Results 1 -
3 of
3
JITPROF: Pinpointing JIT-unfriendly JavaScript Code
, 2014
"... personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires pri ..."
Abstract
-
Cited by 5 (3 self)
- Add to MetaCart
(Show Context)
personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission.
Understanding and Automatically Preventing Injection Attacks on Node.js Understanding and Automatically Preventing Injection Attacks on NODE.JS
"... Abstract-The NODE.JS ecosystem has lead to the creation of many modern applications, such as server-side web applications and desktop applications. Unlike client-side JavaScript code, NODE.JS applications can interact freely with the operating system without the benefits of a security sandbox. The ..."
Abstract
- Add to MetaCart
(Show Context)
Abstract-The NODE.JS ecosystem has lead to the creation of many modern applications, such as server-side web applications and desktop applications. Unlike client-side JavaScript code, NODE.JS applications can interact freely with the operating system without the benefits of a security sandbox. The complex interplay between NODE.JS modules leads to subtle injection vulnerabilities being introduced across module boundaries. This paper presents a large-scale study across 235,850 NODE.JS modules to explore such vulnerabilities. We show that injection vulnerabilities are prevalent in practice, both due to eval, which was previously studied for browser code, and due to the powerful exec API introduced in NODE.JS. Our study shows that thousands of modules may be vulnerable to command injection attacks and that even for popular projects it takes long time to fix the problem. Motivated by these findings, we present SYNODE, an automatic mitigation technique that combines static analysis and runtime enforcement of security policies for allowing vulnerable modules to be used in a safe way. The key idea is to statically compute a template of values passed to APIs that are prone to injections, and to synthesize a grammar-based runtime policy from these templates. Our mechanism does not require the modification of the NODE.JS platform, is fast (sub-millisecond runtime overhead), and protects against attacks of vulnerable modules while inducing very few false positives (less than 10%).
Practical Analysis of the Dynamic Characteristics of JavaScript
, 2015
"... JavaScript is a dynamic object-oriented programming language, which is designed with flexi-ble programming mechanisms. JavaScript is widely used in developing sophisticated software systems, especially web applications. Despite of its popularity, there is a lack of software tools that support JavaSc ..."
Abstract
- Add to MetaCart
(Show Context)
JavaScript is a dynamic object-oriented programming language, which is designed with flexi-ble programming mechanisms. JavaScript is widely used in developing sophisticated software systems, especially web applications. Despite of its popularity, there is a lack of software tools that support JavaScript for software engineering clients. Dataflow analysis approxi-mates software behavior by analyzing the program code; it is the foundation for many soft-ware tools. However, several unique features of JavaScript render existing dataflow analysis techniques ineffective. Reflective constructs, generating code at runtime, make it difficult to acquire the complete program at compile time. Dynamic typing, resulting in changes in object behavior, poses a challenge for building accurate models of objects. Different functionalities can be observed when a function is variadic; the variance of the function behavior may be caused by the arguments whose values can only be known at runtime. Object constructors may be poly-morphic such that objects created by the same constructor may contain different properties. In addition to object-oriented programming, JavaScript supports paradigms of functional
