Security Middleware for Node.js
Important: Astraea is currently in active development and intended for security research and development environments.
Astraea is a high-performance security middleware for Node.js. It implements an Object-Capability (O-Cap) enforcement layer at the native C-ABI boundary, protecting applications from supply-chain attacks, Remote Code Execution (RCE) exploits, and unauthorized data access.
- Key Features
- Architecture
- Documentation
- Getting Started
- Configuration
- Performance
- Security Disclaimer
- Native Interception: Hooks `libuv` and `libc` system calls (`open`, `connect`, `dlopen`, `execve`, etc.) using dynamic linker hijacking.
- Context-Aware Attribution: Automatically correlates native I/O and network requests back to the specific JavaScript module or package via V8 stack introspection.
- Modular Security Mesh: Separate managers for Filesystem, Networking, Process/Environment, Attribution, and Kernel-level Hardening.
- Path Matching: High-performance, regex-backed path matching via the `globset` crate, ensuring absolute path canonicalization.
- Network Enforcement: Hybrid domain and CIDR-based filtering with granular protocol and port range rules.
- Seccomp-BPF Protection: Kernel-level sandbox enforcing a strict syscall whitelist to prevent native bypasses, direct kernel escapes, and unhandled behaviors.
- Process & Environment Control: Restricts unauthorized processes from executing subprocesses or altering the environment.
- Observability: Built-in asynchronous audit logging and telemetry streaming via `astraea-daemon`.
- Capability Spoofing: Redirection of unauthorized access to synthetic mock data instead of failing.
Astraea utilizes a modular design:
- Interceptor (Zig): A lightweight C-ABI wrapper that hijacks system calls and forwards context to the engine.
- Engine (Rust): The core orchestrator, featuring:
- FsManager: Manages robust glob-based filesystem capabilities.
- NetManager: Handles networking rules and socket bounds.
- ProcEnvManager: Controls child processes and environment variables.
- Attribution Engine: Performs deep V8 stack introspection.
- Guardian: Generates and applies Seccomp-BPF filters.
- Audit/Telemetry: Streams real-time enforcement logs.
Technical specifications and research documentation can be found in the docs/ directory:
- Architectural Specification & Roadmap: Detailed overview of the O-Cap model, technical stack, and implementation phases.
- Performance Analysis: Formal benchmarking results and overhead breakdown for native interception and policy evaluation.
- Zig: Version 0.17.0 (strictly required)
- Rust: Version 1.75.0 or later
- Node.js
- Clang (for final linking)
To build the project in optimized release mode:
```sh
zig build -Doptimize=ReleaseFast
```

The resulting library will be located at `zig-out/lib/libastraea.so`.
Inject Astraea into any Node.js process using LD_PRELOAD:
```sh
RUST_LOG=astraea=info LD_PRELOAD=./zig-out/lib/libastraea.so node your-app.js
```

Policies are defined in a TOML manifest, allowing restriction by package name or the root application package.
```toml
[packages.root]
fs = ["read:package.json", "read:src/**"]
native_addons = ["*.node"]
network = ["allow:api.github.com:443", "allow:127.0.0.1:53"]

[packages.axios]
network = ["allow:*.github.com:*"]

[seccomp]
allowed_syscalls = ["ptrace"]

[spoofs]
"config/secrets.json" = "{\"key\": \"mocked_value\"}"
```

Astraea is designed for high-throughput environments. Current benchmarks indicate an average overhead of ~0.03ms per intercepted call, fitting within high-performance Node.js requirements.
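To show how a manifest like the one above is evaluated against attributed requests, here is an added, stand-alone example (written in Python for portability; it is not the engine's Rust code). The policy dict mirrors the TOML manifest, `APP_ROOT` is a constructed application directory, and the interpretation of the `op:glob` and `allow:host:port` strings, the canonicalize-before-match step, and the spoof fallback are this example's own assumptions about the semantics, not Astraea's documented rules.

```python
import os
import re
from fnmatch import fnmatchcase

APP_ROOT = "/srv/app"  # constructed: directory of the guarded Node.js app

# Constructed policy mirroring the TOML manifest above; the meaning of the
# "op:glob" and "allow:host:port" strings is an assumption, not Astraea's spec.
POLICY = {
    "root": {"fs": ["read:package.json", "read:src/**"],
             "network": ["allow:api.github.com:443", "allow:127.0.0.1:53"]},
    "axios": {"network": ["allow:*.github.com:*"]},
}
SPOOFS = {"config/secrets.json": '{"key": "mocked_value"}'}


def _glob_re(pattern):
    # "**" spans directory separators, "*" stays within one path segment
    body = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.compile("^" + body + "$")


def check_fs(package, op, requested):
    """Decide a filesystem request attributed to `package`.
    Returns ("allow", None), ("spoof", payload) or ("deny", None)."""
    # Canonicalize BEFORE matching so "src/../config/secrets.json" cannot
    # satisfy "read:src/**"; anything outside APP_ROOT is refused outright.
    canon = os.path.normpath(os.path.join(APP_ROOT, requested))
    if not canon.startswith(APP_ROOT + os.sep):
        return ("deny", None)
    rel = os.path.relpath(canon, APP_ROOT)
    for cap in POLICY.get(package, {}).get("fs", []):
        cap_op, pattern = cap.split(":", 1)
        if cap_op == op and _glob_re(pattern).match(rel):
            return ("allow", None)
    # Capability spoofing: hand back mock data instead of an error
    if op == "read" and rel in SPOOFS:
        return ("spoof", SPOOFS[rel])
    return ("deny", None)


def check_net(package, host, port):
    """Decide an outbound connection; host may use '*' wildcards and the
    port field may be '*', a single port or a 'low-high' range."""
    for cap in POLICY.get(package, {}).get("network", []):
        action, allowed_host, ports = cap.split(":")
        low, _, high = ports.partition("-")
        port_ok = ports == "*" or int(low) <= port <= int(high or low)
        if action == "allow" and fnmatchcase(host, allowed_host) and port_ok:
            return "allow"
    return "deny"
```

Without the canonicalization step, the regex built from `src/**` would accept `src/../config/secrets.json`, which is exactly the class of bypass the absolute path canonicalization in the Key Features section guards against.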
Astraea is a security research project. It provides robust protection at the libuv layer and enforces a Linux seccomp-bpf filter to block unauthorized direct syscalls at the kernel level, mitigating bypasses via custom native addons. It should be evaluated in staging environments prior to any production deployment.
Built with 🦀 & ⚡ by Seuriin