Proceedings Article, DOI: 10.1109/SP.2017.68
Finding and Preventing Bugs in JavaScript Bindings
Fraser Brown, Shravan Narayan, Riad S. Wahby, Dawson Engler, Ranjit Jhala, Deian Stefan +5 more
- 22 May 2017
- pp 559-578
TL;DR: This paper describes several types of exploitable errors that binding code creates, and develops both a suite of easy-to-build static checkers to detect such errors and a backwards-compatible, low-overhead API to prevent them.
Abstract: JavaScript, like many high-level languages, relies on runtime systems written in low-level C and C++. For example, the Node.js runtime system gives JavaScript code access to the underlying filesystem, networking, and I/O by implementing utility functions in C++. Since C++'s type system, memory model, and execution model differ significantly from JavaScript's, JavaScript code must call these runtime functions via intermediate binding layer code that translates type, state, and failure between the two languages. Unfortunately, binding code is both hard to avoid and hard to get right. This paper describes several types of exploitable errors that binding code creates, and develops both a suite of easy-to-build static checkers to detect such errors and a backwards-compatible, low-overhead API to prevent them. We show that binding flaws are a serious security problem by using our checkers to craft 81 proof-of-concept exploits for security flaws in the binding layers of the Node.js and Chrome, runtime systems that support hundreds of millions of users. As one practical measure of binding bug severity, we were awarded $6,000 in bounties for just two Chrome bug reports.
Citations
CodeAlchemist: Semantics-Aware Code Generation to Find Vulnerabilities in JavaScript Engines.
HyungSeok Han, DongHyeon Oh, Sang Kil Cha +2 more
- 01 Jan 2019
TL;DR: A novel semantics-aware test case generation algorithm, semantics-aware assembly, is proposed and implemented in a fuzz testing tool termed CodeAlchemist, which can generate arbitrary JavaScript code snippets that are both semantically and syntactically correct, and it effectively yields test cases that can crash JavaScript engines.
How many of all bugs do we find? A study of static bug detectors
Andrew Habib, Michael Pradel +1 more
- 03 Sep 2018
TL;DR: The results of the study show that static bug detectors find a non-negligible amount of all bugs, different tools are mostly complementary to each other, and current bug detectors miss the large majority of the studied bugs.
•Posted Content
Small World with High Risks: A Study of Security Threats in the npm Ecosystem
TL;DR: In this article, the authors study security risks for users of npm by systematically analyzing dependencies between packages, the maintainers responsible for these packages, and publicly reported security issues, and find that individual packages could impact large parts of the entire ecosystem, while a small number of maintainer accounts could be used to inject malicious code into the majority of all packages, a problem that has been increasing over time.
Secure serverless computing using dynamic information flow control
Kalev Alpernas, Cormac Flanagan, Sadjad Fouladi, Leonid Ryzhyk, Mooly Sagiv, Thomas Schmitz, Keith Winstein +6 more
- 24 Oct 2018
TL;DR: In this article, the termination channel found in most existing IFC systems can be arbitrarily amplified via multiple concurrent requests, necessitating a stronger termination-sensitive noninterference guarantee, which is achieved using a combination of static labeling of serverless processes and dynamic faceted labeling of persistent data.
•Posted Content
Secure Serverless Computing Using Dynamic Information Flow Control.
Kalev Alpernas, Cormac Flanagan, Sadjad Fouladi, Leonid Ryzhyk, Mooly Sagiv, Thomas Schmitz, Keith Winstein +6 more
TL;DR: In this paper, the termination channel found in most existing IFC systems can be arbitrarily amplified via multiple concurrent requests, necessitating a stronger termination-sensitive noninterference guarantee, which is achieved using a combination of static labeling of serverless processes and dynamic faceted labeling of persistent data.
References
LLVM: a compilation framework for lifelong program analysis & transformation
Chris Lattner, Vikram Adve +1 more
- 20 Mar 2004
TL;DR: The design of the LLVM representation and compiler framework is evaluated in three ways: the size and effectiveness of the representation, including the type information it provides; compiler performance for several interprocedural problems; and illustrative examples of the benefits LLVM provides for several challenging compiler problems.
KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs
Cristian Cadar, Daniel Dunbar, Dawson Engler +2 more
- 08 Dec 2008
TL;DR: A new symbolic execution tool, KLEE, capable of automatically generating tests that achieve high coverage on a diverse set of complex and environmentally-intensive programs, and significantly beat the coverage of the developers' own hand-written test suite is presented.
•Book
Types and Programming Languages
Benjamin C. Pierce
- 01 Jan 2002
TL;DR: This text provides a comprehensive introduction both to type systems in computer science and to the basic theory of programming languages, with a variety of approaches to modeling the features of object-oriented languages.
The Matter of Heartbleed
Zakir Durumeric, Frank Li, James Kasten, Johanna Amann, Jethro G. Beekman, Mathias Payer, Nicolas Weaver, David Adrian, Vern Paxson, Michael Bailey, J. Alex Halderman +10 more
- 05 Nov 2014
TL;DR: A comprehensive, measurement-based analysis of the Heartbleed vulnerability's impact, including tracking the vulnerable population, monitoring patching behavior over time, assessing the impact on the HTTPS certificate ecosystem, and exposing real attacks that attempted to exploit the bug is performed.
SoftBound: highly compatible and complete spatial memory safety for C
Santosh Nagarakatte, Jianzhou Zhao, Milo M. K. Martin, Steve Zdancewic +3 more
- 15 Jun 2009
TL;DR: Inspired by HardBound, a previously proposed hardware-assisted approach, SoftBound similarly records base and bound information for every pointer as disjoint metadata, which enables SoftBound to provide spatial safety without requiring changes to C source code.
Related Papers (5)
Mohan Dhawan, Chung-chieh Shan, Vinod Ganapathy +2 more
- 10 Jun 2010
Mohan Dhawan, Chung-chieh Shan, Vinod Ganapathy +2 more
- 01 Apr 2010