Gasket: Identify bridges from JavaScript to Native code

Gasket is a command-line tool for uncovering bridges between JavaScript and low-level native code such as C, Rust, or WebAssembly. It performs a dynamic analysis that systematically inspects the in-memory layout of JavaScript function objects to identify functions that cross the language boundary.

Detecting these cross-language links, Gasket enables powerful cross-language analyses, including:

• Vulnerability detection in native bindings

• Cross-language call graph construction

• Supply-chain and dependency security auditing through reachability analysis

• Requirements
• Build/Install from Source
  • Gasket
  • Deno (w/ Gasket patch)
• Use a Prebuilt Docker Image
• Build Docker Image From Source
• Usage
  • Node.js
  • Deno
• Optional Arguments
• Related Publications

• Node.js >= 21.x, Deno >=1.46.x (with Gasket patch, see below)
• wget, unzip (for installing precompiled deno)
• git, sudo, make, g++, c++filt, GNU Debugger (GDB)
• wasm-objdump (offered by the wabt package on Debian)

These instructions assume building on Debian-based system.

1. Clone this repository:

2. Build and install Gasket:

Gasket's source code is organized as an npm package, and running npm install will also trigger compilation of Gasket's C++ backend.

3. (Recommended: Option A) Download and Install a Precompiled Deno Binary (w/ Gasket patch):

3. (Option B) Build and Install Deno (w/ Gasket patch) from Source:

See docs/deno-build.md for instructions.

The cap-add=SYS_PTRACE is necessary to allow Gasket to use GDB inside the container.

1. Clone the Gasket source code repository:

2. Build the Docker image:

3. Run a container using the image:

The cap-add=SYS_PTRACE is necessary to allow Gasket to use GDB inside the container.

The gasket executable provides a command-line interface that allows you to analyze a given installed npm package and identify its bridges:

1. (Optional) Install the target package from npm into a temporary directory:

Replace <dir> and <pkg> with your desired directory and package name.

For example, to install the sqlite3 package in /tmp, run:

2. Run Gasket:

In default mode, this will search for both Native and WASM bridges.

For example, to analyze the installed sqlite3 package, run:

3. Examine Gasket's output: Gasket stores its results in a JSON file that includes the following information:

• objects_examined: Number of objects examined by Gasket.
• callable_objects: Number of callable callable objects examined by Gasket.
• foreign_callbable_objects: Number of callable objects. with a foreign implementation (e.g., an implementation in C++).
• duration: Time in seconds spent analyzing the given package.
• count: Number of identified bridges.
• modules: Analyzed modules. These include both native extension binaries (.node) as well as JavaScript files.
• jump_libs: ELF binary and WASM files that identified bridges lead to. This is a set containing all distinct library fields identified in the bridges.
• bridges: A detailed list of identified bridges. Every bridge is a triple containing the following information:
  • type: Either js-to-native or js-to-wasm.
  • jsname: Name of the foreign callbable object on the JavaScript side.
  • cfunc: Name of the low-level function (binary/WASM) that implements the logic of the object exposed in JavaScript.
  • library: The library where this low-level function is found.

4. Sample output for the sqlite3 package (Native extension bridges):

In default mode, Gasket analyzes both native addon binaries and JavaScript source files. As such, it may output multiple JavaScript fully-qualified-names (FQNs) pointing to the same binary function. For example, sqlite3/build/Release/node_sqlite3.Database and sqlite3/lib/sqlite3.Database both correspond to the node_sqlite3::Database::Database binary function.

5. Sample output for the tiny-secp256k1 package (WASM bridges):

gasket-deno requires a deno binary with Gasket's patches available in $PATH.

1. Fetch the source code of the package you want to analyze (e.g., @db/sqlite):

Packages on deno.land/jsr.io contain links to the corresponding source code repositories.

3. Enter the source code directory:

3. Analyze the package using gasket-deno:

Only analyze .node native extension modules for js-to-native bridges.

Only analyze JavaScript source files for js-to-wasm bridges.

Before analysis, create modified copies of JavaScript source files with all variables explicitly exported. This exposes more objects to Gasket for introspection and may uncover otherwise missed bridges.

Setting this option significantly increases Gasket's execution time to ~10 minutes.

Take a snapshot of the V8 heap after importing the modules under analysis. This ensures that all objects are available to Gasket for introspection, whether they stem from native extension modules or JavaScript source files.

Only load and analyze a single module located at the provided path.

Load and analyze an internal Node.js module. For example, to analyze the fs module, you can run:

• Georgios Alexopoulos, Thodoris Sotiropoulos, Zhendong Su, and Dimitris Mitropoulos. Best of Both Worlds: Effective Foreign Bridge Identification in V8 Embedders for Security Analysis. In Proceedings of the 2026 IEEE Symposium on Security and Privacy (S&P'26). IEEE, 2026. To appear.