
Many web services and other attacker-facing code bases are written in high-level scripting languages like JavaScript, Python, and Ruby. By construction, these languages prevent developers from introducing entire classes of bugs that plague low-level languages (e.g., buffer overflows, use-after-frees, and memory leaks). Unfortunately, high-level languages also introduce new classes of severe, exploitable flaws that are often less obvious than low-level code bugs. These bugs lie in the runtime systems themselves, often in the binding layer that bridges the high-level language itself and the low-level language used to implement the runtime system. In this talk, I will describe several classes of exploitable errors that plague the binding layer of JavaScript runtime systems, including Node.js and Chrome. We found over 80 exploitable bugs in these systems by developing a suite of easy-to-build static checkers using the new µchex framework. The ease of writing such bug checkers – a task I will demonstrate in this talk – and the potential to impact hundreds of millions of people make language runtimes especially attractive attack vectors. As a step towards addressing these concerns and building more secure runtime systems, I will describe the design of a new binding-layer API for the JavaScript V8 engine.

Tue 20 Jun
Times are displayed in time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

Tuesday, 16:00 - 18:20: Curry On Talks at Auditorium, Vertex Building
16:00 - 16:40
Talk
Curry On Talks
Sylvan Clebsch, Imperial College London
16:50 - 17:30
Talk
Curry On Talks
17:40 - 18:20
Talk
Curry On Talks