Scripting languages are continuously gaining popularity due to their ease of use and the flourishing software ecosystems that surround them. These languages offer crash safety and memory safety by design, so developers do not need to understand and prevent low-level security issues like the ones plaguing C code. However, scripting languages often allow native extensions, a mechanism by which custom C/C++ code is invoked directly from the high-level language. While this feature promises several benefits, such as increased performance or the reuse of legacy code, it can also break the language's guarantees, e.g., crash safety. In this work, we first provide a comparative analysis of the security risks of native extension APIs in three popular scripting languages. Additionally, we present a novel methodology for studying misuse of the native extension API. We then perform an in-depth study of npm, the ecosystem most exposed to threats introduced by native extensions. We show that vulnerabilities in extensions can be exploited through their embedding library, producing reads of uninitialized memory, hard crashes or memory leaks in 33 npm packages simply by invoking their API with well-crafted inputs. Moreover, we identify six open-source web applications in which such exploits can be deployed remotely by a weak adversary. Finally, we were assigned seven security advisories for the work presented in this paper, most labeled as high severity.
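The failure mode the abstract describes, a native extension reached from the scripting language with a well-crafted argument, comes down to two misuses of the engine's extension API: not checking the status an accessor returns (so a non-Buffer argument leaves the output variables uninitialized) and trusting script-supplied offsets and lengths. The following is an added example, not code from the paper or from any npm package it studied. It models the value/status interface of an engine API in plain C (the shape of a Node-API call such as napi_get_buffer_info) so that it compiles stand-alone; `js_value`, `api_get_buffer_info`, `sum_range_unsafe` and `sum_range_safe` are hypothetical names written for this illustration, and the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the value/status interface a scripting engine exposes
 * to native extensions. Written for this example only; it is neither the
 * paper's code nor any real engine API. */
typedef enum { VT_UNDEFINED, VT_NUMBER, VT_STRING, VT_BUFFER } value_type;

typedef struct {
    value_type type;
    double number;        /* meaningful only for VT_NUMBER */
    const char *str;      /* meaningful only for VT_STRING */
    const uint8_t *buf;   /* meaningful only for VT_BUFFER */
    size_t buf_len;       /* meaningful only for VT_BUFFER */
} js_value;

typedef enum { API_OK = 0, API_INVALID_ARG = 1 } api_status;

/* Like real accessors, a type mismatch is reported only through the return
 * status; the out-parameters are left untouched on failure. */
static api_status api_get_buffer_info(const js_value *v, const uint8_t **data, size_t *len)
{
    if (v->type != VT_BUFFER)
        return API_INVALID_ARG;
    *data = v->buf;
    *len = v->buf_len;
    return API_OK;
}

/* Extension entry point, unsafe form: sums buf[offset .. offset+count).
 * Misuse 1: the status of api_get_buffer_info is dropped, so a caller who
 *   passes a string or number instead of a Buffer makes `data` and `len`
 *   be read uninitialized.
 * Misuse 2: offset and count come straight from the script and are never
 *   checked against len, so a large count reads past the buffer. */
static uint32_t sum_range_unsafe(const js_value *arg, size_t offset, size_t count)
{
    const uint8_t *data;
    size_t len;
    api_get_buffer_info(arg, &data, &len);   /* return value ignored */
    (void)len;                               /* length never consulted */
    uint32_t acc = 0;
    for (size_t i = 0; i < count; i++)
        acc += data[offset + i];
    return acc;
}

/* Hardened form: the engine status is checked before the memory is touched,
 * and the range is validated with wrap-safe arithmetic. Errors go back to
 * the caller (a real extension would throw a script-level exception) instead
 * of crashing the process. */
typedef enum { EXT_OK = 0, EXT_TYPE_ERROR = 1, EXT_RANGE_ERROR = 2 } ext_status;

static ext_status sum_range_safe(const js_value *arg, size_t offset, size_t count, uint32_t *out)
{
    const uint8_t *data = NULL;
    size_t len = 0;
    if (api_get_buffer_info(arg, &data, &len) != API_OK)
        return EXT_TYPE_ERROR;
    /* offset + count could wrap around; this form cannot. */
    if (offset > len || count > len - offset)
        return EXT_RANGE_ERROR;
    uint32_t acc = 0;
    for (size_t i = 0; i < count; i++)
        acc += data[offset + i];
    *out = acc;
    return EXT_OK;
}

/* Constructed inputs: a 4-byte Buffer and a crafted non-Buffer argument. */
static const uint8_t sample_bytes[4] = { 1, 2, 3, 4 };
static const js_value sample_buffer = { .type = VT_BUFFER, .buf = sample_bytes,
                                        .buf_len = sizeof sample_bytes };
static const js_value crafted_string = { .type = VT_STRING, .str = "not a buffer" };

int main(void)
{
    uint32_t sum = 0;
    printf("benign call, unsafe form: %u\n", (unsigned)sum_range_unsafe(&sample_buffer, 1, 2));
    printf("crafted type, safe form: status %d\n", (int)sum_range_safe(&crafted_string, 0, 1, &sum));
    printf("crafted range, safe form: status %d\n", (int)sum_range_safe(&sample_buffer, 2, 8, &sum));
    /* Deliberately not executed: sum_range_unsafe(&crafted_string, 0, 1) reads an
     * uninitialized pointer, and sum_range_unsafe(&sample_buffer, 2, 8) reads past
     * sample_bytes. Both are undefined behaviour, which is the crash the paper means. */
    return 0;
}
```

The checks in `sum_range_safe` are the whole fix: the unsafe variant is exactly one dropped return value and one missing comparison away from it, which is why such bugs are easy to reach from an embedding library that forwards user input to the binding unvalidated.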