Comprehensive Protection for Dynamically-typed Languages: Avoiding the Pitfalls of Language-level Sandboxing
Dynamically-typed languages have improved programming experience in software development, leading to widespread adoption in the modern software ecosystem. As dynamically- typed languages continue to evolve, their implementations inevitably become more complex and error-prone. As a result, many bugs in the language implementations are found every year, and attackers try to exploit them for code-injection or code-reuse attacks. Prior work has attempted to defend against these attacks by using technologies such as data execution prevention (DEP), software diversity, control-flow integrity (CFI), etc. However, interactive scripting environments provide attackers with a unique attack surface, capable of bypassing existing defenses.