Zhiyuan Wan,Bo Zhou

DOI: https://doi.org/10.1109/ITAIC.2011.6030179

2011-01-01

Abstract:Recently automated test generation tools that implement variations of symbolic execution technology have demonstrated their ability to find subtle errors. However, one challenge they all face is how to effectively handle the exponential number of paths in large, realistic programs. This paper presents Directed Systematic Dynamic Testing approach, or DSDT for short, that combines compositional systematic dynamic testing with a search heuristic based on block-coverage. The approach tests program under test compositionally and directs the path exploration along the program point with the lowest block-coverage. We implemented our algorithm on top of jFuzz for testing Java program and evaluated our approach on testing a Java implementation of red-black tree. The preliminary experimental results show that Directed Systematic Dynamic Testing approach can efficiently achieve the code coverage of program under test. © 2011 IEEE.

Gregor Richards,Sylvain Lebresne,Brian Burg,Jan Vitek

DOI: https://doi.org/10.1145/1809028.1806598

2010-06-12

ACM SIGPLAN Notices

Abstract:The JavaScript programming language is widely used for web programming and, increasingly, for general purpose computing. As such, improving the correctness, security and performance of JavaScript applications has been the driving force for research in type systems, static analysis and compiler techniques for this language. Many of these techniques aim to reign in some of the most dynamic features of the language, yet little seems to be known about how programmers actually utilize the language or these features. In this paper we perform an empirical study of the dynamic behavior of a corpus of widely-used JavaScript programs, and analyze how and why the dynamic features are used. We report on the degree of dynamism that is exhibited by these JavaScript programs and compare that with assumptions commonly made in the literature and accepted industry benchmark suites.

José Miguel Moreno,Narseo Vallina-Rodriguez,Juan Tapiador

2024-10-28

Abstract:The JavaScript programming language, which began as a simple scripting language for the Web, has become ubiquitous, spanning desktop, mobile, and server applications. This increase in usage has made JavaScript an attractive target for nefarious actors, resulting in the proliferation of malicious browser extensions that steal user information and supply chain attacks that target the official <a class="link-external link-http" href="http://Node.js" rel="external noopener nofollow">this http URL</a> package registry. To combat these threats, researchers have developed specialized tools and frameworks for analyzing the behavior of JavaScript programs to detect malicious patterns. Static analysis tools typically struggle with the highly dynamic nature of the language and fail to process obfuscated sources, while dynamic analysis pipelines take several minutes to run and require more resources per program, making them unfeasible for large-scale analyses. In this paper, we present Fakeium, a novel, open source, and lightweight execution environment designed for efficient, large-scale dynamic analysis of JavaScript programs. Built on top of the popular V8 engine, Fakeium complements traditional static analysis by providing additional API calls and string literals that would otherwise go unnoticed without the need for resource-intensive instrumented browsers or synthetic user input. Besides its negligible execution overhead, our tool is highly customizable and supports hooks for advanced analysis scenarios such as network traffic emulation. Fakeium's flexibility and ability to detect hidden API calls, especially in obfuscated sources, highlights its potential as a valuable tool for security analysts to detect malicious behavior.

Cryptography and Security,Software Engineering

Yudi Zheng,Lubomír Bulej,Cheng Zhang,Stephen Kell,Danilo Ansaloni,Walter Binder

DOI: https://doi.org/10.1145/2542142.2542145

2013-01-01

Abstract:Accuracy, completeness, and performance are all major concerns in the context of dynamic program analysis. Emphasizing one of these factors may compromise the other factors. For example, improving completeness of an analysis may seriously impair performance. In this paper, we present an analysis model and a framework that enables reducing analysis overhead at runtime through adaptive instrumentation of the base program. Our approach targets analyses implemented with code instrumentation techniques on the Java platform. Overhead reduction is achieved by removing instrumentation from code locations that are considered unimportant for the analysis results, thereby avoiding execution of analysis code for those locations. For some analyses, our approach preserves result accuracy and completeness. For other analyses, accuracy and completeness may be traded for a major performance improvement. In this paper, we explore accuracy, completeness, and performance of our approach with two concrete analyses as case studies.

