This article is more than 1 year old
Language bugs infest downstream software, fuzzer finds
And you worked so hard to make it secure
Developers working in secure development guidelines can still be bitten by upstream bugs in the languages they use.
That's the conclusion of research presented last week at Black Hat Europe by IOActive's Fernando Arnaboldi.
As Arnaboldi wrote in his Black Hat Europe paper [PDF]: “software developers may unknowingly include code in an application that can be used in a way that the designer did not foresee. Some of these behaviors pose a security risk to applications that were securely developed according to guidelines.”
Arnaboldi found bugs in the major programming languages JavaScript, Perl, PHP, Python and Ruby, and in all cases, he said the vulnerabilities could expose software written using those languages.
To run his test, Arnaboldi created a differential fuzzer, XDiFF, which compares behaviour of different inputs, versions, implementations and operating system implementations of the same piece of software.
For this project, he ran XDiFF against JavaScript v8, ChakraCore, Spidermonkey, NodeJS v8 and Node (ChakraCore); PHP and the HHVM variant; Ruby and JRuby; Perl and ActivePerl; and CPython, PyPy, and Jython.
| Category | Number of Functions Tested |
|---|---|
| JavaScript | 450 |
| PHP | 1,405 |
| Ruby | 2,483 |
| Perl | 3,105 |
| Python | 3,814 |
The kinds of bugs revealed in the tests included undocumented features in Python, which provided OS-level command execution; information disclosure in NodeJS via error messages, a JRuby function that loads remote code for execution (RCE), and an RCE in PHP using the names of constants. ®
Biting the hand that feeds IT
