Security-wg: Node.js code integrity demo and discussion from folks at Microsoft

Created on 7 Apr 2021 · 15 Comments · Source: nodejs/security-wg

Hi folks,

We previously invited Lee Holmes to participate in one of the monthly updates, where he shared some early work the folks at Microsoft are doing with regard to Node.js code integrity.

Lee has some updates that he'd be happy to share with us. This is likely more Node.js core than ecosystem security, but for lack of a WG that handles Node.js core specifically, I am sharing here first. It'll likely get some interest from folks at TSC maybe?

I'm also happy to have Lee further share more information on what he'd like to present and discuss with the wider team.

All 15 comments

I think if Lee shares what he wants to present that would be good and then we can publicize to see who is interested.

Hi all,

I'm working with Lee on this project. Let me start off with some background info on our general goals and then how they apply to Node.js. I'm not sure how deep into technical details I should get, so I'll leave things fairly high level and can answer any questions you have.

We're investigating ways to harden language interpreters for use in secure environments. Since the code which a language interpreter executes is typically just text read from a file, it is difficult for the underlying platform to determine if the contents of the file are code or data. This makes it relatively easy to modify the intended behavior of an application and bypass the integrity checks systems have in place for executable files.

We're looking into 2 ways to add more layers of defense. The first builds on top of the experimental-policy feature by integrating it with OS code integrity systems. The idea here is that even if a malicious actor is able to gain access to the command line, they wouldn't be able to modify policy.json and the launch args for the experimental-policy feature. Instead, the policy can be signed by a trusted key and Node can ask the system if the signed policy passes whatever trust checks the system is enforcing.

The second is integration with Windows Antimalware Scan Interface (AMSI). AMSI scans a buffer for known malicious content and returns a value indicating how "trustworthy" the buffer is. For most use cases the trust value is akin to "100% guaranteed bad", "very likely bad", or "OK".

I currently have a prototype of the first proposal (on Windows) which I can demo if you'd like. I don't yet have a working version of the second proposal, as I'm not quite sure where in the Node stack this would be placed (ideally right before the interpreter executes it, but I don't know if it's more appropriate to place this in v8).

Let me know if you have any questions or comments. I'd be happy to make adjustments, or demo things, etc.

Edit: I realize this is a pretty barren github account. Please email Lee if you want to verify that I'm legit :)
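
The first proposal in the comment above (a policy signed by a trusted key and checked before Node relies on it), as an added JavaScript example that is not part of the thread and not the Microsoft prototype. It assumes an Ed25519 detached signature over the policy bytes in place of the OS code integrity check; the helper names (`sri`, `checkModule`, `demo`) and all sample data are constructed for illustration.

```javascript
// Added example: signed policy manifest check (not the Microsoft prototype).
const crypto = require('node:crypto');

// SRI-style digest, the form the policy manifest uses in "integrity" fields.
function sri(source) {
  return 'sha384-' + crypto.createHash('sha384').update(source).digest('base64');
}

// Step 1: accept the policy only if its detached signature verifies against
// the trusted public key. Step 2: accept a module only if its bytes match
// the integrity value the verified policy records for it.
function checkModule(policyBytes, signature, trustedKey, specifier, source) {
  if (!crypto.verify(null, policyBytes, trustedKey, signature)) {
    return 'policy-untrusted';
  }
  const entry = JSON.parse(policyBytes.toString('utf8')).resources[specifier];
  if (!entry) return 'module-not-in-policy';
  return entry.integrity === sri(source) ? 'ok' : 'module-tampered';
}

// Constructed sample data: a throwaway Ed25519 key pair stands in for the
// trusted signing key, and the module source is a one-line script.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const appSource = Buffer.from('console.log("hello");\n');
const policyBytes = Buffer.from(JSON.stringify({
  resources: { './app.js': { integrity: sri(appSource) } },
}));
const signature = crypto.sign(null, policyBytes, privateKey);

// Tampering case from the comment: policy.json is rewritten to match a
// modified script, but the original signature no longer covers it.
const editedSource = Buffer.from('console.log("changed");\n');
const editedPolicy = Buffer.from(JSON.stringify({
  resources: { './app.js': { integrity: sri(editedSource) } },
}));

function demo() {
  return {
    untouched: checkModule(policyBytes, signature, publicKey, './app.js', appSource),
    scriptEdited: checkModule(policyBytes, signature, publicKey, './app.js', editedSource),
    policyEdited: checkModule(editedPolicy, signature, publicKey, './app.js', editedSource),
    unlisted: checkModule(policyBytes, signature, publicKey, './other.js', appSource),
  };
}

console.log(demo());
```

Without the signature step, the `policyEdited` case would pass, because the rewritten policy agrees with the rewritten script.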

Thanks for elaborating Robert.

@bmeck sounds like at least one of these example cases above is focused on the experimental policies feature. Would we be interested to see how this integrates more in line with core Node.js capabilities?

I'd love to get together sometime and see how we can plan to upstream the features discussed above. In particular the expectation of what the upstream needs to do for future proofing.

@rdwaite would you like to jump on the next team meeting video and share that? It's aired publicly on YouTube. Is that ok?

Hey, sorry for the delayed response, I was out of office.

@lirantal, that sounds good to me. When will your next team meeting be held?

We have it monthly but I think it's worth tuning to one which @bmeck will be on for sure.
Next one I see on the calendar is 22nd of July 3PM UK time.

That meeting should work for me.

That time works for me too. Do you have any recorded meetings or other information (agendas, notes, etc.) that I could look over so I know what to expect?

Hey @lirantal @bmeck - do you have any instructions on how to join the monthly meeting? I see it's hosted on Zoom and broadcast on YouTube. Will there be a link to join the meeting posted somewhere I can access?

@mhdawson can you please post the details for the upcoming Node.js security meeting this week and make sure that we have someone to kick it off?

@bmeck another ping for you to check that you're still able to join it :-)
Also FYI @nodejs/security-wg

I should be there

I was planning to come for the demo so I can kick it off. @lirantal, @esarafianou I'll assume one of you two will chair.

Thanks Michael!
