Finding and Preventing Bugs in JavaScript Bindings

Finding and Preventing Bugs in JavaScript Bindings. By Fraser Brown, Shravan Narayan, Riad S. Wahby, Dawson Engler, Ranjit Jhala, Deian Stefan, at the 2017 IEEE Symposium on Security and Privacy. Presented by Callan Christophersen 1

The Chrome Model
• Runtimes are written in C++, which is statically typed, but JavaScript is dynamically typed. Type conversion happens in the binding layer. Up calls from binding code to JavaScript are also allowed. The problems are here.
• The advantage to this is that JavaScript can access significantly more features, such as network and file system access. C++ is also faster. 2

The Problem
• Binding code bugs (Crash-, Type-, Memory-safety) cause security issues.
• (Hard) Crash-Safety: crashing is when the low level language that the runtime system is written in crashes and fails ungracefully. This can lead to DOS attacks, breaking language-level security abstractions by introducing a new covert channel due to loss of information flow control. 3

Binding Is So Confusing
Type-Safety: Type mismatches can be used to cause hard crashes, so all of the crash-safety bugs apply here in addition to type confusion attacks. Type confusion attacks occur when a pointer refers to an object that has an incompatible type, for instance a pointer of type number* pointing to a function instead of a number object. 4

Is Memory Reliable?
Memory-Safety: Since type confusion attacks are a form of memory-safety violation, all the type safety bugs apply here in addition to memory disclosure and corruption attacks. Due to JavaScript's extreme flexibility to redefine functions, an up call (such as Symbol.toPrimitive) from the C++ binding layer can force the deallocation of objects still in use by C++ code. This gives rise to the potential for attackers to read from this deallocated memory. 5

Solutions: Static Checkers and an API
• 5 checkers overall: two crash-safety checkers, one for Node.js, the other for V8; one type-safety checker; two memory-safety checkers, one for V8, the other for PDFium. 9

Do They Work?
• Crash Safety: 128 flagged, 70 exploited, 36 suspicious, 22 false positives.
• Type Safety: 13 flagged, 4 exploited, 2 suspicious, 7 false positives.
• Memory Safety: 14 flagged, 7 exploited, 6 suspicious, 1 false positive.
• Suspicious results are inner helper binding functions that are more challenging to trigger than functions directly exposed to JavaScript. 10

The C++ API
The marshal function converts values or raises a V8-defined error. The getProp function is like V8's get, but instead of returning a Value it returns a JS<T>, which is a maybe type. This forces the developer to deal with the possibility of an up call and the side effects of that. After marshal or getProp, onVal can be used to execute the business logic; otherwise onFail is used to handle unexpected failures. This is similar to a try/catch approach. 11
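The marshal/getProp/onVal/onFail flow described above, as an added illustration that is not the paper's or V8's code: a simplified model of the JS<T> maybe type, where JsValue, JsObject and timeoutBinding are constructed stand-ins for V8 types and a binding. It shows how a failure at either step reaches the onFail handler without the C++ side ever operating on a mis-typed or missing value.

```cpp
#include <map>
#include <optional>
#include <string>
#include <variant>

// Constructed stand-ins for V8 handle types (not the real V8 API).
using JsValue = std::variant<double, std::string>;
struct JsObject { std::map<std::string, JsValue> props; };

// JS<T>: the "maybe" type. The value is reachable only through onVal/onFail,
// so a binding cannot silently skip the failure (or up-call) case.
template <typename T>
class JS {
 public:
  static JS val(T v) { JS r; r.v_ = v; return r; }
  static JS fail(std::string why) { JS r; r.err_ = why; return r; }
  // onVal: business logic that yields another JS<U>; a failure passes through.
  template <typename F>
  auto onVal(F f) const {
    using Ret = decltype(f(std::declval<const T&>()));
    if (v_) return f(*v_);
    return Ret::fail(err_);
  }
  // onFail: the only way to unwrap; the handler decides what a failure yields.
  template <typename G>
  T onFail(G g) const { return v_ ? *v_ : g(err_); }
 private:
  std::optional<T> v_;
  std::string err_;
};

// marshal<T>: convert, or fail with a TypeError rather than let C++ touch a
// mis-typed value (the type-confusion case from the slides).
template <typename T>
JS<T> marshal(const JsValue& v) {
  if (auto p = std::get_if<T>(&v)) return JS<T>::val(*p);
  return JS<T>::fail("TypeError: unexpected value type");
}

// getProp: a missing property is a failure to handle, not a crash.
JS<JsValue> getProp(const JsObject& o, const std::string& name) {
  auto it = o.props.find(name);
  if (it == o.props.end()) return JS<JsValue>::fail("TypeError: missing " + name);
  return JS<JsValue>::val(it->second);
}

// Example binding: doubles obj.timeout, or reports the failure as a string.
std::string timeoutBinding(const JsObject& obj) {
  return getProp(obj, "timeout")
      .onVal([](const JsValue& v) { return marshal<double>(v); })
      .onVal([](double t) { return JS<std::string>::val(std::to_string(int(t * 2))); })
      .onFail([](const std::string& err) { return err; });
}
```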

What's Wrong With This?
• Narrow focus. The paper mentions many high level languages like JavaScript, Python, Ruby, and Java, but it only deals with one, and a subset of JavaScript engines at that: mostly V8-based systems, with checkers built for Chromium's C++ code.
• While making generalizations like “it would be remarkable if these languages did not contain essentially identical flaws. Therefore, we believe that other high-level language runtimes [. . . ] stand to benefit from lightweight checkers and more principled API design”.
• It is plausible that there are similar bugs in other languages (Java and the never-ending type confusion saga), but it is not immediately obvious that these checkers will work with the binding code of other languages. 12

What's Wrong With This?
• The authors acknowledge themselves that their approach won’t handle bugs from native code.
• Easy to use API, but it wasn't tested with developers. What do you do onFail?
• Results good enough for a $6000 reward. Not good enough for the API to be adopted by Google.
• Could have been written better: they make a great topic seem really dull. This is a hard to read paper. 13

- Slides: 11