HODOR: Shrinking Attack Surface on Node.js via System Call Limitation
Wenya Wang, Xingwei Lin, Jingyi Wang, Wang Gao, Dawu Gu, Wei Lv, Jiashui Wang

TL;DR
HODOR is a lightweight runtime system that reduces Node.js attack surface by enforcing precise system call restrictions through optimized call graph analysis and seccomp whitelists, effectively protecting real-world applications.
Contribution
This work introduces HODOR, a novel system that constructs high-quality call graphs and applies Linux seccomp to limit system calls in Node.js, filling a gap in existing JavaScript-level protections.
Findings
Reduces attack surface to 16.75% on average
Protects 83 real-world applications from code execution attacks
Imposes less than 3% runtime overhead
Abstract
Node.js provides Node.js applications with system interaction capabilities using system calls. However, such convenience comes with a price, i.e., the attack surface of JavaScript arbitrary code execution (ACE) vulnerabilities is expanded to the system call level. There lies a noticeable gap between existing protection techniques at the JavaScript code level (either by code debloating or read-write-execute permission restriction) and a targeted defense for emerging critical system call level exploitation. To fill the gap, we design and implement HODOR, a lightweight runtime protection system based on enforcing precise system call restrictions when running a Node.js application. HODOR achieved this by addressing several nontrivial technical challenges. First, HODOR needs to construct high-quality call graphs for both the Node.js application (in JavaScript) and its underlying…
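The enforcement mechanism the abstract refers to is a seccomp whitelist: a classic-BPF program the kernel runs on every system call, which allows only the numbers the call-graph analysis found reachable and kills the process on anything else. The block below is an added example, not code from the HODOR paper or its authors. It builds such an allowlist filter, includes a tiny interpreter so the filter's decisions can be checked without installing it, and shows the `prctl` install step for Linux. The allowed syscall set is constructed for illustration only (HODOR computes a per-application whitelist), and the architecture constant is assumed to be x86_64 unless building for aarch64.

```c
/* Added example, not from the HODOR paper: a seccomp-BPF allowlist of the kind
 * the paper derives from call-graph analysis, plus a tiny BPF interpreter so the
 * filter's decisions can be checked without installing it. The allowed syscall
 * set below is constructed for illustration only. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef __linux__
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#define SC(name) __NR_##name
#else
/* Portable stand-ins so the builder and interpreter also compile off Linux. */
struct sock_filter { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };
struct seccomp_data { int nr; uint32_t arch; uint64_t instruction_pointer; uint64_t args[6]; };
#define BPF_STMT(code, k) { (uint16_t)(code), 0, 0, (uint32_t)(k) }
#define BPF_JUMP(code, k, jt, jf) { (uint16_t)(code), (jt), (jf), (uint32_t)(k) }
enum { BPF_LD = 0x00, BPF_W = 0x00, BPF_ABS = 0x20, BPF_JMP = 0x05, BPF_JEQ = 0x10, BPF_K = 0x00, BPF_RET = 0x06 };
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#define SECCOMP_RET_ALLOW 0x7fff0000U
#define AUDIT_ARCH_X86_64 0xC000003EU
#define AUDIT_ARCH_AARCH64 0xC00000B7U
enum { SC_read = 0, SC_write = 1, SC_close = 3, SC_mmap = 9, SC_exit_group = 231 }; /* x86_64 numbers */
#define SC(name) SC_##name
#endif

#if defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#define FILTER_ARCH AUDIT_ARCH_X86_64 /* assumption: x86_64 unless building for aarch64 */
#endif

/* Constructed allowlist standing in for the set a call-graph analysis would produce. */
static const int allowed_syscalls[] = { SC(read), SC(write), SC(close), SC(mmap), SC(exit_group) };
#define N_ALLOWED (sizeof allowed_syscalls / sizeof allowed_syscalls[0])
#define MAX_INSNS 64

/* Emits: arch check, load nr, one JEQ/RET-ALLOW pair per allowed syscall, default kill.
 * The arch check matters because syscall numbers differ between ABIs. */
size_t build_allowlist_filter(struct sock_filter *out, size_t cap) {
    size_t n = 0;
    if (cap < 5 + 2 * N_ALLOWED) return 0;
    out[n++] = (struct sock_filter) BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[n++] = (struct sock_filter) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0);
    out[n++] = (struct sock_filter) BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[n++] = (struct sock_filter) BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < N_ALLOWED; i++) {
        out[n++] = (struct sock_filter) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, allowed_syscalls[i], 0, 1);
        out[n++] = (struct sock_filter) BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    out[n++] = (struct sock_filter) BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    return n;
}

/* Evaluates the filter on one syscall the way the kernel would; supports only the
 * three instruction kinds the builder emits and fails closed on anything else. */
uint32_t run_filter(const struct sock_filter *prog, size_t len, const struct seccomp_data *d) {
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k + 4 > sizeof *d) return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, (const unsigned char *)d + in->k, 4);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf; /* offsets are relative to the next insn */
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* fell off the end: fail closed */
}

/* Convenience wrapper: what would the installed filter decide for (arch, nr)? */
uint32_t seccomp_decision(uint32_t arch, int nr) {
    struct sock_filter prog[MAX_INSNS];
    size_t len = build_allowlist_filter(prog, MAX_INSNS);
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return run_filter(prog, len, &d);
}

#ifdef __linux__
/* Installs the filter in the calling process; from then on any syscall outside the
 * list terminates the process. NO_NEW_PRIVS is required for unprivileged callers. */
int install_allowlist(void) {
    struct sock_filter prog[MAX_INSNS];
    struct sock_fprog fprog = { .len = (unsigned short) build_allowlist_filter(prog, MAX_INSNS), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}
#endif

int main(void) {
    printf("read  -> %s\n", seccomp_decision(FILTER_ARCH, SC(read)) == SECCOMP_RET_ALLOW ? "allow" : "kill");
    printf("nr 0x7fffffff -> %s\n", seccomp_decision(FILTER_ARCH, 0x7fffffff) == SECCOMP_RET_ALLOW ? "allow" : "kill");
    return 0;
}
```

The filter is deliberately fail-closed in every path that is not an explicit match, which is the property that makes a whitelist effective against arbitrary code execution: an attacker who gains JavaScript-level control still cannot reach a system call the application never needed. The simulator is only for checking the program offline; the real enforcement happens after `install_allowlist()`, so in a deployment the call-graph analysis must be complete before the filter is applied or the application will be killed on a legitimate call.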
Taxonomy
Topics: Security and Verification in Computing · Web Application Security Vulnerabilities · Advanced Malware Detection Techniques
