A Sense of Time for JavaScript and Node.js

Similar documents
A Sense of Time for Node.js: Timeouts as a Cure for Event Handler Poisoning

Event Handler Poisoning: Attacks and Defenses

Green Hills Software, Inc.

NODE.JS MOCK TEST NODE.JS MOCK TEST I

JS Event Loop, Promises, Async Await etc. Slava Kim

Micro-Architectural Attacks and Countermeasures

Web Application Development

EbbRT: A Framework for Building Per-Application Library Operating Systems

Microservices with Node.js

DNParallel - Version: 3. TPL Dataflow

C and C++ Secure Coding 4-day course. Syllabus

SMD149 - Operating Systems

SEDA: An Architecture for Well-Conditioned, Scalable Internet Services

Full Stack boot camp

Introduction to Asynchronous Programming Fall 2014

Inside core.async Channels. Rich Hickey

Smashing Node.JS: JavaScript Everywhere

Course 834 EC-Council Certified Secure Programmer Java (ECSP)

Threads, Synchronization, and Scheduling. Eric Wu

CS A331 Programming Language Concepts

node.js A quick tour (v4)

Evaluating BFT Protocols for Spire

Tutorial 8 Build resilient, responsive and scalable web applications with SocketPro

Intrusion prevention systems are an important part of protecting any organisation from constantly developing threats.

Real-Time Operating Systems Issues. Realtime Scheduling in SunOS 5.0

DSP/BIOS Kernel Scalable, Real-Time Kernel TM. for TMS320 DSPs. Product Bulletin

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

Curriculum 2013 Knowledge Units Pertaining to PDC

Orleans. Actors for High-Scale Services. Sergey Bykov extreme Computing Group, Microsoft Research

Threads. CS3026 Operating Systems Lecture 06

Thread Pools SE 441. Prof. Bullinger

Smart Attacks require Smart Defence Moving Target Defence

MANAGING ASYNCHRONY. An Application Perspective

AUTOBEST: A United AUTOSAR-OS And ARINC 653 Kernel. Alexander Züpke, Marc Bommert, Daniel Lohmann

Self Checking Network Protocols: A Monitor Based Approach

Embedded Systems Programming

CISQ Weakness Descriptions

PROCESSES AND THREADS THREADING MODELS. CS124 Operating Systems Winter , Lecture 8

Angular 2 Programming

Comprehensive AngularJS Programming (5 Days)

Multiprocessor and Real- Time Scheduling. Chapter 10

CS 160: Interactive Programming

CMSC 433 Programming Language Technologies and Paradigms. Concurrency

Engineering Your Software For Attack

Node.js. Node.js Overview. CS144: Web Applications

Multiprocessor and Real-Time Scheduling. Chapter 10

Design and Performance of an Asynchronous Method handling Mechanism for CORBA

AWS Lambda + nodejs Hands-On Training

OS Extensibility: SPIN and Exokernels. Robert Grimm New York University

Motivation. Threads. Multithreaded Server Architecture. Thread of execution. Chapter 4

Chapter 6 Concurrency: Deadlock and Starvation

7/20/2008. What Operating Systems Do Computer-System Organization

Java Concurrency in practice Chapter 9 GUI Applications

Produced by. Design Patterns. MSc in Computer Science. Eamonn de Leastar

A Scalable Event Dispatching Library for Linux Network Servers

Asynchronous I/O: A Case Study in Python

Threads Questions Important Questions

Lecture Notes: Unleashing MAYHEM on Binary Code

20480C: Programming in HTML5 with JavaScript and CSS3. Course Code: 20480C; Duration: 5 days; Instructor-led. JavaScript code.

3.1 Introduction. Computers perform operations concurrently

Process Description and Control

CS193X: Web Programming Fundamentals

SentinelOne Technical Brief

MRCP. Client Integration Manual. Developer Guide. Powered by Universal Speech Solutions LLC

Tasks. Task Implementation and management

Announcements. me your survey: See the Announcements page. Today. Reading. Take a break around 10:15am. Ack: Some figures are from Coulouris

Lightstreamer. The Streaming-Ajax Revolution. Product Insight

Copyright

Enhanced Ethernet Switching Technology. Time Applications. Rui Santos 17 / 04 / 2009

Page 1. Analogy: Problems: Operating Systems Lecture 7. Operating Systems Lecture 7

Threads Chapter 5 1 Chapter 5

sottotitolo System Security Introduction Milano, XX mese 20XX A.A. 2016/17 Federico Reghenzani

Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor

Extensible Network Security Services on Software Programmable Router OS. David Yau, Prem Gopalan, Seung Chul Han, Feng Liang

Node.js. Could a few lines of code it all up? Head of AppSec Research

Priya Narasimhan. Assistant Professor of ECE and CS Carnegie Mellon University Pittsburgh, PA

Asynchronous JS. SWE 432, Fall Web Application Development

Outline. Introduction. Survey of Device Driver Management in Real-Time Operating Systems

