Informatik, TU Wien

Real-world Challenges in JavaScript Analysis

While JavaScript has become the most popular programming language today, tools that can automatically alert developers to unwanted behavior or security vulnerabilities are still lacking.

Abstract

While JavaScript has become the most popular programming language today, tools that can automatically alert developers to unwanted behavior or security vulnerabilities are still lacking. Such tools are either drastically limited (e.g., linter and checker tools) or fail to scale to real-world applications. This can in part be explained by the language they target. JavaScript is dynamically typed, has higher-order functions and supports reflective (string-based) access to the properties of objects. Even more difficult for static analysis is the excessive use of third-party libraries, meta-programming techniques (e.g., dynamic code generation), and event-driven frameworks.
The talk starts with a brief overview of the challenges we face when applying static analysis techniques to current systems built on JavaScript, especially modern web applica- tions. We continue by reporting on our work extending SAFE, an abstract interpretation framework for JavaScript, with (1) a light-weight taint analysis and (2) improved string abstract domains. Finally, we introduce a new domain-specific application of JavaScript static analysis that has shown to be effective: the detection of JavaScript-based malware embedded in PDF documents.

Biography

Alexander Jordan is a senior researcher at Oracle Labs Australia, where he has been working on program analysis techniques for Java- and JavaScript-based web applications. Before joining Oracle Labs in 2015, Alexander obtained his MSc and PhD degrees from TU Wien and has worked as a research assistant, with a focus on WCET analysis, at DTU (Denmark) and ENSTA ParisTech (France). His interests include program analysis, compilers and computer security.
 

Note

This talk is organized by the Compilers and Languages Group at the Institute of Computer Languages.
Tea at the library of E185/1, Argentinierstr. 8, 4th floor (central) at 13:30.