Submitted via IRC for SoyCow8317
Research presented this week at the Black Hat Europe 2017 security conference has revealed that several popular interpreted programming languages are affected by severe vulnerabilities that expose apps built on these languages to attacks.
The author of this research is IOActive Senior Security Consultant Fernando Arnaboldi. The expert says he used an automated software testing technique named fuzzing to identify vulnerabilities in the interpreters of five of today's most popular programming languages: JavaScript, Perl, PHP, Python, and Ruby.
[...] The researcher released XDiFF as an open source project on GitHub. A more detailed presentation of the testing procedure and all the vulnerabilities is available in Arnaboldi's research paper named "Exposing Hidden Exploitable Behaviors in Programming Languages Using Differential Fuzzing."
(Score: 2) by LoRdTAW on Tuesday December 12 2017, @02:26PM (2 children)
Not really. The paper you speak of, Trusting Trust, has to do with a malicious compiler that secretly hides malicious code in an otherwise innocuous application without the developer's knowledge.
(Score: 1, Touché) by Anonymous Coward on Tuesday December 12 2017, @02:58PM (1 child)
Really. An interpreted program cannot avoid holes introduced by the interpreter, just as a compiled program cannot avoid holes introduced by the compiler.
(Score: 2) by LoRdTAW on Tuesday December 12 2017, @06:17PM
No, not really again. We're talking about two different scenarios. The article is talking about exploiting design or programming mistakes in the language's interpreter. Trusting Trust is about replacing an existing compiler with one that injects malicious code into binaries or other compilers. Very clear line between the two.