TU Wien Informatics

SandTrap: Securing JavaScript-driven Trigger-Action Platforms

  • By Claudia Vitt (edt.)
  • 2021-01-13
  • Event
  • Security & Privacy

The ViSP is launching its Lecture Series with Andrei Sabelfeld’s talk on critical security issues of TAPs.

  • This event takes place online.
    See description for details.

SandTrap: Securing JavaScript-driven Trigger-Action PlatformsAndrei Sabelfeld (Chalmers University of Technology, Gothenburg, Sweden)

Trigger-Action Platforms (TAPs) seamlessly connect a wide variety of otherwise unconnected devices and services, ranging from IoT devices to cloud services and social networks. While enabling novel and exciting applications, TAPs raise critical security and privacy concerns because a TAP is effectively a “person-in-the-middle” between trigger and action services. Third-party code, routinely deployed as “apps” on TAPs, further exacerbates these concerns.


 This talk focuses on JavaScript-driven TAPs. Andrei shows that the popular IFTTT and Zapier platforms and an open-source alternative, Node-RED, are susceptible to various attacks, ranging from massively exfiltrating data from unsuspecting users to taking over the entire platform. He reports on the changes made by the platforms in response to his findings and presents an empirical study to assess the security implications.


 Motivated by the need for a secure yet flexible way to integrate third-party JavaScript apps, Andrei Sabelfeld proposes SandTrap, a sandboxing approach that allows for isolating apps while letting them communicate via clearly defined interfaces. He presents a formalization for a core language that soundly and transparently enforces fine-grained allowlist policies at module-, API-, value-, and context-level and develops a novel proxy-based JavaScript monitor that encompasses a powerful policy generation mechanism and enables us to instantiate SandTrap to IFTTT, Zapier, and Node-RED. On a set of benchmarks, it is illustrated how SandTrap enforces various policies while incurring a tolerable runtime overhead. 


Access

Join our online lecture via Zoom here. 


About the Lecture Series

This year, the ViSP is launching the Distinguished Lecture Series with internationally renowned researchers from the field of Security & Privacy. They will be invited to give a lecture every month.   


About ViSP

ViSP, the Vienna Cybersecurity and Privacy Research Center, consists of researchers from IST Austria, TU Wien and Uni Wien. With these three institutes, Vienna offers an exceptional degree of excellence for research in the area of Security and Privacy. The mission of ViSP is to unlock the true potential of the location by fostering collaborations between different institutes in Vienna.