Huajie Chen,Tian Zhang,Lei Bu,Xuandong Li

DOI: https://doi.org/10.1109/ssiri-c.2011.20

2011-01-01

Abstract:Dynamic analysis has been widely used in program analysis. Instrumentation is a general technology used to trace dynamic behavior of software. This paper presents a java source code instrumentation tool, which supports making instrumentation manually and automatically according to rules based on AST analysis. On one hand, users can instrument source code manually. It supports to manage those instrumentation points. On the other hand, code snippets can be instrumented automatically in compliance with criteria defined by users. This tool defines some inside criteria and makes instrumentation automatically for them. What's more, these inside criteria can be expanded. By instrumentation, a dynamic execution report about the java source code can be obtained.

Tong WU,Yu-ting CHEN

DOI: https://doi.org/10.3969/j.issn.1000-3428.2014.10.013

2014-01-01

Abstract:Aiming at the problem of low precise and slow response in the state of JavaScript code recommendation technology,this paper introduces a JavaScript code recommendation method based on dynamic analysis and implements a code recommendation plug-in for Eclipse. This approach builds model offline for storing the simulated runtime environment,and creates indexes for all objects in the environment. It simulates executing user code, while applying abstract syntax tree of user code for blocking and updating undefined variables at runtime,to achieve a JavaScript code recommendation tool based on dynamic analysis. Compared with current code proposal tools with static analysis, experiments show the tool improves both the precise and response time.

LIANG Bin,GONG Weigang,YOU Wei,LI Zan,SHI Wenchang

DOI: https://doi.org/10.16511/j.cnki.qhdxxb.2017.26.043

2017-01-01

Abstract:Mainstream JavaScript engines have introduced optimizing compilers. These compilers generate more efficient executable code for frequently functions run, but these optimizing compilers brings new challenges to the dynamic taint analysis (DTA) method implemented via dynamic instrumentation. This paper focuses on the HTML5-based hybrid android App and presents a dynamic taint analysis method for the optimizing compilers in the V8 JavaScript engine using dynamic instrumentation. In this method, the taint box object is used to store the taint tags and the taint tracking code is instrumented at the hydrogen level of the optimizing compiler. Tests show that this dynamic taint analysis technique effectively tracks the taint information flow in the optimizing compiler with acceptable performance overhead.

Chang Da,Li Zhou-jun,Yang Tian-fang,Hu Chao-jian

DOI: https://doi.org/10.3969/j.issn.1674-9456.2011.09.009

2011-01-01

Abstract:The differences of system platform,compiler and compilation options are likely to lead semantic differences between source code and executable code,only source code analysis may omit vulnerabilities hidden in executable code.Even source code analysis has verified the nature of the need for security,but yet it can not assure the security nature in the executable code are satisfied not contrary to.This paper designed and implemented a program execution tracer based on dynamic binary instrumentation.The results show our prototype tool can accurately trace in the execution path,and be able to filter out 90% to 99% secondary instructions.At last,this paper discussed other technical solutions,the shortcoming of current prototype tool and the future work.

Joonyoung Park,Jihyeok Park,Dongjun Youn,Sukyoung Ryu

DOI: https://doi.org/10.1145/3468264.3468556

2021-06-01

Abstract:JavaScript has become one of the most widely used programming languages for web development, server-side programming, and even micro-controllers for IoT. However, its extremely functional and dynamic features degrade the performance and precision of static analysis. Moreover, the variety of built-in functions and host environments requires excessive manual modeling of their behaviors. To alleviate these problems, researchers have proposed various ways to leverage dynamic analysis during JavaScript static analysis. However, they do not fully utilize the high performance of dynamic analysis and often sacrifice the soundness of static analysis. In this paper, we present dynamic shortcuts, a new technique to flexibly switch between abstract and concrete execution during JavaScript static analysis in a sound way. It can significantly improve the analysis performance and precision by using highly-optimized commercial JavaScript engines and lessen the modeling efforts for opaque code. We actualize the technique via $\text{SAFE}_\textsf{DS}$, an extended combination of $\text{SAFE}$ and Jalangi, a static analyzer and a dynamic analyzer, respectively. We evaluated $\text{SAFE}_\textsf{DS}$ using 269 official tests of Lodash 4 library. Our experiment shows that $\text{SAFE}_\textsf{DS}$ is 7.81x faster than the baseline static analyzer, and it improves the precision to reduce failed assertions by 12.31% on average for 22 opaque functions.

