SandTrap: Securing JavaScript-driven Trigger-Action Platforms
Paper i proceeding, 2021

Trigger-Action Platforms (TAPs) seamlessly connect a wide variety of otherwise unconnected devices and services, ranging from IoT devices to cloud services and social networks. TAPs raise critical security and privacy concerns because a TAP is effectively a “person-in-the-middle” between trigger and action services. Third-party code, routinely deployed as “apps” on TAPs, further exacerbates these concerns. This paper focuses on JavaScript-driven TAPs. We show that the popular IFTTT and Zapier platforms and an open-source alternative Node-RED are susceptible to attacks ranging from exfiltrating data from unsuspecting users to taking over the entire platform. We report on the changes by the platforms in response to our findings and present an empirical study to assess the implications for Node-RED. Motivated by the need for a secure yet flexible way to integrate third-party JavaScript apps, we propose SandTrap, a novel JavaScript monitor that securely combines the Node.js vm module with fully structural proxy-based two-sided membranes to enforce fine-grained access control policies. To aid developers, SandTrap includes a policy generation mechanism. We instantiate SandTrap to IFTTT, Zapier, and Node-RED and illustrate on a set of benchmarks how SandTrap enforces a variety of policies while incurring a tolerable runtime overhead.

Författare

Seyed Mohammad Mehdi Ahmadpanah

Chalmers, Data- och informationsteknik, Informationssäkerhet

Daniel Hedin

Chalmers, Data- och informationsteknik, Informationssäkerhet

Musard Balliu

Chalmers, Data- och informationsteknik, Informationssäkerhet

Lars Eric Olsson

Chalmers, Data- och informationsteknik, Datavetenskap

Andrei Sabelfeld

Chalmers, Data- och informationsteknik, Informationssäkerhet

Proceedings of the 30th USENIX Security Symposium

2899-2916
9781939133243 (ISBN)

30th USENIX Security Symposium
Virtual; online, ,

WebSec: Säkerhet i webb-drivna system

Stiftelsen för Strategisk forskning (SSF) (RIT17-0011), 2018-03-01 -- 2023-02-28.

Ämneskategorier

Datorsystem

ISBN

9781939133243

Mer information

Senast uppdaterat

2023-04-21