Even software built with secure development procedures may still be vulnerable to attack because of flaws in the interpreted programming languages it depends on.
IOActive researcher Fernando Arnaboldi revealed at last week's Black Hat Europe conference that serious flaws in interpreters for five popular programming languages put applications parsed by them at risk.
Arnaboldi found, for example, that Python has "undocumented methods and local environment variables that can be used for OS command execution".
NodeJS, a JavaScript interpreter, meanwhile could leak file contents through error messages it outputs, while JRuby, the Java implementation of Ruby, "loads and executes remote code on a function not designed for remote code execution".
For Perl, Arnaboldi cites the ability of its typemaps function, included in its default set of modules, to execute code. In PHP, meanwhile, certain native functions can be passed a constant's name to perform a remote command execution.
He believes these vulnerabilities may have been caused by attempts to simplify software development.
"The vulnerabilities ultimately impact regular applications parsed by the affected interpreters; however, the fixes should be applied to the interpreters," he noted.
"With regards to the interpreted programming languages vulnerabilities, software developers may unknowingly include code in an application that can be used in a way that the designer did not foresee. Some of these behaviors pose a security risk to applications that were securely developed according to guidelines," wrote Arnaboldi.
The researcher discovered the flaws using XDiFF, a 'differential fuzzer' he created and targeted at several interpreters for different languages.
For JavaScript, targets included Google's V8 JavaScript engine, Microsoft's ChakraCore equivalent, Mozilla's SpiderMonkey, NodeJS, and Node-ChakraCore.
In PHP, he fuzzed PHP and HHVM, while for Ruby the targets included Ruby and JRuby. He also fuzzed Perl, ActivePerl, CPython, PyPy, and Jython.
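The idea behind differential testing, as an added illustration that is not XDiFF's code or taken from the research: feed the same input to several targets and flag any input on which their observable behaviour differs. The names `TARGETS`, `CORPUS`, `run_one`, `differential` and `find_divergences` are assumptions, and the two targets are one Python interpreter run with and without `-O`, a constructed stand-in for separate implementations such as CPython, PyPy and Jython so the sketch runs with a single interpreter installed.

```python
import subprocess
import sys
from collections import defaultdict

# Constructed targets: name -> command line. In a real comparison each entry
# would point at a different interpreter binary for the same language.
TARGETS = {
    "default": [sys.executable, "-I"],
    "optimized": [sys.executable, "-I", "-O"],
}

# Constructed corpus of inputs; a fuzzer would generate these automatically.
CORPUS = ["print(1 + 1)", "assert False, 'boom'", "print(__debug__)"]


def run_one(cmd, snippet, timeout=10):
    """Run snippet under one target and return a comparable behaviour signature."""
    try:
        proc = subprocess.run(cmd + ["-c", snippet], capture_output=True,
                              text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return ("timeout", "", "")
    # Keep only the last stderr line (exception type and message): full
    # tracebacks contain paths and line details that differ for benign reasons.
    err_lines = proc.stderr.strip().splitlines()
    return (proc.returncode, proc.stdout, err_lines[-1] if err_lines else "")


def differential(targets, snippet):
    """Group target names by behaviour; more than one group is a divergence."""
    groups = defaultdict(list)
    for name, cmd in targets.items():
        groups[run_one(cmd, snippet)].append(name)
    return dict(groups)


def find_divergences(targets, corpus):
    """Return only the inputs on which the targets disagree, with the groups."""
    found = {}
    for snippet in corpus:
        groups = differential(targets, snippet)
        if len(groups) > 1:
            found[snippet] = groups
    return found


if __name__ == "__main__":
    for snippet, groups in find_divergences(TARGETS, CORPUS).items():
        print(repr(snippet), "->", groups)
```

Each divergence is only a lead for manual review: it shows that the targets disagree, not which of them (if any) behaves unsafely.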
As he's previously pointed out, the research shows that applications can suffer from security issues when using certain features from programming languages.
"There are a number of possibilities to be abused in different implementations that could affect secure applications. There are unexpected scenarios for the interpreted programming languages parsing the code in JavaScript, Perl, PHP, Python and Ruby," Arnaboldi wrote.