Software Engineering

Richard A. Mould

DOI: https://doi.org/10.48550/arXiv.quant-ph/0309029

2003-09-03

Abstract:The effect of rule (4) on a series or parallel sequence of quantum mechanical steps is to insure that a conscious observer does not skip a step. This rule effectively places the observer in continuous contact with the system. Key Words: brain states, continuous observation, conscious observer, measurement, probability current, state reduction, wave collapse.

Quantum Physics

Koushik Sen,Swaroop Kalasapur,Tasneem Brutch,Simon Gibbs

DOI: https://doi.org/10.1145/2491411.2491447

2013-01-01

Abstract:JavaScript is widely used for writing client-side web applications and is getting increasingly popular for writing mobile applications. However, unlike C, C++, and Java, there are not that many tools available for analysis and testing of JavaScript applications. In this paper, we present a simple yet powerful framework, called Jalangi, for writing heavy-weight dynamic analyses. Our framework incorporates two key techniques: 1) selective record-replay, a technique which enables to record and to faithfully replay a user-selected part of the program, and 2) shadow values and shadow execution, which enables easy implementation of heavy-weight dynamic analyses. Our implementation makes no special assumption about JavaScript, which makes it applicable to real-world JavaScript programs running on multiple platforms. We have implemented concolic testing, an analysis to track origins of nulls and undefined, a simple form of taint analysis, an analysis to detect likely type inconsistencies, and an object allocation profiler in Jalangi. Our evaluation of Jalangi on the SunSpider benchmark suite and on five web applications shows that Jalangi has an average slowdown of 26X during recording and 30X slowdown during replay and analysis. The slowdowns are comparable with slowdowns reported for similar tools, such as PIN and Valgrind for x86 binaries. We believe that the techniques proposed in this paper are applicable to other dynamic languages.

Qi Wang,Jingyu Zhou,Yuting Chen,Yizhou Zhang,Jianjun Zhao

DOI: https://doi.org/10.1145/2491411.2494583

2013-01-01

Abstract:ABSTRACT With the extensive use of client-side JavaScript in web applications, web contents are becoming more dynamic than ever before. This poses significant challenges for search engines, because more web URLs are now embedded or hidden inside JavaScript code and most web crawlers are script-agnostic, significantly reducing the coverage of search engines. We present a hybrid approach that combines static analysis with dynamic execution, overcoming the weakness of a purely static or dynamic approach that either lacks accuracy or suffers from huge execution cost. We also propose to integrate program analysis techniques such as statement coverage and program slicing to improve the performance of URL mining.

Ben L. Titzer,Elizabeth Gilbert,Bradley Wei Jie Teo,Yash Anand,Kazuyuki Takayama,Heather Miller

2024-03-13

Abstract:A key strength of managed runtimes over hardware is the ability to gain detailed insight into the dynamic execution of programs with instrumentation. Analyses such as code coverage, execution frequency, tracing, and debugging, are all made easier in a virtual setting. As a portable, low-level bytecode, WebAssembly offers inexpensive in-process sandboxing with high performance. Yet to date, Wasm engines have not offered much insight into executing programs, supporting at best bytecode-level stepping and basic source maps, but no instrumentation capabilities. In this paper, we show the first non-intrusive dynamic instrumentation system for WebAssembly in the open-source Wizard Research Engine. Our innovative design offers a flexible, complete hierarchy of instrumentation primitives that support building high-level, complex analyses in terms of low-level, programmable probes. In contrast to emulation or machine code instrumentation, injecting probes at the bytecode level increases expressiveness and vastly simplifies the implementation by reusing the engine's JIT compiler, interpreter, and deoptimization mechanism rather than building new ones. Wizard supports both dynamic instrumentation insertion and removal while providing consistency guarantees, which is key to composing multiple analyses without interference. We detail a fully-featured implementation in a high-performance multi-tier Wasm engine, show novel optimizations specifically designed to minimize instrumentation overhead, and evaluate performance characteristics under load from various analyses. This design is well-suited for production engine adoption as probes can be implemented to have no impact on production performance when not in use.

