HODOR: Reducing Attack Surface on Node.js via System Call Limitation
Node.js developers can significantly reduce attack surface with HODOR, a system-call-level protection system that uses cross-language program analysis to filter out the system calls an application never needs, and so limits what an exploit can do once it runs.
- Node.js is a cross-platform JavaScript runtime environment that has revolutionized the way web applications are built.
- Existing efforts to reduce attack surface with program analysis are insufficient for Node.js: they do not account for arbitrary code or command injection.
- HODOR is presented: a system-call-level protection system for Node.js applications that enforces security at the third-party package level and at the system call level.
- HODOR uses cross-language (JavaScript and C/C++) program analysis to generate a precise list of the system calls an application requires, and context-sensitive analysis to identify the system calls that can be safely filtered out.
- The list is split into the system calls required by the main thread and those required by the libuv thread pool threads, and a separate filter is installed on each kind of thread accordingly.
- Optimizing the C/C++ call graph construction reduces the set of permitted system calls by 71%.
- Optimizing the JavaScript call graph construction uncovers hidden required system calls in 23% of packages.
- HODOR mitigates the execution of 73% of the evaluated exploits and reduces the attack surface of Node.js applications to roughly 20% of the available system calls.
- The seccomp mechanism mitigates arbitrary code or command injection by restricting the set of system calls available to a given application: an injected payload that needs a system call outside the allowlist cannot complete.
- HODOR does not affect the normal operation of the application.
- HODOR is lightweight and can be integrated into the Node.js runtime with little effort.
- HODOR reduces the attack surface of the main thread to 19% and of the thread pool threads to 7%.
- Dependency relations let a single malicious package expand into a large attack surface for every application that depends on it.
- In the motivating example, the attacker exploits the vulnerability by injecting arbitrary shell commands into the `execute` method (line 15 of the example code).
- HODOR is a novel protection mechanism for Node.js applications that enforces security at the third-party package level and at the system call level.
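The following C program is an added example, not HODOR's own code, showing the mechanism the notes describe: two different seccomp-BPF allowlists, one installed on a worker thread that stands in for a libuv pool thread and one installed on the main thread. The allowlists (`base_calls`, `main_extra`, `pool_extra`) are constructed for illustration rather than produced by any call-graph analysis, and the function names (`build_allowlist`, `install_role`, `probe_execve`, `probe_socket`) are mine. Neither list contains `execve`, so the shell command injected into `execute` in the motivating example would have nothing to run with; only the main thread's list contains `socket`. It assumes Linux on x86-64 or AArch64 and an unprivileged process.

```c
/* Per-thread seccomp-BPF allowlists, in the style HODOR installs for the Node.js main
 * thread and the libuv thread pool. Added example with constructed lists; not HODOR code. */
#define _GNU_SOURCE 1
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>
long syscall(long number, ...); /* in case <unistd.h> was already included without _GNU_SOURCE */
#ifdef __aarch64__
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#define ARCH_NR AUDIT_ARCH_X86_64 /* adjust for other architectures */
#endif
#define MAX_CALLS 200 /* cBPF jump offsets are 8-bit, so keep lists well under 255 */
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))
/* Constructed lists; in HODOR they come out of the cross-language call-graph analysis. */
static const int base_calls[] = { /* what the C runtime needs on every thread in this demo */
    SYS_read, SYS_write, SYS_close, SYS_lseek, SYS_mmap, SYS_mprotect, SYS_munmap, SYS_brk,
    SYS_rt_sigaction, SYS_rt_sigprocmask, SYS_rt_sigreturn, SYS_futex, SYS_exit, SYS_exit_group,
    SYS_getpid, SYS_gettid, SYS_tgkill, SYS_madvise, SYS_prctl, SYS_openat, SYS_fcntl, SYS_ioctl,
    SYS_getrandom, SYS_newfstatat, SYS_fstat, SYS_set_robust_list, SYS_clone };
/* Main thread: the event loop owns the network sockets. Pool threads: blocking file work.
 * execve is on neither list, so an injected shell command has nothing to run with. */
static const int main_extra[] = { SYS_socket, SYS_bind, SYS_listen, SYS_accept4, SYS_connect };
static const int pool_extra[] = { SYS_pread64, SYS_pwrite64, SYS_fsync, SYS_getdents64 };

/* cBPF allowlist: listed nr -> ALLOW, any other nr -> EPERM, foreign ABI -> kill.
 * Returns the instruction count, or -1 if the list does not fit. */
static int build_allowlist(const int *nrs, size_t n, struct sock_filter *out, size_t cap)
{
    size_t k = 0;
    if (n > MAX_CALLS || n + 6 > cap) return -1;
    out[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    out[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < n; i++) /* on a match, jump past the remaining compares and the deny */
        out[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)nrs[i], (unsigned char)(n - i), 0);
    out[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    out[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return (int)k;
}

/* Install base + role list on the calling thread only (no TSYNC), which is what lets the
 * main thread and each pool thread carry different filters. role: 0 = main, 1 = pool. */
static int install_role(int role)
{
    int list[MAX_CALLS];
    struct sock_filter insns[MAX_CALLS + 6];
    const int *extra = role ? pool_extra : main_extra;
    size_t nb = COUNT(base_calls), ne = role ? COUNT(pool_extra) : COUNT(main_extra);
    if (nb + ne > MAX_CALLS) return -1;
    memcpy(list, base_calls, nb * sizeof *list);
    memcpy(list + nb, extra, ne * sizeof *list);
    int len = build_allowlist(list, nb + ne, insns, COUNT(insns));
    if (len < 0) return -1;
    struct sock_fprog prog = { .len = (unsigned short)len, .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* required without CAP_SYS_ADMIN */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);    /* the kernel copies the program */
}
/* Probes return errno: EPERM means the filter refused the call before the kernel saw it;
 * execve("") that does reach the kernel fails with ENOENT, so the process is never replaced. */
static int probe_execve(void)
{
    return syscall(SYS_execve, "", (char *const[]){ NULL }, (char *const[]){ NULL }) < 0 ? errno : 0;
}
static int probe_socket(void)
{
    long fd = syscall(SYS_socket, AF_UNIX, SOCK_STREAM, 0);
    return fd < 0 ? errno : (close((int)fd), 0);
}

static void *pool_thread(void *arg) /* stands in for a libuv worker thread */
{
    int *r = arg;
    r[0] = install_role(1);
    r[1] = probe_socket(); /* EPERM: sockets are not on the pool list */
    r[2] = probe_execve(); /* EPERM: execve is on no list at all */
    return NULL;
}
int main(void)
{
    int pool[3], ok;
    pthread_t t;
    if (pthread_create(&t, NULL, pool_thread, pool) != 0 || pthread_join(t, NULL) != 0) return 1;
    ok = install_role(0); /* the main thread gets its own, different filter */
    printf("pool thread: install=%d socket=%s execve=%s\n", pool[0], strerror(pool[1]), strerror(pool[2]));
    printf("main thread: install=%d socket=%s execve=%s\n", ok, strerror(probe_socket()), strerror(probe_execve()));
    return 0;
}
```

Build with `cc -pthread`. A seccomp filter attaches to the thread that installs it, so the worker's EPERM results do not leak onto the main thread, and the main thread can keep `socket` while the pool thread cannot; that per-thread attachment is what the main-thread/thread-pool split in the notes relies on. Using `SECCOMP_RET_ERRNO` rather than a kill action is what makes the probes observable; a production deployment would more likely kill or log on a refused call.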