Zobraziť v EDS

SandTrap: Securing JavaScript-driven Trigger-Action Platforms

Uložené v:
Podrobná bibliografia
Názov: SandTrap: Securing JavaScript-driven Trigger-Action Platforms
Autori: Ahmadpanah, Seyed Mohammad Mehdi, 1996, Hedin, Daniel, 1978, Balliu, Musard, 1985, Olsson, Eric, 1994, Sabelfeld, Andrei, 1974
Zdroj: WebSec: Säkerhet i webb-drivna system 30th USENIX Security Symposium, Virtual; online Proceedings of the 30th USENIX Security Symposium. :2899-2916
Popis: Trigger-Action Platforms (TAPs) seamlessly connect a wide variety of otherwise unconnected devices and services, ranging from IoT devices to cloud services and social networks. TAPs raise critical security and privacy concerns because a TAP is effectively a “person-in-the-middle” between trigger and action services. Third-party code, routinely deployed as “apps” on TAPs, further exacerbates these concerns. This paper focuses on JavaScript-driven TAPs. We show that the popular IFTTT and Zapier platforms and an open-source alternative Node-RED are susceptible to attacks ranging from exfiltrating data from unsuspecting users to taking over the entire platform. We report on the changes by the platforms in response to our findings and present an empirical study to assess the implications for Node-RED. Motivated by the need for a secure yet flexible way to integrate third-party JavaScript apps, we propose SandTrap, a novel JavaScript monitor that securely combines the Node.js vm module with fully structural proxy-based two-sided membranes to enforce fine-grained access control policies. To aid developers, SandTrap includes a policy generation mechanism. We instantiate SandTrap to IFTTT, Zapier, and Node-RED and illustrate on a set of benchmarks how SandTrap enforces a variety of policies while incurring a tolerable runtime overhead.
Popis súboru: electronic
Prístupová URL adresa: https://research.chalmers.se/publication/528122
https://research.chalmers.se/publication/526024
https://research.chalmers.se/publication/524202
https://research.chalmers.se/publication/528122/file/528122_Fulltext.pdf
Databáza: SwePub
FullText Text:
  Availability: 0
CustomLinks:
  – Url: https://research.chalmers.se/publication/528122#
    Name: EDS - SwePub (s4221598)
    Category: fullText
    Text: View record in SwePub
  – Url: https://www.webofscience.com/api/gateway?GWVersion=2&SrcApp=EBSCO&SrcAuth=EBSCO&DestApp=WOS&ServiceName=TransferToWoS&DestLinkType=GeneralSearchSummary&Func=Links&author=Ahmadpanah%20SMM
    Name: ISI
    Category: fullText
    Text: Nájsť tento článok vo Web of Science
    Icon: https://imagesrvr.epnet.com/ls/20docs.gif
    MouseOverText: Nájsť tento článok vo Web of Science
Header DbId: edsswe
DbLabel: SwePub
An: edsswe.oai.research.chalmers.se.3309c162.4b9d.4f76.9e2e.5f33937ff9b4
RelevancyScore: 926
AccessLevel: 6
PubType: Conference
PubTypeId: conference
PreciseRelevancyScore: 926.003784179688
IllustrationInfo
Items – Name: Title
  Label: Title
  Group: Ti
  Data: SandTrap: Securing JavaScript-driven Trigger-Action Platforms
– Name: Author
  Label: Authors
  Group: Au
  Data: <searchLink fieldCode="AR" term="%22Ahmadpanah%2C+Seyed+Mohammad+Mehdi%22">Ahmadpanah, Seyed Mohammad Mehdi</searchLink>, 1996<br /><searchLink fieldCode="AR" term="%22Hedin%2C+Daniel%22">Hedin, Daniel</searchLink>, 1978<br /><searchLink fieldCode="AR" term="%22Balliu%2C+Musard%22">Balliu, Musard</searchLink>, 1985<br /><searchLink fieldCode="AR" term="%22Olsson%2C+Eric%22">Olsson, Eric</searchLink>, 1994<br /><searchLink fieldCode="AR" term="%22Sabelfeld%2C+Andrei%22">Sabelfeld, Andrei</searchLink>, 1974
– Name: TitleSource
  Label: Source
  Group: Src
  Data: <i>WebSec: Säkerhet i webb-drivna system 30th USENIX Security Symposium, Virtual; online Proceedings of the 30th USENIX Security Symposium</i>. :2899-2916
