ICSE 2021
Mon 17 May - Sat 5 June 2021

The large number of third-party packages available in fast-moving software ecosystems, such as Node.js/npm, enables attackers to compromise applications by pushing malicious updates to their package dependencies. Studying the npm repository, we observed that many packages perform only simple computations and do not need access to filesystem or network APIs. This offers the opportunity to enforce a least-privilege design per package, protecting applications from malicious updates to those packages. We discuss the design space and propose a lightweight permission system that protects Node.js/npm applications by enforcing package permissions at runtime. Our system makes a large number of packages much harder to exploit, almost for free.

Thu 27 May
Times are displayed in time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

20:50 - 21:50
3.6.1. Security Vulnerabilities: Different Domains (Technical Track) at Blended Sessions Room 1 (+12h)
Chair(s): Davide Fucci (Blekinge Institute of Technology)
20:50
20m
Paper
Containing Malicious Package Updates in npm with a Lightweight Permission System (Technical Track)
Gabriel Ferreira (Carnegie Mellon University), Limin Jia (Carnegie Mellon University), Joshua Sunshine (Carnegie Mellon University), Christian Kaestner (Carnegie Mellon University)
Pre-print
21:10
20m
Paper
Too Quiet in the Library: An Empirical Study of Security Updates in Android Apps’ Native Code (Technical Track; Artifact Reusable, Artifact Available)
Sumaya Almanee (University of California, Irvine), Arda Ünal (University of California, Irvine), Mathias Payer (EPFL), Joshua Garcia (University of California, Irvine)
Pre-print
21:30
20m
Paper
If It’s Not Secure, It Should Not Compile: Preventing DOM-Based XSS in Large-Scale Web Development with API Hardening (Technical Track)
Pre-print

Fri 28 May
Times are displayed in time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

08:50 - 09:50
3.6.1. Security Vulnerabilities: Different Domains (Technical Track) at Blended Sessions Room 1
08:50
20m
Paper
Containing Malicious Package Updates in npm with a Lightweight Permission System (Technical Track)
Gabriel Ferreira (Carnegie Mellon University), Limin Jia (Carnegie Mellon University), Joshua Sunshine (Carnegie Mellon University), Christian Kaestner (Carnegie Mellon University)
Pre-print
09:10
20m
Paper
Too Quiet in the Library: An Empirical Study of Security Updates in Android Apps’ Native Code (Technical Track; Artifact Reusable, Artifact Available)
Sumaya Almanee (University of California, Irvine), Arda Ünal (University of California, Irvine), Mathias Payer (EPFL), Joshua Garcia (University of California, Irvine)
Pre-print
09:30
20m
Paper
If It’s Not Secure, It Should Not Compile: Preventing DOM-Based XSS in Large-Scale Web Development with API Hardening (Technical Track)
Pre-print
