Maciej Lasyk
AtmosphereConf 2014
Warsaw, 2014-05-19
scaling & securing node.js apps
$ whoami
Maciej Lasyk, Ganglia & Nagios
3/25
Maciej Lasyk, node.js security
1/25
Maciej Lasyk, node.js security
Maciej Lasyk, scaling&securing node.js apps
Maciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
- not only a sysadmin ;)
- 14+ years of experience in software development / sysops
- ops lead
- contributing to the Fedora Project (and a couple more)
- and...
- love AtmosphereConf – been to Velocity
So what do you think about JS?
- JS is for children!
- JS is slow!
- JS is not scalable!
- JS is insecure!
node.js: history
- 2008: Google V8 release
- 2009: Ryan Dahl & node.js
- 2011: node.js release
- later on: Joyent, until today
- and ^lift security / nodesecurity.io
(http://www.phloxblog.in)
node.js: developing your code
raw node.js coding, seriously?
maybe some frameworks?
- webserver: express
- client-server sync: backbone.js
- push: socket.io
- templates: swig
- i18n: babelfish
- client-side: jquery
- or...
- kraken.js does it all (almost)
Biggest win here?
One Language to Rule them all!
security: JS issues
eval()-like functions take a string argument and evaluate it as source code.
seriously, who does that?
not only eval():
setInterval(code, 2)
setTimeout(code, 2)
fn = new Function(code)
(string callbacks to the timers are a browser habit; current node.js timers throw on a string callback, but new Function() works everywhere)
Content-Security-Policy knows about those ('unsafe-eval'),
but we're talking about the server side...
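An added example, not code from the slides: the pre-JSON.parse habit of "parsing" a request body with eval() or new Function(), fed a body that is valid JavaScript but not JSON, beside the boring replacement (JSON.parse plus a shape check). The request bodies, the field name `amount` and the marker written to `global` are constructed for the demonstration.

```javascript
// Vulnerable: "parsing" a JSON body with eval(). Anything the client sends
// is executed as code inside the server process.
function parseBodyWithEval(body) {
  return eval("(" + body + ")");
}

// Same problem, different spelling: new Function() compiles a string too.
function parseBodyWithFunction(body) {
  return new Function("return (" + body + ");")();
}

// Hardened: JSON.parse only understands data, never code, and the result is
// checked against the shape this handler actually expects.
function parseBodySafely(body, maxBytes) {
  if (typeof body !== "string" || Buffer.byteLength(body, "utf8") > maxBytes) {
    throw new Error("body rejected before parsing");
  }
  var obj;
  try {
    obj = JSON.parse(body);
  } catch (e) {
    throw new Error("invalid JSON");
  }
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) {
    throw new Error("expected a JSON object");
  }
  if (typeof obj.amount !== "number" || !Number.isFinite(obj.amount)) {
    throw new Error("amount must be a finite number");
  }
  return { amount: obj.amount };   // copy only the fields you validated
}

// Constructed payload: valid JS, invalid JSON. It runs a side effect (here a
// marker on the global object; a real attacker would require("child_process"))
// and then hands back an innocent-looking object so the handler carries on.
var MALICIOUS_BODY = '(global.pwned = "eval ran attacker code", {"amount": 1})';
var BENIGN_BODY = '{"amount": 42}';

function demo() {
  delete global.pwned;
  parseBodyWithEval(MALICIOUS_BODY);          // returns {amount: 1} AND sets global.pwned
  var evalSideEffect = global.pwned;
  delete global.pwned;
  parseBodyWithFunction(MALICIOUS_BODY);      // same thing via new Function()
  var fnSideEffect = global.pwned;
  delete global.pwned;
  var safeRejected = false;
  try { parseBodySafely(MALICIOUS_BODY, 1024); } catch (e) { safeRejected = true; }
  return {
    evalSideEffect: evalSideEffect,
    fnSideEffect: fnSideEffect,
    safeRejected: safeRejected,
    safeAmount: parseBodySafely(BENIGN_BODY, 1024).amount,
    stillCleanAfterSafe: global.pwned === undefined
  };
}
```

The size check runs before JSON.parse so an oversized body never reaches the parser, and the handler returns a fresh object with only the validated field rather than passing the client's object around.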
Global namespace pollution
- node.js is single-threaded
- module-level and global variables are shared by every request the process handles
- one request could theoretically change the behaviour of other requests
- watch out for globals then!
var express = require('express');
var app = express();
var auth = false;   // process-wide flag: whoever logs in first "authenticates" every later request
app.get('/auth', function(req, res) {
  if (legit) { auth = true; res.send("success"); }   // legit: the credential check, elided on the slide
  else res.send("bad credentials");
});
app.get('/payments-db', function(req, res) {
  if (auth) res.send("legit to see all payments data");
  else res.send("not logged in");
});
app.listen(8080);
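An added example, not the slides' code: the shared `auth` flag above exercised as two requests from two different clients, next to the fix that keeps authentication state per client. Request objects are constructed stubs, the password check is a placeholder, and the session id is assumed to arrive in a cookie already issued by the server; no network is involved.

```javascript
// --- vulnerable: one module-level flag for the whole process -----------------
var auth = false;

function vulnerableLogin(req) {
  if (req.body.password === "hunter2") { auth = true; return "success"; }  // constructed check
  return "bad credentials";
}
function vulnerablePayments(req) {
  return auth ? "all payments data" : "not logged in";
}

// --- fixed: authentication state lives in a per-client session -----------------
// sessions: session id (from the client's cookie) -> state for that client only.
// In a real app the id is generated server-side and regenerated at login.
var sessions = new Map();

function fixedLogin(req) {
  if (req.body.password === "hunter2") {
    sessions.set(req.cookies.sid, { user: req.body.user });
    return "success";
  }
  return "bad credentials";
}
function fixedPayments(req) {
  var session = sessions.get(req.cookies.sid);
  return session ? "payments data for " + session.user : "not logged in";
}

// Alice logs in; Mallory, who never did, asks for the payments data.
function scenario() {
  var alice = { cookies: { sid: "sid-alice" }, body: { user: "alice", password: "hunter2" } };
  var mallory = { cookies: { sid: "sid-mallory" }, body: {} };
  auth = false; sessions.clear();
  vulnerableLogin(alice);
  fixedLogin(alice);
  return {
    vulnerableMallory: vulnerablePayments(mallory),  // Alice's login leaked to Mallory
    fixedMallory: fixedPayments(mallory),            // not logged in
    fixedAlice: fixedPayments(alice)                 // her own data only
  };
}
```

The `sessions` Map is still a module-level variable, which is fine because it is keyed per client; it is not shared across cluster workers, which is what the Redis-backed session store later in the deck is for.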
So now imagine...
global namespace pollution + eval() & co.
object property attributes:
- writable: false makes the property read-only
- enumerable: false keeps it out of for..in loops and Object.keys()
- configurable: false forbids deleting it or changing these attributes
- plain assignment sets all three to true, so watch out
  (Object.defineProperty() defaults the ones you omit to false)
var obj = {}; obj.prop = "LOL";   // plain assignment: writable, enumerable, configurable all true
// OR the same thing spelled out:
Object.defineProperty(obj, "prop", {
  writable: true,
  enumerable: true,
  configurable: true,
  value: "LOL"
});
security: JS issues - prevention
strict mode:
- silent failures become thrown errors!
- declare your variables! (assigning to an undeclared name is a ReferenceError)
- keeps the global namespace clean
"use strict";
function do_smt() {
  do_smt.caller;     // no way :) TypeError in strict mode
  do_smt.arguments;  // no way :) TypeError in strict mode
}
"use strict";
eval("var smt = 123");
console.log(smt); // sorry – ReferenceError: strict-mode eval gets its own variable scope
But watch out:
"use strict";
var smt = 0;
eval("smt = 123");
console.log(smt); // prints 123: eval can still assign to variables already in scope
strict mode:
- eval() & co. can no longer inject variables into the caller's scope (they still execute arbitrary code, though)
- no access to the caller and arguments properties
- enable it per file or per function
- what about strict mode in 3rd-party modules? the directive is per file: it does nothing for the code you require()
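An added example, not from the slides, covering the two preceding passages together (property attributes and strict mode): a config object shared by every request made tamper-resistant with defineProperty and Object.freeze, the shallow-freeze hole a practitioner has to close by hand, and the strict-mode behaviours the slides describe. Field names and values are constructed; strict mode is enabled per function so the result does not depend on how the file is loaded.

```javascript
function makeAclConfig() {
  var cfg = {};
  Object.defineProperty(cfg, "adminRole", {
    value: "admin",
    writable: false,      // read-only
    enumerable: true,
    configurable: false   // cannot be deleted or redefined
  });
  // Plain assignment: writable, enumerable and configurable are all true.
  cfg.allowedOrigins = ["https://app.example"];
  // freeze(): no new properties; existing ones become non-writable and non-configurable.
  return Object.freeze(cfg);
}

// In strict mode a write to a read-only property throws instead of failing silently.
function tamperStrict(cfg) {
  "use strict";
  try {
    cfg.adminRole = "common";
    return "write succeeded";
  } catch (e) {
    return e.name;   // "TypeError"
  }
}

// Freeze is shallow: the array behind allowedOrigins is still mutable.
function tamperNested(cfg) {
  cfg.allowedOrigins.push("https://evil.example");
  return cfg.allowedOrigins.length;
}

// Recursive freeze closes that hole.
function deepFreeze(obj) {
  Object.getOwnPropertyNames(obj).forEach(function (name) {
    var v = obj[name];
    if (v !== null && typeof v === "object") deepFreeze(v);
  });
  return Object.freeze(obj);
}

function tamperDeepFrozen() {
  var cfg = deepFreeze(makeAclConfig());
  try {
    cfg.allowedOrigins.push("https://evil.example");  // push on a frozen array throws in any mode
    return "push succeeded";
  } catch (e) {
    return e.name;
  }
}

// Strict-mode eval() cannot introduce variables into the caller's scope.
function strictEvalScope() {
  "use strict";
  eval("var leaked = 1");
  return typeof leaked;   // "undefined"
}
```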
security: JS issues - prevention
Static code analysis
- if you're not doing it already, just do it
- commit hooks in your (D)VCS
- JSHint / JSLint
- create a policy for static code analysis
- update & check this policy regularly
node.js – exploits anyone?
- http://seclists.org/bugtraq – 0 hits
- http://osvdb.org – 2 hits
- http://1337day.com, http://www.exploitdb.com – 1 hit
- http://nodesecurity.io/advisories – 4 hits
Such security big?
not exactly
node.js – what's wrong then?
node.js security is a blank page
http://www.slideshare.net/ASF-WS/asfws-2012-nodejs-security-old-vulnerabilities-in-new-dresses-par-sven-vetsch
node.js – exceptions / callbacks
callbacks get an Error object as their first argument – remember to handle it
var fs = require("fs");
fs.readFile("/some/file", "utf8", function (err, contents) {
  // err is null if no error occurred...
  // ...otherwise it carries the error details: return early instead of touching contents
  if (err) { console.error(err); return; }
  // use contents
});
forget to handle it and die debugging
node.js – eventemitter
EventEmitter: emitting events for async actions
var http = require("http");
var req = http.get("http://nodejs.org/", function (res) {
  res.on("data", function (chunk) {
    // do something with chunk
  });
  res.on("error", function (err) {
    // listener handling errors on the response stream
  });
});
req.on("error", function (err) {
  // connection-level errors (refused, reset, DNS) are emitted on the request, not the response
});
Attach listeners to 'error' events or
welcome the unhandled exception!
node.js – uncaught exceptions
- by default node.js prints the stack trace and terminates the process
- EventEmitter / process / uncaughtException
// the default behaviour is roughly equivalent to:
process.on("uncaughtException", function (err) {
  console.error(err);
  console.trace();
  process.exit(1);
});
So do you really want to comment out
the 'process.exit(1)' line?
node.js – domains
- error handling mechanism
- groups I/O operations
- when an 'error' event fires, the domain is notified instead of the process
- context clarity
Using Express? take a look at:
https://github.com/brianc/node-domain-middleware
Assigning each Express request to a separate domain?
(note: node.js has since deprecated the domain module)
node.js – npm modules
- npm install (-g)
- who creates the modules?
- who verifies them?
- how do you update?
- semantic versioning in package.json
- "connect": "~1.8.7" -> >=1.8.7 <1.9.0
- npm install --ignore-scripts
  stops lifecycle scripts (preinstall, install, postinstall, prepublish) from running on your box
- module auditing: https://nodesecurity.io/
The scale of npm modules
Comparison to other languages (modules/day):
Remember:
- use strict?
- static analysis?
- does it include a test suite?
- what is the dependency tree?
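An added example, not from the slides, for the npm slides above: a small pre-install check over a package.json that flags floating version ranges (the "~1.8.7" case the deck quotes) and the lifecycle scripts that --ignore-scripts would suppress, plus the tilde-range expansion so the numbers can be verified. The manifest is constructed; this does not replace an advisory database such as nodesecurity.io.

```javascript
var LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepublish", "prepare"];

// Exact "x.y.z" is pinned; anything else (~, ^, *, >=, x, ||) can change underneath you.
function isPinned(range) {
  return /^\d+\.\d+\.\d+$/.test(range);
}

// "~1.8.7" allows >=1.8.7 <1.9.0 ; "~1.8" allows >=1.8.0 <1.9.0 ; "~1" allows >=1.0.0 <2.0.0
function tildeRange(range) {
  var m = /^~(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(range);
  if (!m) return null;
  var major = +m[1];
  var minor = m[2] === undefined ? null : +m[2];
  var patch = m[3] === undefined ? 0 : +m[3];
  if (minor === null) return { min: major + ".0.0", maxExclusive: (major + 1) + ".0.0" };
  return { min: major + "." + minor + "." + patch, maxExclusive: major + "." + (minor + 1) + ".0" };
}

// Returns the dependencies that float and the lifecycle hooks this manifest would run.
function auditManifest(pkg) {
  var floating = [];
  var deps = Object.assign({}, pkg.dependencies, pkg.devDependencies);
  Object.keys(deps).forEach(function (name) {
    if (!isPinned(deps[name])) floating.push(name + "@" + deps[name]);
  });
  var scripts = pkg.scripts || {};
  var hooks = LIFECYCLE_HOOKS.filter(function (h) { return typeof scripts[h] === "string"; });
  return { floating: floating, lifecycleScripts: hooks };
}

// Constructed manifest for the demonstration.
var SAMPLE_MANIFEST = {
  name: "payments-api",
  dependencies: { connect: "~1.8.7", express: "4.0.0", lodash: "*" },
  devDependencies: { mocha: "^1.18.2" },
  scripts: { test: "mocha", postinstall: "node ./scripts/fetch-binary.js" }
};
```

Run the same check over each dependency's own package.json under node_modules to see which third-party modules run code at install time; pinning plus a shrinkwrap/lock file is what makes "how to update?" a deliberate decision rather than a side effect of the next install.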
node.js – express
Express – web dev framework
Built on top of connect
node.js – express – basic auth
var express = require('express'),
    app = express();
app.use(express.basicAuth("user", "pwd"));   // Express 3 bundled middleware; Express 4 dropped it (see the basic-auth module)
app.get("/", function (req, res) {
  res.send('Hello World');
});
app.listen(8080);
Plain-text credentials (base64 is not encryption; unless it's TLS) and the usual basic-auth issues
node.js – express – SSL auth
var express = require('express'), https = require('https'), fs = require('fs'), routes = require('./routes');
var opts = {
  key: fs.readFileSync('ssl/server/keys/server.key'),
  cert: fs.readFileSync('ssl/server/certificates/server.crt'),
  ca: fs.readFileSync('ssl/ca/ca.crt'),    // CA that issued the client certificates
  crl: fs.readFileSync('ssl/ca/ca.crl'),   // revoked client certificates
  requestCert: true,                       // ask the client for a certificate
  rejectUnauthorized: true,                // and drop the handshake if it's missing or not signed by ca
  passphrase: "pwd" // <<<< really here? (a secret hard-coded in the source)
};
var app = module.exports = express();
app.set('views', __dirname + '/views');
...
app.get('/', routes.index);
// express.createServer(opts) is the Express 2 API; with Express 3+ hand the app to https.createServer
https.createServer(opts, app).listen(8443);
node.js – express – passport.js
- provides API for authentication and authorization
- authentication:
  - LocalStrategy
  - OpenIDStrategy
  - OAuth / FacebookStrategy
node.js – express – authorization
var users = [
  { id: 1, name: "user1", role: "admin" },
  { id: 2, name: "user2", role: "common" },
];
// Loads the user named in the URL into req.userData; req.user (set by passport) stays the caller.
function loadUser(req, res, next) {
  var id = Number(req.params.user);   // look up by id, not by array index
  req.userData = users.filter(function (u) { return u.id === id; })[0];
  if (!req.userData) return res.status(404).send("no such user");
  return next();
}
function requireRole(role) {
  return function (req, res, next) {
    if (req.user && req.user.role === role) {
      return next();
    } else {
      return next(new Error("Unauthorized"));   // better: res.status(403).send(), so no stack trace reaches the client
    }
  };
}
app.get("/users/:user", loadUser, function (req, res) {
  res.send(req.userData.name);
});
app.delete("/users/:user", requireRole("admin"), loadUser, function (req, res) {
  res.send("User deleted");
});
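An added example, not from the slides, that extends the role check above with an object-level rule ("an admin, or the user acting on their own record"), a deny-by-default lookup and a 403 instead of an Error carrying a stack trace. The user table, the request objects and the tiny middleware runner are constructed; the (req, res, next) shape follows Express.

```javascript
var users = [
  { id: 1, name: "user1", role: "admin" },
  { id: 2, name: "user2", role: "common" },
  { id: 3, name: "user3", role: "common" }
];

function findUserById(id) {
  // By id, not by array index: users[req.params.user] would hand out the wrong record.
  for (var i = 0; i < users.length; i++) if (users[i].id === id) return users[i];
  return null;
}

// Authentication comes first so anonymous callers learn nothing about which ids exist.
function requireAuthenticated(req, res, next) {
  if (!req.user) { res.statusCode = 401; return res.end("login required"); }
  next();
}

// Loads the *target* user into req.target; req.user stays the authenticated caller.
function loadTarget(req, res, next) {
  var id = Number(req.params.user);
  if (!Number.isInteger(id) || id <= 0) { res.statusCode = 400; return res.end("bad id"); }
  var target = findUserById(id);
  if (!target) { res.statusCode = 404; return res.end("no such user"); }
  req.target = target;
  next();
}

// Authorization policy: admins may act on anyone, everyone else only on themselves.
function requireAdminOrSelf(req, res, next) {
  var isAdmin = req.user.role === "admin";
  var isSelf = req.target.id === req.user.id;
  if (isAdmin || isSelf) return next();
  res.statusCode = 403;   // deny by default; no Error object, no stack trace in the response
  res.end("forbidden");
}

// Runs a middleware chain the way Express does and reports the final status code.
function runChain(req, res, chain) {
  var i = 0;
  (function step() { if (i < chain.length) chain[i++](req, res, step); })();
  return res.statusCode;
}

function scenarios() {
  var handler = function (req, res) { res.statusCode = 200; res.end("User " + req.target.name + " deleted"); };
  var chain = [requireAuthenticated, loadTarget, requireAdminOrSelf, handler];
  var mkRes = function () { return { statusCode: 0, end: function () {} }; };
  return {
    commonOnOther: runChain({ user: users[1], params: { user: "3" } }, mkRes(), chain),
    commonOnSelf:  runChain({ user: users[1], params: { user: "2" } }, mkRes(), chain),
    adminOnOther:  runChain({ user: users[0], params: { user: "3" } }, mkRes(), chain),
    anonymous:     runChain({ params: { user: "3" } }, mkRes(), chain),
    missing:       runChain({ user: users[0], params: { user: "99" } }, mkRes(), chain),
    badId:         runChain({ user: users[0], params: { user: "../etc" } }, mkRes(), chain)
  };
}
```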
node.js – express – logging
OWASP will tell you what should be logged :)
https://www.owasp.org/index.php/Logging_Cheat_Sheet
- authentication & authorisation
- session management
- errors & unusual events
- events (startups, shutdowns, slowdowns etc)
- high-risk functionality (payments, privileges, admins)
Try the Winston module (Github -> flatiron/winston)
- logging to console
- logging to file
- sending logs over HTTP
- CouchDB, Redis, MongoDB, Riak etc
node.js – express – sessions
var express = require('express');
var app = express();
var RedisStore = require('connect-redis')(express);   // Express 3 API: in Express 4 use the express-session module
app.use(express.cookieParser());
app.use(express.session({
  store: new RedisStore({      // shared store: sessions survive restarts and work across cluster workers
    host: '127.0.0.2',
    port: 6379,
    db: 3,
    pass: process.env.REDIS_PASSWORD    // not a literal in the source
  }),
  secret: process.env.SESSION_SECRET,   // signs the session cookie: long, random, kept out of the repo
  cookie: { httpOnly: true, secure: true }   // no script access, sent over TLS only
}));
app.get('/somewhere', function(req, res) {
  res.send('In the middle of nowhere');
});
app.listen(process.env.PORT || 8080);
node.js – common threats
- CSRF
- input validation
- XSS
- DoS
- ReDoS (regular expression denial of service)
- HPP (HTTP parameter pollution)
- request size
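An added example, not from the slides, for three items on the list above that one validation routine can cover: HPP (a parameter that arrives as an array because it was sent twice), ReDoS (a length check before any regex and a pattern with no nested quantifiers), and request size (reject on the declared length and keep counting bytes, because Content-Length can lie). The username rule and the limits are constructed for the demonstration.

```javascript
var MAX_BODY_BYTES = 16 * 1024;   // constructed limit

// HPP: ?user=alice&user=admin becomes ["alice", "admin"] in Express' query parser.
// Decide explicitly: exactly one string, or nothing.
function singleParam(value) {
  if (Array.isArray(value)) return null;   // reject duplicates instead of taking [0] or .pop() by accident
  return typeof value === "string" ? value : null;
}

// Username rule: 3-32 chars of [a-z0-9_.-]. The length check runs before the regex
// and the pattern has no nested quantifiers, so a hostile string cannot make the
// matcher backtrack.
var USERNAME = /^[a-z0-9_.-]+$/;
function validateUsername(raw) {
  var v = singleParam(raw);
  if (v === null) return { ok: false, reason: "missing or repeated parameter" };
  if (v.length < 3 || v.length > 32) return { ok: false, reason: "length" };
  if (!USERNAME.test(v)) return { ok: false, reason: "charset" };
  return { ok: true, value: v };
}

// Request size: check the declared length AND count bytes as they arrive.
function bodyGuard(maxBytes) {
  var seen = 0;
  return {
    // false = reject up front with 413
    declared: function (contentLength) {
      var n = Number(contentLength);
      return !(Number.isFinite(n) && n > maxBytes);
    },
    // false = abort the request mid-stream
    chunk: function (buf) {
      seen += buf.length;
      return seen <= maxBytes;
    }
  };
}
```

CSRF and XSS on the list need different tools (a per-session token checked on state-changing requests, and output encoding in the template layer), which is why they are not in this block.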
node.js – monitoring anyone?
- is the app functional? :)
- is the app overloaded?
- the app should expose a monitoring interface
- how many errors were caught?
- are the forks alive and OK?
node.js – sandboxing
Such security..
Very fortress!!1
WOW :)
SELinux sandbox:
- r/w only on stdin/stdout plus explicitly passed FDs
- no network access
- no access to other processes' files
- cgroups friendly :)
- lightweight!
node.js – sandboxing
libvirtd sandbox:
- use LXC, Qemu or KVM
- provides high level API
- don't need to know virt internals
- integrates with systemd inside the sandbox
- virt-sandbox -c lxc:/// /bin/sh
Maciej Lasyk, Ganglia & Nagios
3/25
Maciej Lasyk, node.js security
1/25
Maciej Lasyk, node.js security
Maciej Lasyk, scaling&securing node.js apps
Maciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
第59页
node.js – sandboxing
Docker:
- very easy learning curve – just run & go
- it just works
- big community
- growing rapidly
- almost stable ;)
Maciej Lasyk, Ganglia & Nagios
3/25
Maciej Lasyk, node.js security
1/25
Maciej Lasyk, node.js security
Maciej Lasyk, scaling&securing node.js apps
Maciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
第60页
node.js – one more thing
Just...
Don't run as `root`!!!
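An added example, not from the slides, of the usual way to honour that advice when the app still has to bind port 80 or 443: listen first, then drop to an unprivileged user, calling setgid() before setuid() because once the process is no longer root it can no longer change its group. The process object is injected so the sequence can be exercised without actually being root; the fake process, user and group names are constructed.

```javascript
function dropPrivileges(proc, opts) {
  var p = proc || process;
  if (typeof p.getuid !== "function") return { dropped: false, reason: "not a POSIX platform" };
  if (p.getuid() !== 0) return { dropped: false, reason: "not running as root; nothing to drop" };
  if (!opts || !opts.user || !opts.group) {
    throw new Error("refusing to keep running as root: user and group required");
  }
  var steps = [];
  if (typeof p.setgroups === "function") {   // clear supplementary groups (e.g. wheel) first
    p.setgroups([]);
    steps.push("setgroups");
  }
  p.setgid(opts.group); steps.push("setgid");   // group first ...
  p.setuid(opts.user);  steps.push("setuid");   // ... then user
  if (p.getuid() === 0) throw new Error("still root after setuid()");
  return { dropped: true, steps: steps };
}

// Typical start-up: bind the privileged port while still root, drop privileges
// in the 'listening' callback. listenFn stands in for server.listen(port, cb).
function startServer(listenFn, proc, opts) {
  return listenFn(function onListening() {
    return dropPrivileges(proc, opts);
  });
}

// A fake process object that records calls and enforces the Linux rule that
// setgid() needs root, so the wrong order fails the way it would in production.
function fakeRootProcess() {
  var uid = 0, gid = 0, calls = [];
  return {
    calls: calls,
    getuid: function () { return uid; },
    getgid: function () { return gid; },
    setgroups: function (g) { calls.push("setgroups:" + g.length); },
    setgid: function (g) { if (uid !== 0) throw new Error("EPERM"); calls.push("setgid:" + g); gid = 1001; },
    setuid: function (u) { calls.push("setuid:" + u); uid = 1001; }
  };
}
```

After the drop, anything the app later opens (log files, the Redis socket) must be reachable as the unprivileged user, so open privileged resources before calling this and keep long-lived handles.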
node.js – tracing execution
- SmartOS / Joyent: debugging
- Bunyan / Dtrace
- strace of course...
node.js – testing
- maybe some interface for white-box pentests?
- unit testing, for the sake of it! (Mocha, supertest, should.js)
- OWASP Zed Attack Proxy
scaling node.js – cluster module
http://aosabook.org
scaling node.js – containers
scaling node.js – resources
Just use cgroups
node.js performance
- c10k problem!
- paypal – release the Kraken & stories
So what do you think about JS?
- JS is for children? wrong, children aren't async ;)
- JS is slow? wrong – V8!
- JS is not scalable? wrong – we'll JS the world!
- JS is insecure? wrong – people are
node.js: learning
- Node Security Book
- OWASP NodeGoat (top 10)
- nodesecurity.io (Twitter, RSS)
Infosec & meet.js meetups @krakow
meetup.com
Docker workshops with node.js!
#dockerkrk #nodekrk
http://maciek.lasyk.info/sysop
maciek@lasyk.info
@docent-net
Any Qs?
Thank you :)