Implementing Scheduling Algorithms. Real-Time and Embedded Systems (M) Lecture 9

Mobile Trends And The New Threats Is Your SAP System Vulnerable to Cyber Attacks? Stephen Lamy, Virtual Forge

CHAPTER 2: PROCESS MANAGEMENT

AmbientTalk: Object-oriented Event-driven programming in Mobile Ad hoc Networks

Real-Time and Embedded Systems (M) Lecture 19

Guido van Rossum 9th LASER summer school, Sept. 2012

SentinelOne Technical Brief

Processes and Threads. Processes: Review

Messaging Framework Module Guide

Yielding, General Switching. November Winter Term 2008/2009 Gerd Liefländer Universität Karlsruhe (TH), System Architecture Group

Java vs JavaScript. For Enterprise Web Applications. Chris Bailey IBM Runtime Technologies IBM Corporation

Providing Real-Time and Fault Tolerance for CORBA Applications

1 About Web Security. What is application security? So what can happen? see [?]

ZiLOG Real-Time Kernel Version 1.2.0

Lecture 2 Process Management

Business Logic Attacks BATs and BLBs

18. Devices and Interrupts

2. Introduction to Software for Embedded Systems

CIS 5373 Systems Security

SpecPaxos. James Connolly && Harrison Davis

HPX. High Performance ParalleX CCT Tech Talk Series. Hartmut Kaiser

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Transcription:

A Sense of Time for JavaScript and Node.js First-Class Timeouts as a Cure for Event Handler Poisoning James C. Davis Eric R. Williamson Dongyoon Lee COMPUTER SCIENCE - 1 -

Contributions Attack: Event Handler Poisoning Definition Analysis Detect + recover: First-Class Timeouts Concept Prototype Engagement with the Node.js community Guide Core APIs: Documentation and repairs - 2 -

Node.js: A JS framework for web services 7M+ developers (2017) 2x YoY 760K+ modules (Aug. 2018) 2x YoY 24B+ module downloads/month (July 2018) 12x YoY - 3 -

Web server architectures - 4 -

One Thread per Client Architecture (OTPCA) Req A Req B Dispatcher Client A Thread pool (1000s of threads) Res A Res B Client B Each client gets its own worker thread Multithreading enables scalability Example: - 5 -

Event-Driven Architecture (EDA) Req A Req B Event Q Event loop (single-threaded) CB A1 Task Q Worker pool (k threads) Res B CB B1 Done Q Task B1 Res A CB A3 Clients multiplexed; shared threads reduce threading overhead Cooperative multitasking via (1) Partitioning and (2) Offloading Example: - 6 -

Server architecture dictates programming style OTPCA Preemptive multi-tasking Synchronous def servefile(req): cont = readfile(req.file) z = zip(cont) e = encrypt(z) return e EDA Cooperative multi-tasking Asynchronous def servefile(req): cont = await readfile(req.file) z = await zip(cont) e = await encrypt(z) return e - 7 -

Event Handler Poisoning Attacks (EHP) - 8 -

The EDA gains efficiency, loses isolation Architecture Threads # Threads Multi-tasking OTPCA Dedicated Thousands Preemptive EDA Shared Tens Cooperative Event Handlers = limited resource Exhaust resource à DoS - 9 -

Behavior during EHP attack on the Event Loop Req A Req B Event Q Event loop (single-threaded) CB A1 Task Q Worker pool (k threads) Done Q Event loop is poisoned Throughput drops to zero On the worker pool: k malicious requests - 10 -

Vulnerable server def servefile(name): if name.match(/(\/.+)+$/): readfile(name).then(... ) IO-DoS Arbitrary file read ReDoS Super-linear regex - 11 -

ReDoS-based EHP attack Throughput (reqs/sec) 3000 2500 2000 1500 1000 500 0 Inject malicious input during steady-state 0 1 2 3 4 5 6 Time (seconds) Baseline REDOS NodeCure REDOS TimeoutException delivered - 12 -

35% of NPM vulnerabilities enable EHP 266 IO-DoS Directory Traversal (CWE 22) Cross-Site Scripting (CWE 79) Man in the Middle (CWE 300) Denial of Service (CWE 400) Command Injection (CWE 77) Malicious Package (CWE 506) Information Exposure (CWE 201) Improper Authentication (CWE Other (CWEs 330, 208, 601, 90, ) EHP Not EHP 115 ReDoS 0 50 100 150 200 250 300-13 -

What should we do about EHP? - 14 -

Naïve 1: Restart the server Idea Heartbeat on each Event Handler If any heartbeats fail, restart the server Problems Every connected client gets DoS d Repeat attacks - 15 -

Naïve 2: Prevent through partitioning def sum(l): s = 0 for n in L: s += n return s Short L Long L async def sum(l): s = 0 until done: s += <10 numbers> yield return s Yield! Yield! + Long L = - 16 -

