Understanding and Mitigating Remote Code Execution Vulnerabilities in Cross-platform Ecosystem

Abstract

JavaScript cross-platform frameworks are becoming increasingly popular. They help developers easily and conveniently build cross-platform applications while just needing only one JavaScript codebase. Recent security reports showed several high-profile cross-platform applications (e.g., Slack, Microsoft Teams, and Github Atom) suffered injection issues, which were often introduced by Cross-site Scripting (XSS) or embedded untrusted remote content like ads. These injections open security holes for remote web attackers, and cause serious security risks, such as allowing injected malicious code to run arbitrary local executables in victim devices (referred to as XRCE attacks). However, until now, XRCE vectors and behaviors and the root cause of XRCE were rarely studied and understood. Although the cross-platform framework developers and community responded quickly by offering multiple security features and suggestions, these mitigations were empirically proposed with unknown effectiveness. In this paper, we conduct the first systematic study of the XRCE vulnerability class in the cross-platform ecosystem. We first build a generic model for different cross-platform applications to reduce their semantic and behavioral gaps. We use this model to (1) study XRCE by comprehensively defining its attack scenarios, surfaces, and behaviors, (2) investigate and study the state-of-the-art defenses, and verify their weakness against XRCE attacks. Our study on 640 real-world cross-platform applications shows, despite the availability of existing defenses, XRCE widely affects the cross-platform ecosystem. 75% of applications may be impacted by XRCE, including Microsoft Teams. (3) Finally, we propose XGuard, a novel defense technology to automatically mitigate all XRCE variants derived from our concluded XRCE behaviors.