Finding and Preventing Bugs in JavaScript Bindings
JavaScript, like many high-level languages, relies on runtime systems written in low-level C and C++. For example, the Node.js runtime system gives JavaScript code access to the underlying file system, networking, and I/O by implementing utility functions in C++. Since C++'s type system, memory...
Saved in:
| Published in: | Proceedings - IEEE Symposium on Security and Privacy pp. 559 - 578 |
|---|---|
| Main Authors: | , , , , , |
| Format: | Conference Proceeding |
| Language: | English |
| Published: |
IEEE
01.05.2017
|
| Subjects: | |
| ISSN: | 2375-1207 |
| Online Access: | Get full text |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Abstract | JavaScript, like many high-level languages, relies on runtime systems written in low-level C and C++. For example, the Node.js runtime system gives JavaScript code access to the underlying file system, networking, and I/O by implementing utility functions in C++. Since C++'s type system, memory model, and execution model differ significantly from JavaScript's, JavaScript code must call these runtime functions via intermediate binding layer code that translates type, state, and failure between the two languages. Unfortunately, binding code isboth hard to avoid and hard to get right. This paper describes several types of exploitable errors that binding code creates, and develops both a suite of easily-to-build static checkers to detect such errors and a backwards-compatible, low-overhead API to prevent them. We show that binding flaws are a serious security problem byusing our checkers to craft 81 proof-of-concept exploits for security flaws in the binding layers of the Node.js and Chrome, runtime systems that support hundreds of millions of users. As one practical measure of binding bug severity, we were awarded 6,000 in bounties for just two Chrome bug reports. |
|---|---|
| AbstractList | JavaScript, like many high-level languages, relies on runtime systems written in low-level C and C++. For example, the Node.js runtime system gives JavaScript code access to the underlying file system, networking, and I/O by implementing utility functions in C++. Since C++'s type system, memory model, and execution model differ significantly from JavaScript's, JavaScript code must call these runtime functions via intermediate binding layer code that translates type, state, and failure between the two languages. Unfortunately, binding code isboth hard to avoid and hard to get right. This paper describes several types of exploitable errors that binding code creates, and develops both a suite of easily-to-build static checkers to detect such errors and a backwards-compatible, low-overhead API to prevent them. We show that binding flaws are a serious security problem byusing our checkers to craft 81 proof-of-concept exploits for security flaws in the binding layers of the Node.js and Chrome, runtime systems that support hundreds of millions of users. As one practical measure of binding bug severity, we were awarded 6,000 in bounties for just two Chrome bug reports. |
| Author | Engler, Dawson Narayan, Shravan Stefan, Deian Wahby, Riad S. Jhala, Ranjit Brown, Fraser |
| Author_xml | – sequence: 1 givenname: Fraser surname: Brown fullname: Brown, Fraser – sequence: 2 givenname: Shravan surname: Narayan fullname: Narayan, Shravan – sequence: 3 givenname: Riad S. surname: Wahby fullname: Wahby, Riad S. – sequence: 4 givenname: Dawson surname: Engler fullname: Engler, Dawson – sequence: 5 givenname: Ranjit surname: Jhala fullname: Jhala, Ranjit – sequence: 6 givenname: Deian surname: Stefan fullname: Stefan, Deian |
| BookMark | eNotjM1KAzEURqMo2NZu3LrJC8w0ufm9S1usVgoWquuSmbkpEY1lMhZ8e5W6-DgcOHxjdpE_MzF2I0UtpcDZdlODkK62_oxN0XlpBApjlFLnbATKmUqCcFdsXMqbECAU6hGDZcpdynsecsc3PR0pD386_9oXnjJ_Csewbft0GPj8VJZrdhnDe6HpPyfsdXn_snis1s8Pq8XdukrSmaEKEbpoY2v171ADQDSBWtTkgiKU5FA7CGijxxhVQ-SatgMgYSxRo9SE3Z5-ExHtDn36CP33zqHxBr36AWfORUA |
| CODEN | IEEPAD |
| ContentType | Conference Proceeding |
| DBID | 6IE 6IH CBEJK RIE RIO |
| DOI | 10.1109/SP.2017.68 |
