Detecting Injection Vulnerabilities In Node.js Applications (DIVINA)

Type: National Project

Duration: from 2022 Mar 27 to 2023 Mar 26

Financed by: FCT

Prime Contractor: INESC-ID (Other)

In this project, we plan to develop DIVINA: a new analysis tool for detecting injection vulnerabilities in Node.js applications. Our goal is for this tool to be both effective (with low false negative and false positive rates) and efficient (with low overheads), so that it can be integrated into standard code review pipelines. To achieve this, we will combine dynamic taint tracking with dynamic symbolic execution, using the information collected by the symbolic execution component to drive the dynamic taint analysis. As a secondary goal, we plan to create a dataset of Node.js packages with known injection vulnerabilities on which to evaluate tools for detecting injection vulnerabilities in Node.js applications. We will use the proposed dataset to compare our tool against its main competitors.

Partnerships

  • INESC-ID (Other)
  • Instituto de Telecomunicações (IT) (Other) - Lisbon, Portugal

Principal Investigators

Members