COINDEF: A Comprehensive Code Injection Defense for the Electron Framework
Zheng Yang, Simon Chung, Jizhou Chen, Runze Zhang, Brendan Saltaformaggio, Wenke Lee
IEEE Symposium on Security and Privacy 2025 · Day 3 · Systems Security and Access Control
The proliferation of desktop applications built on the **Electron framework** has brought convenience and cross-platform compatibility, but it has also introduced a critical security risk: a seemingly innocuous front-end code injection can escalate into full-fledged remote code execution (RCE). This talk, presented by Zheng Yang at IEEE S&P, introduces **COINDEF**, a novel defense mechanism designed to comprehensively protect Electron applications from such code injection attacks. The presentation opens with a stark reminder of this threat, citing a real-world incident in which an attacker leveraged a malicious link in a chat application to gain internal network access and steal $300,000 USD, an attack made possible by the unique architecture of Electron-like platforms.