Enabling Secure Multi-Language Software Applications by Enumerating Cross-Language Attacks
Overview
This repository contains the source code behind the NDSS '22 paper "Cross-Language Attacks," available here.
The paper shows that adding code in "safe" languages, such as Rust, to applications written in unsafe languages, such as C/C++, may undermine hardening techniques that have been applied to the C/C++ code. This paradoxical result shows the importance of having well-thought-out and consistent threat models. Here we provide the proofs of concept referenced in the paper for both Rust and Go. We also provide the analysis scripts we used to gauge how prevalent these vulnerabilities might be in Firefox.
Objective
The objective of this project is to aid authors of multi-language software applications in hardening their code. Securing such applications effectively requires understanding the threat model that they face, and how different defenses compose. We hope that our exploration of this subject results in more secure software.