DOI: 10.1145/3579856.3590330
research-article
Open access

BinWrap: Hybrid Protection against Native Node.js Add-ons

Published: 10 July 2023

Abstract

Modern applications, written in high-level programming languages, enjoy the security benefits of memory and type safety. Unfortunately, even a single memory-unsafe library can wreak havoc on the rest of an otherwise safe application, nullifying all the security guarantees offered by the high-level language and its managed runtime. We perform a study across the Node.js ecosystem to understand the use patterns of binary add-ons. Taking the identified trends into account, we propose a new hybrid permission model aimed at protecting both a binary add-on and its language-specific wrapper. The permission model is applied all around a native add-on and is enforced through a hybrid language-binary scheme that interposes on accesses to sensitive resources from all parts of the native library. We infer the add-on’s permission set automatically over both its binary and JavaScript sides, via a set of novel program analyses. Applied to a wide variety of native add-ons, we show that our framework, BinWrap, reduces access to sensitive resources, defends against real-world exploits, and imposes an overhead that ranges between 0.71%–10.4%.

Cited By

  • (2024) ISLAB: Immutable Memory Management Metadata for Commodity Operating System Kernels. Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, pp. 1159-1172. DOI: 10.1145/3634737.3644994. Online publication date: 1-Jul-2024
  • (2023) NatiSand: Native Code Sandboxing for JavaScript Runtimes. Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 639-653. DOI: 10.1145/3607199.3607233. Online publication date: 16-Oct-2023
  • (2023) Lightweight Cloud Application Sandboxing. 2023 IEEE International Conference on Cloud Computing Technology and Science (CloudCom), pp. 139-146. DOI: 10.1109/CloudCom59040.2023.00033. Online publication date: 4-Dec-2023

Published In

ASIA CCS '23: Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security
July 2023
1066 pages
ISBN: 9798400700989
DOI: 10.1145/3579856
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Badges

  • Distinguished Paper

Author Tags

  1. Intel MPK/PKU
  2. Node.js
  3. native add-ons
  4. seccomp-BPF

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ASIA CCS '23
Acceptance Rates

Overall Acceptance Rate 418 of 2,322 submissions, 18%

Article Metrics

  • Downloads (Last 12 months): 387
  • Downloads (Last 6 weeks): 49
Reflects downloads up to 09 Nov 2024
