ABSTRACT
JavaScript is the most popular programming language for web applications. Static analysis of JavaScript applications is highly challenging because of its dynamic language constructs and event-driven asynchronous execution, which also give rise to many security-related bugs. Several static analysis tools to detect such bugs exist; however, research has not yet reported much on the precision and scalability trade-off of these analyzers. As a further obstacle, JavaScript programs structured in Node.js modules need to be collected for analysis, but existing bundlers are either specific to their respective analysis tools or not particularly suitable for static analysis.
In this paper we propose a novel approach to compare the precision, scalability and code coverage of two widely-used static analysis frameworks---WALA and SAFE---together with simplePack, which bundles dependent modules in an analyzer-agnostic way and thereby enables a fair comparison. To evaluate the precision of the analyzers appropriately, we select all equivalent user object and variable references and compute the average points-to set sizes of their properties. Our evaluation indicates that SAFE provides higher precision and better code coverage at the cost of somewhat lower scalability. Evaluating the simplePack bundler shows that the static call graph of its bundle is more precise than that of the bundle produced by Browserify, one of the most popular module bundlers. Based on these results, we analyze the data flows of a hybrid app (JavaScript and native) provided by an industrial partner via taint analysis. To that end we modeled the native (platform) functions of the app in a DSL for SAFE and extended its taint analysis to support tainted objects rather than only primitive-type data. We show that there is potential for injection attacks, as tainted objects may reach the sink without being sanitized.
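The precision metric the abstract describes (restrict both analyzers to the references they both report, then average the points-to set sizes of those references' properties) is easy to get wrong if one analyzer's extra references are left in the average. The following is an added example, not code from the paper or from WALA, SAFE or simplePack; the two points-to tables, the reference and property names and the abstract locations are constructed sample data, and the "A"/"B" analyzer labels are placeholders. A smaller average means a more precise analysis.

```javascript
// Added example: comparing analyzer precision via average points-to set sizes.
// A points-to result is modelled as: reference -> property -> Set of abstract locations.
// (Constructed data; not output of any real analyzer.)

function pointsToTable(entries) {
  // entries: [referenceName, propertyName, [abstractLocation, ...]] triples
  const table = new Map();
  for (const [ref, prop, locs] of entries) {
    if (!table.has(ref)) table.set(ref, new Map());
    table.get(ref).set(prop, new Set(locs));
  }
  return table;
}

// Constructed sample results for two hypothetical analyzers "A" and "B".
const resultsA = pointsToTable([
  ["user", "name", ["str#1"]],
  ["user", "addr", ["obj#3", "obj#4"]],
  ["cfg", "port", ["num#1"]],
  ["tmp", "x", ["obj#9"]],              // only A reports this reference
]);
const resultsB = pointsToTable([
  ["user", "name", ["str#1", "str#2"]],
  ["user", "addr", ["obj#3", "obj#4", "obj#5"]],
  ["cfg", "port", ["num#1", "num#2"]],
  ["other", "y", ["obj#7"]],            // only B reports this reference
]);

// Equivalent references: those that appear in both analyzers' results.
// References seen by only one analyzer are excluded so that the averages
// are computed over the same program entities.
function equivalentReferences(a, b) {
  return [...a.keys()].filter((ref) => b.has(ref));
}

// Average size of the points-to sets of all properties of the given references.
function averagePointsToSize(table, refs) {
  let total = 0;
  let count = 0;
  for (const ref of refs) {
    for (const locs of table.get(ref).values()) {
      total += locs.size;
      count += 1;
    }
  }
  return count === 0 ? 0 : total / count;
}

function comparePrecision(a, b) {
  const refs = equivalentReferences(a, b);
  return {
    references: refs,
    avgA: averagePointsToSize(a, refs),
    avgB: averagePointsToSize(b, refs),
  };
}

// For the sample data: references ["user", "cfg"], avgA = 4/3, avgB = 7/3.
console.log(comparePrecision(resultsA, resultsB));
```

Only references present in both tables contribute, so the "tmp" and "other" entries are ignored; on the sample data analyzer A averages 4/3 locations per property and B 7/3, so A is the more precise of the two on the common references.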
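The difference between tracking taint on primitive values only and tracking it on objects as well, which the abstract says the authors' SAFE extension addresses, can be shown on a small straight-line program. The following is an added example and not the paper's SAFE extension: it is a toy forward taint analysis over a constructed three-address-style IR, run once with a primitives-only policy and once treating an object as tainted when any property reachable from it is tainted. The IR operation names, the `sampleProgram` and the assumption that the sanitizer cleans only primitive values are all constructed for this example.

```javascript
// Added example (not the paper's analysis): toy forward taint analysis over a
// small IR, parameterised by whether objects can carry taint.
//
// Values are abstract: {kind: "prim", tainted} or {kind: "obj", loc}.
// The heap maps an allocation index to its property map.

function taintAnalysis(program, { trackObjects }) {
  const env = new Map();   // variable name -> abstract value
  const heap = [];         // loc -> { props: Map(propertyName -> abstract value) }
  const flagged = [];      // indices of sink statements that receive tainted data

  // An object is tainted if any property reachable from it holds tainted data.
  // Under the primitives-only policy objects are never considered tainted.
  function isTainted(v, seen = new Set()) {
    if (v === undefined) return false;
    if (v.kind === "prim") return v.tainted;
    if (!trackObjects) return false;
    if (seen.has(v.loc)) return false;        // cycle guard for self-referencing objects
    seen.add(v.loc);
    for (const child of heap[v.loc].props.values()) {
      if (isTainted(child, seen)) return true;
    }
    return false;
  }

  program.forEach((s, i) => {
    switch (s.op) {
      case "source":   // dst = untrusted input
        env.set(s.dst, { kind: "prim", tainted: true });
        break;
      case "const":    // dst = literal
        env.set(s.dst, { kind: "prim", tainted: false });
        break;
      case "newobj":   // dst = {}
        heap.push({ props: new Map() });
        env.set(s.dst, { kind: "obj", loc: heap.length - 1 });
        break;
      case "assign":   // dst = src
        env.set(s.dst, env.get(s.src));
        break;
      case "setprop":  // obj.prop = src
        heap[env.get(s.obj).loc].props.set(s.prop, env.get(s.src));
        break;
      case "getprop":  // dst = obj.prop
        env.set(s.dst, heap[env.get(s.obj).loc].props.get(s.prop));
        break;
      case "sanitize": // dst = sanitize(src); assumed to clean primitives only,
        {              // so an object passes through unchanged (and still tainted)
          const v = env.get(s.src);
          env.set(s.dst, v.kind === "prim" ? { kind: "prim", tainted: false } : v);
        }
        break;
      case "sink":     // sink(src): report if tainted data reaches it
        if (isTainted(env.get(s.src))) flagged.push(i);
        break;
      default:
        throw new Error("unknown op " + s.op);
    }
  });
  return flagged;
}

// Constructed sample program (statement index in the comment).
const sampleProgram = [
  { op: "source", dst: "p" },                            // 0: p = source()
  { op: "newobj", dst: "o" },                            // 1: o = {}
  { op: "setprop", obj: "o", prop: "name", src: "p" },   // 2: o.name = p
  { op: "sink", src: "o" },                              // 3: sink(o)   whole object reaches sink
  { op: "sanitize", dst: "q", src: "p" },                // 4: q = sanitize(p)
  { op: "newobj", dst: "o2" },                           // 5: o2 = {}
  { op: "setprop", obj: "o2", prop: "name", src: "q" },  // 6: o2.name = q
  { op: "sink", src: "o2" },                             // 7: sink(o2)  only sanitized data inside
  { op: "getprop", dst: "r", obj: "o", prop: "name" },   // 8: r = o.name
  { op: "sink", src: "r" },                              // 9: sink(r)   tainted primitive
];

// Primitives only: [9]. With object taint: [3, 9].
console.log("primitives only:", taintAnalysis(sampleProgram, { trackObjects: false }));
console.log("objects tracked:", taintAnalysis(sampleProgram, { trackObjects: true }));
```

With the primitives-only policy the flow at statement 3, where the object that holds the untrusted value is passed to the sink as a whole, is missed entirely; only the later extraction of the property into a primitive is reported. Tracking taint on objects reports both, while the object built from sanitized data at statement 7 is correctly not reported.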
Index Terms: Static security evaluation of an industrial web application