Understanding and Mitigating Remote Code Execution Vulnerabilities in Cross-platform Ecosystem

JavaScript cross-platform frameworks are becoming increasingly popular. They help developers easily and conveniently build cross-platform applications while just needing only one JavaScript codebase. Recent security reports showed several high-profile cross-platform applications (e.g., Slack, Microsoft Teams, and Github Atom) suffered injection issues, which were often introduced by Cross-site Scripting (XSS) or embedded untrusted remote content like ads. These injections open security holes for remote web attackers, and cause serious security risks, such as allowing injected malicious code to run arbitrary local executables in victim devices (referred to as XRCE attacks). However, until now, XRCE vectors and behaviors and the root cause of XRCE were rarely studied and understood. Although the cross-platform framework developers and community responded quickly by offering multiple security features and suggestions, these mitigations were empirically proposed with unknown effectiveness.