{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,22]],"date-time":"2026-01-22T06:29:37Z","timestamp":1769063377249,"version":"3.49.0"},"publisher-location":"New York, NY, USA","reference-count":87,"publisher":"ACM","license":[{"start":{"date-parts":[[2023,10,16]],"date-time":"2023-10-16T00:00:00Z","timestamp":1697414400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100000780","name":"European Commission","doi-asserted-by":"publisher","award":["101070141"],"award-info":[{"award-number":["101070141"]}],"id":[{"id":"10.13039\/501100000780","id-type":"DOI","asserted-by":"publisher"}]},{"name":"EU - NextGenerationEU","award":["PE00000018"],"award-info":[{"award-number":["PE00000018"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,10,16]]},"DOI":"10.1145\/3607199.3607233","type":"proceedings-article","created":{"date-parts":[[2023,10,3]],"date-time":"2023-10-03T22:30:51Z","timestamp":1696372251000},"page":"639-653","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":9,"title":["NatiSand: Native Code Sandboxing for JavaScript Runtimes"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-7115-1867","authenticated-orcid":false,"given":"Marco","family":"Abbadini","sequence":"first","affiliation":[{"name":"Universit\u00e0 degli Studi di Bergamo, Italy"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7534-6055","authenticated-orcid":false,"given":"Dario","family":"Facchinetti","sequence":"additional","affiliation":[{"name":"Universit\u00e0 degli Studi di Bergamo, Italy"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5717-7101","authenticated-orcid":false,"given":"Gianluca","family":"Oldani","sequence":"additional","affiliation":[{"name":"Universit\u00e0 degli Studi di Bergamo, Italy"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6459-0810","authenticated-orcid":false,"given":"Matthew","family":"Rossi","sequence":"additional","affiliation":[{"name":"Universit\u00e0 degli Studi di Bergamo, Italy"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0399-1738","authenticated-orcid":false,"given":"Stefano","family":"Paraboschi","sequence":"additional","affiliation":[{"name":"Universit\u00e0 degli Studi di Bergamo, Italy"}]}],"member":"320","published-online":{"date-parts":[[2023,10,16]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/3579856.3592831"},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1145\/3579856.3595799"},{"key":"e_1_3_2_1_3_1","volume-title":"Proceeding of the USENIX Security Symposium (USENIX Security).","author":"Ahmadpanah M.","year":"2021","unstructured":"Mohammad\u00a0M. Ahmadpanah, Daniel Hedin, Musard Balliu, Lars\u00a0E. Olsson, and Andrei Sabelfeld. 2021. SandTrap: Securing JavaScript-driven Trigger-Action Platforms. In Proceeding of the USENIX Security Symposium (USENIX Security)."},{"key":"e_1_3_2_1_4_1","unstructured":"Alexei Starovoitov. 2020. Introduce CAP_BPF. https:\/\/lwn.net\/Articles\/820560\/"},{"key":"e_1_3_2_1_5_1","unstructured":"Nakryiko Andrii. 2020. BPF Portability and CO-RE. https:\/\/facebookmicrosites.github.io\/bpf\/blog\/2020\/02\/19\/bpf-portability-and-co-re.html"},{"key":"e_1_3_2_1_6_1","unstructured":"Apple. 2023. JavaScriptCore. https:\/\/developer.apple.com\/documentation\/javascriptcore"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/3433210.3453111"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/3412841.3442037"},{"key":"e_1_3_2_1_9_1","volume-title":"Proceedings of the USENIX Annual Technical Conference (USENIX ATC).","author":"Berman Andrew","year":"1995","unstructured":"Andrew Berman, Virgil Bourassa, and Erik Selberg. 