DOI: 10.1145/2664243.2664276
research-article

NodeSentry: least-privilege library integration for server-side JavaScript

Published: 08 December 2014

ABSTRACT

Node.js is a popular JavaScript server-side framework with an efficient runtime for cloud-based event-driven architectures. Its strength is the presence of thousands of third-party libraries which allow developers to quickly build and deploy applications. These very libraries are a source of security threats as a vulnerability in one library can (and in some cases did) compromise one's entire server.

In order to support the least-privilege integration of libraries, we developed NodeSentry, the first security architecture for server-side JavaScript. Our policy enforcement infrastructure supports an easy deployment of web-hardening techniques and access control policies on interactions between libraries and their environment, including any dependent library.

We discuss the implementation of NodeSentry, and present its practical evaluation. For hundreds of concurrent clients, NodeSentry has the same capacity and throughput as plain Node.js. Only on a large scale, when Node.js itself yields to a heavy load, NodeSentry shows a limited overhead.


Published in

ACSAC '14: Proceedings of the 30th Annual Computer Security Applications Conference
December 2014
492 pages
ISBN: 9781450330053
DOI: 10.1145/2664243

Copyright © 2014 ACM


Publisher

Association for Computing Machinery, New York, NY, United States


Acceptance Rates

Overall acceptance rate: 104 of 497 submissions, 21%
