Bilingual Problems: Studying the Security Risks Incurred by Native Extensions in Scripting Languages

Scripting languages are continuously gaining popularity due to their ease of use and the flourishing software ecosystems that surround them. These languages offer crash and memory safety by design, thus, developers do not need to understand and prevent low-level security issues like the ones plaguin...

Detailed description

Saved in:
Bibliographic details
Main authors: Staicu, Cristian-Alexandru, Rahaman, Sazzadur, Kiss, Ágnes, Backes, Michael
Format: Article
Language: eng
Subjects:
Online access: Order full text
creator Staicu, Cristian-Alexandru
Rahaman, Sazzadur
Kiss, Ágnes
Backes, Michael
description Scripting languages are continuously gaining popularity due to their ease of use and the flourishing software ecosystems that surround them. These languages offer crash and memory safety by design, thus, developers do not need to understand and prevent low-level security issues like the ones plaguing the C code. However, scripting languages often allow native extensions, which are a way for custom C/C++ code to be invoked directly from the high-level language. While this feature promises several benefits such as increased performance or the reuse of legacy code, it can also break the language's guarantees, e.g., crash-safety. In this work, we first provide a comparative analysis of the security risks of native extension APIs in three popular scripting languages. Additionally, we discuss a novel methodology for studying the misuse of the native extension API. We then perform an in-depth study of npm, an ecosystem which is most exposed to threats introduced by native extensions. We show that vulnerabilities in extensions can be exploited in their embedding library by producing reads of uninitialized memory, hard crashes or memory leaks in 33 npm packages, simply by invoking their API with well-crafted inputs. Moreover, we identify six open-source web applications in which such exploits can be deployed remotely by a weak adversary. Finally, we were assigned seven security advisories for the work presented in this paper, most labeled as high severity.
doi_str_mv 10.48550/arxiv.2111.11169
format Article
identifier DOI: 10.48550/arxiv.2111.11169
language eng
recordid cdi_arxiv_primary_2111_11169
source arXiv.org
subjects Computer Science - Cryptography and Security
title Bilingual Problems: Studying the Security Risks Incurred by Native Extensions in Scripting Languages
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-02T07%3A30%3A52IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-arxiv_GOX&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Bilingual%20Problems:%20Studying%20the%20Security%20Risks%20Incurred%20by%20Native%20Extensions%20in%20Scripting%20Languages&rft.au=Staicu,%20Cristian-Alexandru&rft.date=2021-11-22&rft_id=info:doi/10.48550/arxiv.2111.11169&rft_dat=%3Carxiv_GOX%3E2111_11169%3C/arxiv_GOX%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rfr_iscdi=true