Securing Node-RED Applications

Protocols, Strands, and Logic

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 13066))

Abstract

Trigger-Action Platforms (TAPs) play a vital role in fulfilling the promise of the Internet of Things (IoT) by seamlessly connecting otherwise unconnected devices and services. While TAPs enable novel and exciting applications across a variety of services, their security and privacy issues must be taken into consideration, because a TAP essentially acts as a person-in-the-middle between trigger and action services. The issue is further aggravated because the triggers and actions on TAPs are mostly provided by third parties, extending the trust beyond the platform providers.

Node-RED, an open-source JavaScript-driven TAP, lets users effortlessly employ and link nodes via a graphical user interface. Because Node-RED is built upon Node.js, third-party developers can extend the platform's functionality by publishing nodes and their wirings, known as flows.

This paper proposes an essential model for Node-RED, suitable to reason about nodes and flows, be they benign, vulnerable, or malicious. We expand on attacks discovered in recent work, ranging from exfiltrating data from unsuspecting users to taking over the entire platform by misusing sensitive APIs within nodes. We present a formalization of a runtime monitoring framework for a core language that soundly and transparently enforces fine-grained allowlist policies at module-, API-, value-, and context-level. We introduce the monitoring framework for Node-RED that isolates nodes while permitting them to communicate via well-defined API calls complying with the policy specified for each node.
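The abstract describes a monitor that isolates each node and lets it reach host functionality only through allowlisted calls, with policies at module, API, value and context level. The following is an added illustration of that idea, not SandTrap's code or anything from the paper: a per-node `require` built on a `Proxy` that denies any module, API or argument not explicitly allowed. The module table, node identifiers (`node-a`, `node-b`) and path prefixes are constructed for the example.

```javascript
// Added illustration of allowlist enforcement at four levels; not SandTrap's
// implementation. Host modules below are constructed stand-ins so the example
// runs offline; the node ids and path prefixes are likewise invented.
const hostModules = {
  fs: {
    readFile: (p) => `<contents of ${p}>`,
    writeFile: (p, data) => `wrote ${data.length} bytes to ${p}`,
  },
  child_process: {
    exec: (cmd) => `ran ${cmd}`,
  },
};

// One policy per node (context level). Inside a policy: module -> API -> a
// value-level predicate over the call's arguments. Anything unlisted is denied.
const nodePolicies = {
  'node-a': {
    fs: { readFile: (p) => typeof p === 'string' && p.startsWith('/data/') },
  },
  'node-b': {
    fs: { writeFile: (p) => typeof p === 'string' && p.startsWith('/var/log/app/') },
  },
};

class PolicyViolation extends Error {}

// Build the `require` a given node sees. Because the loader is instantiated
// per node, the same module name yields different permitted views depending
// on which node is calling (context level).
function makeRequire(nodeId, policies = nodePolicies, modules = hostModules) {
  const policy = policies[nodeId];
  if (!policy) throw new PolicyViolation(`no policy for ${nodeId}`);
  return function monitoredRequire(name) {
    const modulePolicy = policy[name]; // module level
    if (!modulePolicy) throw new PolicyViolation(`${nodeId}: module ${name} not allowed`);
    return new Proxy(modules[name], {
      get(obj, prop) {
        const check = modulePolicy[prop]; // API level
        if (!check) throw new PolicyViolation(`${nodeId}: ${name}.${String(prop)} not allowed`);
        const fn = obj[prop];
        return (...args) => {
          if (!check(...args)) { // value level
            throw new PolicyViolation(`${nodeId}: ${name}.${String(prop)} rejected arguments`);
          }
          return fn(...args);
        };
      },
    });
  };
}

// Run a node body under its policy; a violation is reported, not propagated,
// so one misbehaving node cannot take down the runtime loop.
function runNode(nodeId, body) {
  try {
    return { ok: true, value: body(makeRequire(nodeId)) };
  } catch (e) {
    if (e instanceof PolicyViolation) return { ok: false, reason: e.message };
    throw e;
  }
}

console.log(runNode('node-a', (r) => r('fs').readFile('/data/sensor.csv')));
console.log(runNode('node-a', (r) => r('fs').readFile('/home/user/notes.txt')));
console.log(runNode('node-a', (r) => r('child_process').exec('uptime')));
```

The three calls at the bottom show an allowed read, a value-level rejection of a path outside the node's prefix, and a module-level rejection of a module the node's policy never mentions. A production monitor would additionally have to cover return values and callbacks (the membrane problem), which this sketch leaves out.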

Acknowledgments

This work was partially supported by the Swedish Foundation for Strategic Research (SSF), the Swedish Research Council (VR), and Digital Futures.

Corresponding author: Mohammad M. Ahmadpanah.

Copyright information

© 2021 Springer Nature Switzerland AG

About this chapter

Cite this chapter

Ahmadpanah, M.M., Balliu, M., Hedin, D., Olsson, L.E., Sabelfeld, A. (2021). Securing Node-RED Applications. In: Dougherty, D., Meseguer, J., Mödersheim, S.A., Rowe, P. (eds) Protocols, Strands, and Logic. Lecture Notes in Computer Science(), vol 13066. Springer, Cham. https://doi.org/10.1007/978-3-030-91631-2_1

  • DOI: https://doi.org/10.1007/978-3-030-91631-2_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-91630-5

  • Online ISBN: 978-3-030-91631-2

  • eBook Packages: Computer Science (R0)
