[Figure: module count over time; x-axis: Year, y-axis: Module Count]
Third-party code can be dangerous
● Recursive imports: 100s of third-party packages
● KLoCs: understanding/verifying the code is difficult, if not impossible

Third-party code can be dangerous
  Package      LoC
  lodash       44K
  request      48K
  async        55K
  underscore   1.5K
  express      15K
  natural      15K
  winston      6.6K
● Popularity: can cause widespread problems; O(10K) apps
Towards Fine-grained, Automated Application Compartmentalization
Nikos Vasilakis, Ben Karel, Nick Roessler, Nathan Dautenhahn, André DeHon, Jonathan M. Smith
University of Pennsylvania
Outline: 0. Problem; 1. Opportunity; 2. Transformations; 3. Policies; 4. Discussion
Idea/Outline: put modules into boxes
● Today: your device runs the app in a box, so that it doesn't mess with other apps
● Automated Transformations: decompose the app into multiple sub-apps; run each sub-app in its own box (boxes can be OS processes; arrows can be IPC pipes, etc.)
● Runtime Policies: control which features to "switch off"; the developer decides, not the library author (globals, compartment types, interconnects, etc.)
A blogging platform -- what could go wrong?

var dbc = require("./dbc.json");     // import database configuration
var ejs = require("ejs");            // import template rendering
function handler(req, res) {
  var m = require("minimatch");      // import glob-to-regex
  var result = m.test(/d/, req.body);
  // do something with result and db
  res.end();
}

Problem: ejs (module; client code) can read dbc:
● Cache of loaded modules
● Read globals/this (environment)
● Poison prototype chain (direct access)
● Import filesystem module: fs.read()
Problem: minimatch (module; client code) can DoS:
● Pathological regular expressions
Note: JS is a high-level, memory-safe language
Transformations: Automated Parameterizable Decomposition
Automated Transformations

var ba = require("breakapp")();      // change what require does
var dbc = require("./dbc.json");
var ejs = require("ejs");            // spawn a new compartment
function handler(req, res) {
  var m = require("minimatch");      // spawn a new compartment
  var result = m.test(/d/, req.body); // function calls are transformed into RPCs
  // do something with result and db
  res.end();
}
var minim = require("minimatch")   (before/default)
[Diagram: import statement → pkg]
var minim = require("minimatch")   (after/breakapp-enabled)
[Diagram: import statement → pkg, now in its own compartment]
Transformations recap
● Automated decomposition at the module boundary
● No tracing, no inference, no annotations, no manual rewrites
● Applications run as (special cases of) distributed systems
Policies: Optional Runtime Fine-Tuning
Optional Runtime Policies

var ba = require("breakapp")({type: ba.type.SBX});       // change default compartmentalization
var dbc = require("./dbc.json", {type: ba.type.NONE});    // do not spawn a compartment
var ejs = require("ejs", {type: ba.type.LXC});            // spawn in a Linux container
function handler(req, res) {
  var m = require("minimatch",
                  {type: ba.type.PROC, ctx: {dbc: dbc}}); // spawn a new process, share dbc
  var result = m.test(/d/, req.body);                     // function calls are transformed into RPCs
  // do something with result and db
  res.end();
}
var minim = require("minimatch", {type: ba.type.PROC, ipc: ba.ipc.UDS})   // per-module policy (with defaults)
[Diagram: import statement → pkg]
var ba = require("breakapp")({type: ba.type.SBX})                          // top-level policy (with defaults)
[Diagram: import statement → pkg]
Policies recap
● Optional fine-tuning of the performance/isolation trade-off
● No reliance on discovered vulnerabilities; the choice is made at deployment/runtime
● Backwards- and forwards-compatible policy expressions
Discussion: Decomposition Potential; Performance
  Application   Direct Modules  Total Modules  "Home" LoC  3rd-party LoC  LoC/File
  commands
    cash               15             84           1486          49201     13.84
    eslint             34            135         187801         187409     39.97
    yo                 30            301         107713         107564     18.45
  desktop
    popcorn            46            765          14304         423558     12.34
    twitter            10            120           2514         167253     41.29
    atom               57            358          15939         562491    107.1
  mobile
    hackernews          5            871            309         317261      6.42
    mattermost         17            521           6296         292149     21.37
    sockmarket         14             44           2440         201443    101.48
  server
    express            26             42          10159          11920     54.93
    ghost              62            981          42467         426249     19.35
    strider            64            659          21090         314924     30.41
  utility
    chalk               3              4            217            166     18.44
    natural             3              3          12483          15732     81.51
    winston             6              6           4274           6600     79.52
  avg.              26.13         326.27            28K           205K     43.09
[Figure: Benchmarks; x-axis: verbs, left-pad, left-pad-L, cash, chalk, debug, ejs, dns, nacl, nacl-L; y-axis: Latency (ms)]
Conclusion
● Opportunity: risky third-party modules, but clear boundaries of trust

Summary/Takeaways
● Idea: Automated Transformations + Runtime Policies
● Contrast: {Static, Dynamic} Analysis
● Future: can we make apps with many, possibly dangerous, third-party packages safer than their monolithic counterparts?
(more details in the paper)

Questions?
Thank you!