- Feb 4, 2016
Research presented this week at the Black Hat Europe 2017 security conference has revealed that several popular interpreted programming languages are affected by severe vulnerabilities that expose apps built on these languages to attacks.
The author of this research is IOActive Senior Security Consultant Fernando Arnaboldi. The expert says he used an automated software testing technique named fuzzing to identify vulnerabilities in the interpreters of five of today's most popular programming languages: JavaScript, Perl, PHP, Python, and Ruby.
Fuzzing is an operation that involves providing invalid, unexpected, or random data as input to a software application. Fuzzing has been used for years in the software testing field but has recently become very popular with security researchers, especially with Google's security team and the Linux community.
The reason is that fuzzing can surface crashes, hangs, and memory corruption. Some of these problems are not merely signs that the code needs cleanup; they often conceal security-relevant bugs.
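The differential approach described above, as an added illustration that is not the page's or XDiFF's own code: the same fuzz payload is handed to several interpreters running an equivalent one-liner, and the harness flags hangs, signal-killed crashes, and cases where the interpreters disagree on the result. The interpreter commands are assumptions, and any that are not installed are skipped rather than aborting the run.

```python
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional
# Constructed example: every interpreter runs an equivalent one-liner (integer
# conversion of untrusted text) over the same fuzz payload supplied on stdin.
# The command names are assumptions; adjust to the interpreters you have.
INTERPRETERS = {
    "python": [sys.executable, "-c", "import sys; print(int(sys.stdin.read()))"],
    "perl":   ["perl", "-e", 'my $s = <STDIN>; print int($s), "\\n";'],
    "ruby":   ["ruby", "-e", "puts Integer($stdin.read)"],
}

@dataclass
class Result:
    interpreter: str
    returncode: Optional[int]   # None when the run timed out (possible hang)
    stdout: str
    stderr: str

def run_case(name: str, cmd: list, payload: str, timeout: float = 5.0) -> Optional[Result]:
    """Run one interpreter on one payload; returns None if the binary is missing."""
    try:
        p = subprocess.run(cmd, input=payload, capture_output=True, text=True, timeout=timeout)
        return Result(name, p.returncode, p.stdout, p.stderr)
    except subprocess.TimeoutExpired:
        return Result(name, None, "", "")
    except FileNotFoundError:
        return None

def classify(results: list) -> list:
    """Reduce one payload's per-interpreter results to findings worth triage."""
    findings = []
    for r in results:
        if r.returncode is None:
            findings.append((r.interpreter, "hang (timeout)"))
        elif r.returncode < 0:   # POSIX: negative code = killed by that signal
            findings.append((r.interpreter, f"crash (killed by signal {-r.returncode})"))
    # The differential part: interpreters that succeeded but disagree on the result.
    ok = {r.interpreter: r.stdout.strip() for r in results if r.returncode == 0}
    if len(set(ok.values())) > 1:
        findings.append(("*", f"divergent output: {ok}"))
    return findings

def fuzz_one(payload: str, interpreters=INTERPRETERS, timeout: float = 5.0) -> list:
    """Feed one payload to every available interpreter and classify the outcome."""
    results = [r for name, cmd in interpreters.items()
               if (r := run_case(name, cmd, payload, timeout)) is not None]
    return classify(results)
```

Try payloads such as `" 0x2A "`, `"1_000"` or full-width digits to see which interpreters accept, reject, or silently reinterpret the same text; a divergence is the starting point for triage, not a vulnerability by itself.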
Vulnerabilities could trickle down to even the most secure apps
Arnaboldi argues that attackers can exploit these flaws even in the most secure applications built on top of these programming languages.
"Software developers may unknowingly include code in an application that can be used in a way that the designer did not foresee," the expert says. "Some of these behaviors pose a security risk to applications that were securely developed according to guidelines."
"Assuming no malicious intentions, these vulnerabilities may be the result of mistakes or attempts to simplify software development. The vulnerabilities ultimately impact regular applications parsed by the affected interpreters; however, the fixes should be applied to the interpreters," Arnaboldi added.
The researcher released XDiFF as an open source project on GitHub. A more detailed presentation of the testing procedure and all the vulnerabilities is available in Arnaboldi's research paper, titled "Exposing Hidden Exploitable Behaviors in Programming Languages Using Differential Fuzzing."