DOI: 10.1145/2993600.2993602
Short paper, Public Access

Short Paper: Superhacks: Exploring and Preventing Vulnerabilities in Browser Binding Code

Published: 24 October 2016

Abstract

In this paper, we analyze security vulnerabilities in the binding layer of browser code, and propose a research agenda to prevent these weaknesses with (1) static bug checkers and (2) new embedded domain specific languages (EDSLs). Browser vulnerabilities may leak browsing data and sometimes allow attackers to completely compromise users' systems. Some of these security holes result from programmers' difficulties with managing multiple tightly-coupled runtime systems, typically JavaScript and C++. In this paper, we survey the vulnerabilities in code that connects C++ and JavaScript, and explain how they result from differences in the two languages' type systems, memory models, and control flow constructs. With this data, we design a research plan for using static checkers to catch bugs in existing binding code and for designing EDSLs that make writing new, bug-free binding code easier.


Published In

PLAS '16: Proceedings of the 2016 ACM Workshop on Programming Languages and Analysis for Security
October 2016
116 pages
ISBN: 9781450345743
DOI: 10.1145/2993600
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. binding code
  2. browser security
  3. browser vulnerabilities
  4. domain-specific languages
  5. static checking

Qualifiers

  • Short-paper

Conference

CCS'16

Acceptance Rates

PLAS '16 Paper Acceptance Rate: 6 of 11 submissions, 55%
Overall Acceptance Rate: 43 of 77 submissions, 56%
