Vulnerabilities in popular programming languages call into question the security of applications

According to a study by IOActive senior security consultant Fernando Arnaboldi, even carefully secured applications can be vulnerable to attack because of flaws in the interpreted programming languages they are written in. An interpreted language differs from a compiled one in that its source code is not translated into machine code executed directly by the processor; instead, it is run by a separate interpreter program, so any flaw in that interpreter is inherited by every application that runs on it.

Using an automated technique known as fuzzing, the researcher tested the interpreters of five popular programming languages: JavaScript, Perl, PHP, Python and Ruby. The tool used was XDiFF (Extended Differential Fuzzing Framework), which is designed to analyse the structure and behaviour of programming languages and to compare how different implementations react to the same input.

The researcher found vulnerabilities in the interpreters of all five languages.

The essence of fuzzing as a testing technique is that a tool feeds malformed, unexpected or random data to the application's inputs and watches how it reacts. The method is effective at finding memory errors and other faults that make a program hang or crash. Such faults are usually easy to fix in the application's own source code, but sometimes they carry security consequences and lie outside the control of the developers of the final software, because the defect is in the interpreter rather than in the application.

To test the languages, Arnaboldi used fewer than thirty primitive values (a number, a letter and so on), combined with special payloads designed to reveal when the software tries to access external resources. He broke each language down into its basic functions and then tested every one of them: JavaScript, 450 functions; PHP, 1,405; Ruby, 2,483; Perl, 3,105; Python, 3,814.
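The approach described above, as an added example that is not part of the article or of IOActive's XDiFF code: a small Python harness that calls every public builtin with a handful of primitive values plus a canary payload, and uses the interpreter's own audit hooks (sys.addaudithook, Python 3.8 or later) to flag the functions that try to reach an external resource (a file, a module, a process or a socket) with that canary. The canary path, the primitive set, the list of resource-related audit events and the list of interactive builtins to skip are assumptions made for this example.

```python
"""Minimal differential-fuzz harness in the spirit of the XDiFF approach:
call every public callable in a module with a few primitive values plus a
canary payload, and flag the functions that try to reach an external
resource (file, module, process, socket) carrying that canary.
Added example, not IOActive's code; needs sys.addaudithook (Python >= 3.8)."""
import builtins
import inspect
import sys

# Constructed canary: a path that must not exist.  Any resource access that
# carries this string was caused by the payload reaching the outside world.
CANARY = "/tmp/xdiff_canary_that_does_not_exist"

# A small primitive set, as in the study (numbers, letters, empty values).
# Small ints and bools are deliberately absent: open(1) would wrap stdout.
PRIMITIVES = [-1, 10**6, 0.5, "", "a", "0", None, [], {}, b"", CANARY]

# Audit event names (or prefixes) that mean "the interpreter touched
# something outside itself".  Assumed list; extend it for other resources.
RESOURCE_EVENTS = ("open", "import", "os.", "subprocess.", "socket.",
                   "urllib.", "glob.", "shutil.", "webbrowser.")

# Interactive or process-terminating builtins that a blind fuzzer must skip:
# input() blocks, breakpoint() enters pdb, exit()/quit() close stdin and exit.
SKIP = {"input", "help", "breakpoint", "exit", "quit", "print", "license",
        "copyright", "credits"}


class CanaryMonitor:
    """Records which function under test caused a resource event carrying
    the canary.  One hook per process: audit hooks cannot be removed."""

    def __init__(self):
        self.current = None      # name of the function being fuzzed right now
        self.hits = {}           # function name -> set of audit event names
        sys.addaudithook(self._hook)

    def _hook(self, event, args):
        if self.current is None or not event.startswith(RESOURCE_EVENTS):
            return
        # The event must literally carry the canary; unrelated file or import
        # activity inside the interpreter (e.g. sys.path scans) is ignored.
        if any(isinstance(a, str) and CANARY in a for a in args):
            self.hits.setdefault(self.current, set()).add(event)


def fuzz_module(module, monitor, primitives=PRIMITIVES):
    """Call each public callable once per primitive and return the sorted
    names of those that emitted a canary-tagged resource event."""
    for name, func in inspect.getmembers(module, callable):
        if (name.startswith("_") and name != "__import__") or name in SKIP:
            continue
        for value in primitives:
            monitor.current = name
            try:
                func(value)
            except KeyboardInterrupt:
                raise
            except BaseException:    # SystemExit etc. must not stop the run
                pass
            finally:
                monitor.current = None
    return sorted(monitor.hits)


def fuzz_builtins():
    """Entry point: fuzz the builtins module with a fresh monitor and return
    (flagged function names, {name: set of events})."""
    monitor = CanaryMonitor()
    return fuzz_module(builtins, monitor), monitor.hits


if __name__ == "__main__":
    flagged, hits = fuzz_builtins()
    for fn in flagged:                # -> ['__import__', 'open']
        print(f"{fn}: {sorted(hits[fn])}")
```

On a stock CPython the run flags open (an `open` event on the canary path) and __import__ (an `import` event: a bare module name is resolved against the filesystem), while string-evaluating builtins such as eval and exec do not touch any external resource with this payload and are therefore not reported. The skip list and the choice of primitives are the part a practitioner gets wrong first: calling input(), breakpoint() or exit() with arbitrary arguments hangs or kills the fuzzer's own process, and passing small integers or booleans to open() wraps the process's standard streams in file objects that close them on garbage collection.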

It was found that Python contains undocumented methods and local environment variables that can be used to execute operating-system commands, and that Perl's typemaps functionality can execute code in the same way as eval(). Node.js produces error messages that partially disclose the contents of files. JRuby loads and executes external code in functions that were not designed for it, and PHP constant names can be used to execute commands remotely.

"Software developers can unintentionally inject code into the application, which will then be used differently than the authors of the application assumed. Some variants of its behavior can pose a serious risk to the security of applications, even if their development was conducted in full compliance with the security standards," Arnaboldi said.

Experts have found vulnerabilities tied to programming languages before. Veracode, for example, published a study of how the number of vulnerabilities in code depends on the programming language used. Static analysis of more than 200,000 applications showed that the largest number of security flaws occur in projects written in ASP, ColdFusion and PHP.

In 2013, a massive attack was recorded against sites running outdated versions of the Ruby on Rails framework affected by the parameter-parsing vulnerability CVE-2013-0156. Given that Drupal, Joomla and WordPress, which together account for about 70% of the content management system market and run roughly a quarter of the largest sites on the Web, are written in PHP, the PHP language is regularly named as the one causing the greatest security problems.
