The binding layer connects JavaScript application code and the C++ runtime. It is used by systems such as Node.js, Chrome, PDFium, and the Chrome extension system to expose APIs that cannot otherwise be implemented in JavaScript (e.g., networking, filesystem access). Unfortunately, writing binding code is error-prone, and bugs in this layer often have security implications. Our papers explore this topic in more detail.

We developed static checkers to find bugs in the binding layers of Node.js, Chrome, PDFium, and the Chrome extension system. This repository contains the code that was used to confirm the bugs. Most of these bugs have been reported (see, e.g., this link). There are some Node.js crashing bugs that we have yet to report (Node.js does not consider these to be security issues, so they are not zero-days).

We originally ran the checkers on a Node.js version from early September 2016 and on Chrome version 56.0.2915.0 (developer build). To simplify the bug reporting process, we omit any files that have since been removed (e.g., due to refactoring) from more recent versions of the runtimes (Node.js 7.7.4 and Chrome 56.0.2924.87). Most of the Node.js bugs can be triggered on node-chakracore as well.

We will periodically update this repository with the source for exploits we used to trigger flagged bugs and (soon) with the flagged data itself.

We developed a Safe V8 API to address the classes of bugs that arise from the binding layer, and we ported Node.js to this safe API. The API is backwards compatible (it breaks neither Node.js' own tests nor the CITGM tests) and imposes little to no overhead (according to the Node.js benchmarks).

Exploits from the Finding and Preventing Bugs in JavaScript Bindings paper