Citation Context

...ented by macros in Scheme). For JavaScript, Anderson et al. proposed a type system with definite and potential types [2, 1, 3], while Heidegger and Thiemann following up on some of their earlier work =-=[24, 18]-=- propose recency types in [13], and Furr et al. proposed a related system for DRuby [9]. While all of these type systems acknowledge some minor simplifications to the target language, they rely on fai...

Citation Context

...e JavaScript provides a few other entry points to code injection, such as setInterval, setTimeout and Function, we refer to this class of features as eval for much of our discussion. 2 http://javascript.crockford.com/code.html 3 http://blogs.msdn.com/b/ericlippert/archive/2003/11/01/53329.aspx to simply ignore it [2,11,20,1], claim it is hardly used (only in 6% of 8,000 programs in [8]), assume that usage is limited to a relatively innocuous subset of the language such as JSON deserialization and occasional loading of library code [9], or produce a simple warning while ignoring eval’s effects [13]. The security literature views eval as a serious threat [19]. Although some systems have unique provisions for eval and integrate it into their analysis [7], most either forbid it completely [15], assume that its inputs must be filtered [5] or wrapped [12], or pair a dynamic analysis of eval with an otherwise static analysis [4]. True Eval. The goal of this study is to thoroughly characterize the real-world use of eval in JavaScript. We wish to quantify the frequency of dynamic and static occurrences of eval in web applications. To this end, we have built an infrastructure that automatically ...

Citation Context

...cially true in cases where JavaScript has a familiar syntax but an unconventional semantics. Duetoitspopularityandshortcomings,companiesandresearchershavetried to tame JavaScript via program analyses =-=[4,9,10,13]-=-, sub-language [5,7,17], and more. These works claim but do not demonstrate soundness, partly because we lackatractableaccountofthelanguage.TheJavaScriptstandard[6]iscapacious and informal, while one ...

Citation Context

...t type annotations are correct. Since all functions have type annotations, our flow analysis problem is significantly more tractable than in an untyped language with optional contracts. Jensen et al. =-=[13,14]-=- and MrSpidey [4] use flow analysis to recover precise type-like information for arbitrary JavaScript and Scheme programs, respectively. A significant advantage of flow analysis is that it does not re...

Citation Context

... idea has also been used in a semi-automated approach to state-based testing by Marchetto et al. [14, 15]. Static analysis for JavaScript has emerged as a complementary technique for detecting errors =-=[8, 9, 12]-=-, however this direction of work is still at an early stage. The dynamic nature of JavaScript [20], such as runtime code generation with eval and runtime HTML parsing with innerHTML, makes it difficul...

Citation Context

...avaScript. Our type system cannot specify information flows, although we do use it to discover that ADsafe fails to enforce a desirable information flow property. Other static analyses for JavaScript =-=[16, 21, 22]-=- are not specifically designed to encode and check security. Type Systems Our type checker is based on that of Guha, et al. [18]. Theirs has a very restrictive type system for objects that we fully re...

Citation Context

... functions, objects with modifiable prototype chains, and implicit type coercions that all must be carefully modeled to ensure sufficient precision. While developing a program analysis for JavaScript =-=[15]-=- aiming to statically infer type information we encountered the following challenge: How can we obtain a flow- and context-sensitive interprocedural dataflow analysis that accounts for mutable heap st...

Citation Context

...l evaluation, we found that correlation tracking often dramatically improved analysis scalability and precision on popular JavaScript frameworks, though in some cases scalability challenges remain. Keywords: Points-to analysis, call graph construction, JavaScript 1 Introduction JavaScript is rapidly gaining in popularity because it enables programmers to write rich web applications with full-featured user interfaces and portability across desktop and mobile platforms. Recently, pointer analysis for JavaScript has been used to enable applications such as security analysis [10, 12], bug finding [14], and automated refactoring [8]. Real-world web applications increasingly make use of framework libraries like jquery1 that abstract away browser incompatibilities and provide advanced DOM manipulation and user interface libraries. A recent survey [27] found that more than half of all surveyed sites use one of the nine most popular frameworks. These frameworks present a formidable challenge to static analysis, since they are relatively large and make frequent use of highly dynamic language features. In particular, JavaScript’s flexible object model presents a major challenge for scalable and p...