Protect Electron Apps from Heap Snapshot Backdoors
Restrict writes to Electron heap snapshot files to the app's own signed process, blocking the Trail of Bits backdoor against Slack and 1Password.
Idea
Electron apps have compile-time feature flags called "fuses" which verify the integrity of bundled resources. Until recently, those integrity checks would skip V8 heap snapshot files and allow an attacker to run arbitrary JavaScript when the application was opened. The team at Trail of Bits discovered this, and high-profile Electron apps like Slack and 1Password have been updated, but older Electron apps or apps without the integrity fuses enabled can still be backdoored.
But why should any process other than the application itself be able to write its heap snapshot file? With Santa's file access authorization (FAA) rules, you can make sure that, say, only 1Password can write to the heap snapshot inside its own application bundle; every other process is denied (or, in audit-only mode, logged).
Solutions
- Path Literals: (the heap snapshot file path inside the app bundle)
- Options
  - Allow Read Access:
  - Audit Only:
  - Rule Type:
- Processes
  - Signing ID:
- Custom Message
Deployment Notes
Apply this pattern to any Electron app you want to protect. Replace the app path and signing ID with the appropriate values for each application.
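As an added example (not part of the original page or of Santa itself), the following Python builds the FAA rule described above for a given app and serializes it as the plist Santa loads. The key names follow Santa's documented FileAccessPolicy format as I recall it (verify them against your Santa version); the snapshot filenames and the framework path inside the bundle are assumed from stock Electron packaging, and the app path, team ID and signing ID are placeholders you replace per application.

```python
import plistlib

# Assumed stock Electron layout inside the .app bundle; verify for each app you protect.
ELECTRON_RESOURCES = "Contents/Frameworks/Electron Framework.framework/Versions/A/Resources"
SNAPSHOT_FILES = ("v8_context_snapshot.bin", "browser_v8_context_snapshot.bin")


def electron_snapshot_watch_item(app_path, team_id, signing_id, audit_only=False):
    """One Santa FAA WatchItem: only the app's own signed process may write its
    V8 heap snapshots. audit_only=True logs violations (staged rollout);
    audit_only=False blocks the write."""
    base = app_path.rstrip("/")
    return {
        # Path literals (no globbing), one per snapshot file.
        "Paths": [f"{base}/{ELECTRON_RESOURCES}/{name}" for name in SNAPSHOT_FILES],
        "Options": {
            "AllowReadAccess": True,   # reads are harmless; writes are the backdoor vector
            "AuditOnly": audit_only,
            "RuleType": "PathsWithAllowedProcesses",
            "BlockMessage": "Only the application itself may modify its V8 heap snapshot.",
        },
        # The allowed writer, identified by code signature rather than by path.
        "Processes": [{"TeamID": team_id, "SigningID": signing_id}],
    }


def file_access_policy(watch_items):
    """Wrap named WatchItems into a complete FileAccessPolicy (schema v1)."""
    return {"Version": "v1", "WatchItems": dict(watch_items)}


def enforces_write_restriction(policy, name):
    """True only if the named rule actually blocks (not just audits) writes by
    processes other than the listed signed ones."""
    item = policy["WatchItems"][name]
    opts = item["Options"]
    return (opts["RuleType"] == "PathsWithAllowedProcesses"
            and not opts["AuditOnly"]
            and len(item["Processes"]) > 0)


def to_plist(policy):
    """Serialize to XML plist bytes, the on-disk form Santa reads."""
    return plistlib.dumps(policy, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    # Placeholder values (constructed); substitute the real app path and signing ID.
    item = electron_snapshot_watch_item("/Applications/ExampleApp.app",
                                        "TEAMID0000", "com.example.app")
    print(to_plist(file_access_policy({"ExampleAppHeapSnapshot": item})).decode())
```

Roll out with audit_only=True first and review the Santa FAA events, then flip to enforcement once the only observed writers are the app's own signed process (e.g. during its updater).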