Fuzzing and Securing the Server-Side Event-Driven Architecture

Abstract

The software development community is adopting the Event-Driven Architecture (EDA) to provide scalable web services, most prominently through Node.js. Though the EDA scales well, it comes with two inherent risks: concurrency errors and Event Handler Poisoning (EHP) Denial of Service attacks. Just as thread-based programs can have concurrency errors between unordered threads, event-driven programs may have them between un-ordered events. When an EDA-based server multiplexes many clients onto few threads, a blocked thread (EHP) renders the whole server unresponsive.

In this talk, I present Node.fz and Node.cure to address these problems. First, Node.fz provides a schedule fuzzing test tool that randomly perturbs the execution of a Node.js program, allowing Node.js developers to explore a variety of possible schedules during testing. Second, Node.cure proposes First-Class Timeouts, which incorporates timeouts at the EDA framework level, defending Node.js applications against all known EHP attacks.

Biography

Dongyoon Lee is an Assistant Professor in the Computer Science department at Virginia Tech. He obtained the M.S. (2009) and Ph.D. (2013) degrees in Computer Science and Engineering at the University of Michigan, Ann Arbor. Before joining Virginia Tech, he worked as an academic visitor in the next generation middleware platforms department at IBM T. J. Watson Research Center (Fall 2013). He also interned in the operating sys-tems group at Microsoft Research, Redmond (Summer 2012), and in the systems analysis and verification de-partment at NEC Laboratories America (Summer 2011). He received a Virginia Tech ICTAS Junior Faculty Award in 2017, a Google Research Award in 2015, a ProQuest Distinguished Dissertation Award in 2013, and a VMWare Graduate Fellowship in 2011. His co-authored papers won the best student paper finalist at SC 2016, and the best paper at ASPLOS 2011.