Finding and Preventing Bugs in JavaScript Bindings

Brown, Fraser; Narayan, Shravan; Wahby, Riad S.; Engler, Dawson; Jhala, Ranjit; Stefan, Deian

doi:10.1109/sp.2017.68

Cited by 35 publications

(25 citation statements)

References 31 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We leave it as future work to extend our algorithm to test compilers of other programming languages. We also believe we can apply our technique to find bugs in JS bindings [5], which input is allowed to contain JS code snippets, such as Node.js and PDF readers.…”

Section: Discussionmentioning

confidence: 99%

CodeAlchemist: Semantics-Aware Code Generation to Find Vulnerabilities in JavaScript Engines

Han¹,

Oh²,

Kil³

2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

JavaScript engines are an attractive target for attackers due to their popularity and flexibility in building exploits. Current state-of-the-art fuzzers for finding JavaScript engine vulnerabilities focus mainly on generating syntactically correct test cases based on either a predefined context-free grammar or a trained probabilistic language model. Unfortunately, syntactically correct JavaScript sentences are often semantically invalid at runtime. Furthermore, statically analyzing the semantics of JavaScript code is challenging due to its dynamic nature: JavaScript code is generated at runtime, and JavaScript expressions are dynamically-typed. To address this challenge, we propose a novel test case generation algorithm that we call semantics-aware assembly, and implement it in a fuzz testing tool termed CodeAlchemist. Our tool can generate arbitrary JavaScript code snippets that are both semantically and syntactically correct, and it effectively yields test cases that can crash JavaScript engines. We found numerous vulnerabilities of the latest JavaScript engines with CodeAlchemist and reported them to the vendors.

show abstract

Section: Discussionmentioning

confidence: 99%

CodeAlchemist: Semantics-Aware Code Generation to Find Vulnerabilities in JavaScript Engines

Han¹,

Oh²,

Kil³

2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…PyArg_ParseTuple is a helper C function from the Python API converting the Python arguments wrapped in the tuple into C values. 4 It uses a format string to describe the conversion. The | character separates mandatory arguments from the optional ones, while i signals a conversion from a Python integer to a C int.…”

Section: Counter Creationmentioning

confidence: 99%

“…Two works [26,28] aim at detecting reference counting errors in C code using the CPython API. Brown et al [4] define specialized analyses for specific patterns of C++ interoperability that may jeopardize type or memory safety of JavaScript. Contrary to these works, we analyze both host and guest languages.…”

Section: Related Workmentioning

confidence: 99%

A Multilanguage Static Analysis of Python Programs with Native C Extensions

Monat

Ouadjaout

Miné

2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Modern programs are increasingly multilanguage, to benefit from each programming language's advantages and to reuse libraries. For example, developers may want to combine high-level Python code with low-level, performance-oriented C code. In fact, one in five of the 200 most downloaded Python libraries available on GitHub contains C code. Static analyzers tend to focus on a single language and may use stubs to model the behavior of foreign function calls. However, stubs are costly to implement and undermine the soundness of analyzers. In this work, we design a static analyzer by abstract interpretation that can handle Python programs calling C extensions. It analyses directly and fully automatically both the Python and the C source codes. It reports runtime errors that may happen in Python, in C, and at the interface. We implemented our analysis in a modular fashion: it reuses off-the-shelf C and Python analyses written in the same analyzer. This approach allows sharing between abstract domains of different languages. Our analyzer can tackle tests of real-world libraries a few thousand lines of C and Python long in a few minutes.

show abstract

“…The example shows benign inputs passed to a module that suffers from a known vulnerability. 6 Taser infers the following additional sink for the vulnerable module:…”

Section: Comparison With Coarse-grained Warningsmentioning

confidence: 99%

Extracting taint specifications for JavaScript libraries

Staicu

Torp

Schäfer³

et al. 2020

Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering

View full text Add to dashboard Cite

Modern JavaScript applications extensively depend on third-party libraries. Especially for the Node.js platform, vulnerabilities can have severe consequences to the security of applications, resulting in, e.g., cross-site scripting and command injection attacks. Existing static analysis tools that have been developed to automatically detect such issues are either too coarse-grained, looking only at package dependency structure while ignoring dataflow, or rely on manually written taint specifications for the most popular libraries to ensure analysis scalability.In this work, we propose a technique for automatically extracting taint specifications for JavaScript libraries, based on a dynamic analysis that leverages the existing test suites of the libraries and their available clients in the npm repository. Due to the dynamic nature of JavaScript, mapping observations from dynamic analysis to taint specifications that fit into a static analysis is non-trivial. Our main insight is that this challenge can be addressed by a combination of an access path mechanism that identifies entry and exit points, and the use of membranes around the libraries of interest.We show that our approach is effective at inferring useful taint specifications at scale. Our prototype tool automatically extracts 146 additional taint sinks and 7 840 propagation summaries spanning 1 393 npm modules. By integrating the extracted specifications into a commercial, state-of-the-art static analysis, 136 new alerts are produced, many of which correspond to likely security vulnerabilities. Moreover, many important specifications that were originally manually written are among the ones that our tool can now extract automatically. CCS CONCEPTS• Software and its engineering → Software notations and tools.

show abstract

Finding and Preventing Bugs in JavaScript Bindings

Cited by 35 publications

References 31 publications

CodeAlchemist: Semantics-Aware Code Generation to Find Vulnerabilities in JavaScript Engines

CodeAlchemist: Semantics-Aware Code Generation to Find Vulnerabilities in JavaScript Engines

A Multilanguage Static Analysis of Python Programs with Native C Extensions

Extracting taint specifications for JavaScript libraries

Contact Info

Product

Resources

About