DOI: 10.1145/3297280.3297471
research-article

Static security evaluation of an industrial web application

Published: 08 April 2019

ABSTRACT

JavaScript is the most popular programming language for web applications. Static analysis of JavaScript applications is highly challenging due to its dynamic language constructs and event-driven asynchronous executions, which also give rise to many security-related bugs. Several static analysis tools to detect such bugs exist; however, research has not yet reported much on the precision and scalability trade-off of these analyzers. As a further obstacle, JavaScript programs structured in Node.js modules need to be collected for analysis, but existing bundlers are either specific to their respective analysis tools or not particularly suitable for static analysis.

In this paper we propose a novel approach to compare the precision, scalability and code coverage of two widely used static analysis frameworks, WALA and SAFE, together with simplePack, which bundles dependent modules in an analyzer-agnostic way, enabling a fair comparison. To appropriately evaluate the precision of the analyzers, we select all equivalent user object and variable references and compute their properties' average points-to set sizes. Our evaluation indicates that SAFE provides higher precision and better code coverage at the cost of somewhat lower scalability. Evaluating the simplePack bundler shows that the static call graph of its bundle is more precise than that of the bundle produced by Browserify, one of the most popular module bundlers. Based on these results, we analyze the data flows of a hybrid app (JS & native) provided by an industrial partner via taint analysis. To that end we modeled the native (platform) functions of the app in a DSL for SAFE and extended its taint analysis to support tainted objects rather than only primitive-type data. We show that there is potential for injection attacks, as tainted objects may reach the sink without being sanitized.

Published in

SAC '19: Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing
April 2019
2682 pages
ISBN: 9781450359337
DOI: 10.1145/3297280

Copyright © 2019 ACM


Publisher

Association for Computing Machinery, New York, NY, United States


Acceptance Rates

Overall acceptance rate: 1,650 of 6,669 submissions (25%)
