Secure Apps Exposed to Hacking via Flaws in Underlying Programming Languages

LASER_oneXM

Feb 4, 2016
Research presented this week at the Black Hat Europe 2017 security conference has revealed that several popular interpreted programming languages are affected by severe vulnerabilities that expose apps built on these languages to attacks.

The author of this research is IOActive Senior Security Consultant Fernando Arnaboldi. The expert says he used an automated software testing technique named fuzzing to identify vulnerabilities in the interpreters of five of today's most popular programming languages: JavaScript, Perl, PHP, Python, and Ruby.

Fuzzing is an operation that involves providing invalid, unexpected, or random data as input to a software application. Fuzzing has been used for years in the software testing field but has recently become very popular with security researchers, especially with Google's security team and the Linux community.

The reason is that fuzzing can identify crashes, hangs, or memory corruption issues. Some of these problems usually are not just a sign that the app's code needs optimization; they also hide security-related issues.

Vulnerabilities could trickle down to even the most secure apps
Arnaboldi argues that attackers can exploit these flaws even in the most secure applications built on top of these programming languages.

"Software developers may unknowingly include code in an application that can be used in a way that the designer did not foresee," the expert says. "Some of these behaviors pose a security risk to applications that were securely developed according to guidelines."

"Assuming no malicious intentions, these vulnerabilities may be the result of mistakes or attempts to simplify software development. The vulnerabilities ultimately impact regular applications parsed by the affected interpreters; however, the fixes should be applied to the interpreters," Arnaboldi added.

The researcher released the fuzzer, named XDiFF, as an open source project on GitHub. A more detailed presentation of the testing procedure and all the vulnerabilities is available in Arnaboldi's research paper, titled "Exposing Hidden Exploitable Behaviors in Programming Languages Using Differential Fuzzing."
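An added example (not from the original post, the article, or XDiFF) of the differential fuzzing idea named in the paper title, applied to Python's own `json` module: the same generated inputs go to the default parser and to a strict configuration, and every disagreement is recorded for review. The token list, the function names and the choice of target are assumptions made for illustration.

```python
import json
import math
import random

# Constructed token dictionary: JSON syntax plus edge-case literals worth trying.
TOKENS = ['{', '}', '[', ']', ':', ',', '"a"', '1', '-', '-0', '1.5',
          '1e999', 'NaN', 'Infinity', 'true', 'null', ' ']

def gen_input(rng, max_tokens=6):
    """Build one test case by concatenating random tokens (mostly invalid JSON)."""
    return ''.join(rng.choice(TOKENS) for _ in range(rng.randint(1, max_tokens)))

def _reject_constant(name):
    raise ValueError('non-standard constant: ' + name)

def _finite_float(text):
    value = float(text)
    if math.isinf(value):
        raise ValueError('float overflows to infinity: ' + text)
    return value

def lenient(text):
    """Target A: the interpreter's default behaviour."""
    return json.loads(text)

def strict(text):
    """Target B: same parser, but only standard literals and finite numbers."""
    return json.loads(text, parse_constant=_reject_constant,
                      parse_float=_finite_float)

def outcome(target, text):
    """Reduce one run to a comparable (status, detail) pair."""
    try:
        return ('ok', repr(target(text)))
    except ValueError:              # includes json.JSONDecodeError: clean rejection
        return ('rejected', '')
    except Exception as exc:        # anything else is an unexpected failure
        return ('crash', type(exc).__name__)

def differential_fuzz(iterations=2000, seed=1):
    """Return {input: (outcome_a, outcome_b)} for every disagreement or crash."""
    rng = random.Random(seed)
    findings = {}
    for _ in range(iterations):
        text = gen_input(rng)
        a, b = outcome(lenient, text), outcome(strict, text)
        if a != b or a[0] == 'crash':
            findings.setdefault(text, (a, b))
    return findings
```

Calling `differential_fuzz()` returns the inputs the default parser accepts but the strict one refuses, which is the list an application owner would check against what downstream code expects to receive.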
 
