Security Bulletin: Debug Mode and Ports
Recommendation Summary
For production workloads, we strongly recommend the following:
- run your production application under the control of a CAS security policy (see policy language),
- do NOT tolerate
debug-mode
in the attestation section of your security policy, - do NOT enable debug mode in your application,
- close all unnecessary ports, and
- disable all unnecessary signals.
Details
Recommendations:
-
For production workloads, all enclaves should be in production mode, i.e., one does not include
debug-mode
in the list of tolerations in the attestation section. -
Some common frameworks, like NodeJS and Java, provides debug ports. A debugger can attach to these ports to inspect the internal state of the application.
Example. NodeJS can expose a debug port. This is enabled with command line options like --inspect
and --inspect-brk
. Do not enable debugging via these command line options. Protect the arguments to your application using key command in your application's CAS security policy.
- Do not permit host arguments in case these host arguments can expose secrets, e.g., by opening a debug port.
Example. Some frameworks like NodeJS permit to enable debug mode dynamically by sending a signal to a process. For production workloads one should disable programmatically the debugger (e.g., in NodeJs by executing inspector.close();
) and also disable all unnecessary signals in the NodeJS program (e.g., process.on('SIGUSR1',...
).
- Disable all unnecessary network ports using the SCONE network shield and ensure that only authorized clients can connect.
Example. NodeJs exposes the default debug port is 9229. One can change the port via the NodeJS launch option. Set the network shield to SCONE_NETWORK_SHIELD=protected
in your security policy. This will suppress all network/socket communication. Explicitly enable ports that are required by the application. Protect these ports either by using the SCONE network shield or by enabling mTLS in your application. In this way, one can ensure that only authorized entities, i.e., known certain private keys, can communicate with your application.