Prevent Code Injection in Electron Apps
Block Chrome remote debugging ports and Electron inspect flags to stop attackers from injecting malicious code into already-approved applications.
Idea
Code injection is the bane of binary allowlisting because a process that was previously approved can be extended to provide additional features or behaviors. As Wojciech Regula demonstrated at Objective by the Sea, Electron apps are some of the most susceptible applications because they're built on Chromium and Node.js, which provide easy scripting and debugging capabilities.
For example, Chromium-based apps can often be run with the --remote-debugging-port option to enable the Chrome DevTools for debugging, and Electron apps can be run with the ELECTRON_RUN_AS_NODE environment variable and/or the --inspect argument to enable Node.js debugging. Attackers can use these mechanisms to inject new malicious code into approved applications.
Workshop and Santa's CEL rules can help control this by preventing these debugging flags from being used.
Deployment Notes
These rules prevent common code injection vectors in Chromium and Electron apps:
- For Chrome: blocks the --remote-debugging-port flag, which enables remote debugging and can be used to inject code.
- For Electron apps like VS Code: blocks the --inspect and --inspect-brk flags, which enable Node.js debugging. You can also block the ELECTRON_RUN_AS_NODE environment variable, though this requires additional configuration.
Create similar rules for other Chromium-based apps (Slack, Discord, etc.) by changing the signing_id.
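As an added example, not part of the Workshop rules or Santa's own code, the script below checks a process listing for the same vectors the rules block (the three flags plus ELECTRON_RUN_AS_NODE), which is useful for confirming that nothing already running slipped past before the rules were deployed. It assumes the output format of macOS `ps -Eo pid,args` (PID, arguments, then environment variables) and runs against a constructed sample listing.

```python
import subprocess

# Debug-enabling flags named in the rules above; value-bearing forms
# such as --inspect=9229 or --remote-debugging-port=9222 are matched too.
DEBUG_FLAGS = {
    "--remote-debugging-port": "Chrome DevTools remote debugging",
    "--inspect": "Node.js inspector",
    "--inspect-brk": "Node.js inspector (break on start)",
}
ENV_MARKER = "ELECTRON_RUN_AS_NODE"

def find_debug_enabled(ps_lines):
    """Return one finding per process whose arguments or environment
    enable an injection vector. Each line is expected as 'PID ARGS ...'
    with environment variables appended, as macOS 'ps -Eo pid,args'
    prints them (assumed format; see the constructed sample below)."""
    findings = []
    for line in ps_lines:
        fields = line.split()
        if len(fields) < 2 or not fields[0].isdigit():
            continue  # header or blank line
        reasons = set()
        for tok in fields[1:]:
            name, _, _ = tok.partition("=")  # strip any =value suffix
            if name in DEBUG_FLAGS:
                reasons.add(DEBUG_FLAGS[name])
            elif name == ENV_MARKER:
                reasons.add("ELECTRON_RUN_AS_NODE set in environment")
        if reasons:
            findings.append({"pid": int(fields[0]), "reasons": sorted(reasons)})
    return findings

# Constructed sample listing, not captured from a real host.
SAMPLE_PS = """\
  PID ARGS
  512 /Applications/Google Chrome.app/Contents/MacOS/Google Chrome --remote-debugging-port=9222 HOME=/Users/dev
  640 /Applications/Visual Studio Code.app/Contents/MacOS/Electron --inspect-brk=5858 ELECTRON_RUN_AS_NODE=1 HOME=/Users/dev
  701 /Applications/Slack.app/Contents/MacOS/Slack --no-sandbox HOME=/Users/dev
""".splitlines()

def scan_live():
    """Run the check against the current user's processes on macOS."""
    out = subprocess.run(["ps", "-Eo", "pid,args"], capture_output=True, text=True, check=True)
    return find_debug_enabled(out.stdout.splitlines())

if __name__ == "__main__":
    for f in find_debug_enabled(SAMPLE_PS):
        print(f"pid {f['pid']}: {', '.join(f['reasons'])}")
```

Processes found this way are exactly the ones the Santa rules would have blocked at launch; the Slack line is flagged by nothing because --no-sandbox is not one of the debugging vectors.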
False Positive Guidance
Developers may legitimately need to use these debugging features:
- Web developers debugging Chrome extensions or web apps
- Electron app developers debugging their applications
- Security researchers analyzing application behavior
Consider using Workshop tags to exempt developers or create approval workflows for debugging use cases.