BinWrap: Hybrid Protection against Native Node.js Add-ons

Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security Pub Date : 2023-07-10 DOI:10.1145/3579856.3590330

G. Christou, Grigoris Ntousakis, Eric Lahtinen, S. Ioannidis, V. Kemerlis, Nikos Vasilakis

{"title":"BinWrap: Hybrid Protection against Native Node.js Add-ons","authors":"G. Christou, Grigoris Ntousakis, Eric Lahtinen, S. Ioannidis, V. Kemerlis, Nikos Vasilakis","doi":"10.1145/3579856.3590330","DOIUrl":null,"url":null,"abstract":"Modern applications, written in high-level programming languages, enjoy the security benefits of memory and type safety. Unfortunately, even a single memory-unsafe library can wreak havoc on the rest of an otherwise safe application, nullifying all the security guarantees offered by the high-level language and its managed runtime. We perform a study across the Node.js ecosystem to understand the use patterns of binary add-ons. Taking the identified trends into account, we propose a new hybrid permission model aimed at protecting both a binary add-on and its language-specific wrapper. The permission model is applied all around a native add-on and is enforced through a hybrid language-binary scheme that interposes on accesses to sensitive resources from all parts of the native library. We infer the add-on’s permission set automatically over both its binary and JavaScript sides, via a set of novel program analyses. Applied to a wide variety of native add-ons, we show that our framework, BinWrap, reduces access to sensitive resources, defends against real-world exploits, and imposes an overhead that ranges between 0.71%–10.4%.","PeriodicalId":156082,"journal":{"name":"Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security","volume":"13 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2023-07-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3579856.3590330","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 2

Abstract

Modern applications, written in high-level programming languages, enjoy the security benefits of memory and type safety. Unfortunately, even a single memory-unsafe library can wreak havoc on the rest of an otherwise safe application, nullifying all the security guarantees offered by the high-level language and its managed runtime. We perform a study across the Node.js ecosystem to understand the use patterns of binary add-ons. Taking the identified trends into account, we propose a new hybrid permission model aimed at protecting both a binary add-on and its language-specific wrapper. The permission model is applied all around a native add-on and is enforced through a hybrid language-binary scheme that interposes on accesses to sensitive resources from all parts of the native library. We infer the add-on’s permission set automatically over both its binary and JavaScript sides, via a set of novel program analyses. Applied to a wide variety of native add-ons, we show that our framework, BinWrap, reduces access to sensitive resources, defends against real-world exploits, and imposes an overhead that ranges between 0.71%–10.4%.

查看原文本刊更多论文

BinWrap:针对本地Node.js附加组件的混合保护

用高级编程语言编写的现代应用程序享有内存和类型安全带来的安全优势。不幸的是，即使一个内存不安全的库也会对其他安全的应用程序造成严重破坏，使高级语言及其托管运行时提供的所有安全保证无效。我们对Node.js生态系统进行了研究，以了解二进制附加组件的使用模式。考虑到已确定的趋势，我们提出了一种新的混合权限模型，旨在保护二进制附加组件及其特定于语言的包装器。权限模型应用于所有本地附加组件，并通过混合语言-二进制方案强制执行，该方案干预对来自本地库所有部分的敏感资源的访问。通过一组新颖的程序分析，我们自动推断出附加组件在二进制和JavaScript方面的权限集。应用于各种各样的本地附加组件，我们表明我们的框架BinWrap减少了对敏感资源的访问，防御了真实世界的攻击，并施加了0.71%-10.4%的开销。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security

自引率

0.00%

发文量