Programming Languages

Ting Chen,Xiao-Song Zhang,Shi-Ze Guo,Hong-Yuan Li,Yue Wu

DOI: https://doi.org/10.1016/j.future.2012.02.006

IF: 7.307

2013-01-01

Future Generation Computer Systems

Abstract:Dynamic symbolic execution for automated test generation consists of instrumenting and running a program while collecting path constraint on inputs from predicates encountered in branch instructions, and of deriving new inputs from a previous path constraint by an SMT (Satisfiability Modulo Theories) solver in order to steer next executions toward new program paths. It has been introduced into several applications, such as automated test generation, automated filter generation and malware analysis mainly for its two intrinsic properties: low false positives and high code-coverage. In this paper, we focus on the topics that are closely related to automated test generation. Our contributions are five-fold. First, we summarize the theoretical foundation of dynamic symbolic execution. Second, we highlight the challenges when turning ideas into reality. Besides, we describe the state-of-the-art solutions including advantages and disadvantages for those challenges. In addition, twelve typical tools are analyzed and many properties of those tools are censused. Finally, we outline the prospects of this research field in detail.

Xincheng He,Chunliu Cha,Lei Xu

DOI: https://doi.org/10.1109/APSEC.2018.00051

2018-12-01

Abstract:JavaScript plays an important role in web applications and services, which is used by millions of web pages in optimizing interface design, embedding dynamic texts, reading and writing HTML elements, validating form data, responding to browser events, controlling cookies and much more. However, since JavaScript is cross-platform and can be executed dynamically, it has been a major vehicle for web-based attacks. Existing solutions work by performing static analysis or monitoring program execution dynamically. However, since the heavy use of obfuscation techniques, many methods no longer apply to malicious JavaScript code detection, and it has been a huge challenge to de-obfuscate obfuscated malicious JavaScript code accurately. In this paper, we propose a hybrid analysis method combining static and dynamic analysis for detecting malicious JavaScript code that works by first conducting syntax analysis and dynamic instrumentation to extract internal features that are related to malicious code and then performing classificationbased detection to distinguish attacks. In addition, based on code instrumentation, we propose a new method which can deobfuscate part of obfuscated malicious JavaScript code accurately. Ultimately, we implement a browser plug-in called MJDetector and perform evaluation on 450 real web pages. Evaluation results show that our method can detect malicious JavaScript code and de-obfuscate obfucation effectively and efficiently. Specifically, MJDetector can detect JavaScipt attacks in current web pages with high accuracy 94.76% and de-obfuscate obfuscate code of specific types with accuracy 100% whereas the base line method can only detect with accuracy 81.16% and has no capacity of de-obfuscation.

Computer Science

Nikolaos Pantelaios,Alexandros Kapravelos

2024-05-22

Abstract:Evasion techniques allow malicious code to never be observed. This impacts significantly the detection capabilities of tools that rely on either dynamic or static analysis, as they never get to process the malicious code. The dynamic nature of JavaScript, where code is often injected dynamically, makes evasions particularly effective. Yet, we lack tools that can detect evasive techniques in a challenging environment such as JavaScript.

Cryptography and Security

Mingzhe Wang,Jie Liang,Chijin Zhou,Zhiyong Wu,Xinyi Xu,Yu Jiang

DOI: https://doi.org/10.1145/3519939.3523428

2022-01-01

Abstract:Instrumentation is vital to fuzzing. It provides fuzzing directions and helps detect covert bugs, yet its overhead greatly reduces the fuzzing throughput. To reduce the overhead, compilers compromise instrumentation correctness for better optimization, or seek convoluted runtime support to remove unused probes during fuzzing. In this paper, we propose Odin, an on-demand instrumentation framework to instrument C/C++ programs correctly and flexibly. When instrumentation requirement changes during fuzzing, Odin first locates the changed code fragment, then re-instruments, re-optimizes, and re-compiles the small fragment on-the-fly. Consequently, with a minuscule compilation overhead, the runtime overhead of unused probes is reduced. Its architecture ensures correctness in instrumentation, optimized code generation, and low latency in recompilation. Experiments show that Odin delivers the performance of compiler-based static instrumentation while retaining the flexibility of binary-based dynamic instrumentation. When applied to coverage instrumentation, Odin reduces the coverage collection overhead by 3× and 17× compared to LLVM SanitizerCoverage and DynamoRIO, respectively.

