摘要
由于语言特性导致的JavaScript引擎漏洞是当今应用软件软件安全的重要威胁之一,攻击者通常间接利用JavaScript引擎漏洞造成远程命令执行,获得系统的控制权。介绍了引擎的基本信息,对引擎中经常出现的漏洞进行了分类,分别综述了静态和动态分析检测的基本步骤和发展脉络,提出了针对JavaScript引擎漏洞的检测基本框架,讨论了制约检测效率瓶颈问题以及可能的解决方法,结合最新的技术应用指出了未来的发展趋势和亟待解决的问题。
JavaScript engine vulnerabilities caused by language features is one of the important threats to the security of today’s software. Attackers often use JavaScript engine vulnerabilities to demonstrate remote code execution and gain controllability of the operating system. This paper introduces the basic information of the JavaScript engine, classifies the vulnerabilities that often appear in the engine, and summarizes the basic steps and development of static and dynamic analysis methods. Then it proposes the basic framework for detecting vulnerabilities in JavaScript engines, and discusses the detection efficiency, bottlenecks and possible solutions. At last, it points out future trends and some issues.
作者
林宏阳
彭建山
赵世斌
朱俊虎
许航
LIN Hongyang;PENG Jianshan;ZHAO Shibin;ZHU Junhu;XU Hang(State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450002, China)
出处
《计算机工程与应用》
CSCD
北大核心
2019年第11期16-24,34,共10页
Computer Engineering and Applications
基金
国家自然科学基金(No.61502528)
