Year - TU Dortmund
[Chart: Module Count by Year]
Third-party code can be dangerous
● Recursive imports: 100s of third-party packages
● KLoCs: understanding/verifying the code is difficult, if not impossible

| Package | LoC |
|---|---|
| lodash | 44K |
| request | 48K |
| async | 55K |
| underscore | 1.5K |
| express | 15K |
| natural | 15K |
| winston | 6.6K |

● Popularity: can cause widespread problems; O(10K) apps
Towards Fine-grained, Automated Application Compartmentalization
Nikos Vasilakis, Ben Karel, Nick Roessler, Nathan Dautenhahn, André DeHon, Jonathan M. Smith
0. Problem; 1. Opportunity; 2. Transformations; 3. Policies; 4. Discussion
University of Pennsylvania
Idea/Outline: put modules into boxes
Today: your device runs the app in a box
● ...so that it does not interfere with other apps
Automated Transformations:
● decompose the app into multiple sub-apps
● run each sub-app in its own box
(boxes can be OS processes; arrows can be IPC pipes, etc.)
Runtime Policies:
● control which features to "switch off"
● the developer decides, not the library author
(globals, compartment types, interconnects, etc.)
A blogging platform -- what could go wrong?

```javascript
var dbc = require("./dbc.json");   // import database configuration
var ejs = require("ejs");          // import template rendering
function handler(req, res) {
  var m = require("minimatch");    // import glob-to-regex
  var match = m.test(/d/, req.body);
  // do something with the result and the db
  res.end();
}
```

Problem: ejs (module; client code) can read dbc:
● cache of loaded modules
● read globals/this (environment)
● poison the prototype chain (direct access)
● import the filesystem module: fs.read()
Problem: minimatch (module; client code) can DoS:
● pathological regular expressions
Note: JS is a high-level, memory-safe language
Transformations: Automated, Parameterizable Decomposition

Automated Transformations

```javascript
var ba = require("breakapp")();     // change what require does
var dbc = require("./dbc.json");
var ejs = require("ejs");           // spawn a new compartment
function handler(req, res) {
  var m = require("minimatch");     // spawn a new compartment; function calls become RPCs
  var match = m.test(/d/, req.body);
  // do something with the result and the db
  res.end();
}
```
[Figure: var minim = require("minimatch") -- before/default vs. after/breakapp-enabled: import statement -> pkg]
Transformations recap
● Automated decomposition at the module boundary
● No tracing, no inference, no annotations, no manual rewrites
● Applications run as (special cases of) distributed systems
Policies: Optional Runtime Fine-Tuning

Optional Runtime Policies

```javascript
var ba = require("breakapp")({type: ba.type.SBX});     // change the default compartmentalization
var dbc = require("./dbc.json", {type: ba.type.NONE}); // do not spawn a compartment
var ejs = require("ejs", {type: ba.type.LXC});         // spawn in a Linux container
function handler(req, res) {
  var m = require("minimatch",
                  {type: ba.type.PROC, ctx: {dbc: dbc}}); // spawn a new process, share dbc; calls become RPCs
  var match = m.test(/d/, req.body);
  // do something with the result and the db
  res.end();
}
```
[Figure: per-module policy (with defaults): var minim = require("minimatch", {type: ba.type.PROC, ipc: ba.ipc.UDS}); top-level policy (with defaults): var ba = require("breakapp")({type: ba.type.SBX}); import statement -> pkg]
Policies recap
● Optional fine-tuning of the performance/isolation trade-off
● No reliance on discovered vulnerabilities; the choice is made at deployment/runtime
● Backwards- and forwards-compatible policy expressions
Discussion: Decomposition Potential; Performance

| Category | Application | Direct Modules | Total Modules | "Home" LoC | 3rd-party LoC | LoC/File |
|---|---|---|---|---|---|---|
| commands | cash | 15 | 84 | 1486 | 49201 | 13.84 |
| commands | eslint | 34 | 135 | 187801 | 187409 | 39.97 |
| commands | yo | 30 | 301 | 107713 | 107564 | 18.45 |
| commands | popcorn | 46 | 765 | 14304 | 423558 | 12.34 |
| desktop | twitter | 10 | 120 | 2514 | 167253 | 41.29 |
| desktop | atom | 57 | 358 | 15939 | 562491 | 107.1 |
| desktop | hackernews | 5 | 871 | 309 | 317261 | 6.42 |
| mobile | mattermost | 17 | 521 | 6296 | 292149 | 21.37 |
| mobile | sockmarket | 14 | 44 | 2440 | 201443 | 101.48 |
| server | express | 26 | 42 | 10159 | 11920 | 54.93 |
| server | ghost | 62 | 981 | 42467 | 426249 | 19.35 |
| server | strider | 64 | 659 | 21090 | 314924 | 30.41 |
| utility | chalk | 3 | 4 | 217 | 166 | 18.44 |
| utility | natural | 3 | 3 | 12483 | 15732 | 81.51 |
| utility | winston | 6 | 6 | 4274 | 6600 | 79.52 |
| | avg. | 26.13 | 326.27 | 28K | 205K | 43.09 |
![Page 17: Year - TU Dortmund · express 26 42 10159 11920 54.93 server ghost 62 981 42467 426249 19.35 strider 64 659 21090 314924 30.41 chalk 3 4 217 166 18.44 utility natural 3 3 12483 15732](https://reader035.fdocuments.us/reader035/viewer/2022070815/5f0f2e4c7e708231d442e33e/html5/thumbnails/17.jpg)
verbs left-pad left-pad-L cash chalk debug ejs dns nacl nacl-L
Benchmarks
Late
ncy
(ms)
![Page 18: Year - TU Dortmund · express 26 42 10159 11920 54.93 server ghost 62 981 42467 426249 19.35 strider 64 659 21090 314924 30.41 chalk 3 4 217 166 18.44 utility natural 3 3 12483 15732](https://reader035.fdocuments.us/reader035/viewer/2022070815/5f0f2e4c7e708231d442e33e/html5/thumbnails/18.jpg)
Conclusion
Summary/Takeaways
● Opportunity: risky third-party modules, but clear boundaries of trust
● Idea: Automated Transformations + Runtime Policies
● Contrast: {Static, Dynamic} Analysis
● Future: can we make apps with many, possibly dangerous, third-party packages safer than their monolithic counterparts?
Questions? (more details in the paper)
Thank you!