Research presented this week at the Black Hat Europe 2017 security conference has revealed that several popular interpreted programming languages are affected by severe vulnerabilities that expose apps built on these languages to attacks.
Fuzzing is a testing technique that feeds invalid, unexpected, or random data as input to a software application. Fuzzing has been used for years in the software testing field but has recently become very popular with security researchers, especially with Google’s security team and the Linux community.
The reason is that fuzzing can identify crashes, hangs, or memory corruption issues. Some of these problems are not merely signs that the app’s code needs optimization; they often point to underlying security-related bugs.
Custom fuzzer finds flaws in all five programming languages
For his research, Arnaboldi built his own “differential fuzzer” named XDiFF (Extended Differential Fuzzing Framework) that was specifically adapted to target the structure and modus operandi of programming languages.
The researcher dissected each programming language down to its most basic functions and then used XDiFF to feed various types of input (called payloads) to each one.
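To make the method concrete, here is a small differential-fuzzing harness written as an added illustration (it is not XDiFF or any of the researcher's code). It assumes Python's own built-ins stand in for a language's "basic functions", uses a constructed payload corpus, and reports two signals: outcomes outside the routine rejection classes (including hangs, detected with a POSIX alarm), and payloads on which functions that should agree about numeric input diverge.

```python
import signal

# Constructed payload corpus: boundary and malformed values of the kind a
# differential fuzzer feeds to each basic function of an interpreter.
PAYLOADS = ["", "0", "-0", "1e999", "nan", "0x10", "\u0663", "1_000", " 7 ",
            "A" * 10_000, "\x00", None, 2**64, -2**64, 1.5]

# Stand-in "basic functions"; int/float/complex form the differential group.
TARGETS = {"int": int, "float": float, "complex": complex, "chr": chr, "len": len}

EXPECTED = (TypeError, ValueError)   # routine rejections; anything else is a finding


class Hang(Exception):
    pass


def _alarm(signum, frame):
    raise Hang


def run_one(func, payload, seconds=2):
    """Call func(payload) once and classify the outcome as a short label."""
    has_alarm = hasattr(signal, "SIGALRM")   # POSIX only; no timeout elsewhere
    if has_alarm:
        try:
            signal.signal(signal.SIGALRM, _alarm)
            signal.alarm(seconds)
        except ValueError:                   # not in the main thread
            has_alarm = False
    try:
        func(payload)
        return "ok"
    except Hang:
        return "hang"
    except EXPECTED:
        return "rejected"
    except Exception as exc:       # unexpected exception classes are the signal
        return "unexpected:" + type(exc).__name__
    finally:
        if has_alarm:
            signal.alarm(0)


def fuzz(targets=TARGETS, payloads=PAYLOADS):
    """Outcome matrix: {payload repr: {target name: outcome label}}."""
    return {repr(p): {n: run_one(f, p) for n, f in targets.items()}
            for p in payloads}


def findings(matrix, group=("int", "float", "complex")):
    """Anomalies (hangs or unexpected exceptions on any target) and payloads
    on which the functions in `group` disagree, i.e. the differential signal."""
    anomalies = sorted((p, n, o) for p, row in matrix.items()
                       for n, o in row.items()
                       if o == "hang" or o.startswith("unexpected"))
    divergent = sorted(p for p, row in matrix.items()
                       if len({row[n] for n in group}) > 1)
    return anomalies, divergent


if __name__ == "__main__":
    anomalies, divergent = findings(fuzz())
    for item in anomalies:
        print("anomaly:", item)
    for p in divergent:
        print("divergence:", p)
```

On CPython this flags, for example, `chr(2**64)` raising OverflowError rather than a routine ValueError, and `"1e999"`/`"nan"` being rejected by `int` but accepted by `float` and `complex`; the same matrix built against several interpreters is what turns this into cross-language differential fuzzing.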
“Finding interesting vulnerabilities is entirely dependent on choosing the correct input,” Arnaboldi says. “For…