Obuhersys is a dynamic analysis framework for detecting cryptographic API misuses in NodeJS software.
It features two methods to dynamically log API misuses at runtime with low overhead:
- ofunc, which injects logging calls by applying AST transformations to the source code, and
- oproxy, which injects logging calls by wrapping the Node standard library using JavaScript's Proxy class.
The output of either logger can then be run through our checker and ruleset to report any API misuses!
It also features a benchmark for cryptographic API misuse detection in NodeJS which is a port of the wonderful CamBench Analysis Capabilities benchmark written for Java.
In the future, this project will be published to npm with an easy-to-use CLI. For now, use a local installation.
First, clone the repository:
```sh
gh repo clone pbrucla/obuhersys
cd obuhersys
pnpm install
```
Next, build each subproject:
```sh
pnpm build
# shell variables to be used later
export oproxy=$(realpath oproxy/)
export ofunc=$(realpath ofunc/)
export ocheck=$(realpath ocheck/)
```
Ensure you are using node v20 or higher:
```sh
nvm use 20
```
Navigate to the directory containing your JavaScript project. First, make a logs directory:
```sh
mkdir -p logs
```
Then choose between oproxy and ofunc for dynamic analysis. Both should produce identical results, although oproxy is slightly faster than ofunc.
To use oproxy (recommended):
```sh
node --import $oproxy/dist/index.js yourentrypoint.js
```
To use ofunc:
```sh
node --import $ofunc/dist/index.js yourentrypoint.js
```
After running the dynamic analysis, a log file will be created in logs/ for analysis.
The command below will check the log and output the violations found:
```sh
node $ocheck/dist/index.js -c $ocheck/dist/checks.js <your log file>
```
Developed by Psi Beta Rho @ UCLA