SAFE Formal Specification and Implementation of a Scalable Analysis - - PowerPoint PPT Presentation


SAFE: Formal Specification and Implementation of a Scalable Analysis Framework for ECMAScript. PLRG@KAIST. Hongki Lee, Sooncheol Won, Joonho Jin, Junhee Cho, and Sukyoung Ryu. Contents: Introduction, Big Picture, Formal Specification


slide-1
SLIDE 1

SAFE

Formal Specification and Implementation of a Scalable Analysis Framework for ECMAScript

PLRG@KAIST Hongki Lee, Sooncheol Won, Joonho Jin, Junhee Cho, and Sukyoung Ryu

slide-2
SLIDE 2

Contents

  • Introduction
  • Big Picture
  • Formal Specification
  • Implementation
  • Active Research
  • Conclusion
slide-3
SLIDE 3

Introduction

slide-4
SLIDE 4

JavaScript

  • ECMAScript Language Specification
  • Prototype-based inheritance
  • Dynamic Features
      • eval function, with statement
  • Security Vulnerability Issues
      • XSS
slide-5
SLIDE 5

Previous Work

  • Under-documented
  • Not open to the public
  • Handwritten Parser & AST nodes
  • ECMAScript3 or Subset of Language
  • λJS, TAJS, FBJS, Caja, Rhino, ...
slide-6
SLIDE 6

SAFE

  • Well-documented
  • Open Source
  • Auto-generated Parser & AST nodes
  • Full ECMAScript5
  • Formal Specification with Implementation

The very first attempt!

slide-7
SLIDE 7

Big Picture

slide-8
SLIDE 8

[Figure: SAFE pipeline diagram. Labels: JavaScript, Parser, AST, withRewriter, Disambiguator, Hoister, AST2IR, IR, IR2CFG, CFG, Interpreter, Result, CloneDetector, CodeCoverage, Analyzer]

slide-9
SLIDE 9

[Figure: the pipeline diagram from slide 8]

slide-10
SLIDE 10

Formal Specification

slide-11
SLIDE 11

Levels of Representations

  • AST (Abstract Syntax Tree)
      • To analyze at code level
  • IR (Intermediate Representation)
      • To evaluate code
  • CFG (Control Flow Graph)
      • To trace control flows
slide-12
SLIDE 12

IR Semantics

slide-13
SLIDE 13

Translation Rule

  • AST to IR
  • IR to CFG

slide-14
SLIDE 14

JavaScript:

    var sum = 0;
    for(var i = 1; i <= 10; i++) sum += i;
    _<>_print(sum);

AST:

    var i;
    var sum;
    sum = 0;
    for(i = 1; i <= 10; i++) sum += i;
    _<>_print(sum);

IR:

    var i
    var sum
    sum = 0
    i = 1
    <>break<>1 : {
      while(i <= 10) {
        <>continue<>2 : sum = sum + i
        <>old<>3 = i
        <>new<>4 = <>Global<>toNumber(<>old<>3)
        i = <>new<>4 + 1
        <>Global<>ignore = <>new<>4
      }
    }
    <>Global<>ignore = <>Global<>print(sum)

CFG:

[Figure: control flow graph with nodes labelled Entry, Exit and ExitExc]

slide-15
SLIDE 15

Implementation

slide-16
SLIDE 16

Implementation

  • Automated tools
  • Java and Scala
  • Java Libraries
  • Scala Pattern Matching
  • Pluggable
slide-17
SLIDE 17

AST Refinement

[Figure: the pipeline diagram from slide 8]

slide-18
SLIDE 18

Hoister

Before:

    f();
    function f() { x = 1 };
    var x;
    // x = 1

After:

    function f() { x = 1 };
    var x;
    f();
    // x = 1

With Hoister, functions and variables are defined before use

slide-19
SLIDE 19

Disambiguator

Before:

    var x = 0;
    function g() {
      x;          // x = ?
      var x = 1;
    }

After:

    var x_1 = 0;
    function g() {
      var x_2;
      x_2;        // x = ?
      x_2 = 1;
    }

Distinguish two ‘x’ variables

slide-20
SLIDE 20

withRewriter

Before:

    var o = {x:1, y:2, z:3};
    o.p = {x:4, y:5, z:6};
    with(o) {
      with(o.p) {
        x;
      }
    }

After:

    var o = {x:1, y:2, z:3};
    o.p = {x:4, y:5, z:6};
    var $f_1 = o;
    var $f_2 = ("o" in $f_1 ? $f_1.o : o).p;
    ("x" in $f_2 ? $f_2.x : ("x" in $f_1 ? $f_1.x : x));

An Empirical Study on the Rewritability of the with Statement in JavaScript - FOOL 2011
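
Added example (not from the original slides and not SAFE source code): it runs the nested with statements from the slide next to the rewritten form and checks that both resolve x to the same value. The test objects after the first one, the parameter standing in for the outer-scope x, and the helper names original, rewritten and compare are assumptions made for the illustration.

```javascript
// Added example, not SAFE source code. Sample objects are constructed.

// Original form from the slide. `with` is a syntax error in strict mode,
// so it is compiled with the Function constructor, whose body is sloppy mode.
// The parameter `x` plays the role of the outer-scope variable `x`.
const original = new Function("o", "x",
  "with (o) { with (o.p) { return x; } }");

// Rewritten form from the slide: every scope lookup is an explicit `in` test.
function rewritten(o, x) {
  var $f_1 = o;
  var $f_2 = ("o" in $f_1 ? $f_1.o : o).p;
  return ("x" in $f_2 ? $f_2.x : ("x" in $f_1 ? $f_1.x : x));
}

// Constructed inputs; the first is the object from the slide.
const cases = [
  { name: "x found in o.p", o: { x: 1, y: 2, z: 3, p: { x: 4, y: 5, z: 6 } } },
  { name: "x found only in o", o: { x: 1, p: { y: 5 } } },
  { name: "x falls through to outer scope", o: { y: 2, p: { z: 6 } } },
  { name: "o has a property named o", o: { x: 1, p: { x: 4 }, o: { p: { x: 9 } } } },
  { name: "x present but undefined", o: { x: 1, p: { x: undefined } } },
];

// Run both forms on every case and report whether they agree.
function compare(outerX) {
  return cases.map(({ name, o }) => {
    const viaWith = original(o, outerX);
    const viaRewrite = rewritten(o, outerX);
    return { name, viaWith, viaRewrite, agree: Object.is(viaWith, viaRewrite) };
  });
}

for (const r of compare("outer")) {
  console.log(`${r.name}: with=${r.viaWith} rewritten=${r.viaRewrite} agree=${r.agree}`);
}
```

The fourth case shows why the rewrite guards the inner o with an "o" in $f_1 test, and the fifth shows why it tests membership with in instead of checking whether the value is truthy.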
slide-21
SLIDE 21

Evaluating Code

[Figure: the pipeline diagram from slide 8]

slide-22
SLIDE 22

Active Research

slide-23
SLIDE 23

  • Calculate the ratio of tested code
  • Perform type-based analysis
  • Detect clone code at the AST level

[Figure: the pipeline diagram from slide 8]

slide-24
SLIDE 24

Conclusion

  • The very first attempt to provide both formal specification and implementation
  • Pluggable framework
  • ECMAScript 5
  • Open Source Project

available at http://plrg.kaist.ac.kr/research/safe

slide-25
SLIDE 25

Thank You!