Brigadier: A Datalog-based IAST framework for Node.js Applications

Angel Luis Scull Pupo; Jens Nicolay; Elisa Gonzalez Boix

doi:10.1109/SANER56733.2023.00054

Brigadier: A Datalog-based IAST framework for Node.js Applications

Angel Luis Scull Pupo, Jens Nicolay, Elisa Gonzalez Boix

Onderzoeksoutput: Conference paper

1 Citaat (Scopus)

Samenvatting

The NODE.JS runtime, in combination with Node Package Manager (NPM), is a popular ecosystem for building server-side web applications. Both JavaScript's flexible and dynamic character and the vast amount of NPM libraries available can speed up the development of web applications. However, JavaScript and NODE.JS lack security mechanisms and abstractions. Despite the numerous language-based approaches proposed to protect JavaScript applications, no work supports application- level and business-level security properties. This means that in order to achieve both application-level and business-level security, developers are forced to rely on multiple different, unintegrated and incompatible tools and mechanisms. In this paper, we present BRIGADIER, an interactive security testing framework for NODE.JS applications that enables the specification of both application-level and business-level security policies. BRIGADIER provides developers with a Datalog-based policy specification language that features close interoperability with running JavaScript programs under test. Input JavaScript programs are instrumented to emit relevant application events sent to a Datalog engine resulting from the compilation of the policies. We exhibit BRIGADIER's expressiveness by implementing three case studies from the literature. We also assess BRIGADIER's performance overhead on server-side applications. In our benchmarks, we observed a slowdown factor ranging from ~1.2x to ~3x, which is acceptable for a testing scenario.

Originele taal-2	English
Titel	2023 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)
Redacteuren	Tao Zhang, Xin Xia, Nicole Novielli
Plaats van productie	Taipa, Macau
Uitgeverij	IEEE
Pagina's	509-521
Aantal pagina's	13
ISBN van elektronische versie	978-1-6654-5278-6
ISBN van geprinte versie	978-1-6654-5279-3
DOI's	https://doi.org/10.1109/SANER56733.2023.00054
Status	Published - 21 mrt. 2023
Evenement	30th IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER 2023) - 28th Floor, Hotel Okura Macau, Macau SAR, China Duur: 21 mrt. 2023 → 24 mrt. 2023 Congresnummer: 30 https://saner2023.must.edu.mo/index

Publicatie series

Naam	Proceedings - 2023 IEEE International Conference on Software Analysis, Evolution and Reengineering, SANER 2023

Conference

Conference	30th IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER 2023)
Verkorte titel	SANER'23
Land/Regio	China
Stad	Macau SAR
Periode	21/03/23 → 24/03/23
Internet adres	https://saner2023.must.edu.mo/index

Bibliografische nota

Publisher Copyright:
© 2023 IEEE.

Copyright:
Copyright 2023 Elsevier B.V., All rights reserved.

Toegang tot document

10.1109/SANER56733.2023.00054

ftp://prog.vub.ac.be/tech_report/2023/vub-tr-soft-23-03-scull.pdf

Andere bestanden en links

Link naar publicatie in Scopus

VLAAI2: Cybersecurity Onderzoeksprogramma Vlaanderen – tweede cyclus
De Meuter, W., Braeken, A., Devriese, D., Gonzalez Boix, E. & De Roover, C.
1/01/24 → 31/12/28
Project: Toegepast

Citeer dit

Scull Pupo, A. L., Nicolay, J., & Gonzalez Boix, E. (2023). Brigadier: A Datalog-based IAST framework for Node.js Applications. In T. Zhang, X. Xia, & N. Novielli (editors), 2023 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER) (blz. 509-521). (Proceedings - 2023 IEEE International Conference on Software Analysis, Evolution and Reengineering, SANER 2023). IEEE. https://doi.org/10.1109/SANER56733.2023.00054

Scull Pupo, Angel Luis ; Nicolay, Jens ; Gonzalez Boix, Elisa. / Brigadier: A Datalog-based IAST framework for Node.js Applications. 2023 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER). redacteur / Tao Zhang ; Xin Xia ; Nicole Novielli. Taipa, Macau : IEEE, 2023. blz. 509-521 (Proceedings - 2023 IEEE International Conference on Software Analysis, Evolution and Reengineering, SANER 2023).

@inproceedings{cf9130f2162f4b379f4010172f5a4f18,

title = "Brigadier: A Datalog-based IAST framework for Node.js Applications",

abstract = "The NODE.JS runtime, in combination with Node Package Manager (NPM), is a popular ecosystem for building server-side web applications. Both JavaScript's flexible and dynamic character and the vast amount of NPM libraries available can speed up the development of web applications. However, JavaScript and NODE.JS lack security mechanisms and abstractions. Despite the numerous language-based approaches proposed to protect JavaScript applications, no work supports application- level and business-level security properties. This means that in order to achieve both application-level and business-level security, developers are forced to rely on multiple different, unintegrated and incompatible tools and mechanisms. In this paper, we present BRIGADIER, an interactive security testing framework for NODE.JS applications that enables the specification of both application-level and business-level security policies. BRIGADIER provides developers with a Datalog-based policy specification language that features close interoperability with running JavaScript programs under test. Input JavaScript programs are instrumented to emit relevant application events sent to a Datalog engine resulting from the compilation of the policies. We exhibit BRIGADIER's expressiveness by implementing three case studies from the literature. We also assess BRIGADIER's performance overhead on server-side applications. In our benchmarks, we observed a slowdown factor ranging from ~1.2x to ~3x, which is acceptable for a testing scenario.",

author = "{Scull Pupo}, {Angel Luis} and Jens Nicolay and {Gonzalez Boix}, Elisa",

