-
Notifications
You must be signed in to change notification settings - Fork 122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Attack Review: Integrity of security critical strings #409
Comments
Good initiative.
Are any other known? |
Not everything itself is a Node application that we can make as an attack surface, however, I really like the idea of popping up a nicer exercise based tutorial if we go through things. https://rawgit.com/Agoric/SES/master/demo/?dateNow=enabled Is interesting in part because it is so explanatory (even if needing specialized knowledge a bit) and easy to show to others. I think some of the big things we are going to have to do is define what a valid attack will be fore these. I don't think mucking with the primordials is something we should really account for usually. All attempts at hygiene within an Agent require Realm isolation or frozen Realms. |
@vdeturckheim Yeah. I think a target app would be good. @bmeck Yeah, I think we have to assume good faith on the part of developers. That's pretty fuzzy, but out of bounds I think are custom C++ extensions, abuse of bindings, and attacking builtin modules via primordials. For modules like node-sec-patterns which should initialize early and preserve properties even in the face of hostile JS code, I have tests for the ability of late-running code to breach isolation via primordials. |
I'm working on a demo app that will tie these together and a script to run it locally so we can craft attacks. Tentatively,
The CODE and SMELLY-CODE victory conditions are unfortunately subjective but I've no better way to represent the need for security under maintenance when developers or reviewers are under time pressure. |
Status updateI've got a skeletal demo-app at github.com/mikesamuel/attack-review-testbed that has an intentionally high attack surface to allow testing the effectiveness of mitigations
I still have some work to increase the attack surface. I plan to
|
Anyone interested in a weekly call to sort out logistics for the attack review, and how to recruit attackers? |
@mikesamuel it looks interesting, thanks for sharing! I edited your post above to correct the link to github and I'm suggesting that you maybe copy the information you added in this thread comments (1, 2), to a README on the project? |
@lirantal Thanks for the fix.
Will do. I'm almost feature complete, then I'll focus on getting those disparate pieces of documentation organized. |
Status UpdateAs @lirantal mentioned, there's a draft README and a breach report template. The pre-launch issue tracker labels collects tasks that should be completed before inviting attack. I have a line on some attack reviewers, but would appreciate suggestions on where to recruit more. |
@mikesamuel I think we can use the Security WG Slack workspace to host a channel dedicated to this effort. I can spread the word among my team mates, they love a good challenge. |
Thanks @MarcinHoppe I created a channel on https://nodejs-security-wg.herokuapp.com/ and I changed the support links from
to
|
Status Update@MarcinHoppe @lirantal @deian Recent Changes
|
Seems it will be quite some undertaking of manual work to pentest the app, but the concept of a security-hardened Node.js is intriguing and I think that it is interesting to see how this will work with Anna's security policies PR as well as possibly @vdeturckheim efforts of fuzzing Node.js core to help with this test-bed. |
I think if I can get enough eyes on this, we can get coverage without any one person having to test the whole thing.
@addaleax IIUC, Anna's policies focus on controlling what process-external endpoints can be connected to, not the integrity of messages sent to those endpoints. If that's the case, then the message-integrity preserving goals of this could complement Anna's policies. This attack review focuses on:
IIUC, Anna's work is relevant to (2, 4, 5) but its goals do not include addressing (1, 3). |
This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made. |
@bmeck @vdeturckheim @erights @MylesBorins
I'm nearing feature completeness on some security relevant Node packages, and would like to organize attack reviews.
These packages all relate to the integrity of messages that leave Node, for example HTML to the browser, SQL to a database, or strings to a shell.
I could use help coming up with attackable demo applications and help defining what constitutes a breach. Once that's done, I need people to attack the system and share any vulnerabilities found.
The packages that are in bounds are:
Contextual escaping for HTML : https://npmjs.com/package/pug-plugin-trusted-types
Safely composable SQL queries : https://npmjs.com/package/safesql
Safely composable Shell strings : https://npmjs.com/package/sh-template-tag
Module Keys : https://npmjs.com/package/module-keys
Contract Type Utilities : https://npmjs.com/package/node-sec-patterns
Web Contract Types : https://npmjs.com/package/web-contract-types
The text was updated successfully, but these errors were encountered: