The Origin of Array Species - How Standards Drive Bugs in Script Engines
Offered By: Black Hat via YouTube
Course Description
Overview
Explore the intricate relationship between web standards and security vulnerabilities in this 44-minute Black Hat conference talk. Delve into the evolution of JavaScript features and their unexpected impact on existing functionality, leading to bugs in popular software like Adobe Flash, Chrome, Microsoft Edge, and Safari. Gain insights into weakly typed languages, class inheritance, array properties, and object types. Understand how specifications can inadvertently introduce security risks, and learn valuable lessons for developers and security researchers alike. Presented by Natalie Silvanovich, this talk offers a comprehensive look at the challenges of implementing web standards and their potential consequences for script engine security.
Syllabus
Introduction
Why there are bugs
Outline
Early JavaScript
Specifications are difficult
What are the implementations
How do standards lead to vulnerabilities
JavaScript weakly typed
Microsoft MP vulnerability
Adobe Flash vulnerability
Flash vs ACMA3
How classing works
How classing causes confusion
How prototyping causes confusion
C class inheritance
Integer Array
Sparse Array
Array Properties
Array Configuration
Array Index Interceptor
Array Prototypes
Array Interceptors
Array Promotion
Array Flowchart
Objects
Object Examples
Object Types
Fun Question
Banana Length
Fast Paths
Fast Path Bug
Array species
What can we learn
Developer
Security Research
Questions
Taught by
Black Hat