NodeSentry: Least-Privilege Library Integration for Server-Side JavaScript

Presentation pdf 257KB

Node.js is a popular JavaScript server-side framework with an efficient runtime for cloud-based event architectures. Its strength is the presence of thousands of third party libraries which allow developers to quickly build and deploy applications. These very libraries are a source of security threats as a vulnerability in one library can (and in some cases did) compromise one’s entire server.

In order to support the least-privilege integration of libraries we developed NodeSentry, the first security architecture for server-side JavaScript. Our policy enforcement infrastructure supports an easy deployment of web-hardening techniques and access control policies on interactions between libraries and their environment, including any dependent library.

We discuss the implementation of NodeSentry, and present its practical evaluation.
For hundreds of concurrent clients, NodeSentry has the same capacity and throughput of plain Node.js. Only on a large scale, when Node.js itself yields to a heavy load, NodeSentry shows a limited overhead.

Author(s):

Willem De Groef    
iMinds-DistriNet, KU Leuven
Belgium

Fabio Massacci    
University of Trento
Italy

Frank Piessens    
iMinds-DistriNet, KU Leuven
Belgium