1995. TRON: Process-Specific File Protection for the UNIX Operating System. In Proceedings of the USENIX Annual Technical Conference (USENIX ATC)."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.68"},{"key":"e_1_3_2_1_11_1","volume-title":"Proceeding of the USENIX Security Symposium (USENIX Security).","author":"Bui Thanh","year":"2018","unstructured":"Thanh Bui, Siddharth\u00a0Prakash Rao, Markku Antikainen, Viswanathan\u00a0Manihatty Bojan, and Tuomas Aura. 2018. Man-in-the-Machine: Exploiting Ill-Secured Communication Inside the Computer. In Proceeding of the USENIX Security Symposium (USENIX Security)."},{"key":"e_1_3_2_1_12_1","volume-title":"Proceeding of the USENIX Security Symposium (USENIX Security).","author":"Bulekov Alexander","year":"2021","unstructured":"Alexander Bulekov, Rasoul Jahanshahi, and Manuel Egele. 2021. Saphire: Sandboxing PHP Applications with Tailored System Call Allowlists. In Proceeding of the USENIX Security Symposium (USENIX Security)."},{"key":"e_1_3_2_1_13_1","unstructured":"Bun. 2023. Bun is a fast all-in-one JavaScript runtime. https:\/\/bun.sh\/"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/3579856.3590330"},{"key":"e_1_3_2_1_15_1","volume-title":"Proceedings of the USENIX Security Symposium (USENIX Security).","author":"Connor Joseph","year":"2020","unstructured":"R.\u00a0Joseph Connor, Tyler McDaniel, Jared\u00a0M. Smith, and Max Schuchard. 2020. PKU Pitfalls: Attacks on PKU-based Memory Isolation Systems. In Proceedings of the USENIX Security Symposium (USENIX Security)."},{"key":"e_1_3_2_1_16_1","unstructured":"containers. 2023. Bubblewrap. https:\/\/github.com\/containers\/bubblewrap"},{"key":"e_1_3_2_1_17_1","unstructured":"Jonathan Corbet. 2006. File-based capabilities. https:\/\/lwn.net\/Articles\/211883\/"},{"key":"e_1_3_2_1_18_1","unstructured":"Jonathan Corbet. 2014. BPF: the universal in-kernel virtual machine. https:\/\/lwn.net\/Articles\/599755\/"},{"key":"e_1_3_2_1_19_1","volume-title":"Proceedings of the International Symposium on Research in Attacks, Intrusions and Defenses (RAID).","author":"DeMarinis Nicholas","year":"2020","unstructured":"Nicholas DeMarinis, Kent Williams-King, Di Jin, Rodrigo Fonseca, and Vasileios\u00a0P Kemerlis. 2020. sysfilter: Automated System Call Filtering for Commodity Software. In Proceedings of the International Symposium on Research in Attacks, Intrusions and Defenses (RAID)."},{"key":"e_1_3_2_1_20_1","unstructured":"Deno Land. 2023. Deno Permission Model. https:\/\/deno.land\/manual\/getting_started\/permissions"},{"key":"e_1_3_2_1_21_1","unstructured":"Deno Land. 2023. Node compatibility mode. https:\/\/deno.land\/manual\/node\/compatibility_mode."},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.24224"},{"key":"e_1_3_2_1_23_1","unstructured":"Jake Edge. 2020. Seccomp and deep argument inspection. https:\/\/lwn.net\/Articles\/822256\/"},{"key":"e_1_3_2_1_24_1","unstructured":"Emscripten Contributors. 2023. Emscripten toolchain. https:\/\/emscripten.org\/"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE43902.2021.00121"},{"key":"e_1_3_2_1_26_1","volume-title":"BPFContain: Fixing the Soft Underbelly of Container Security. ArXiv preprint","author":"Findlay William","year":"2021","unstructured":"William Findlay, David Barrera, and Anil Somayaji. 2021. BPFContain: Fixing the Soft Underbelly of Container Security. ArXiv preprint (2021)."},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/3411495.3421358"},{"key":"e_1_3_2_1_28_1","unstructured":"Google. 