Astraea is a high-performance, zero-trust security middleware for Node.js. It implements an Object-Capability (O-Cap) enforcement layer at the native C-ABI boundary, protecting applications from supply-chain attacks, RCE exploits, and unauthorized data access.
> **Important**
> Astraea is currently in active development. While functional, it is intended for security research and development environments, not for production deployment.
- Native Interception: Hooks the `libuv` and `libc` entry points that Node.js uses for I/O (the `open`, `connect`, `dlopen` wrappers, etc.) by dynamic linker interposition (`LD_PRELOAD`).
- Context-Aware Attribution: Automatically correlates native I/O and network requests back to the specific JavaScript module/package that issued them via V8 stack introspection.
- Modular Security Mesh: Cleanly separated architecture with dedicated managers for Filesystem, Networking, Attribution, and Kernel-level Hardening.
- Robust Globset Matching: High-performance, regex-backed path matching via the `globset` crate, with every requested path canonicalized to an absolute path before it is matched (so `..` segments and relative paths cannot slip past a rule).
- Smart Network Enforcement: Hybrid domain- and CIDR-based filtering with a "Smart DNS Verifier" that ties the bare IP seen at `connect()` back to the hostname that was resolved, solving the blind-IP problem on Android.
- Seccomp-BPF Protection: Kernel-level sandbox enforcing a strict syscall whitelist, so that native code which issues syscalls directly (bypassing the interposed `libc` wrappers) is still contained. This integration is still in progress; see the note on limitations at the end of this README.
- Capability Spoofing: Seamlessly redirects unauthorized access to synthetic mock data instead of failing, so the offending module sees plausible data rather than an error it could detect and work around.
Astraea leverages a modular architecture:
- The Interceptor (Zig): A lightweight C-ABI wrapper that interposes on the `libc`/`libuv` calls and forwards the call context to the engine.
- The Engine (Rust): The core orchestrator, featuring:
- FsManager: Manages robust glob-based filesystem capabilities.
- NetManager: Handles CIDR-based networking and DNS-to-IP verification.
- Attribution Engine: Performs deep V8 stack introspection.
- Guardian: Generates and applies Seccomp-BPF filters.
Explore the technical specifications and research in the docs/ directory:
- Architectural Specification & Roadmap: Detailed overview of the O-Cap model, technical stack, and implementation phases.
- Performance Analysis: Formal benchmarking results and overhead breakdown for native interception and policy evaluation.
- Zig (0.13.0 or later)
- Rust (1.75.0 or later)
- Node.js
- Clang (for final linking)
To build the project in optimized release mode:

```sh
zig build -Doptimize=ReleaseFast
```

The resulting library will be located at `zig-out/lib/libastraea.so`.
Inject Astraea into any Node.js process using `LD_PRELOAD`:

```sh
RUST_LOG=astraea=info LD_PRELOAD=./zig-out/lib/libastraea.so node your-app.js
```

Note that `LD_PRELOAD` is passed on through the environment to any child process Node spawns, and that the dynamic linker ignores path-based preload entries such as this one for set-user-ID programs, so those processes are not covered.

Policies are defined in a simple TOML manifest. Access is restricted per package name; the `root` package stands for the main application itself.
```toml
[packages.root]
fs = ["read:package.json", "read:src/**"]
native_addons = ["*.node"]
network = ["allow:api.github.com:443", "allow:127.0.0.1:53"]

[packages.axios]
network = ["allow:*.github.com:*"]

[seccomp]
allowed_syscalls = ["ptrace"] # Optional extra syscalls

[spoofs]
"config/secrets.json" = "{\"key\": \"mocked_value\"}"
```

Be deliberate about what goes into `allowed_syscalls`: the `ptrace` shown here lets the process attach to and modify other processes running under the same user, which undoes much of what the sandbox is for.

Astraea is designed for high-throughput environments. Current benchmarks (see the Performance Analysis document) show an average overhead of ~0.03 ms (30 µs) per intercepted call. Because the cost is paid per call, workloads that issue many small I/O operations see the largest relative impact; for typical Node.js services it is well within budget.
Astraea is a security research project. While it provides strong protection at the `libuv`/`libc` layer, it does not currently prevent direct syscall invocations by a malicious module that loads its own native binary: `LD_PRELOAD` interposition only covers calls that go through the dynamic linker, so code that issues syscalls itself (for example from a native addon) never reaches the hooks. Closing this gap is the job of the Seccomp-BPF integration, which future versions will complete.