Page 1: Year - TU Dortmund · express 26 42 10159 11920 54.93 server ghost 62 981 42467 426249 19.35 strider 64 659 21090 314924 30.41 chalk 3 4 217 166 18.44 utility natural 3 3 12483 15732
[Figure: module count per year (axes: Year, Module Count)]

Third-party code can be dangerous

● Recursive imports: 100s of third-party packages
● KLoCs: understanding/verifying code is difficult, even impossible

Package     LoC
lodash      44K
request     48K
async       55K
underscore  1.5K
express     15K
natural     15K
winston     6.6K

Popularity: can cause widespread problems; O(10K) apps


Towards Fine-grained, Automated Application Compartmentalization

Nikos Vasilakis, Ben Karel, Nick Roessler, Nathan Dautenhahn, André DeHon, Jonathan M. Smith
University of Pennsylvania

0. Problem; 1. Opportunity; 2. Transformations; 3. Policies; 4. Discussion


Idea/Outline: put modules into boxes

Today: your device runs the app in a box
● ...so that it doesn't mess with other apps

Automated Transformations:
● decompose app into multiple sub-apps
● run each sub-app in its own box
(boxes can be OS processes; arrows can be IPC pipes etc.)

Runtime Policies:
● control which features to "switch off"
● developer decides, not library author
(globals, compartment types, interconnects, etc.)


A Blogging platform -- what could go wrong?

var dbc = require("./dbc.json");          // import database configuration
var ejs = require("ejs");                 // import template rendering

function handler(req, res) {
  var m = require("minimatch");           // import glob-to-regex
  var result = m.test(/d/, req.body);     // (slide used "res" here, shadowing the response)
  // do something with result and db
  res.end();
}

Problem: ejs (module; client code) can read dbc:
● Cache of loaded modules
● Read globals/this (environment)
● Poison prototype chain (direct access)
● Import filesystem module: fs.read()

Problem: minimatch (module; client code) can DoS:
● Pathological regular expressions

Note: JS is a high-level, memory-safe language


Transformations: Automated Parameterizable Decomposition


Automated Transformations

var ba = require("breakapp")();           // change what require does
var dbc = require("./dbc.json");          // spawn a new compartment
var ejs = require("ejs");                 // spawn a new compartment

function handler(req, res) {
  var m = require("minimatch");           // spawn a new compartment; transform function calls to RPCs
  var result = m.test(/d/, req.body);
  // do something with result and db
  res.end();
}


[Figure: import statement -> pkg, before/default vs after/breakapp-enabled]

var minim = require("minimatch")   (before/default)
var minim = require("minimatch")   (after/breakapp-enabled)

Transformations recap

● Automated decomposition at the module boundary
● No tracing, no inference, no annotations, no manual rewrites
● Applications run as (special cases of) distributed systems


Policies: Optional Runtime Fine-Tuning


Optional Runtime Policies

var ba = require("breakapp")({type: ba.type.SBX});      // change default compartmentalization
var dbc = require("./dbc.json", {type: ba.type.NONE});  // do not spawn compartment
var ejs = require("ejs", {type: ba.type.LXC});          // spawn in Linux container

function handler(req, res) {
  var m = require("minimatch",
                  {type: ba.type.PROC, ctx: {dbc: dbc}}); // spawn new process, share dbc;
                                                           // transform function calls to RPCs
  var result = m.test(/d/, req.body);
  // do something with result and db
  res.end();
}


[Figure: import statement -> pkg, per-module and top-level policy]

var minim = require("minimatch", {type: ba.type.PROC, ipc: ba.ipc.UDS})   (per-module policy, with defaults)
var ba = require("breakapp")({type: ba.type.SBX})                          (top-level policy, with defaults)

Policies recap

● Optional fine-tuning of the performance/isolation trade-off
● No reliance on discovered vulnerabilities; choice at deployment/runtime
● Backwards- and forwards-compatible policy expressions


Discussion: Decomposition Potential; Performance


Application      Direct    Total     "Home"    3rd-party   LoC/File
                 Modules   Modules   LoC       LoC
commands
  cash              15        84       1486      49201      13.84
  eslint            34       135     187801     187409      39.97
  yo                30       301     107713     107564      18.45
desktop
  popcorn           46       765      14304     423558      12.34
  twitter           10       120       2514     167253      41.29
  atom              57       358      15939     562491     107.1
mobile
  hackernews         5       871        309     317261       6.42
  mattermost        17       521       6296     292149      21.37
  sockmarket        14        44       2440     201443     101.48
server
  express           26        42      10159      11920      54.93
  ghost             62       981      42467     426249      19.35
  strider           64       659      21090     314924      30.41
utility
  chalk              3         4        217        166      18.44
  natural            3         3      12483      15732      81.51
  winston            6         6       4274       6600      79.52
avg.             26.13    326.27        28K       205K      43.09


Benchmarks

[Figure: latency (ms) per benchmark: verbs, left-pad, left-pad-L, cash, chalk, debug, ejs, dns, nacl, nacl-L]


Conclusion

Summary/Takeaways

● Opportunity: risky third-party modules but clear boundaries of trust
● Idea: Automated Transformations + Runtime Policies
● Contrast: {Static, Dynamic} Analysis

Questions?

Future: can we make apps with many, possibly dangerous, third-party packages be safer than their monolithic counterparts?

(more details in the paper)


Thank you!