2023. Minijail. https:\/\/google.github.io\/minijail\/"},{"key":"e_1_3_2_1_29_1","unstructured":"Google. 2023. Sandbox2. https:\/\/developers.google.com\/code-sandboxing\/sandbox2\/"},{"key":"e_1_3_2_1_30_1","unstructured":"Brendan Gregg. 2021. BPF Internals. https:\/\/www.usenix.org\/conference\/lisa21\/presentation\/gregg-bpf USENIX Large Installation Systems Administration Conference (LISA)."},{"key":"e_1_3_2_1_31_1","unstructured":"Jake Edge. 2015. A seccomp overview. https:\/\/lwn.net\/Articles\/656307\/"},{"key":"e_1_3_2_1_32_1","unstructured":"Michael Kehoe. 2022. eBPF: The Next Power Tool of SREs. https:\/\/www.usenix.org\/conference\/srecon22americas\/presentation\/kehoe-ebpf USENIX SREcon Americas (SRECON)."},{"key":"e_1_3_2_1_33_1","volume-title":"Proceedings of the USENIX Annual Technical Conference (USENIX ATC).","author":"Kim Taesoo","year":"2013","unstructured":"Taesoo Kim and Nickolai Zeldovich. 2013. Practical and Effective Sandboxing for Non-root Users. In Proceedings of the USENIX Annual Technical Conference (USENIX ATC)."},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/3492321.3519582"},{"key":"e_1_3_2_1_35_1","unstructured":"Deno Land. 2022. Deno 1.24 Release Notes \u2013 Improved FFI call performance. https:\/\/deno.com\/blog\/v1.24#improved-ffi-call-performance"},{"key":"e_1_3_2_1_36_1","unstructured":"Deno Land. 2022. Deno 1.25 Release Notes \u2013 FFI API improvements. https:\/\/deno.com\/blog\/v1.25#ffi-api-improvements"},{"key":"e_1_3_2_1_37_1","volume-title":"Deno: A modern runtime for JavaScript and TypeScript. https:\/\/deno.land\/","author":"Land Deno","year":"2023","unstructured":"Deno Land. 2023. Deno: A modern runtime for JavaScript and TypeScript. https:\/\/deno.land\/"},{"key":"e_1_3_2_1_38_1","unstructured":"Deno Land. 2023. Deno API. https:\/\/doc.deno.land\/deno\/stable\/"},{"key":"e_1_3_2_1_39_1","unstructured":"Deno Land. 2023. Rusty V8 bindings. https:\/\/github.com\/denoland\/rusty_v8"},{"key":"e_1_3_2_1_40_1","unstructured":"Deno Land. 2023. sqlite3 bindings for Deno. https:\/\/deno.land\/x\/sqlite3"},{"key":"e_1_3_2_1_41_1","unstructured":"libbpf. 2023. libbpf. https:\/\/libbpf.readthedocs.io\/en\/latest\/index.html"},{"key":"e_1_3_2_1_42_1","unstructured":"Linux manual. 2023. accept. https:\/\/man7.org\/linux\/man-pages\/man2\/accept.2.html"},{"key":"e_1_3_2_1_43_1","unstructured":"Linux manual. 2023. bpf. https:\/\/man7.org\/linux\/man-pages\/man2\/bpf.2.html"},{"key":"e_1_3_2_1_44_1","unstructured":"Linux manual. 2023. ldd. https:\/\/man7.org\/linux\/man-pages\/man1\/ldd.1.html"},{"key":"e_1_3_2_1_45_1","unstructured":"Linux manual. 2023. listen. https:\/\/man7.org\/linux\/man-pages\/man2\/listen.2.html"},{"key":"e_1_3_2_1_46_1","unstructured":"Linux manual. 2023. pipe. https:\/\/man7.org\/linux\/man-pages\/man2\/pipe.2.html"},{"key":"e_1_3_2_1_47_1","unstructured":"Linux manual. 2023. socketpair. https:\/\/man7.org\/linux\/man-pages\/man2\/socketpair.2.html"},{"key":"e_1_3_2_1_48_1","unstructured":"Linux manual. 2023. strace. https:\/\/man7.org\/linux\/man-pages\/man1\/strace.1.html"},{"key":"e_1_3_2_1_49_1","volume-title":"Proceedings of the USENIX Winter Conference (USENIX).","author":"McCanne Steven","year":"1993","unstructured":"Steven McCanne and Van Jacobson. 1993. The BSD Packet Filter: A New Architecture for User-level Packet Capture. In Proceedings of the USENIX Winter Conference (USENIX)."