| DatabaseName | IEEE Electronic Library (IEL) Conference Proceedings IEEE Proceedings Order Plan (POP) 1998-present by volume IEEE Xplore All Conference Proceedings IEEE/IET Electronic Library (IEL) (UW System Shared) IEEE Proceedings Order Plans (POP) 1998-present |
| DatabaseTitleList | |
| Database_xml | – sequence: 1 dbid: RIE name: IEEE/IET Electronic Library (IEL) (UW System Shared) url: https://ieeexplore.ieee.org/ sourceTypes: Publisher |
| DeliveryMethod | fulltext_linktorsrc |
| Discipline | Computer Science |
| EISBN | 9781509055333 1509055339 |
| EISSN | 2375-1207 |
| EndPage | 578 |
| ExternalDocumentID | 7958598 |
| Genre | orig-research |
| GroupedDBID | 23M 29O 6IE 6IF 6IH 6IL 6IN AAJGR AAWTH ABLEC ACGFS ADZIZ ALMA_UNASSIGNED_HOLDINGS BEFXN BFFAM BGNUA BKEBE BPEOZ CBEJK CHZPO IEGSK IJVOP M43 OCL RIE RIL RIO RNS |
| ID | FETCH-LOGICAL-i175t-af2df6fc64fc694222f5aec94e7a3e91e79472a96f89ff3bee7bcd22e056eeb33 |
| IEDL.DBID | RIE |
| ISICitedReferencesCount | 29 |
| ISICitedReferencesURI | http://www.webofscience.com/api/gateway?GWVersion=2&SrcApp=Summon&SrcAuth=ProQuest&DestLinkType=CitingArticles&DestApp=WOS_CPL&KeyUT=000413081300031&url=https%3A%2F%2Fcvtisr.summon.serialssolutions.com%2F%23%21%2Fsearch%3Fho%3Df%26include.ft.matches%3Dt%26l%3Dnull%26q%3D |
| IngestDate | Wed Aug 27 02:46:57 EDT 2025 |
| IsPeerReviewed | false |
| IsScholarly | true |
| Language | English |
| LinkModel | DirectLink |
| MergedId | FETCHMERGED-LOGICAL-i175t-af2df6fc64fc694222f5aec94e7a3e91e79472a96f89ff3bee7bcd22e056eeb33 |
| PageCount | 20 |
| ParticipantIDs | ieee_primary_7958598 |
| PublicationCentury | 2000 |
| PublicationDate | 2017-May |
| PublicationDateYYYYMMDD | 2017-05-01 |
| PublicationDate_xml | – month: 05 year: 2017 text: 2017-May |
| PublicationDecade | 2010 |
| PublicationTitle | Proceedings - IEEE Symposium on Security and Privacy |
| PublicationTitleAbbrev | SP |
| PublicationYear | 2017 |
| Publisher | IEEE |
| Publisher_xml | – name: IEEE |
| SSID | ssj0020394 |
| Score | 2.231223 |
| Snippet | JavaScript, like many high-level languages, relies on runtime systems written in low-level C and C++. For example, the Node.js runtime system gives JavaScript... |
| SourceID | ieee |
| SourceType | Publisher |
| StartPage | 559 |
| SubjectTerms | C++ languages Computer bugs Engines Indexes Runtime Security |
| Title | Finding and Preventing Bugs in JavaScript Bindings |
| URI | https://ieeexplore.ieee.org/document/7958598 |
| WOSCitedRecordID | wos000413081300031&url=https%3A%2F%2Fcvtisr.summon.serialssolutions.com%2F%23%21%2Fsearch%3Fho%3Df%26include.ft.matches%3Dt%26l%3Dnull%26q%3D |
| hasFullText | 1 |
| inHoldings | 1 |
| isFullTextHit | |
| isPrint | |
| link | http://cvtisr.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwlV1LSwMxEB7a4sFT1VZ8k4NHt91uXptrxSIeSqEKvZVsMpG9bKWv32-S3VYPXjwEkhAImTCZR2a-AXi0QuRCezPVutQmjFudeCWWJZYqlzFHnbV5LDYhp9N8sVCzFjwdc2EQMQaf4SB041--XZldcJUNpfLKrcrb0JZS1LlaR-MqpYo18KOjVA3nsxC2JQcBQvVX2ZQoNSbd_-13Bv2f9DsyOwqWc2hhdQHdQ_0F0rBjD7JJGXNSiK4sOWAx-eF497khZUXe9F7P46tAxvXKTR8-Ji_vz69JUwMhKb1g3ybaZdYJZwTzTQV_jeMajWIoNUU1Qs9PMtNKuFw5RwtEWRibZegVG_SGMr2ETrWq8AoIp4wz5EYamTLjdKF0WkhacMOp4NxdQy-QYPlVw1wsm9Pf_D19C6eBwHXs3x10tusd3sOJ2W_Lzfoh3s03xreSLQ |
| linkProvider | IEEE |
| linkToHtml | http://cvtisr.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwlV1LTwIxEJ4gmugJFYxve_DowtrHdnvFSFCRkIAJN9Jtp2Yvi-H1--0-QA9ePDRpmyZNp5nOozPfANzbKIoj7c1U60IbcGF14JVYHlimHOWOOWvjotiEHA7j6VSNavCwy4VBxCL4DNt5t_jLt3Ozzl1lHam8cqviPdgXnNOwzNbamVchU7wCIH0MVWc8ygO3ZDsHUf1VOKWQG73G_3Y8htZPAh4Z7UTLCdQwO4XGtgIDqRiyCbSXFlkpRGeWbNGY_LC7_lySNCOveqPHxbtAuuXKZQs-es-Tp35QVUEIUi_aV4F21LrImYj7pnKPjRMajeIoNUP1iJ6jJNUqcrFyjiWIMjGWUvSqDXpTmZ1BPZtneA5EMC44CiONDLlxOlE6TCRLhBEsEsJdQDMnweyrBLqYVae__Hv6Dg77k_fBbPAyfLuCo5zYZSTgNdRXizXewIHZrNLl4ra4p2-RrZV0 |
| openUrl | ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=proceeding&rft.title=Proceedings+-+IEEE+Symposium+on+Security+and+Privacy&rft.atitle=Finding+and+Preventing+Bugs+in+JavaScript+Bindings&rft.au=Brown%2C+Fraser&rft.au=Narayan%2C+Shravan&rft.au=Wahby%2C+Riad+S.&rft.au=Engler%2C+Dawson&rft.date=2017-05-01&rft.pub=IEEE&rft.eissn=2375-1207&rft.spage=559&rft.epage=578&rft_id=info:doi/10.1109%2FSP.2017.68&rft.externalDocID=7958598 |