Zihao Jin (Microsoft Research and Tsinghua University), Shuo Chen (Microsoft Research), Yang Chen (Microsoft Research), Haixin Duan (Tsinghua University and Quancheng Laboratory), Jianjun Chen (Tsinghua University and Zhongguancun Laboratory), Jianping Wu (Tsinghua University)

The Electron platform represents a paradigm to develop modern desktop apps using HTML and JavaScript. Microsoft Teams, Visual Studio Code and other flagship products are examples of Electron apps. This new paradigm inherits the security challenges in web programming into the desktop-app realm, thus opens a new way for local-machine exploitation. We conducted a security study about real-world Electron apps, and discovered many vulnerabilities that are now confirmed by the app vendors. The conventional wisdom is to view these bugs as *sanitization errors*. Accordingly, secure programming requires programmers to explicitly enumerate all kinds of unexpected inputs to sanitize. We believe that secure programming should focus on specifying programmers' intentions as opposed to their non-intentions. We introduce a concept called *DOM-tree type*, which expresses the set of DOM trees that an app expects to see during execution, so an exploit will be caught as a type violation. With insights into the HTML standard and the Chromium engine, we build the DOM-tree type mechanism into the Electron platform. The evaluations show that the methodology is practical, and it secures all vulnerable apps that we found in the study.

View More Papers

SynthDB: Synthesizing Database via Program Analysis for Security Testing...

An Chen (University of Georgia), Jiho Lee (University of Virginia), Basanta Chaulagain (University of Georgia), Yonghwi Kwon (University of Virginia), Kyu Hyung Lee (University of Georgia)

Read More

HeteroScore: Evaluating and Mitigating Cloud Security Threats Brought by...

Chongzhou Fang (University of California, Davis), Najmeh Nazari (University of California, Davis), Behnam Omidi (George Mason University), Han Wang (Temple University), Aditya Puri (Foothill High School, Pleasanton, CA), Manish Arora (LearnDesk, Inc.), Setareh Rafatirad (University of California, Davis), Houman Homayoun (University of California, Davis), Khaled N. Khasawneh (George Mason University)

Read More

Post-GDPR Threat Hunting on Android Phones: Dissecting OS-level Safeguards...

Mark Huasong Meng (National University of Singapore), Qing Zhang (ByteDance), Guangshuai Xia (ByteDance), Yuwei Zheng (ByteDance), Yanjun Zhang (The University of Queensland), Guangdong Bai (The University of Queensland), Zhi Liu (ByteDance), Sin G. Teo (Agency for Science, Technology and Research), Jin Song Dong (National University of Singapore)

Read More

Drone Security and the Mysterious Case of DJI's DroneID

Nico Schiller (Ruhr-Universität Bochum), Merlin Chlosta (CISPA Helmholtz Center for Information Security), Moritz Schloegel (Ruhr-Universität Bochum), Nils Bars (Ruhr University Bochum), Thorsten Eisenhofer (Ruhr University Bochum), Tobias Scharnowski (Ruhr-University Bochum), Felix Domke (Independent), Lea Schönherr (CISPA Helmholtz Center for Information Security), Thorsten Holz (CISPA Helmholtz Center for Information Security)

Read More