The Case of the Poisoned Event Handler: Weaknesses in the Node.js Event-Driven Architecture

Node.js has seen rapid adoption in industry and the open-source community. Unfortunately, its event-driven architecture exposes Node.js applications to Event Handler-Poisoning denial of service attacks. Our evaluation of the state of practice in Node.js, combining a study of 353 publicly reported security vulnerabilities and a survey of 151 representative npm modules, demonstrates that the community is not equipped to combat this class of attack. We recommend several changes to the state of practice and propose both programming language and runtime approaches to defend against Event Handler-Poisoning attacks.
