Meta-repository for the USENIX Security'18 project on Event Handler Poisoning.

node-cure

Welcome!

This project is a meta-repository for the USENIX Security'18 paper "A Sense of Time for JavaScript and Node.js: First-Class Timeouts as a Cure for Event Handler Poisoning" by James C. Davis (@davisjam), Eric R. Williamson (@ewmson), and Dongyoon Lee (@dylosy).

In this project:

  • We described the "Event Handler Poisoning" (EHP) attack on server-side programs that use the event-driven architecture. Many Node.js applications, for example, fit this description.
  • We identified many examples of possible EHP vectors in the snyk.io vulnerability database.
  • We explored First-Class Timeouts as an approach to detecting and responding to EHP attacks.
  • We documented potential EHP vectors among Node.js core APIs, changed the implementation of fs.readFile, and prepared a guide about EHP attacks for nodejs.org.

The reproducibility package consists of three repositories: