The Nodesource Blog

#shoptalk Subscribe

Protect Yourself From Remote Memory Disclosure with N|Solid

Earlier this week, the Node Security Project released an advisory for the popular ws WebSockets module that can cause remote memory exposure.

​This sort of vulnerability is exactly why we built the ZeroFillAllocations feature into N|Solid.

​Using the advisory sample code and a vulnerable version of ws let me demonstrate how this feature protects you from any vulnerabilities out there like this, known or unknown. ​ First, I'm going to install a known vulnerable version of the library, according to the NSP disclosure:

npm install ws@1.0.0

​Next I'll run their example script without enabling the ZeroFillAllocations feature in N|Solid:

var ws = require('ws')
​
var server = new ws.Server({ port: 9000 })
var client = new ws('ws://localhost:9000')
​
client.on('open', function () {
  console.log('open')
  client.ping(50) // this makes the server return a non-zeroed buffer of 50 bytes
​
  client.on('pong', function (data) {
    console.log('got pong')
    console.log(data) // a non-zeroed out allocated buffer returned from the server
  })
})

$ nsolid example.js
open
got pong
<Buffer f0 67 c4 6c ff 7f 00 00 40 e3 3b 03 00 00 00 00 04 00 00 00 00 00 00 00 60 e3 3b 03 00 00 00 00 04 00 00 00 00 00 00 00 80 e3 3b 03 00 00 00 00 04 00>

​In that Buffer output, what we're seeing is contents already in the sections of memory that the OS provided to the Node.js runtime when it asked for memory. It might look like random noise, but it is simply left-over data that was never cleared. Allocate a large enough Buffer and you will absolutely see real information in it. ​

N|Solid adds a Policies feature that includes the ability to always zero-fill any memory allocated for Buffers. We enable this feature by providing a policies file at startup to N|Solid.

Here is our zero-filling policies.json file:

{
  "process": {
    "zeroFillAllocations": true
  }
}

​Now when we run N|Solid on the example specifying the policies file, all memory provided from the OS is always filled with zeros, preventing any memory disclosure:

$ nsolid --policies policies.json example.js
open
got pong
<Buffer 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00>

​The Policies feature can do even more to protect you from vulnerabilities in 3rd-party code, and we're currently working on even more security related features for N|Solid.

N|Solid is free for development, give it a try.