Native code sandboxing for JavaScript runtimes

unibg-seclab/natisand

 
 


NatiSand

This repository collects additional material associated with the paper: NatiSand: Native Code Sandboxing for JavaScript Runtimes

Rationale

Modern runtimes render JavaScript code in a secure and isolated environment, but when they execute binary programs and shared libraries, no isolation guarantees are provided. This is an important limitation, and it affects many popular runtimes including Node.js, Deno, and Bun.

The paper proposes NatiSand, a component for JavaScript runtimes that leverages Landlock, eBPF, and Seccomp to control the filesystem, Inter-Process Communication (IPC), and network resources available to binary programs and shared libraries. NatiSand does not require changes to the application code and offers the user an easy interface. To demonstrate the effectiveness and efficiency of our approach, we implemented NatiSand and integrated it into Deno, a modern, security-oriented JavaScript runtime. We also reproduce vulnerabilities affecting third-party code and show how NatiSand mitigates them. In the experimental evaluation we analyze the overhead associated with our approach and compare it with state-of-the-art code sandboxing solutions.

Quickstart

  1. Initialize all submodules:
     git submodule update --init --recursive
  2. Clone all submodules:
     git pull --recurse-submodules
  3. Make sure the dependencies required to build V8 are available.
  4. Build the project:
     V8_FROM_SOURCE=1 cargo build --release
  5. Grant the required file capabilities to the deno executable (the required capabilities vary based on the test and the kernel version; the following is an example):
     sudo setcap cap_dac_override,cap_perfmon,cap_bpf=ep target/release/deno
  6. Tests:
    • Ensure all additional dependencies are installed (e.g., native libraries like sqlite3, binary programs like GNU Tar)
    • Run the tests using make or the available Python scripts
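The steps above depend on kernel features that are easy to get wrong on an older or differently configured machine (Landlock only exists from Linux 5.13, cap_bpf and cap_perfmon from 5.8, and the setcap step is silently undone by a rebuild). The following pre-flight script is an added example, not part of the NatiSand repository: it wraps the Quickstart commands and checks that the running kernel exposes Landlock, eBPF and seccomp and that the capabilities from step 5 are actually present on the built binary. It assumes Landlock is listed in /sys/kernel/security/lsm, that a "Seccomp:" line in /proc/self/status indicates seccomp support, that the binary path is target/release/deno, and that the capability set from the README example is the one the local tests need; adjust REQUIRED_CAPS per test.

```shell
#!/bin/sh
# Added example (not NatiSand project code): pre-flight checks for the
# Quickstart. The checks are written as pure functions over strings so
# they can be exercised without root or a matching kernel.
# Assumptions: Landlock appears in /sys/kernel/security/lsm (Linux >= 5.13),
# "Seccomp:" in /proc/self/status means CONFIG_SECCOMP is on, and the
# capability set is the README's example (cap_dac_override,cap_perfmon,cap_bpf).

DENO_BIN="target/release/deno"
REQUIRED_CAPS="cap_dac_override,cap_perfmon,cap_bpf"

# version_at_least "5.15.0-91-generic" 5 13 -> exit 0 when the kernel is >= 5.13
version_at_least() {
    v=${1%%-*}                        # drop the "-91-generic" suffix
    major=${v%%.*}
    case "$v" in
        *.*) rest=${v#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;
    esac
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# lsm_has_landlock "lockdown,capability,landlock,yama" -> exit 0 if landlock is active
lsm_has_landlock() {
    case ",$1," in
        *,landlock,*) return 0 ;;
        *)            return 1 ;;
    esac
}

# seccomp_in_status "<contents of /proc/self/status>" -> exit 0 if the
# Seccomp: field is present (the kernel only prints it with CONFIG_SECCOMP)
seccomp_in_status() {
    printf '%s\n' "$1" | grep -q '^Seccomp:'
}

# setcap_cmd PATH -> the exact setcap invocation from Quickstart step 5
setcap_cmd() {
    printf 'setcap %s=ep %s\n' "$REQUIRED_CAPS" "$1"
}

# caps_granted "<getcap output>" -> exit 0 when every required capability name
# is present with the effective+permitted flags. getcap output differs between
# libcap versions ("path cap_bpf=ep" vs "path = cap_bpf+ep"), so only the cap
# names and the "=ep"/"+ep" flag marker are matched, not the separators.
caps_granted() {
    line=$1
    for cap in $(printf '%s' "$REQUIRED_CAPS" | tr ',' ' '); do
        case "$line" in *"$cap"*) ;; *) return 1 ;; esac
    done
    case "$line" in *=ep*|*+ep*) return 0 ;; *) return 1 ;; esac
}

# preflight: run the checks against the live system and report each one
preflight() {
    status=0
    kernel=$(uname -r)
    version_at_least "$kernel" 5 13 && echo "ok   kernel $kernel is >= 5.13 (Landlock)" \
        || { echo "FAIL kernel $kernel is older than 5.13, Landlock unavailable"; status=1; }
    lsms=$(cat /sys/kernel/security/lsm 2>/dev/null)
    lsm_has_landlock "$lsms" && echo "ok   landlock LSM is active" \
        || { echo "FAIL landlock not in active LSMs: '$lsms' (try lsm=...,landlock on the cmdline)"; status=1; }
    seccomp_in_status "$(cat /proc/self/status 2>/dev/null)" && echo "ok   seccomp is available" \
        || { echo "FAIL seccomp not reported in /proc/self/status"; status=1; }
    if [ -x "$DENO_BIN" ]; then
        caps_granted "$(getcap "$DENO_BIN" 2>/dev/null)" && echo "ok   $DENO_BIN carries $REQUIRED_CAPS" \
            || { echo "FAIL capabilities missing; run: sudo $(setcap_cmd "$DENO_BIN")"; status=1; }
    else
        echo "note $DENO_BIN not built yet; run '$0 build' first"
    fi
    return $status
}

# build: Quickstart steps 1, 2, 4 and 5 in order, stopping at the first failure
build() {
    set -e
    git submodule update --init --recursive
    git pull --recurse-submodules
    V8_FROM_SOURCE=1 cargo build --release
    sudo $(setcap_cmd "$DENO_BIN")    # file capabilities are lost on every rebuild
}

case "${1:-}" in
    preflight) preflight ;;
    build)     build && preflight ;;
    "")        ;;                      # no mode given: only define the functions
    *)         echo "usage: $0 preflight|build" >&2; exit 2 ;;
esac
```

Run `sh preflight.sh preflight` after the build to confirm the kernel and binary are ready for the tests, and `sh preflight.sh build` to execute the Quickstart commands and check the result. The setcap line is the one place that has to be repeated after every `cargo build`, which is why the script re-checks it rather than trusting that it was run once.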
