Download presentation
Presentation is loading. Please wait.
Published byDella Johnston Modified over 5 years ago
1
String Analysis for JavaScript Programs Using JSAI
Yves Engelmann Serena King Advisor: Lunjin Lu
2
Purpose of This Research
Design/implement domain of string properties on top of JSAI - an analysis engine that was developed at UCSB
3
How does it fit in with The Security Theme?
An increased precision of string static analyzer will help prevent XSS, MFE, and SQLI attacks to JavaScript based programs.
4
What is Program Analysis
In general terms, program analysis is an automated analysis of program behavior Program analysis is about developing tools and algorithms that help analyze other programs Hint: Static Analysis A short history of static program Analysis Early high-level programming languages were implemented on very small and very slow machine. Compilers needed to generate executables that were extremely efficient in space and time. Compiler writers invented efficiency- increasing program transformations, wrongly called optimizing transformations. Transformations must not change the semantics of programs. Enabling conditions guaranteed semantics preservation. Enabling conditions were checked by static analysis of programs (data-flow analysis). Theoretical foundations of static program analysis---Kleene (1930s), Tarski(1955) .Gary Kildall(1972) clarified the lattice-theoretic foundation of data flow analysis. . Patrick Cousot(1974) established the relation to the programming language semantics. Source: Static Program Analysis for Verification – an Introduction -
5
Static Program Analysis
Analyzes the source code of a given program Dynamic Program Analysis: Analyzes the program while its running The difference between Static and Dynamic program analysis is that static analysis gives you more execution reasons but it’s less precise and Dynamic is more precise, but result are limited to observed executions. A typical static analysis question: Given source code of program P and desired property Q, does P exhibit Q in all possible executions? What does precision mean here?
6
Static Program Analysis
Static analyses are either: Unsound: May say program is safe even though it is unsafe Sound, but incomplete: May say program is unsafe even though is safe Non-terminating: Always gives correct answer when it terminates, but may run forever Many static analysis techniques are sound but incomplete.
7
Timeline Week Literature survey Week 3 – 6 Design/Implementation Week 6 Mid – Summer Presentation Week 7 – 9 Writing Paper
8
Design/Implementation
TOOLS TO BE USED Understand the current constant propagation domain FA Software Current JSAI Analyzer Eclipse IDE to modify Scala source code
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.