Best of Both Worlds: Effective Foreign Bridge Identification in V8 Embedders for Security Analysis

Presenter: Georgios Alexopoulos
Date: 13 May 2026

Abstract

Modern JavaScript applications increasingly rely on native extensions and WebAssembly modules for performance-critical functionality. This multi-language architecture, however, introduces attack surfaces in native code that may be exploitable via JavaScript interfaces. Effective cross-language security analysis depends on accurately identifying bridges, i.e., connection points where JavaScript functions delegate to native or WebAssembly code. Yet, existing approaches often struggle to cover all such bridges or produce false positives, due to the diversity of foreign function interfaces in JavaScript.

We present GASKET, a novel dynamic analysis tool that effectively identifies bridges between JavaScript and low-level code. The key insight behind GASKET is that regardless of the binding framework or runtime used, all function objects are ultimately represented as uniform internal structures within the JavaScript engine (e.g., V8). By analyzing the memory layout of these structures, GASKET effortlessly identifies the native or WebAssembly functions bound to JavaScript high-level constructs, even across diverse binding frameworks and execution environments.

Our evaluation demonstrates that GASKET achieves perfect recall while incurring no false positives. When integrated with existing security tools across 1,266 npm packages, GASKET enables the detection of 54 additional vulnerable flows in 23 packages that were missed by prior approaches due to incomplete bridge identification. Among these flows, 19 are confirmed to be exploitable vulnerabilities. Beyond discovering new vulnerabilities, GASKET also benefits software supply chain analysis: in a systematic study of ∼2K dependent packages, we find that although many depend on vulnerable native extensions, only a small fraction actually invoke vulnerable functions. This allows for reduced alert fatigue and actionable security insights.
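
As an added illustration (not GASKET's code and not taken from the talk), the sketch below walks a module's export graph and flags functions by a signal visible from JavaScript itself, the `[native code]` source text. It shows why such a signal cannot separate a WebAssembly bridge from a bound JavaScript function or an engine builtin, which is the gap that inspecting the engine's internal function structures closes. All names (`findNativeLooking`, `buildSampleExports`) and the sample export object are hypothetical and constructed here.

```javascript
// Added example: a JavaScript-level heuristic, NOT GASKET's engine-level analysis.
const NATIVE_SRC = /\{\s*\[native code\]\s*\}\s*$/;

// True when the engine hides the function's source text.
function looksNative(fn) {
  return NATIVE_SRC.test(Function.prototype.toString.call(fn));
}

// Walk own properties without invoking getters; return sorted paths of
// native-looking functions. Handles cycles via the `seen` set.
function findNativeLooking(root, rootName = 'exports') {
  const seen = new Set();
  const hits = [];
  const stack = [[root, rootName]];
  while (stack.length > 0) {
    const [value, path] = stack.pop();
    const isObj = (typeof value === 'object' && value !== null) ||
                  typeof value === 'function';
    if (!isObj || seen.has(value)) continue;
    seen.add(value);
    if (typeof value === 'function' && looksNative(value)) hits.push(path);
    for (const key of Reflect.ownKeys(value)) {
      const desc = Reflect.getOwnPropertyDescriptor(value, key);
      if (desc && 'value' in desc) stack.push([desc.value, `${path}.${String(key)}`]);
    }
  }
  return hits.sort();
}

// Constructed sample: smallest WebAssembly module exporting one empty function "f".
const WASM_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // magic + version
  0x01, 0x04, 0x01, 0x60, 0x00, 0x00,             // type section: () -> ()
  0x03, 0x02, 0x01, 0x00,                         // function section
  0x07, 0x05, 0x01, 0x01, 0x66, 0x00, 0x00,       // export "f" as func 0
  0x0a, 0x04, 0x01, 0x02, 0x00, 0x0b,             // code section: empty body
]);

// Constructed export object mixing pure JS, a bound JS function, a builtin and a wasm export.
function buildSampleExports() {
  const wasm = new WebAssembly.Instance(new WebAssembly.Module(WASM_BYTES));
  function hash(data) { return data.length; }
  return {
    plainJs: hash,                  // ordinary JS: source text visible
    boundJs: hash.bind(null),       // still pure JS, but source text hidden
    wasmExport: wasm.exports.f,     // the only real bridge in this sample
    nested: { builtin: Math.max },  // engine builtin, not package-supplied code
  };
}
```

Running `findNativeLooking(buildSampleExports())` flags `boundJs`, `nested.builtin` and `wasmExport` alike, although only `wasmExport` delegates to code outside JavaScript that the sample itself supplies.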