Security bugs in embedded interpreters
Authors
Abstract
Because embedded interpreters offer flexibility and performance, they are becoming more prevalent, and can be found at nearly every level of the software stack. As one example, the Linux kernel defines languages to describe packet filtering rules and uses embedded interpreters to filter packets at run time. As another example, the RAR archive format allows embedding bytecode in compressed files to describe reversible transformations for decompression. This paper presents an analysis of common pitfalls in embedded interpreter implementations, which can lead to security vulnerabilities, and their impact. We hope that these results are useful both in augmenting existing embedded interpreters and in aiding developers in building new, more secure embedded interpreters.
Similar resources
Jitk: A Trustworthy In-Kernel Interpreter Infrastructure
Modern operating systems run multiple interpreters in the kernel, which enable user-space applications to add new functionality or specialize system policies. The correctness of such interpreters is critical to the overall system security: bugs in interpreters could allow adversaries to compromise user-space applications and even the kernel. Jitk is a new infrastructure for building in-kernel i...
Sulong, and Thanks For All the Bugs
In C, memory errors, such as buffer overflows, are among the most dangerous software errors; as we show, they are still on the rise. Current dynamic bug-finding tools that try to detect such errors are based on the low-level execution model of the underlying machine. They insert additional checks in an ad hoc fashion, which makes them prone to omitting checks for corner cases. To address this, w...
Analyzing Sandboxed Interpreters with Abstract Interpretation
The Android platform provides a coarse-grained per-application permission policy. While this approach works in general, applications that contain multiple subprograms would benefit from more fine-grained permission guarantees. For instance, an advertisement-serving GPS app requires both Internet and Location permissions, but provides no guarantee that your location won’t be leaked. Another examp...
FIE on Firmware: Finding Vulnerabilities in Embedded Systems Using Symbolic Execution
Embedded systems increasingly use software-driven low-power microprocessors for security-critical settings, surfacing a need for tools that can audit the security of the software (often called firmware) running on such devices. Despite the fact that firmware programs are often written in C, existing source-code analysis tools do not work well for this setting because of the specific architectur...
Dismal Code: Studying the Evolution of Security Bugs
Background. Security bugs are critical programming errors that can lead to serious vulnerabilities in software. Such bugs may allow an attacker to take over an application, steal data or prevent the application from working at all. Aim. We used the projects stored in the Maven repository to study the characteristics of security bugs individually and in relation to other software bugs. Specifica...