
Project

Securing the Interaction of Software Modules across Security Boundaries

In the current software development culture, software modules from different parties need to work together in a single application. While this culture allows components to be reused, using third-party software modules adds security risks: a single malicious or buggy module can compromise the whole system, and with it the security of every other module.

In this thesis we investigate how we can better secure the interactions between different software modules. We study this problem in two settings. The first is that of C software modules compiled to Intel x86-64 assembly. The second is that of Node.js web applications, composed of different modules written in JavaScript.


In low-level applications, hardware technology such as Intel SGX can protect software modules from an untrusted context by isolating them in an enclave. This introduces new possibilities in the software trust model. It is, however, not trivial to securely integrate a software module protected with Intel SGX into an untrusted application: such a module should be able to detect and reject malicious input that an attacker passes into the enclave.


In Node.js web applications, different JavaScript modules can be composed together to provide the functionality needed. If a single JavaScript module contains a bug or tries to interact with another module in a malicious way, the application should be able to detect this and prevent or modify the interaction.


The solution in both cases is to protect the border between security domains with extra checks. In this thesis we propose, implement and evaluate the automatic generation of border checks for Intel SGX enclaves by using separation logic specifications. We further investigate how to create provably safe enclaves, by formalizing the interactions between the enclave and its untrusted context.

In the web application domain, we evaluate and extend the NodeSentry security architecture, which uses the membrane pattern to isolate two object graphs and can hence isolate a JavaScript module from its context. By applying the NodeSentry architecture to several use cases in the Tearless project, we can properly evaluate whether NodeSentry is also applicable in the context of larger applications. We discuss a few issues in the current implementation that prevent it from staying compatible with future versions of the ECMAScript standard without large modifications.
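As an added illustration of the membrane pattern described above (example code, not NodeSentry's implementation), the block below builds a minimal membrane from JavaScript Proxy objects: every property read, write and function call that crosses from a host object graph into an untrusted module is checked against a policy, and any object or function returned to the module is wrapped in turn. The `hostApi` object and the `policy` are constructed for the example.

```javascript
function makeMembrane(policy) {
  const wrappers = new WeakMap(); // same target -> same proxy, so identity is preserved
  function wrap(target, path) {
    // Primitives cross the membrane unchanged; only objects and functions are wrapped.
    if (target === null || (typeof target !== 'object' && typeof target !== 'function')) return target;
    if (wrappers.has(target)) return wrappers.get(target);
    const proxy = new Proxy(target, {
      get(t, prop) {
        const name = `${path}.${String(prop)}`;
        if (!policy.allowRead(name)) throw new Error(`membrane: read of ${name} denied`);
        return wrap(Reflect.get(t, prop, t), name); // results are wrapped on the way out
      },
      set(t, prop, value) {
        const name = `${path}.${String(prop)}`;
        if (!policy.allowWrite(name)) throw new Error(`membrane: write to ${name} denied`);
        return Reflect.set(t, prop, value, t);
      },
      apply(t, thisArg, args) {
        if (!policy.allowCall(path)) throw new Error(`membrane: call of ${path} denied`);
        return wrap(Reflect.apply(t, thisArg, args), `${path}()`);
      },
    });
    wrappers.set(target, proxy);
    return proxy;
  }
  return wrap;
}
const hostApi = { // constructed stand-in for a host API handed to an untrusted module
  config: { dbHost: 'db.internal', secret: 'constructed-secret' },
  readFile: (name) => `contents of ${name}`,
  writeFile: (name, data) => true,
};
const policy = { // hypothetical policy: no writes, no *.secret reads, only readFile callable
  allowRead: (name) => !name.endsWith('.secret'),
  allowWrite: () => false,
  allowCall: (name) => name === 'hostApi.readFile',
};
const untrustedView = makeMembrane(policy)(hostApi, 'hostApi');
// Each attempted interaction yields its result, or 'denied' when the membrane blocked it.
function attempt(fn) { try { return fn(); } catch (e) { return 'denied'; } }
function demo() {
  return {
    read: attempt(() => untrustedView.readFile('a.txt')),
    secret: attempt(() => untrustedView.config.secret),
    write: attempt(() => untrustedView.writeFile('a.txt', 'x')),
    reconfigure: attempt(() => { untrustedView.config.dbHost = 'other'; return 'ok'; }),
    dbHostUnchanged: hostApi.config.dbHost === 'db.internal',
  };
}
```

Because `wrap` is applied recursively to return values, the untrusted module never obtains a direct reference to a host object, which is what lets the membrane mediate the whole object graph rather than only its entry point.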

Date: 28 Sep 2015 → 2 Oct 2020
Keywords: security
Disciplines: Applied mathematics in specific fields, Computer architecture and networks, Distributed computing, Information sciences, Information systems, Programming languages, Scientific computing, Theoretical computer science, Visual computing, Other information and computing sciences
Project type: PhD project