– Name: Abstract
  Label: Description
  Group: Ab
  Data: Trigger-Action Platforms (TAPs) seamlessly connect a wide variety of otherwise unconnected devices and services, ranging from IoT devices to cloud services and social networks. TAPs raise critical security and privacy concerns because a TAP is effectively a “person-in-the-middle” between trigger and action services. Third-party code, routinely deployed as “apps” on TAPs, further exacerbates these concerns. This paper focuses on JavaScript-driven TAPs. We show that the popular IFTTT and Zapier platforms and an open-source alternative Node-RED are susceptible to attacks ranging from exfiltrating data from unsuspecting users to taking over the entire platform. We report on the changes by the platforms in response to our findings and present an empirical study to assess the implications for Node-RED. Motivated by the need for a secure yet flexible way to integrate third-party JavaScript apps, we propose SandTrap, a novel JavaScript monitor that securely combines the Node.js vm module with fully structural proxy-based two-sided membranes to enforce fine-grained access control policies. To aid developers, SandTrap includes a policy generation mechanism. We instantiate SandTrap to IFTTT, Zapier, and Node-RED and illustrate on a set of benchmarks how SandTrap enforces a variety of policies while incurring a tolerable runtime overhead.
– Name: Format
  Label: File Description
  Group: SrcInfo
  Data: electronic
– Name: URL
  Label: Access URL
  Group: URL
  Data: <link linkTarget="URL" linkTerm="https://research.chalmers.se/publication/528122" linkWindow="_blank">https://research.chalmers.se/publication/528122</link><br /><link linkTarget="URL" linkTerm="https://research.chalmers.se/publication/526024" linkWindow="_blank">https://research.chalmers.se/publication/526024</link><br /><link linkTarget="URL" linkTerm="https://research.chalmers.se/publication/524202" linkWindow="_blank">https://research.chalmers.se/publication/524202</link><br /><link linkTarget="URL" linkTerm="https://research.chalmers.se/publication/528122/file/528122_Fulltext.pdf" linkWindow="_blank">https://research.chalmers.se/publication/528122/file/528122_Fulltext.pdf</link>
PLink https://erproxy.cvtisr.sk/sfx/access?url=https://search.ebscohost.com/login.aspx?direct=true&site=eds-live&db=edsswe&AN=edsswe.oai.research.chalmers.se.3309c162.4b9d.4f76.9e2e.5f33937ff9b4
RecordInfo BibRecord:
  BibEntity:
    Languages:
      – Text: English
    PhysicalDescription:
      Pagination:
        PageCount: 18
        StartPage: 2899
    Titles:
      – TitleFull: SandTrap: Securing JavaScript-driven Trigger-Action Platforms
        Type: main
  BibRelationships:
    HasContributorRelationships:
      – PersonEntity:
          Name:
            NameFull: Ahmadpanah, Seyed Mohammad Mehdi
      – PersonEntity:
          Name:
            NameFull: Hedin, Daniel
      – PersonEntity:
          Name:
            NameFull: Balliu, Musard
      – PersonEntity:
          Name:
            NameFull: Olsson, Eric
      – PersonEntity:
          Name:
            NameFull: Sabelfeld, Andrei
    IsPartOfRelationships:
      – BibEntity:
          Dates:
            – D: 01
              M: 01
              Type: published
              Y: 2021
          Identifiers:
            – Type: issn-locals
              Value: SWEPUB_FREE
            – Type: issn-locals
              Value: CTH_SWEPUB
          Titles:
            – TitleFull: WebSec: Säkerhet i webb-drivna system 30th USENIX Security Symposium, Virtual; online Proceedings of the 30th USENIX Security Symposium
              Type: main
ResultId 1