Bilingual Problems: Studying the Security Risks Incurred by Native Extensions in Scripting Languages

by   Cristian-Alexandru Staicu, et al.

Scripting languages are continuously gaining popularity due to their ease of use and the flourishing software ecosystems that surround them. These languages offer crash and memory safety by design, hence developers do not need to understand and prevent most low-level security issues plaguing languages like C. However, scripting languages often allow native extensions, which are a way for custom C/C++ code to be invoked directly from the high-level language. While this feature promises several benefits such as increased performance or the reuse of legacy code, it can also break the guarantees provided by the language, e.g., crash-safety. In this work, we first provide a comparative analysis of the security risks of the existing native extension API in three popular scripting languages. Additionally, we discuss a novel methodology for studying vulnerabilities caused by misuse of the native extension API. We then perform an in-depth study of npm, an ecosystem which appears to be the most exposed to threats introduced by native extensions. We show that vulnerabilities in extensions can be exploited in their embedding library by producing a hard crash in 30 npm packages, simply by invoking their API. Moreover, we identify five open-source web applications in which such exploits can be deployed remotely. Finally, we provide a set of recommendations for language designers, users and for the research community.



page 2

page 3

page 5

page 6

page 10

page 12

page 14

page 15


Debugging Native Extensions of Dynamic Languages

Many dynamic programming languages such as Ruby and Python enable develo...

Small World with High Risks: A Study of Security Threats in the npm Ecosystem

The popularity of JavaScript has lead to a large ecosystem of third-part...

Next-generation Web Applications with WebAssembly and TruffleWasm

In modern software development, the JavaScript ecosystem of various fram...

Over 100 Bugs in a Row: Security Analysis of the Top-Rated Joomla Extensions

Nearly every second website is using a Content Management System (CMS) s...

Mind the Gap: Analyzing the Performance of WebAssembly vs. Native Code

All major web browsers now support WebAssembly, a low-level bytecode int...

Not So Fast: Analyzing the Performance of WebAssembly vs. Native Code

All major web browsers now support WebAssembly, a low-level bytecode int...

Gobi: WebAssembly as a Practical Path to Library Sandboxing

Software based fault isolation (SFI) is a powerful approach to reduce th...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.