Overview
A native function check is a technique used in JavaScript obfuscation to detect whether a function is a native browser function or a modified version introduced by an obfuscator or malicious script. This mechanism helps distinguish between functions that are part of the JavaScript engine's core implementation and those that have been altered or replaced.
This concept is particularly relevant in the context of anti-tampering and anti-debugging systems. When JavaScript code is obfuscated, developers often replace native functions with custom implementations to prevent analysis. A native function check helps identify such replacements by verifying the original function's behavior or signature.

Why It Matters
Native function checks are crucial for security-sensitive applications where detecting tampering or obfuscation is important. They provide a way to maintain trust in core JavaScript functions and ensure that security features are not bypassed through manipulation of the runtime environment.
For developers working with security-critical code, these checks prevent bypasses of built-in protections. For example, if an application relies on eval for dynamic code execution, a native function check can detect if an attacker has replaced it with a modified version that logs or alters input.
In production systems, native function checks can be used to validate that code has not been tampered with during transit or execution, particularly in environments where code integrity is paramount.
How It Works
Native function checks work by comparing the expected behavior or representation of a function against its actual implementation. This process typically involves analyzing the function's source code, properties, or runtime behavior to determine if it matches the original browser implementation.
- Native function checks often rely on the `toString()` method of functions to compare their source code representation against known patterns.
- They may inspect the `length` property or other intrinsic attributes that should remain consistent for native functions.
- Some checks involve comparing function behavior under specific inputs to ensure it matches expected native behavior.
- Advanced checks might use `Function.prototype.call` or similar mechanisms to test whether the function acts as expected.
- These checks can be implemented using regular expressions or string comparison logic to detect obfuscated or modified code signatures.
Quick Reference
| Item | Purpose | Notes |
|---|---|---|
| Function.toString() | Compare source representation | Used to detect modifications to function source |
| Function.length | Verify parameter count | Native functions have fixed parameter counts |
| Function.prototype.call | Test runtime behavior | Ensures function operates as expected |
| RegExp.exec() | Pattern matching | Used to identify obfuscation patterns |
| Object.getOwnPropertyNames() | Inspect function properties | Detects added or removed properties |
Basic Example
This basic example demonstrates how to check if a function is native by comparing its string representation.
```javascript
// Returns true when fn's string form is exactly a named native stub,
// e.g. "function setTimeout() { [native code] }".
function isNativeFunction(fn) {
  return /^function\s+\w+\s*\([^)]*\)\s*{\s*\[native code\]\s*}\s*$/.test(fn.toString());
}

const nativeFunction = setTimeout;
const modifiedFunction = function() { return "modified"; };

console.log(isNativeFunction(nativeFunction)); // true (in a browser)
console.log(isNativeFunction(modifiedFunction)); // false
```
The example uses a regular expression to detect the presence of [native code] in the function's string representation. Native functions will contain this string, while modified functions will not.
Production Example
In a production environment, native function checks are often part of a broader security framework. This example shows how to perform checks on multiple functions while handling edge cases.
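```javascript
function isNativeFunction(fn) {
  // Anything that is not callable cannot be a native function.
  if (typeof fn !== 'function') return false;
  // Call the prototype method directly so an own `toString` property on fn is ignored.
  const str = Function.prototype.toString.call(fn);
  // Require the body to be exactly the native marker. A bare substring test for
  // 'native code' also matches ordinary source that merely mentions those words.
  return /\{\s*\[native code\]\s*\}\s*$/.test(str);
}

function validateSecurityFunctions() {
  const functionsToCheck = [setTimeout, clearTimeout, eval, Function];
  const results = {};
  functionsToCheck.forEach(fn => {
    // Key each result by function name so it can be logged or monitored.
    results[fn.name] = isNativeFunction(fn);
  });
  return results;
}

const securityStatus = validateSecurityFunctions();
console.log(securityStatus);
```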
This version is more suitable for production because it includes type checking, handles multiple functions, and avoids over-reliance on a single detection method. It also provides a structured result for monitoring security status.
Common Mistakes
- Assuming that all functions with `[native code]` in their `toString()` output are truly native. Some environments may simulate this string for compatibility.
- Using only one detection method, such as relying solely on `toString()`, which can be bypassed by certain obfuscators.
- Not handling edge cases like values that are not functions or functions that have been wrapped in closures.
- Overlooking that some browsers may return different `toString()` representations for the same function across versions.
- Ignoring that native functions can still be modified or replaced in certain contexts, such as in test environments or by polyfills.
Security And Production Notes
- Native function checks should not be the sole defense mechanism in security-sensitive applications, as they can be circumvented by sophisticated obfuscation.
- Always validate function behavior, not just their string representation, to ensure robust detection.
- Be aware that some environments may return false positives for native function detection due to polyfill libraries or development tools.
- Native function checks can introduce performance overhead in applications that frequently validate function integrity.
- Use native function checks in conjunction with other integrity validation techniques for stronger protection.
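The checks from How It Works and the pitfalls from Common Mistakes, combined in one layered detector that reports why a function fails rather than a bare true/false. This is an added example, not code from the original page: `naiveIsNative`, `inspectFunction`, `runDemo` and the three tampered samples are constructed for illustration, and `expectedName` is assumed to be a plain identifier.

```javascript
// Capture pristine references at load time
// (assumption: this script runs before any code that could patch them).
const fnToString = Function.prototype.toString;
const apply = Reflect.apply;
const hasOwn = Object.prototype.hasOwnProperty;

// Weak check: trusts fn.toString() and a substring match.
function naiveIsNative(fn) {
  return typeof fn === 'function' && fn.toString().includes('[native code]');
}

// Layered check: own-property override, expected name and length, and an
// anchored match on the source text. Returns a list of findings.
function inspectFunction(fn, expectedName, expectedLength) {
  if (typeof fn !== 'function') return ['not a function'];
  const findings = [];
  if (apply(hasOwn, fn, ['toString'])) findings.push('own toString override');
  if (fn.name !== expectedName) findings.push('unexpected name: ' + fn.name);
  if (fn.length !== expectedLength) findings.push('unexpected length: ' + fn.length);
  // Use the captured prototype method, never fn.toString().
  const src = apply(fnToString, fn, []);
  const shape = new RegExp(
    '^function ' + expectedName + '\\(\\)\\s*\\{\\s*\\[native code\\]\\s*\\}$'
  );
  if (!shape.test(src)) findings.push('source is not a native stub');
  return findings; // an empty array means every check passed
}

// Constructed test cases for the detector: replacements that pass the weak check.
const spoofedToString = function max() { return 0; };
spoofedToString.toString = () => 'function max() { [native code] }';
const markerInComment = function max(a, b) { /* [native code] */ return 0; };
const boundWrapper = Math.max.bind(null, 9999); // native-looking wrapper

function runDemo() {
  const samples = { genuine: Math.max, spoofedToString, markerInComment, boundWrapper };
  const report = {};
  for (const [label, fn] of Object.entries(samples)) {
    report[label] = {
      naive: naiveIsNative(fn),
      findings: inspectFunction(fn, 'max', 2),
    };
  }
  return report;
}
console.log(JSON.stringify(runDemo(), null, 2));
```

The expected name and length for each monitored function should come from a known-good baseline for the engines you support. Captured references only help if nothing patched `Function.prototype.toString` before this script ran.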
Related Concepts
Native function checks are closely related to several other concepts in JavaScript security and obfuscation:
Function Obfuscation: The practice of modifying function names, parameters, or code to prevent reverse engineering. Native function checks help detect when such obfuscation has occurred.
Anti-Tampering: Techniques used to detect or prevent modification of code or data. Native function checks are one tool in the anti-tampering toolkit.
Debugging Protection: Methods to prevent or detect debugging tools from being used on code. These checks can help identify when debugging tools are being used to inspect or modify functions.
Code Integrity: Ensuring that code remains unmodified from its original state. Native function checks help validate that core functions have not been altered.
Runtime Environment Detection: Techniques to identify the execution environment, including whether the code is running in a browser or a test environment. Native function checks can help distinguish between these contexts.