Mayall: A Framework for Desktop JavaScript Auditing and Post-Exploitation Analysis
Journal Title: Informatics - Year 2018, Vol 5, Issue 4
Abstract
Writing desktop applications in JavaScript offers developers the opportunity to create cross-platform applications with cutting-edge capabilities. However, in doing so, they are potentially submitting their code to a number of unsanctioned modifications from malicious actors. Electron is one such JavaScript application framework which facilitates this multi-platform out-the-box paradigm and is based upon the Node.js JavaScript runtime—an increasingly popular server-side technology. By bringing this technology to the client-side environment, previously unrealized risks are exposed to users due to the powerful system programming interface that Node.js exposes. In a concerted effort to highlight previously unexposed risks in these rapidly expanding frameworks, this paper presents the Mayall Framework, an extensible toolkit aimed at JavaScript security auditing and post-exploitation analysis. This paper also exposes fifteen highly popular Electron applications and demonstrates that two-thirds of applications were found to be using known vulnerable elements with high CVSS (Common Vulnerability Scoring System) scores. Moreover, this paper discloses a wide-reaching and overlooked vulnerability within the Electron Framework which is a direct byproduct of shipping the runtime unaltered with each application, allowing malicious actors to modify source code and inject covert malware inside verified and signed applications without restriction. Finally, a number of injection vectors are explored and appropriate remediations are proposed.
Authors and Affiliations
Adam Rapley, Xavier Bellekens, Lynsay A. Shepherd and Colin McLean
Keywords
Related Articles
- EP ID EP44154
- DOI https://www.mdpi.com/2227-9709/5/4/46/pdf
- Views 259
- Downloads 0
Data Provenance for Agent-Based Models in a Distributed Memory
Agent-Based Models (ABMs) assist with studying emergent collective behavior of individual entities in social, biological, economic, network, and physical systems. Data provenance can support ABM by explaining individual...
The Effects of Motion Artifacts on Self-Avatar Agency
One way of achieving self-agency in virtual environments is by using a motion capture system and retargeting user’s motion to the virtual avatar. In this study, we investigated whether the self-agency is affected when mo...
digiMe: An Online Portal to Support Connectivity through E-Learning in Medical Education
Connectivity is intrinsic to all aspects of our life today, be it political, economic, technological, scientific, or personal. Higher education is also transcending the previous paradigm of technology enabled content d...
Detecting Transitions in Manual Tasks from Wearables: An Unsupervised Labeling Approach†
Authoring protocols for manual tasks such as following recipes, manufacturing processes or laboratory experiments requires significant effort. This paper presents a system that estimates individual procedure transition...
Developing a Model of Distributed Sensemaking: A Case Study of Military Analysis
In this paper, we examine the role of representational artefacts in sensemaking. Embodied within representational media, such as maps, charts and lists, are a number of affordances, which can furnish sensemakers with t...