Now you C me, now you don't: An introduction to the hidden attack surface of interpreted languages
Blog post from GitHub
Memory safety in interpreted languages can be an illusion: vulnerabilities in the underlying C/C++ code can expose higher-level applications to security threats. Despite the perceived safety offered by higher-level languages, fragile attack surfaces often exist in the C/C++-based runtime systems and in third-party libraries accessed via Foreign Function Interfaces (FFIs). Historical cases, such as Perl's format string vulnerabilities and PHP's unserialization attacks, highlight how bugs at the lower level can escalate into exploitable vulnerabilities. Similarly, Python's CVE-2014-1912 demonstrates how memory safety assumptions can be misleading, as developers might inadvertently introduce vulnerabilities by trusting the language's inherent safety mechanisms. This series aims to educate developers on recognizing potential attack surfaces and implementing defensive programming practices to mitigate risks, and it promises future installments that will delve into contemporary attack vectors within modern interpreted language ecosystems.