Title: NodeSentry: Least-privilege library integration for server-side JavaScript
Authors: De Groef, Willem
Massacci, Fabio
Piessens, Frank
Issue Date: 8-Dec-2014
Publisher: ACM
Host Document: Proceedings of the 30th Annual Computer Security Applications Conference (ACSAC 2014) pages:446-455
Series Title: ACSAC '14
Conference: Annual Computer Security Applications Conference edition:30 location:New Orleans, Louisiana date:8-12 December 2014
Abstract: Node.js is a popular JavaScript server-side framework with an efficient runtime for cloud-based event-driven architectures. Its strength is the presence of thousands of third-party libraries which allow developers to quickly build and deploy applications. These very libraries are a source of security threats as a vulnerability in one library can (and in some cases did) compromise one's entire server.

In order to support the least-privilege integration of libraries, we developed NodeSentry, the first security architecture for server-side JavaScript. Our policy enforcement infrastructure supports an easy deployment of web-hardening techniques and access control policies on interactions between libraries and their environment, including any dependent library.

We discuss the implementation of NodeSentry, and present its practical evaluation. For hundreds of concurrent clients, NodeSentry has the same capacity and throughput as plain Node.js. Only on a large scale, when Node.js itself yields to a heavy load, NodeSentry shows a limited overhead.
ISBN: 978-1-4503-3005-3
Publication status: published
KU Leuven publication type: IC
Appears in Collections:Informatics Section

Files in This Item:
File Description Status SizeFormat
acsac2014_nodesentry.pdf Published 318KbAdobe PDFView/Open
acsac2014_nodesentry_presentation.pdf Published 257KbAdobe PDFView/Open


All items in Lirias are protected by copyright, with all rights reserved.