
HODOR: Shrinking the Attack Surface on Node.js via System Call Limitation

Researchers from Shanghai Jiao Tong University, Ant Security Light-Year Lab, and Zhejiang University present HODOR, a system that reduces the attack surface of Node.js applications by generating fine-grained system‑call allowlists using Seccomp, achieving an average 80% reduction in exploit surface with negligible runtime overhead.

AntTech

Node.js is a widely used, open‑source JavaScript runtime that powers many high‑traffic services such as PayPal, LinkedIn, Microsoft, and Netflix. However, its ability to invoke system calls makes it vulnerable to arbitrary code execution attacks, especially through malicious npm packages.

Attackers can exploit vulnerable Node.js applications by injecting malicious commands via functions like vm.Script, eval, or child_process.exec, allowing them to execute arbitrary shell commands (e.g., echo Hacker) and even gain root privileges.

To mitigate these threats, the authors propose HODOR, a runtime protection system that limits the set of system calls a Node.js process may invoke. HODOR builds a fine‑grained whitelist of required system calls for each application and enforces it with Seccomp at thread granularity.

The HODOR pipeline first constructs call graphs for both JavaScript (using static analysis combined with dynamic profiling via NodeProf) and native C/C++ modules (using the SVF LLVM analysis tool). For native modules, a locally context‑sensitive analysis resolves switch‑case statements and function‑pointer arguments.

Next, the system maps Node.js APIs to the underlying system calls, creating a mapping for built‑in, binding, and dependency layers. This mapping yields the exact system calls needed at runtime, which are then split into separate whitelists for the main thread and thread‑pool threads.

HODOR installs thread‑specific Seccomp filters based on these whitelists. Because many Node.js workloads heavily use read/write calls, HODOR additionally employs Linux chroot and file‑ownership reduction to further narrow the attack surface.
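As an added illustration (not code from HODOR or the paper), the following C program shows the thread-granular enforcement described above: a Seccomp allowlist installed from inside one thread confines that thread only, while the main thread stays unfiltered. The allowlist contents, the function names, and the choice to fail denied calls with EPERM instead of killing the thread are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#ifdef __aarch64__
#define THIS_ARCH AUDIT_ARCH_AARCH64
#else
#define THIS_ARCH AUDIT_ARCH_X86_64 /* assumption: x86-64 unless aarch64 */
#endif
#define LOAD(f) BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, f))
#define ALLOW(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
                  BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
#define DENY BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM)

/* Constructed worker allowlist: getpid plus the calls thread teardown may make. */
static int install_worker_filter(void) {
    struct sock_filter prog[] = {
        LOAD(arch), BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0), DENY,
        LOAD(nr), ALLOW(SYS_getpid), ALLOW(SYS_exit), ALLOW(SYS_futex),
        ALLOW(SYS_munmap), ALLOW(SYS_madvise), ALLOW(SYS_rt_sigprocmask),
        DENY, /* default action: anything not listed fails with EPERM */
    };
    struct sock_fprog fprog = { sizeof prog / sizeof prog[0], prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog); /* no TSYNC: this thread only */
}

static void *worker(void *arg) { /* stands in for a thread-pool thread */
    long bits = 0; (void)arg;
    if (install_worker_filter() == 0) bits |= 1;                 /* filter installed */
    if (syscall(SYS_getpid) > 0) bits |= 2;                      /* listed call works */
    if (syscall(SYS_getppid) == -1 && errno == EPERM) bits |= 4; /* unlisted call denied */
    return (void *)bits;
}

/* Returns 15 when the worker is confined and the main thread is not. */
int thread_scoped_filter_demo(void) {
    pthread_t t; void *res = NULL;
    if (pthread_create(&t, NULL, worker, NULL)) return -1;
    pthread_join(t, &res);
    return (int)((long)res | (syscall(SYS_getppid) >= 0 ? 8 : 0)); /* main unfiltered */
}
int main(void) { printf("bits=%d\n", thread_scoped_filter_demo()); return 0; }
```

The filter checks the architecture field before the syscall number so that a call made through a different ABI cannot match an allowlisted number by coincidence.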

Evaluation on 168 Node.js applications containing arbitrary‑code‑execution vulnerabilities shows that HODOR reduces the effective attack surface to an average of 19.42% of its original size, while incurring negligible runtime overhead.

The paper concludes that system‑call‑level confinement via Seccomp provides an effective, low‑cost defense for Node.js services and opens new research directions for fine‑grained runtime protection.

References include prior work on reducing Node.js attack surfaces, sandboxing PHP applications, and privilege reduction for dynamic libraries.