Chengyu Song,Chao Zhang,Tielei Wang,Wenke Lee,David Melski

DOI: https://doi.org/10.14722/ndss.2015.23233

2015-01-01

Abstract:—Many mechanisms have been proposed and de-ployed to prevent exploits against software vulnerabilities. Amongthem, W X is one of the most effective and efficient. W Xprevents memory pages from being simultaneously writableand executable, rendering the decades old shellcode injectiontechnique infeasible.In this paper, we demonstrate that the traditional shellcodeinjection attack can be revived through a code cache injectiontechnique. Specifically, dynamic code generation, a techniquewidely used in just-in-time (JIT) compilation and dynamic binarytranslation (DBT), generates and modifies code on the fly in orderto promote performance or security. The dynamically generatedcode fragments are stored in a code cache, which is writableand executable either at the same time or alternately, resultingin an opportunity for exploitation. This threat is especiallyrealistic when the generated code is multi-threaded, becauseswitching between writable and executable leaves a time windowfor exploitation. To illustrate this threat, we have crafted a proof-of-concept exploit against modern browsers that support WebWorkers.To mitigate this code cache injection threat, we propose anew dynamic code generation architecture. This new architecturerelocates the dynamic code generator to a separate process,in which the code cache is writable. In the original processwhere the generated code executes, the code cache remains read-only. The code cache is synchronized across the writing processand the execution process through shared memory. Interactionbetween the code generator and the generated code is handledtransparently through remote procedure calls (RPC). We haveported the Google V8 JavaScript engine and the Strata DBTto this new architecture. Our implementation experience showedthat the engineering effort for porting to this new architectureis minimal. Evaluation of our prototype implementation showedthat this new architecture can defeat the code cache injectionattack with small performance overhead.

W. Xu,Fangfang Zhang,Sencun Zhu

DOI: https://doi.org/10.1145/2435349.2435364

2013-02-18

Abstract:The dynamic features of the JavaScript language not only promote various means for users to interact with websites through Web browsers, but also pose serious security threats to both users and websites. On top of this, obfuscation has become a popular technique among malicious JavaScript code that tries to hide its malicious purpose and to evade the detection of anti-virus software. To defend against obfuscated malicious JavaScript code, in this paper we propose a mostly static approach called JStill. JStill captures some essential characteristics of obfuscated malicious code by function invocation based analysis. It also leverages the combination of static analysis and lightweight runtime inspection so that it can not only detect, but also prevent the execution of the obfuscated malicious JavaScript code in browsers. Our evaluation based on real-world malicious JavaScript samples as well as Alexa top 50,000 websites demonstrates high detection accuracy (all in our experiment) and low false positives of JStill. Meanwhile, JStill only incurs negligible performance overhead, making it a practical solution to preventing obfuscated malicious JavaScript code.

Computer Science

Franciszek Piszcz

2024-02-01

Abstract:There is a vast gap in the quality of IDE tooling between static languages like Java and dynamic languages like Python or JavaScript. Modern frameworks and libraries in these languages heavily use their dynamic capabilities to achieve the best ergonomics and readability. This has a side effect of making the current generation of IDEs blind to control flow and data flow, which often breaks navigation, autocompletion and refactoring. In this thesis we propose an algorithm that can bridge this gap between tooling for dynamic and static languages by statically analyzing dynamic metaprogramming and runtime reflection in programs. We use a technique called abstract interpretation to partially execute programs and extract information that is usually only available at runtime. Our algorithm has been implemented in a prototype analyzer that can analyze programs written in a subset of JavaScript.

Programming Languages,Logic in Computer Science,Software Engineering