The objective is to identify the security value of static code assessment of SLANG scripts.
Securities Language (SLANG)
SLANG is an interpreted language whose interpreter is written in C. The SLANG code repository is a monorepo supported using CVs. SLANG includes functions for accessing SecDB objects, analysing securities, performing qualitative calculations, generating 2-dimensional and 3-dimensional graphs, working with files, managing sockets, creating regular expressions, and much more. GS developers write more than 1 million lines of SLANG code per month. Baseline coverage for static code scan: Checkmarx scan coverage. Buffer overflow was identified as 

SLANG Applications

In-house-built ecosystem using SLANG – Millions of lines of business-essential code are written in SLANG.

Preferred Discount - Line items whose line item task contains GF98,97,95,94,93,91

Single Line Item Invoices - Line Items that correspond to an invoice whose total number of line items is three or less

Context
Goldman Sachs operates an in-house-built ecosystem around its own programming language, SLANG. Millions of lines of the most business-essential code are written in it. SLANG is an interpreted language, conceptually similar to Python and developed just before Python. SLANG code is very tightly coupled with SecDB, a heavily optimized key-value database (not SQL) that was initially acquired and then developed in-house for decades.

(Disclaimer: I know very little about the below - anyone: please correct me where I'm wrong) SLANG code runs in various contexts, ranging from swarms of data-change-triggered jobs recalculating stuff (heavy mathematical computations), down to web servers, with a fully in-house-developed HTTP stack and SLANG-based web frameworks (that are possibly full of fundamental vulnerabilities from the '90s).

There are two contexts where SLANG code runs: users' Windows NDS workstations and server jobs. When working with SLANG on NDS, one either uses the ancient-looking UI of 'secview' or the command-line-based SLANG execution engine 'secexpr'. On servers, SLANG code runs as 'secexpr' jobs in the Linux environment. The Windows vs. Linux distinction will be significant in this project: while early interactions will be on Windows, exploitation is expected against the Linux-based implementation.

There are nuances around the origin of the SLANG source code: millions of lines of various libraries, written in SLANG, are dynamically loaded from the single ?monorepo? of SLANG code stored in a specific SecDB database. SLANG libraries are pulled in mostly invisibly to the developer/user.

Beyond SLANG libraries developed in SLANG, there are language-native functions baked into the SLANG interpreter. They can be seen as the standard library of the language, exposing OS-native capabilities such as file operations. Those functions are written in C, like the entire SLANG interpreter; they are part of the interpreter, after all. The scope of those C-based functions goes well beyond operating-system integration, however. They include very specific business capabilities such as Excel file parsing, Base64 encoding, etc. One might speculate that they are a form of performance optimization, moving IO- and compute-heavy operations into native-speed code. Those C-based functions are then available to SLANG code like any other function. From a memory-safety standpoint this is the relevant boundary: a SLANG script cannot corrupt memory by itself, but every native function it calls is C code handling script-controlled lengths and contents.

Security analysis of SLANG and SecDB by Tech Risk has a very short history. This project is a result of observations from pentests conducted around 2022. A mostly uncharted territory is exposed to the project owner, a dream case for any security researcher.

Problem Statement / Goal
The SLANG implementation is known to suffer from a multitude of buffer overflow vulnerabilities. The project is to take one such vulnerability and exploit it down to remote code execution on a representative Linux-based (PSRP-based?) environment. Practical exploitation will either confirm the impact of those vulnerabilities or discover tangible challenges in lining up exploitation gadgets.

Additionally, the project may become a training vehicle for the broader pentesting community at GS: once all prerequisites are set up, more testers may join the exploit development and research.

The Tech Risk team is aware of at least one SLANG function with a buffer overflow allowing an arbitrary write past the buffer (heap buffer overflow), but practical exploitation of it has not been attempted. Heap overflow exploitation gadgets of the SLANG interpreter have never been analyzed.
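As an added illustration of the bug class the two paragraphs above describe (a C-implemented native function, here Base64 encoding as the earlier section lists among the native capabilities, exposed to interpreted code and writing past a heap buffer), the following example is hypothetical code written for this page. It is not SLANG interpreter code and says nothing about which SLANG function is affected; all function names (native_b64_vuln, native_b64_safe, vuln_alloc_size, safe_alloc_size, overrun_bytes) are invented. The vulnerable wrapper sizes its heap buffer as len*4/3, which truncates, ignores '=' padding and omits the terminating NUL, so the encoder overruns the allocation by one to four bytes for every input length. The hardened wrapper computes the exact size, guards the arithmetic against size_t wrap, and refuses rather than truncates.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical example; not code from the SLANG interpreter. */

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Sizing as a careless native function might do it: integer division
 * truncates, no room for '=' padding, no room for the NUL terminator. */
size_t vuln_alloc_size(size_t len) { return len * 4 / 3; }

/* Correct sizing: four output characters per 3-byte group, rounded up,
 * plus one byte for the NUL terminator. */
size_t safe_alloc_size(size_t len) { return 4 * ((len + 2) / 3) + 1; }

/* Number of bytes the encoder writes past a vuln_alloc_size() buffer. */
size_t overrun_bytes(size_t len) { return safe_alloc_size(len) - vuln_alloc_size(len); }

/* Core encoder. Always writes exactly safe_alloc_size(len) bytes into out,
 * including the NUL; the caller is responsible for sizing out correctly. */
static void b64_encode_into(const uint8_t *in, size_t len, char *out) {
    size_t i = 0, o = 0;
    while (i + 3 <= len) {
        uint32_t v = ((uint32_t)in[i] << 16) | ((uint32_t)in[i + 1] << 8) | in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = B64[(v >> 6) & 63];
        out[o++] = B64[v & 63];
        i += 3;
    }
    size_t rem = len - i;
    if (rem == 1) {                      /* one trailing byte -> "xx==" */
        uint32_t v = (uint32_t)in[i] << 16;
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = '=';
        out[o++] = '=';
    } else if (rem == 2) {               /* two trailing bytes -> "xxx=" */
        uint32_t v = ((uint32_t)in[i] << 16) | ((uint32_t)in[i + 1] << 8);
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = B64[(v >> 6) & 63];
        out[o++] = '=';
    }
    out[o] = '\0';
}

/* VULNERABLE native wrapper (hypothetical). The heap allocation is too
 * small for every len, so b64_encode_into() writes overrun_bytes(len)
 * bytes past the end of the chunk: a script-controlled heap overflow.
 * Do not call this; it is here to show the defect next to the fix. */
char *native_b64_vuln(const uint8_t *in, size_t len) {
    char *out = malloc(vuln_alloc_size(len));
    if (out == NULL) return NULL;
    b64_encode_into(in, len, out);       /* heap buffer overflow */
    return out;
}

/* HARDENED native wrapper: exact size, arithmetic guarded against wrap,
 * and failure is reported to the interpreter instead of being hidden. */
char *native_b64_safe(const uint8_t *in, size_t len) {
    if (len > SIZE_MAX / 4 - 2) return NULL;   /* safe_alloc_size() would wrap */
    size_t n = safe_alloc_size(len);
    char *out = malloc(n);
    if (out == NULL) return NULL;
    b64_encode_into(in, len, out);             /* writes exactly n bytes */
    return out;
}

int main(void) {
    /* Constructed sample inputs; show the overrun per length and the safe path. */
    for (size_t len = 0; len <= 6; len++)
        printf("len=%zu vuln_alloc=%zu needed=%zu overrun=%zu\n",
               len, vuln_alloc_size(len), safe_alloc_size(len), overrun_bytes(len));
    char *s = native_b64_safe((const uint8_t *)"Man", 3);
    if (s != NULL) { printf("safe(\"Man\") = %s\n", s); free(s); }
    return 0;
}
```

The point a static scanner has to see here is that the overflow is not in the encoder loop at all but in a one-line size computation several calls away from the write, which is why a taint- or pattern-based scan of the interpreter source needs the length-to-allocation relation, not just the presence of memcpy or unchecked indexing.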