计算机科学

计算机科学 ›› 2017, Vol. 44 ›› Issue (11): 22-26.doi: 10.11896/j.issn.1002-137X.2017.11.004

• 2016 年全国软件与应用学术会议 • 上一篇    下一篇

一种基于动态插桩的JavaScript反事实执行方法

龚伟刚,游伟,李赞,石文昌,梁彬   

  1. 数据工程与知识工程教育部重点实验室中国人民大学 北京100872 中国人民大学信息学院 北京100872,数据工程与知识工程教育部重点实验室中国人民大学 北京100872 中国人民大学信息学院 北京100872,数据工程与知识工程教育部重点实验室中国人民大学 北京100872 中国人民大学信息学院 北京100872,数据工程与知识工程教育部重点实验室中国人民大学 北京100872 中国人民大学信息学院 北京100872,数据工程与知识工程教育部重点实验室中国人民大学 北京100872 中国人民大学信息学院 北京100872
  • 出版日期:2018-12-01 发布日期:2018-12-01
  • 基金资助:
    本文受国家自然科学基金(61170240,6,61472429),国家科技重大专项(2012ZX01039-004)资助

JavaScript Counterfactual Execution Method Based on Dynamic Instrumentation

GONG Wei-gang, YOU Wei, LI Zan, SHI Wen-chang and LIANG Bin   

  • Online:2018-12-01 Published:2018-12-01

PDF (PC)

675

摘要: 目前,静态分析技术已被广泛用于JavaScript程序的安全性分析。但是由于JavaScript支持通过eval等方法在运行时动态生成代码,仅靠静态分析难以取得动态生成代码。一种可行的解决方法是通过动态运行目标程序取得动态生成代码,再对其进行静态分析。然而,动态运行目标程序只能覆盖有限的执行路径,会遗漏其他执行路径中的动态生成代码。针对这一问题,基于动态插桩实现了一个反事实执行方法。该方法通过修改JavaScript引擎,在其语法解析阶段动态插入反事实执行体,使条件不成立的分支路径和当前执行路径均能够得到执行。通过该插桩方式,即使嵌套调用eval等方法,也能在其动态生成代码中完成插桩。同时,还实现了一种按需undo方法,以消除反事实执行体中赋值操作带来的影响,且能够避免冗余操作。实验结果表明,实现的方法能够有效地扩大动态分析中执行路径的覆盖面。

关键词: 反事实执行,路径覆盖,动态分析,JavaScript

Abstract: The static analysis technique has been widely employed in the security analysis of JavaScript program.But the JavaScript program can leverage several functions such as eval to generate code at runtime,which is hard to obtain danamic generation code simply by static analysis.One feasible approach is to collect the code by running the target program dynamically and then make a static analysis on it.However,this approach can only explore a finite number of execution paths and will miss the dynamically generated code in other paths.This paper presented a counterfactual execution method based on dyna-mic instrumentation.In the method,the counterfactual execution structures are instrumented on-the-fly during the parse phase of JavaScript engine,to explore both the branch that would ordinarily be executed and the other branch that would not normally be run.In this way,even if the functions like eval are called nestedly,the dynamically generated code can also be instrumented.Besides,in order to undo the effect of any assignment in counterfactual execution structures,an on-demand undo method was implemented to avoid the redundant operations.The evaluation results show that the method implemented in this paper can effectively expand the coverage of execution paths in dynamic analysis.

Key words: Counterfactual execution,Path coverage,Dynamic analysis,JavaScript

[1] GUARNIERI S,LIVSHITS V B.GATEKEEPER:Mostly StaticEnforcement of Security and Reliability Policies for JavaScript Code[C]∥Proceedings of the 18th Conference on USENIX Security Symposium.New York,USA:ACM,2009:78-85.
[2] GUARNIERI S,PISTOIA M,TRIPP O,et al.Saving the world wide web from vulnerable JavaScript[C]∥Proceedings of the 2011 International Symposium on Software Testing and Analysis.New York,USA:ACM,2011:177-187.
[3] GUHA A,KRISHAMURTHI S,JIM T.Using static analysis for Ajax intrusion detection[C]∥Proceedings of the 18th International Conference on World Wide Web.New York,USA:ACM,2009:561-570.
[4] XU W,ZHANG F F,ZHU S C.The power of obfuscation techniques in malicious JavaScript code:A measurement study[C]∥Proceedings of the 2012 7th International Conference on Malicious and Unwanted Software.Washington DC,USA:IEEE,2012:9-16.
[5] RATANAWORABHAN P,LIVSHITS B,ZORN B G.JSMe-ter:Comparing the Behavior of JavaScript Benchmarks with Real Web Applications[C]∥Usenix Conference on Web Application Development.2010.
[6] RICHARDS G,HAMMER C,BURG B,et al.The eval that men do[M]∥ECOOP 2011-Object-Oriented Programming.Springer Berlin Heidelberg,2011:52-78.
[7] RICHARDS G,LEBRESNE S,BURG B,et al.An analysis of the dynamic behavior of JavaScript programs[J].ACM SIGPLAN Notices,2010,45(6):1-12.
[8] WEI S,RYDER B G.Practical blended taint analysis for Java-Script[C]∥Proceedings of the 2013 International Symposium on Software Testing and Analysis.New York,USA:ACM,2013:336-346.
[9] CHUGH R,MEISTER J A,JHALA R,et al.Staged informa-tion flow for JavaScript[C]∥Proceedings of the 2009 ACM SIGPLAN Conference on Programming Language Design and Implementation.New York,USA:ACM,2009:50-62.
[10] VOGT P,NENTWICH F,JOVANOVIC N,et al.Cross SiteScripting Prevention with Dynamic Data Tainting and Static Analysis[C]∥The 14th Annual Network & Distributed System Security Symposium.Reston,USA:ISOC,2007:12.
[11] SCHFER M,SRIDHARAN M,DOLBY J,et al.Dynamic determinacy analysis[C]∥Proceedings of the 2013 ACM SIGPLAN Conference on Programming Language Design and Implementation.New York,USA:ACM,2013:165-174.
[12] Google.Chrome V8[EB/OL].[2016-07-07].https://developers.google.com/v8.
[13] Adobe.Adobe PhoneGap[EB/OL].[2016-07-07].http://phonega p.com.
[14] CHUDNOV A,NAUMANN D A.Inlined information flow monitoring for JavaScript[C]∥Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security.New York,USA:ACM,2015:629-643.
[15] JANG D,JHALA R,LERNER S,et al.An empirical study of privacy-violating information flows in JavaScript Web applications[C]∥Proceedings of the 17th ACM Conference on Computer and Communication Security.New York,USA:ACM,2010:270-283.
No related articles found!
Viewed
Full text


Abstract

Cited
  Shared   
  Discussed   
No Suggested Reading articles found!
渝ICP备16013121号-4
地址:重庆市渝北区洪湖西路18号    邮编:401121  
电话:023-63500828(编辑部) 023-67039612(会议/专题) 023-67039623(财务/发票)
E-mail:jsjkx12@163.com
本系统由北京玛格泰克科技发展有限公司设计开发