Brown CS Blog

BinWrap: Safeguarding Node.js Applications From Native Library Risks


    Modern application development relies heavily on third-party libraries. These libraries are used by developers to add functionality, improve performance, and simplify the development process. At times, however, some libraries introduce significant risks in these applications — especially in cases in which libraries are written in what are known as low-level languages such as C and C++. Such "native" add-ons lack important safety and security guarantees provided by the runtime environments of high-level languages they are used in, and thus even a single such library — or even a single line of code! — can compromise the entire application's safety and security. 

    And due to their inherent insecurity, these libraries become a prominent target for malicious adversaries. These adversaries either analyze the native code to exploit any vulnerabilities they find or, increasingly, purposefully insert vulnerabilities that they can then later exploit — giving rise to what is known as software supply-chain attacks. Currently, there is no good way to counter these risks — given the large amount of reused open-source software and the limited engineering resources available to most organizations building on these open-source components, manual analysis or code reviews are simply inadequate for vetting open-source software.

    In a forthcoming paper that has received the ACM ASIA Conference on Computer and Communications Security (AsiaCCS 2023)’s Distinguished Paper Award, researchers at Brown and collaborators at Aarno Labs, FORTH, and TUC developed a new system that can automatically protect against these threats — while requiring minimal developer effort. The system, called BinWrap, combines protections of both the native portion of a library and its language-specific wrapper.

    "While working on a previous system," the researchers explain, "we realized that an application could still be exploited, even by a single line of code from a vulnerable native library. After searching the existing tools, we discovered that there had previously been no easy way to secure native libraries in the JavaScript ecosystem."

    The new system, BinWrap, defends against common vulnerabilities that occur in native libraries while imposing little overhead. 

    The paper is available at