This repository collects additional material associated with the paper: NatiSand: Native Code Sandboxing for JavaScript Runtimes
Modern runtimes run JavaScript code in a secure and isolated environment, but when they execute binary programs and shared libraries, no isolation guarantees are provided. This is an important limitation, and it affects many popular runtimes including Node.js, Deno, and Bun.
The paper proposes NatiSand, a component for JavaScript runtimes that leverages Landlock, eBPF, and Seccomp to control the filesystem, Inter-Process Communication (IPC), and network resources available to binary programs and shared libraries. NatiSand does not require changes to the application code and offers the user an easy interface. To demonstrate the effectiveness and efficiency of our approach, we implemented NatiSand and integrated it into Deno, a modern, security-oriented JavaScript runtime. We also reproduce vulnerabilities affecting third-party code and show how they can be mitigated by NatiSand. In the experimental evaluation we analyze the overhead associated with our approach and compare it with state-of-the-art code sandboxing solutions.
- Initialize all submodules
git submodule update --init --recursive
- Clone all submodules
git pull --recurse-submodules
- Make sure the dependencies required to build V8 are available
- Build the project
V8_FROM_SOURCE=1 cargo build --release
- Grant the required file capabilities to the deno executable (the required capabilities vary based on the test and the kernel version; the following is an example):
sudo setcap cap_dac_override,cap_perfmon,cap_bpf=ep target/release/deno
- Tests
  - Ensure all additional dependencies are installed (e.g., native libraries like sqlite3, binary programs like GNU Tar)
  - Run the tests using make or the available Python scripts