Brigadier: A Datalog-based IAST framework for Node.js Applications

Onderzoeksoutput: Conference paper

Samenvatting

The NODE.JS runtime, in combination with Node Package Manager (NPM), is a popular ecosystem for building server-side web applications. Both JavaScript's flexible and dynamic character and the vast amount of NPM libraries available can speed up the development of web applications. However, JavaScript and NODE.JS lack security mechanisms and abstractions. Despite the numerous language-based approaches proposed to protect JavaScript applications, no work supports application- level and business-level security properties. This means that in order to achieve both application-level and business-level security, developers are forced to rely on multiple different, unintegrated and incompatible tools and mechanisms. In this paper, we present BRIGADIER, an interactive security testing framework for NODE.JS applications that enables the specification of both application-level and business-level security policies. BRIGADIER provides developers with a Datalog-based policy specification language that features close interoperability with running JavaScript programs under test. Input JavaScript programs are instrumented to emit relevant application events sent to a Datalog engine resulting from the compilation of the policies. We exhibit BRIGADIER's expressiveness by implementing three case studies from the literature. We also assess BRIGADIER's performance overhead on server-side applications. In our benchmarks, we observed a slowdown factor ranging from ~1.2x to ~3x, which is acceptable for a testing scenario.
Originele taal-2English
Titel2023 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)
RedacteurenTao Zhang, Xin Xia, Nicole Novielli
Plaats van productieTaipa, Macau
UitgeverijIEEE
Pagina's509-521
Aantal pagina's13
ISBN van elektronische versie978-1-6654-5278-6
ISBN van geprinte versie978-1-6654-5279-3
DOI's
StatusPublished - 21 mrt 2023
Evenement30th IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER 2023) - 28th Floor, Hotel Okura Macau, Macau SAR, China
Duur: 21 mrt 202324 mrt 2023
Congresnummer: 30
https://saner2023.must.edu.mo/index

Publicatie series

NaamProceedings - 2023 IEEE International Conference on Software Analysis, Evolution and Reengineering, SANER 2023

Conference

Conference30th IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER 2023)
Verkorte titelSANER'23
Land/RegioChina
StadMacau SAR
Periode21/03/2324/03/23
Internet adres

Bibliografische nota

Publisher Copyright:
© 2023 IEEE.

Copyright:
Copyright 2023 Elsevier B.V., All rights reserved.

Vingerafdruk

Duik in de onderzoeksthema's van 'Brigadier: A Datalog-based IAST framework for Node.js Applications'. Samen vormen ze een unieke vingerafdruk.

Citeer dit