},{"key":"e_1_3_2_1_50_1","unstructured":"Micka\u00ebl Sala\u00fcn. 2022. Landlock: unprivileged access control. https:\/\/docs.kernel.org\/userspace-api\/landlock.html"},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1145\/41457.37505"},{"key":"e_1_3_2_1_52_1","volume-title":"Proceeding of the USENIX Security Symposium (USENIX Security).","author":"Narayan Shravan","year":"2020","unstructured":"Shravan Narayan, Craig Disselkoen, Tal Garfinkel, Nathan Froyd, Eric Rahm, Sorin Lerner, Hovav Shacham, and Deian Stefan. 2020. Retrofitting Fine Grain Isolation in the Firefox Renderer. In Proceeding of the USENIX Security Symposium (USENIX Security)."},{"key":"e_1_3_2_1_53_1","unstructured":"netblue30. 2023. Firejail. https:\/\/firejail.wordpress.com\/"},{"key":"e_1_3_2_1_54_1","unstructured":"npm. 2020. Npm packages. https:\/\/blog.npmjs.org\/post\/615388323067854848\/so-long-and-thanks-for-all-the-packages.html"},{"key":"e_1_3_2_1_55_1","unstructured":"npm. 2023. bcrypt. https:\/\/www.npmjs.com\/package\/bcrypt"},{"key":"e_1_3_2_1_56_1","unstructured":"npm. 2023. fluent-ffmpeg. https:\/\/www.npmjs.com\/package\/fluent-ffmpeg."},{"key":"e_1_3_2_1_57_1","unstructured":"npm. 2023. gm. https:\/\/www.npmjs.com\/package\/gm."},{"key":"e_1_3_2_1_58_1","unstructured":"npm. 2023. sharp. https:\/\/www.npmjs.com\/package\/sharp"},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3485351"},{"key":"e_1_3_2_1_60_1","unstructured":"OpenJS Foundation. 2023. Node js API. https:\/\/nodejs.org\/docs\/latest\/api\/"},{"key":"e_1_3_2_1_61_1","unstructured":"OpenJS Foundation. 2023. Node Permissions. https:\/\/nodejs.org\/api\/permissions.html"},{"key":"e_1_3_2_1_62_1","unstructured":"OpenJS Foundation. 2023. Node.js. https:\/\/nodejs.org"},{"key":"e_1_3_2_1_63_1","unstructured":"OpenJS Foundation. 2023. Node.js V8 APIs. https:\/\/nodejs.org\/api\/v8.html"},{"key":"e_1_3_2_1_64_1","unstructured":"oven sh. 2023. Webcore bindings. https:\/\/github.com\/oven-sh\/bun\/tree\/main\/src\/bun.js\/bindings\/webcore"},{"key":"e_1_3_2_1_65_1","unstructured":"V8 project. 2023. WebAssembly compilation pipeline. https:\/\/v8.dev\/docs\/wasm-compilation-pipeline"},{"key":"e_1_3_2_1_66_1","unstructured":"Kyle Quest. 2023. SlimToolkit. https:\/\/github.com\/slimtoolkit\/slim"},{"key":"e_1_3_2_1_67_1","volume-title":"Proceeding of the USENIX Security Symposium (USENIX Security).","author":"Rossi Matthew","year":"2021","unstructured":"Matthew Rossi, Dario Facchinetti, Enrico Bacis, Marco Rosa, and Stefano Paraboschi. 2021. SEApp: Bringing Mandatory Access Control to Android Apps. In Proceeding of the USENIX Security Symposium (USENIX Security)."},{"key":"e_1_3_2_1_68_1","unstructured":"Ryan Dahl. 2018. 10 Things I Regret About Node.js. https:\/\/youtu.be\/M3BM9TB-8yA European JavaScript Community Conference (JSConf EU)."},{"key":"e_1_3_2_1_69_1","volume-title":"Proceeding of the USENIX Security Symposium (USENIX Security).","author":"Schwarz Fabian","year":"2020","unstructured":"Fabian Schwarz and Christian Rossow. 2020. SENG, the SGX-Enforcing Network Gateway: Authorizing Communication from Shielded Clients. In Proceeding of the USENIX Security Symposium (USENIX Security)."},{"key":"e_1_3_2_1_70_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978297"},{"key":"e_1_3_2_1_71_1","volume-title":"Implementing SELinux as a Linux security module. NAI Labs Report","author":"Smalley Stephen","year":"2001","unstructured":"Stephen Smalley, Chris Vance, and Wayne Salamon. 2001. Implementing SELinux as a Linux security module. NAI Labs Report (2001)."