NodeSentry: Least-privilege library integration for server-side JavaScript

W. De Groef, F. Massacci, F. Piessens

Research output: Chapter in Book / Report / Conference proceedingConference contributionAcademicpeer-review

Abstract

Node.js is a popular JavaScript server-side framework with an efficient runtime for cloud-based event-driven architectures. Its strength is the presence of thousands of third-party libraries which allow developers to quickly build and deploy applications. These very libraries are a source of security threats as a vulnerability in one library can (and in some cases did) compromise one s entire server. In order to support the least-privilege integration of libraries, we developed NodeSentry, the first security architecture for server-side JavaScript. Our policy enforcement infrastructure supports an easy deployment of web-hardening techniques and access control policies on interactions between libraries and their environment, including any dependent library. We discuss the implementation of NodeSentry, and present its practical evaluation. For hundreds of concurrent clients, NodeSentry has the same capacity and throughput as plain Node.js. Only on a large scale, when Node.js itself yields to a heavy load, NodeSentry shows a limited overhead.
Original languageEnglish
Title of host publicationProceedings - 30th Annual Computer Security Applications Conference, ACSAC 2014
PublisherAssociation for Computing Machinery
Pages446-455
DOIs
Publication statusPublished - 8 Dec 2014
Externally publishedYes
Event30th Annual Computer Security Applications Conference, ACSAC 2014 - New Orleans, United States
Duration: 8 Dec 201412 Dec 2014

Publication series

NameACM International Conference Proceeding Series

Conference

Conference30th Annual Computer Security Applications Conference, ACSAC 2014
Country/TerritoryUnited States
CityNew Orleans
Period8/12/1412/12/14

Fingerprint

Dive into the research topics of 'NodeSentry: Least-privilege library integration for server-side JavaScript'. Together they form a unique fingerprint.

Cite this