The binding layer connects JavaScript application code and the C++ runtime. It is used by systems such as Node.js, Chrome, PDFium, and the Chrome extension system to expose APIs that cannot be implemented in JavaScript itself (e.g., networking, filesystem access, etc.). Unfortunately, writing binding code is error-prone, and bugs in this layer often have security implications. Our papers explore this topic in more detail:
- Fraser Brown, Shravan Narayan, Riad S. Wahby, Dawson Engler, Ranjit Jhala, and Deian Stefan. Finding and Preventing Bugs in JavaScript Bindings. In /Proceedings of the Symposium on Security and Privacy/, IEEE. May, 2017.
- Fraser Brown. Superhacks: Exploring and Preventing Vulnerabilities in Browser Binding Code. In /Workshop on Programming Languages and Analysis for Security/, ACM. October, 2016.
We developed static checkers to find bugs in the binding layers of Node.js, Chrome, PDFium, and the Chrome extension system. This repository contains the code that was used to confirm the bugs. Most of these bugs have been reported (see, e.g., this link). There are some Node.js crashing bugs that we've yet to report (Node.js doesn't consider these security issues, so they aren't zero-days).
We originally ran the checkers on a node version from early September 2016 and Chrome version 56.0.2915.0 (Developer build). We omit any files that have been removed (e.g., due to refactoring) from more recent versions of the runtimes (node 7.7.4 and Chrome 56.0.2924.87) to simplify the bug reporting process. Most of the node bugs can be triggered for node-chakracore as well.
We will periodically update this repository with the source for exploits we used to trigger flagged bugs and (soon) with the flagged data itself.
We developed a Safe V8 API to address the classes of bugs that arise in the binding layer and ported node to this safe API. This API is backwards compatible (it breaks neither Node.js' own tests nor the CITGM tests) and imposes little to no overhead (according to the node benchmarks).
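The following is an added example, not code from this repository, from V8, or from the Safe V8 API described above. It models in plain, self-contained C++ the two conventions a binding can use to turn a dynamically typed JavaScript argument into a concrete C++ object: an unchecked downcast (in release builds, V8's `Local<T>::As<U>()` is a `static_cast` that never fails) versus a checked conversion that returns an empty handle on a type mismatch, so the binding has to report a `TypeError` instead of proceeding with a mistyped pointer. The types `HeapObject`, `JsNumber`, `JsString`, `Local`, `Args`, and the two binding functions are stand-ins constructed for this illustration; they are not V8's real classes.

```cpp
// Added example: a minimal model of the JS heap as a binding sees it.
// Not V8 code and not the Safe V8 API; a constructed stand-in.
#include <cstddef>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

enum class Kind { Undefined, Number, String };

struct HeapObject {
  Kind kind;
  explicit HeapObject(Kind k) : kind(k) {}
  virtual ~HeapObject() = default;
};

struct JsUndefined : HeapObject {
  static constexpr Kind kKind = Kind::Undefined;
  JsUndefined() : HeapObject(kKind) {}
};

struct JsNumber : HeapObject {
  static constexpr Kind kKind = Kind::Number;
  double value;
  explicit JsNumber(double v) : HeapObject(kKind), value(v) {}
};

struct JsString : HeapObject {
  static constexpr Kind kKind = Kind::String;
  std::string chars;
  explicit JsString(std::string s) : HeapObject(kKind), chars(std::move(s)) {}
};

// Handle to a heap object, in the spirit of v8::Local<T> (modelled, not real).
template <typename T>
struct Local {
  T* ptr = nullptr;
  bool IsEmpty() const { return ptr == nullptr; }
  T* operator->() const { return ptr; }
  bool IsString() const { return ptr && ptr->kind == Kind::String; }

  // Unchecked downcast, like V8's As<U>() in release builds: it never
  // fails, so a Number or undefined silently becomes a "JsString*".
  template <typename U>
  Local<U> As() const { return Local<U>{static_cast<U*>(ptr)}; }

  // Checked downcast, the shape a safe binding API forces on callers:
  // the tag is compared first and mismatches yield an empty handle.
  template <typename U>
  Local<U> To() const {
    if (ptr == nullptr || ptr->kind != U::kKind) return Local<U>{};
    return Local<U>{static_cast<U*>(ptr)};
  }
};

// Single shared 'undefined', as the JS heap has one.
static JsUndefined g_undefined;

// Argument list, like v8::FunctionCallbackInfo: an out-of-range index yields
// undefined rather than failing, so arity alone never protects a binding.
struct Args {
  std::vector<HeapObject*> values;
  Local<HeapObject> operator[](std::size_t i) const {
    if (i >= values.size()) return Local<HeapObject>{&g_undefined};
    return Local<HeapObject>{values[i]};
  }
};

enum class Status { Ok, TypeError };

// Unsafe pattern: the binding assumes arg 0 is a string. The cast "succeeds"
// on a Number or undefined too; dereferencing the result would then read
// JsString fields out of an object that has none (type confusion, UB), so
// this function stops at the cast and never dereferences it.
Local<JsString> UnsafeFirstArgAsString(const Args& args) {
  return args[0].As<JsString>();
}

// Safe pattern: convert with a checked operation and surface a TypeError to
// JavaScript when the argument is not what the binding expects.
Status SafeStringLength(const Args& args, std::size_t* out) {
  Local<JsString> s = args[0].To<JsString>();
  if (s.IsEmpty()) return Status::TypeError;
  *out = s->chars.size();
  return Status::Ok;
}

int main() {
  JsNumber n(42.0);
  JsString str("hello");
  Args num_args{{&n}};
  Args str_args{{&str}};
  std::size_t len = 0;
  std::printf("unchecked cast of a Number yields a non-empty JsString handle: %d\n",
              !UnsafeFirstArgAsString(num_args).IsEmpty());
  std::printf("checked binding on a Number: %s\n",
              SafeStringLength(num_args, &len) == Status::TypeError ? "TypeError" : "ok");
  std::printf("checked binding on a String: %s (len=%zu)\n",
              SafeStringLength(str_args, &len) == Status::Ok ? "ok" : "TypeError", len);
  return 0;
}
```

The point the model makes is that the unchecked cast gives no signal at all when the JavaScript caller passes the wrong type; the only defence is a tag check before the cast, and an API whose conversions return an empty handle (or a `Maybe`) makes that check impossible to forget.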