WFRF:(Hedin Daniel)
Sökning: WFRF:(Hedin Daniel) > SandTrap :
SandTrap : Securing javascript-driven trigger-action platforms
-
- Ahmadpanah, Seyed Mohammad Mehdi, 1996 (författare)
- Chalmers University of Technology, Sweden,Chalmers Univ Technol, Gothenburg, Sweden.,Chalmers tekniska högskola
-
- Hedin, Daniel (författare)
- Mälardalens högskola,Inbyggda system,Chalmers University of Technology, Sweden,Chalmers Univ Technol, Gothenburg, Sweden.;Mälardalen Univ, Västerås, Sweden.,Chalmers tekniska högskola
-
- Balliu, Musard (författare)
- KTH,Teoretisk datalogi, TCS,KTH Royal Institute of Technology, Sweden,Chalmers tekniska högskola,Chalmers University of Technology
- visa fler...
- visa färre...
- Chalmers University of Technology, Sweden Chalmers Univ Technol, Gothenburg, Sweden (creator_code:org_t)
- ISBN 9781939133243
- USENIX Association, 2021
- 2021
- Engelska.
- Ingår i: Proceedings of the 30th USENIX Security Symposium. - : USENIX Association. - 9781939133243 ; , s. 2899-2916
- Konferensbidrag (refereegranskat)
Abstract
Ämnesord
Stäng
- Trigger-Action Platforms (TAPs) seamlessly connect a wide variety of otherwise unconnected devices and services, ranging from IoT devices to cloud services and social networks. TAPs raise critical security and privacy concerns because a TAP is effectively a “person-in-the-middle” between trigger and action services. Third-party code, routinely deployed as “apps” on TAPs, further exacerbates these concerns. This paper focuses on JavaScript-driven TAPs. We show that the popular IFTTT and Zapier platforms and an open-source alternative Node-RED are susceptible to attacks ranging from exfiltrating data from unsuspecting users to taking over the entire platform. We report on the changes by the platforms in response to our findings and present an empirical study to assess the implications for Node-RED. Motivated by the need for a secure yet flexible way to integrate third-party JavaScript apps, we propose SandTrap, a novel JavaScript monitor that securely combines the Node.js vm module with fully structural proxy-based two-sided membranes to enforce fine-grained access control policies. To aid developers, SandTrap includes a policy generation mechanism. We instantiate SandTrap to IFTTT, Zapier, and Node-RED and illustrate on a set of benchmarks how SandTrap enforces a variety of policies while incurring a tolerable runtime overhead.
Ämnesord
- TEKNIK OCH TEKNOLOGIER -- Elektroteknik och elektronik -- Datorsystem (hsv//swe)
- ENGINEERING AND TECHNOLOGY -- Electrical Engineering, Electronic Engineering, Information Engineering -- Computer Systems (hsv//eng)
- NATURVETENSKAP -- Data- och informationsvetenskap -- Datavetenskap (hsv//swe)
- NATURAL SCIENCES -- Computer and Information Sciences -- Computer Sciences (hsv//eng)
Nyckelord
- Access control
- Access control policies
- Cloud services
- Empirical studies
- Open sources
- Policy generation
- Runtime overheads
- Security and privacy
- Third parties
- High level languages
Publikations- och innehållstyp
- ref (ämneskategori)
- kon (ämneskategori)
Hitta via bibliotek
- Proceedings of the 30th USENIX Security Symposium (Sök värdpublikationen i LIBRIS)
Till lärosätets databas
Hitta mer i SwePub
- Av författaren/redakt...
- Ahmadpanah, Seye ...
- Hedin, Daniel
- Balliu, Musard
- Olsson, L. E.
- Sabelfeld, Andre ...
- Om ämnet
-
- TEKNIK OCH TEKNOLOGIER
- TEKNIK OCH TEKNO ...
- och Elektroteknik oc ...
- och Datorsystem
-
- NATURVETENSKAP
- NATURVETENSKAP
- och Data och informa ...
- och Datavetenskap
- Artiklar i publikationen
- Proceedings of t ...
Sök utanför SwePub
- Sök vidare i:
- Google Book Search
- Google Scholar
Kungliga biblioteket hanterar dina personuppgifter i enlighet med EU:s dataskyddsförordning (2018), GDPR. Läs mer om hur det funkar här.
Så här hanterar KB dina uppgifter vid användning av denna tjänst.
- Copyright © LIBRIS - Nationella bibliotekssystem
- LIBRIS.kb.se
