Securing Software in the Presence of Third-Party Modules
Licentiate thesis, 2021

Modular programming is a key concept in software development where the program consists of code modules that are designed and implemented independently. This approach accelerates the development process and enhances scalability of the final product. Modules, however, are often written by third parties, aggravating security concerns such as stealing confidential information, tampering with sensitive data, and executing malicious code.
Trigger-Action Platforms (TAPs) are concrete examples of employing modular programming. Any user can develop TAP applications by connecting trigger and action services, and publish them on public repositories. In the presence of malicious application makers, users cannot trust applications written by third parties, which can threaten users’ and platform’s security.
We present SandTrap, a novel runtime monitor for JavaScript that can be used to securely integrate third-party applications. SandTrap enforces fine-grained access control policies at the levels of module, API, value, and context. We instantiate SandTrap to IFTTT, Zapier, and Node-RED, three popular JavaScript-driven TAPs, and illustrate how it enforces various policies on a set of benchmarks while incurring a tolerable runtime overhead. We also prove soundness and transparency of the monitoring framework on an essential model of Node-RED.
Furthermore, nontransitive policies have been recently introduced as a natural fit for coarse-grained information-flow control where labels are specified at the level of modules. The flow relation does not need to be transitive, resulting in nonstandard noninterference and enforcement mechanism. We develop a lattice encoding to prove that nontransitive policies can be reduced to classical transitive policies. We also devise a lightweight program transformation that leverages standard flow-sensitive information-flow analyses to enforce nontransitive policies more permissively.

Third-Party Modules

JavaScript Runtime Monitor

Trigger-Action Platforms

Nontransitive Noninterference

Information-Flow Control

online - CSE EDIT 8103
Opponent: Deian Stefan, University of California, San Diego, USA


Seyed Mohammad Mehdi Ahmadpanah

Chalmers, Computer Science and Engineering (Chalmers), Information Security

SandTrap: Securing JavaScript-driven Trigger-Action Platforms

Proceedings of the 30th USENIX Security Symposium,; (2021)p. 2899-2916

Paper in proceeding

Securing Node-RED Applications

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics),; (2021)p. 1-21

Book chapter

Nontransitive Policies Transpiled

Proceedings - 2021 IEEE European Symposium on Security and Privacy, Euro S and P 2021,; (2021)p. 543-561

Paper in proceeding

WebSec: Securing Web-driven Systems

Swedish Foundation for Strategic Research (SSF) (RIT17-0011), 2018-03-01 -- 2023-02-28.

Subject Categories

Computer Science

Computer Systems



online - CSE EDIT 8103


Opponent: Deian Stefan, University of California, San Diego, USA

More information

Latest update