cispa_all_3908.pdf (359.92 kB)

SandDriller: A Fully-Automated Approach for Testing Language-Based JavaScript Sandboxes

conference contribution
posted on 2023-11-29, 18:24 authored by Abdullah AlHamdan, Cristian-Alexandru Staicu
Language-based isolation offers a cheap way to restrict the privileges of untrusted code. Previous work proposes a plethora of such techniques for isolating JavaScript code on the client side, enabling the creation of web mashups. While these solutions are mostly out of fashion among practitioners, there is a growing trend to use analogous techniques for JavaScript code running outside the browser, e.g., to protect against supply chain attacks on the server side. Irrespective of the use case, bugs in the implementation of language-based isolation can have devastating consequences. Hence, we propose SandDriller, the first dynamic analysis-based approach for detecting sandbox escape vulnerabilities. Our core insight is to design testing oracles around the two main objectives of language-based sandboxes: preventing writes outside the sandbox and restricting access to privileged operations. Using instrumentation, we interpose oracle checks on all references exchanged between the host and the guest code to detect foreign references that allow the guest code to escape the sandbox. If an oracle detects a foreign reference at run time, SandDriller proceeds to synthesize an exploit for it. We apply our approach to six sandbox systems and find eight unique zero-day sandbox breakout vulnerabilities and two crashes. We believe that SandDriller can be integrated into the development process of sandboxes to detect security vulnerabilities in the pre-release phase.


Preferred Citation

Abdullah AlHamdan and Cristian-Alexandru Staicu. SandDriller: A Fully-Automated Approach for Testing Language-Based JavaScript Sandboxes. In: Usenix Security Symposium (USENIX-Security). 2023.

Primary Research Area

  • Empirical and Behavioral Security

Name of Conference

Usenix Security Symposium (USENIX-Security)

Open Access Type

  • Green


BibTeX

@inproceedings{cispa_all_3908,
  title     = "SandDriller: A Fully-Automated Approach for Testing Language-Based JavaScript Sandboxes",
  author    = "AlHamdan, Abdullah and Staicu, Cristian-Alexandru",
  booktitle = "Usenix Security Symposium (USENIX-Security)",
  year      = "2023",
}