Partitioning is partial and ad hoc Only protects code under the application dev. s control Not modules Not framework Not language Good for algorithms but how to meaningfully partition I/O? Ongoing maintenance burden - 17 -

Our proposed solution: First-Class Timeouts - 18 -

First-Class Timeouts Analogy Buffer overflow à Out of bounds exception EDA time overflow à Timeout exception Idea Time-aware cooperative multi-tasking Bound the synchronous time of every Callback and Task Deliver a TimeoutException if this bound is exceeded Analysis Soundly defeats EHP attacks Straightforward refactoring: try-catch in Promise chains Non-destructive: Existing clients unharmed - 19 -

Node.cure Design and Evaluation - 20 -

Desired behavior Event Handler Old behavior New behavior Event Loop Unbounded execution Throw TimeoutException Worker Pool '' Return TimeoutException - 21 -

Adding first-class timeouts to Node.js V8 Application JS Engine Node.js libs JS Time-aware JS TimeoutException Interrupt handler C++ Event-ing Event loop libuv Worker pool Time-aware Event Loop Timeout Watchdog Monitor CB entry/exit Set T.E. interrupt Time-aware Worker Pool Managers watch for timeouts - 22 - Disposable Workers

Node.cure prototype Built on Node.js v8.8.1 (LTS) 4 KLoC across 50 files Compatible Passes Node.js core test suite* Available on GitHub - 23 -

Security guarantees Every vulnerable Language and Framework API is safe Applications built with these APIs are safe, too! Passes our EHP test suite All vulnerable Node.js APIs Including all used in the npm vulnerabilities However Detect: Must choose timeout thresholds (Goldilocks problem) Respond: Tight threshold or blacklisting - 24 -

Performance penalty Micro-benchmarks Macro-benchmarks (summary) Component Overhead App. type Overhead New interrupt 0% Instr. CBs 1.01-2.4 x I/O buffers 1.3 x Server 0-2 % Utility 0-8 % Middleware 6-24 % - 25 -

Community Engagement - 26 -

Guide on nodejs.org Don t Block the Event Loop (or the Worker Pool) Reviews Node.js architecture EHP attacks + examples Advice about npm module safety - 27 -

Changes to Node.js core Documentation fs readfile crypto randombytes randomfill child_process spawn Code fs.readfile - 28 -

Closing Remarks - 29 -

The EDA has an EHP problem. First-class timeouts can cure it. We: Defined an attack Demonstrated its presence in the wild Designed and prototyped a defense Disseminated to the practitioner community Thank you for your attention! COMPUTER SCIENCE - 30 -

Bonus Material - 31 -

Choosing a timeout The tighter the timeout, the less effective the EHP attack Loose timeouts à blacklist attackers No DDoS (threat model) Blacklisting is relatively easy with First-Class Timeouts because the TimeoutException is delivered in the context of the malicious request - 32 -

Programming with First-Class Timeouts Choose timeout minimize CB variance during tuning Goldilocks problem Add error handling a global exception handler and per-request handlers New first-class asynchronous primitives like async/await and Promises make this possible We only support global timeouts but could refine thresholds on a per-cb and per-task basis - 33 -

Various ideas towards EHP-safety Heartbeat Partitioning First-class timeouts Larger worker pool Preemptible callbacks and tasks Speculative concurrent execution Serverless Within the EDA paradigm Dedicating resources to each client: OTPCA - 34 -

Threat model Attacker can trigger worst-case behavior No DDoS Thus: Include EHP, a problem unique to EDA Exclude DDoS, a general problem for problem web servers - 35 -

Dangling Worke More details on time-aware Event Handlers Event Loop Worker Pool Priority Executor uv_queue_work_prio uv_queue_work Executors Hangman Manager Always has a Worker Worker Disposable - 36 -

Implementation details Layer Changes Language Framework Add TimeoutException Add interrupt Timeout Watchdog Handle T.E. from async APIs Offload sync. APIs Time-aware C++ add-ons Application Handle T.E. - 37 -

C++ add-ons Node.js applications can contain: Pure JavaScript C++ add-ons e.g. for performance or using systems libraries Application-defined C++ add-ons are unprotected by F.C.T Must be made time-aware, similar to how we made Node.js s own C++ bindings time-aware Only 0.7% of npm modules have C++ add-ons - 38 -

Experimental slides - 39 -

Node.js attack with ReDoS and IO-DoS Throughput (req/sec) 3000 2500 2000 1500 1000 500 0 0 1 2 3 4 5 6 Time (seconds) Baseline REDOS Baseline ReadDOS NodeCure REDOS NodeCure ReadDOS - 40 -

One-thread-per-client architecture (OTPCA) Handle request Handle request Dispatcher Thread pool - 41 -

Event-driven architecture (EDA) Pending events Event Loop Worker Pool offloads returns completed work - 42 -

Long-running request in OTPCA Handle request Handle request Dispatcher Thread pool - 43 -

Long-running request in EDA Pending events Event Loop Worker Pool offloads returns completed work - 44 -

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback