Write a Blog >>

Many web services and other attacker-facing code bases are written in high-level scripting languages like JavaScript, Python, and Ruby. By a construction, these languages prevent developers from introducing entire classes of bugs that plague low-level languages (e.g., buffer overflows, use-after-frees, and memory leaks). Unfortunately, high-level languages alsointroduce new classes of severe, exploitable flaws that are often less obvious than low-level code bugs. These bugs lie in the runtime systems themselves, often in the binding layer that bridges the high-level language itself and the low-level language used to implement the runtime system. In this talk, I will describe several classes of exploitable errors that plague the binding layer of JavaScript runtime systems, including Node.js and Chrome. We found over 80 exploitable bugs in these systems by developing a suite of easy-to-build static checkers using the new µchex framework. The ease of writing such bug checkers – a task I will demonstrate in this talk – and the potential to impact hundreds of millions of people make language runtimes especially attractive attack vectors. As a step towards addressing these concerns and building more secure runtime systems, I will describe the design of a new binding-layer API for the JavaScript V8 engine.

Tue 20 Jun
Times are displayed in time zone: (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change

16:00 - 18:20: Curry On Talks - Tuesday - 16:00 - 18:20 - Auditorium at Auditorium, Vertex Building
curryon-2017-papers16:00 - 16:40
Sylvan ClebschImperial College London
curryon-2017-papers16:50 - 17:30
curryon-2017-papers17:40 - 18:20