TY - GEN
T1 - NodeSentry
T2 - 30th Annual Computer Security Applications Conference, ACSAC 2014
AU - De Groef, W.
AU - Massacci, F.
AU - Piessens, F.
PY - 2014/12/8
Y1 - 2014/12/8
N2 - Node.js is a popular JavaScript server-side framework with an efficient runtime for cloud-based event-driven architectures. Its strength is the presence of thousands of third-party libraries which allow developers to quickly build and deploy applications. These very libraries are a source of security threats as a vulnerability in one library can (and in some cases did) compromise one s entire server. In order to support the least-privilege integration of libraries, we developed NodeSentry, the first security architecture for server-side JavaScript. Our policy enforcement infrastructure supports an easy deployment of web-hardening techniques and access control policies on interactions between libraries and their environment, including any dependent library. We discuss the implementation of NodeSentry, and present its practical evaluation. For hundreds of concurrent clients, NodeSentry has the same capacity and throughput as plain Node.js. Only on a large scale, when Node.js itself yields to a heavy load, NodeSentry shows a limited overhead.
AB - Node.js is a popular JavaScript server-side framework with an efficient runtime for cloud-based event-driven architectures. Its strength is the presence of thousands of third-party libraries which allow developers to quickly build and deploy applications. These very libraries are a source of security threats as a vulnerability in one library can (and in some cases did) compromise one s entire server. In order to support the least-privilege integration of libraries, we developed NodeSentry, the first security architecture for server-side JavaScript. Our policy enforcement infrastructure supports an easy deployment of web-hardening techniques and access control policies on interactions between libraries and their environment, including any dependent library. We discuss the implementation of NodeSentry, and present its practical evaluation. For hundreds of concurrent clients, NodeSentry has the same capacity and throughput as plain Node.js. Only on a large scale, when Node.js itself yields to a heavy load, NodeSentry shows a limited overhead.
U2 - 10.1145/2664243.2664276
DO - 10.1145/2664243.2664276
M3 - Conference contribution
T3 - ACM International Conference Proceeding Series
SP - 446
EP - 455
BT - Proceedings - 30th Annual Computer Security Applications Conference, ACSAC 2014
PB - Association for Computing Machinery
Y2 - 8 December 2014 through 12 December 2014
ER -