
SoylentNews is people

posted by takyon on Tuesday December 12 2017, @03:51AM
from the fuzzy-illogic dept.

Submitted via IRC for SoyCow8317

Research presented this week at the Black Hat Europe 2017 security conference has revealed that several popular interpreted programming languages are affected by severe vulnerabilities that expose apps built on these languages to attacks.

The author of this research is IOActive Senior Security Consultant Fernando Arnaboldi. The expert says he used an automated software testing technique named fuzzing to identify vulnerabilities in the interpreters of five of today's most popular programming languages: JavaScript, Perl, PHP, Python, and Ruby.

[...] The researcher released XDiFF as an open source project on GitHub. A more detailed presentation of the testing procedure and all the vulnerabilities is available in Arnaboldi's research paper named "Exposing Hidden Exploitable Behaviors in Programming Languages Using Differential Fuzzing."

Source: https://www.bleepingcomputer.com/news/security/secure-apps-exposed-to-hacking-via-flaws-in-underlying-programming-languages/


  • (Score: 2) by The Mighty Buzzard on Tuesday December 12 2017, @11:41PM (3 children)

    by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Tuesday December 12 2017, @11:41PM (#609014) Homepage Journal

    Clearly there are other forces at work against perfection than merely its own intrinsic ~~difficulty~~ practical impossibility.

    FTFY. Looking for perfection will have you producing nothing. Getting "hello world" out the door in assembly without an OS wouldn't even be viable because you can't trust the silicon it runs on unless you created the chip using the same perfect security standard.

    Looking for "better without becoming a massive time sink" is what you want to be doing as a base. If your particular situation calls for more than that, do more than that.

    --
    My rights don't end where your fear begins.
  • (Score: 2) by Arik on Wednesday December 13 2017, @12:24AM (2 children)

    by Arik (4543) on Wednesday December 13 2017, @12:24AM (#609023) Journal
    That's a view that makes perfect sense - if you have a very narrow field of vision.

    But if you zoom back out to the macro scope, it's a disaster in progress.
    --
    If laughter is the best medicine, who are the best doctors?
    • (Score: 2) by The Mighty Buzzard on Wednesday December 13 2017, @02:54AM (1 child)

      by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Wednesday December 13 2017, @02:54AM (#609061) Homepage Journal

      I'm not by any stretch saying not to keep on top of things as best you're able and write secure code to the best of your ability. That's one of the programming givens for me. Spending months or years making double-super-certain that under no circumstances can your program ever fail in an unfortunate way is not helpful to anyone though unless you work in a national security capacity.

      --
      My rights don't end where your fear begins.
      • (Score: 2) by Arik on Wednesday December 13 2017, @03:55AM

        by Arik (4543) on Wednesday December 13 2017, @03:55AM (#609076) Journal
        "I'm not by any stretch saying not to keep on top of things as best you're able and write secure code to the best of your ability. That's one of the programming givens for me."

        That's great and I think you are misunderstanding me a little.

        I'm not criticizing your personal practices, which I am sure are better than industry standard and nothing to be ashamed about.

        I'm talking about the broader ecosystem. You're working inside a system where you have no choice but to rely on the foundations that others built. And it's not your fault that those foundations were not built to be reliable.

        But it still might concern you.
        --
        If laughter is the best medicine, who are the best doctors?