13\\13\\
        ```

Not a problem for Hardened Javascript

---

# Demo time!

https://github.com/naugtur/lavalab

---

#### why stop at obfuscation?

```js
        const vmsc = new vm.Script(code, {
          produceCachedData: true,
        });
        const cached = vmsc.createCachedData();
        ```

```js
        const rebuilt = new vm.Script(" ".repeat(1337), {
          cachedData: cached,
          filename: "a.js",
        });
        rebuilt.runInThisContext();

```
       #### compiled JS bytecode payloads!

---

# moar demo 🤪

---
        ![lavamoat](./lavamoat-logo.png)

#### LavaMoat

Supply chain attack

delivery

postinstall

typo squatting

dependency confusion

package takeover

prototype poisoning

🙈

BTW

Don't publish malware to NPM please

🛡️

Defenses

Hello, we've found a malicious package version in your dependencies that…
you've been shipping to production for a week.
- npm audit

This new package looks odd. Got time to read it?
- socket.dev

There's a fix for this vulnerability but you're many versions behind. Want a custom patch?
- seal.security

# 📦🛡️📦
 
 Let's put my blue hat back on

---
        ## Hardened Javascript

---
        ## 🤯
        ### JS design is good for security?

- Take ECMA + W3C
        - Add Conway's Law
        - Separation between language and APIs
        - Power only reachable through scope
        - Hardened Javascript controls scope

---
          ### SES-shim
          > Implementation of Hardened Javascript while we wait for it to be standardized.
  
          - `Compartment` - scope isolation
          - `lockdown` - makes your globals secure
  
        ---
        ### `lockdown` 
        #### prevents prototype poisoning

```js

Object.freeze(Object.prototype) 
        // and stuff like that

```
        ---

## LavaMoat

Uses SES-shim to protect app code from malicious dependencies.

---
        ![lavamoat](./lavamoat-logo.png)

#### Part of your tech stack to make runtime secure

---
            
        ```
        package.json:
          "scripts": {
            "generate-policy": "lavamoat build.js --autopolicy",
            "build": "lavamoat build.js",
        ```
        
        ---
        
        #### policy file
                  
        ```js
        ./lavamoat/node/policy.json:
          "that-eslint-plugin>evilpackage": {
            "builtin": {
              "https.request": true
            },
            "globals": {
              "process.env": true
            },
        
        ```
        
        ---
        
        #### policy override file
                  
        ```js
        ./lavamoat/node/policy-override.json:
          "that-eslint-plugin>evilpackage": {
            "builtin": {
              "https": false
            },
            "globals": {
              "process": false
            },
        
        ```
                
        ---
        
        ```
        $ npm run build
        ```
        ```
        Error: LavaMoat - required node builtin package not in 
        allowlist: package "evilpackage" requested "https"
        
        TypeError: Cannot read properties of undefined 
          (reading 'env')
        ```

---

## What about browser apps?

We have a webpack plugin in beta.

Let's see it in action!

## ⏲️ If time permits

# 🪄 ### Delivering attacks to logic you're not involved with

## Prototype poisoning # 🧪🍏 ![]() ```js const a = {}; Object.prototype.toString = ()=>'👻'; console.log(`scary object: ${a}`); ``` ``` scary object: 👻 ```

### JS can be tweaked and it's no accident - designed in 10 days - humbly assuming there's room for improvement

## polyfills #### and ## prototype poisoning #### are the same thing #### with different intentions

## attack examples # ☠️ repo:[js-training-examples -> defensive coding](https://github.com/naugtur/js-training-examples) > See attacks 2, 4, 5, 7

@naugtur naugtur.pl

naugtur.pl/training