Mayall: A Framework for Desktop JavaScript Auditing and Post-Exploitation Analysis
Journal Title: Informatics - Year 2018, Vol 5, Issue 4
Abstract
Writing desktop applications in JavaScript offers developers the opportunity to create cross-platform applications with cutting-edge capabilities. However, in doing so, they are potentially submitting their code to a number of unsanctioned modifications from malicious actors. Electron is one such JavaScript application framework which facilitates this multi-platform out-the-box paradigm and is based upon the Node.js JavaScript runtime—an increasingly popular server-side technology. By bringing this technology to the client-side environment, previously unrealized risks are exposed to users due to the powerful system programming interface that Node.js exposes. In a concerted effort to highlight previously unexposed risks in these rapidly expanding frameworks, this paper presents the Mayall Framework, an extensible toolkit aimed at JavaScript security auditing and post-exploitation analysis. This paper also exposes fifteen highly popular Electron applications and demonstrates that two-thirds of applications were found to be using known vulnerable elements with high CVSS (Common Vulnerability Scoring System) scores. Moreover, this paper discloses a wide-reaching and overlooked vulnerability within the Electron Framework which is a direct byproduct of shipping the runtime unaltered with each application, allowing malicious actors to modify source code and inject covert malware inside verified and signed applications without restriction. Finally, a number of injection vectors are explored and appropriate remediations are proposed.
Authors and Affiliations
Adam Rapley, Xavier Bellekens, Lynsay A. Shepherd and Colin McLean
Keywords
Related Articles
- EP ID EP44154
- DOI https://www.mdpi.com/2227-9709/5/4/46/pdf
- Views 249
- Downloads 0
Mobile Phones Help Develop Listening Skills
Listening is one of the most difficult language skills among the four communication competences; however, it has received much less time in English learning than the other three (reading, writing, and speaking). Also,...
Teaching HCI Skills in Higher Education through Game Design: A Study of Students’ Perceptions
Human-computer interaction (HCI) is an area with a wide range of concepts and knowledge. Therefore, a need to innovate in the teaching-learning processes to achieve an effective education arises. This article describes...
An Internet of Things Based Multi-Level Privacy-Preserving Access Control for Smart Living
The presence of the Internet of Things (IoT) in healthcare through the use of mobile medical applications and wearable devices allows patients to capture their healthcare data and enables healthcare professionals to be...
The Experience of Learning in “The Cube”: Queensland University of Technology’s Giant Interactive Multimedia Environment
In this paper we report findings of the first phase of an investigation, which explored the experience of learning amongst high-level managers, project leaders and visitors in Queensland University of Technology’s (QUT...
Understanding the EMR-Related Experiences of Pregnant Japanese Women to Redesign Antenatal Care EMR Systems
Woman-centered antenatal care necessitates Electronic Medical Record (EMR) systems that respect women’s preferences. However, women’s preferences regarding EMR systems in antenatal care remain unknown. This work aims t...