},{"key":"e_1_3_2_1_72_1","volume-title":"State of Open Source Security","year":"2022","unstructured":"Snyk. 2022. State of Open Source Security 2022. https:\/\/snyk.io\/reports\/open-source-security\/."},{"key":"e_1_3_2_1_73_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23071"},{"key":"e_1_3_2_1_74_1","volume-title":"Proceeding of the USENIX Security Symposium (USENIX Security).","author":"Staicu Cristian-Alexandru","year":"2023","unstructured":"Cristian-Alexandru Staicu, Sazzadur Rahaman, \u00c1gnes Kiss, and Michael Backes. 2023. Bilingual Problems: Studying the Security Risks Incurred by Native Extensions in Scripting Languages. In Proceeding of the USENIX Security Symposium (USENIX Security)."},{"key":"e_1_3_2_1_75_1","volume-title":"Proceedings of the USENIX Conference on Web Application Development (WebApps).","author":"Terrace Jeff","unstructured":"Jeff Terrace, Stephen\u00a0R. Beard, and Naga P.\u00a0K. Katta. 2012. JavaScript in JavaScript(js.js): Sandboxing Third-Party Scripts. In Proceedings of the USENIX Conference on Web Application Development (WebApps)."},{"key":"e_1_3_2_1_76_1","unstructured":"tesseract-ocr. 2023. Tesseract. https:\/\/github.com\/tesseract-ocr\/tesseract"},{"key":"e_1_3_2_1_77_1","unstructured":"The kernel development community. 2023. LSM BPF Programs. https:\/\/docs.kernel.org\/bpf\/prog_lsm.html"},{"key":"e_1_3_2_1_78_1","unstructured":"The kernel development community. 2023. Seccomp BPF (SECure COMPuting with filters). https:\/\/docs.kernel.org\/userspace-api\/seccomp_filter.html"},{"key":"e_1_3_2_1_79_1","unstructured":"TryGhost. 2023. Asynchronous non-blocking SQLite3 bindings for Node.js. https:\/\/www.npmjs.com\/package\/sqlite3"},{"key":"e_1_3_2_1_80_1","unstructured":"V8 project. 2020. Unsafe fast JS calls. https:\/\/v8.dev\/blog\/v8-release-87#unsafe-fast-js-calls"},{"key":"e_1_3_2_1_81_1","unstructured":"V8 project. 2023. What is V8?https:\/\/v8.dev\/"},{"key":"e_1_3_2_1_82_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23131"},{"key":"e_1_3_2_1_83_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484535"},{"key":"e_1_3_2_1_84_1","unstructured":"WebAssembly. 2023. Wasi SDK. https:\/\/github.com\/WebAssembly\/wasi-sdk"},{"key":"e_1_3_2_1_85_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-33167-1_49"},{"key":"e_1_3_2_1_86_1","doi-asserted-by":"publisher","DOI":"10.1145\/3488932.3523262"},{"key":"e_1_3_2_1_87_1","volume-title":"Proceeding of the USENIX Security Symposium (USENIX Security).","author":"Zimmermann Markus","year":"2019","unstructured":"Markus Zimmermann, Cristian-Alexandru Staicu, Cam Tenny, and Michael Pradel. 2019. Smallworld with High Risks: A Study of Security Threats in the Npm Ecosystem. In Proceeding of the USENIX Security Symposium (USENIX Security)."}],"event":{"name":"RAID 2023: The 26th International Symposium on Research in Attacks, Intrusions and Defenses","location":"Hong Kong China","acronym":"RAID 2023"},"container-title":["Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3607199.3607233","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3607199.3607233","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:37:35Z","timestamp":1750178255000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3607199.3607233"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,10,16]]},"references-count":87,"alternative-id":["10.1145\/3607199.3607233","10.1145\/3607199"],"URL":"https:\/\/doi.org\/10.1145\/3607199.3607233","relation":{},"subject":[],"published":{"date-parts":[[2023,10,16]]},"assertion":[{"value":"2023-10-16","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}