note = "Publisher Copyright: {\textcopyright} 2023 IEEE. Copyright: Copyright 2023 Elsevier B.V., All rights reserved.; 30th IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER 2023), SANER'23 ; Conference date: 21-03-2023 Through 24-03-2023",

year = "2023",

month = mar,

day = "21",

doi = "10.1109/SANER56733.2023.00054",

language = "English",

isbn = "978-1-6654-5279-3",

series = "Proceedings - 2023 IEEE International Conference on Software Analysis, Evolution and Reengineering, SANER 2023",

publisher = "IEEE",

pages = "509--521",

editor = "Tao Zhang and Xin Xia and Nicole Novielli",

booktitle = "2023 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)",

url = "https://saner2023.must.edu.mo/index",

}

Scull Pupo, AL , Nicolay, J & Gonzalez Boix, E 2023, Brigadier: A Datalog-based IAST framework for Node.js Applications. in T Zhang, X Xia & N Novielli (redactie), 2023 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER). Proceedings - 2023 IEEE International Conference on Software Analysis, Evolution and Reengineering, SANER 2023, IEEE, Taipa, Macau, blz. 509-521, 30th IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER 2023), Macau SAR, China, 21/03/23. https://doi.org/10.1109/SANER56733.2023.00054

Brigadier: A Datalog-based IAST framework for Node.js Applications. / Scull Pupo, Angel Luis ; Nicolay, Jens ; Gonzalez Boix, Elisa.
2023 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER). redactie / Tao Zhang; Xin Xia; Nicole Novielli. Taipa, Macau: IEEE, 2023. blz. 509-521 (Proceedings - 2023 IEEE International Conference on Software Analysis, Evolution and Reengineering, SANER 2023).

Onderzoeksoutput: Conference paper

TY - GEN

T1 - Brigadier: A Datalog-based IAST framework for Node.js Applications

AU - Scull Pupo, Angel Luis

AU - Nicolay, Jens

AU - Gonzalez Boix, Elisa

N1 - Conference code: 30

PY - 2023/3/21

Y1 - 2023/3/21

N2 - The NODE.JS runtime, in combination with Node Package Manager (NPM), is a popular ecosystem for building server-side web applications. Both JavaScript's flexible and dynamic character and the vast amount of NPM libraries available can speed up the development of web applications. However, JavaScript and NODE.JS lack security mechanisms and abstractions. Despite the numerous language-based approaches proposed to protect JavaScript applications, no work supports application- level and business-level security properties. This means that in order to achieve both application-level and business-level security, developers are forced to rely on multiple different, unintegrated and incompatible tools and mechanisms. In this paper, we present BRIGADIER, an interactive security testing framework for NODE.JS applications that enables the specification of both application-level and business-level security policies. BRIGADIER provides developers with a Datalog-based policy specification language that features close interoperability with running JavaScript programs under test. Input JavaScript programs are instrumented to emit relevant application events sent to a Datalog engine resulting from the compilation of the policies. We exhibit BRIGADIER's expressiveness by implementing three case studies from the literature. We also assess BRIGADIER's performance overhead on server-side applications. In our benchmarks, we observed a slowdown factor ranging from ~1.2x to ~3x, which is acceptable for a testing scenario.

AB - The NODE.JS runtime, in combination with Node Package Manager (NPM), is a popular ecosystem for building server-side web applications. Both JavaScript's flexible and dynamic character and the vast amount of NPM libraries available can speed up the development of web applications. However, JavaScript and NODE.JS lack security mechanisms and abstractions. Despite the numerous language-based approaches proposed to protect JavaScript applications, no work supports application- level and business-level security properties. This means that in order to achieve both application-level and business-level security, developers are forced to rely on multiple different, unintegrated and incompatible tools and mechanisms. In this paper, we present BRIGADIER, an interactive security testing framework for NODE.JS applications that enables the specification of both application-level and business-level security policies. BRIGADIER provides developers with a Datalog-based policy specification language that features close interoperability with running JavaScript programs under test. Input JavaScript programs are instrumented to emit relevant application events sent to a Datalog engine resulting from the compilation of the policies. We exhibit BRIGADIER's expressiveness by implementing three case studies from the literature. We also assess BRIGADIER's performance overhead on server-side applications. In our benchmarks, we observed a slowdown factor ranging from ~1.2x to ~3x, which is acceptable for a testing scenario.

UR - http://www.scopus.com/inward/record.url?scp=85160566135&partnerID=8YFLogxK

U2 - 10.1109/SANER56733.2023.00054

DO - 10.1109/SANER56733.2023.00054

M3 - Conference paper

SN - 978-1-6654-5279-3

T3 - Proceedings - 2023 IEEE International Conference on Software Analysis, Evolution and Reengineering, SANER 2023

SP - 509

EP - 521

BT - 2023 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)

A2 - Zhang, Tao

A2 - Xia, Xin

A2 - Novielli, Nicole

PB - IEEE

CY - Taipa, Macau

T2 - 30th IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER 2023)

Y2 - 21 March 2023 through 24 March 2023

ER -

Scull Pupo AL , Nicolay J , Gonzalez Boix E. Brigadier: A Datalog-based IAST framework for Node.js Applications. In Zhang T, Xia X, Novielli N, redacteurs, 2023 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER). Taipa, Macau: IEEE. 2023. blz. 509-521. (Proceedings - 2023 IEEE International Conference on Software Analysis, Evolution and Reengineering, SANER 2023). doi: 10.1109/SANER56733.2023.00054

Brigadier: A Datalog-based IAST framework for Node.js Applications

Samenvatting

Publicatie series

Conference

Bibliografische nota

Toegang tot document

Andere bestanden en links

Vingerafdruk

Projecten

VLAAI2: Cybersecurity Onderzoeksprogramma Vlaanderen – tweede cyclus

Citeer dit