Dynamic Analysis for JavaScript

Liang Gong

EECS Department
University of California, Berkeley
Technical Report No. UCB/EECS-2018-155
December 1, 2018

http://www2.eecs.berkeley.edu/Pubs/TechRpts/2018/EECS-2018-155.pdf

The effectiveness of the widely adopted static analysis tools is often limited by JavaScript’s dynamic nature and the need to over-approximate runtime behaviors. To tackle this challenge, we research robust dynamic analysis techniques for real-world JavaScript code.

To analyze front-end web applications, we first extend Jalangi, a dynamic analysis framework based on source code instrumentation, so that it intercepts and rewrites JavaScript code during network transmission. We also develop NodeSec, a dynamic instrumentation framework that traces and sandboxes the interactions between a Node.js program and the operating system. Based on the two frameworks, we research dynamic analysis techniques to detect correctness, performance, and security issues in JavaScript code. First, we present DLint, a dynamic analysis approach to check code quality rules in JavaScript. DLint consists of a generic framework and an extensible set of checkers, each of which addresses a particular rule. We formally describe and implement 28 checkers that address problems missed by state-of-the-art static approaches. Applying the approach in an empirical study on over 200 popular websites shows that static and dynamic checking complement each other. On average per website, DLint detects 49 problems that are missed statically, including visible bugs on the websites of IKEA, Hilton, eBay, and CNBC.
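As an added illustration of the kind of check a dynamic rule checker performs, the following JavaScript is not DLint's code (DLint is built on Jalangi's source instrumentation, which is not shown on this page); it uses a Proxy to observe property reads and writes instead. The two rules it checks, a read of a property the object does not have and an existing property overwritten with a value of another type, are assumed for illustration and are not claimed to be among the 28 checkers. The config object and the computed property name are constructed input.

```javascript
// Runtime rule checker (added illustration, not DLint's Jalangi-based code).
// Both rules are assumed for illustration:
//   MissingProperty: a read of a property the object does not have, usually a
//                    typo or a stale API; a static linter cannot decide this
//                    when the property name is computed at runtime.
//   TypeChange:      an existing property overwritten with a value of another
//                    type, which also defeats engine optimizations.

const reports = [];   // { rule, object, property }, in the order found

function report(rule, object, property) {
  reports.push({ rule, object, property });
}

// Wrap `target` so every read and write is checked; `label` names it in reports.
function checked(target, label) {
  return new Proxy(target, {
    get(obj, prop, receiver) {
      // Symbol keys (Symbol.toPrimitive, inspection hooks) are engine probes, not bugs.
      if (typeof prop !== 'symbol' && !(prop in obj)) {
        report('MissingProperty', label, String(prop));
      }
      return Reflect.get(obj, prop, receiver);
    },
    set(obj, prop, value) {
      if (typeof prop !== 'symbol' && prop in obj) {
        const old = obj[prop];
        if (old !== undefined && value !== undefined && typeof old !== typeof value) {
          report('TypeChange', label, String(prop));
        }
      }
      return Reflect.set(obj, prop, value);
    },
  });
}

// Constructed input: a configuration object consumed by code elsewhere.
function demoConfigChecks() {
  reports.length = 0;
  const config = checked({ host: 'localhost', port: 8080 }, 'config');
  const key = ['proto', 'col'].join('');  // computed name: invisible to a static linter
  const scheme = config[key];             // MissingProperty: config.protocol
  config.port = String(config.port);      // TypeChange: number -> string
  const url = `${scheme || 'http'}://${config.host}:${config.port}`;
  return {
    url,
    violations: reports.map(r => `${r.rule}:${r.object}.${r.property}`),
  };
}
```

The program still produces a usable URL, which is why neither problem surfaces as a crash; only the runtime checker sees the misspelled key and the type flip. A Proxy can only watch objects you wrap explicitly, which is the limitation that source-level instrumentation removes.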

Second, we present JITProf, a profiling framework to dynamically identify JIT-unfriendly code, which prevents profitable JIT optimizations. The key idea is to associate meta-information with JavaScript objects and code locations, to update this information whenever particular runtime events occur, and to use the meta-information to identify JIT-unfriendly operations. We use JITProf to analyze widely used JavaScript web applications and show that JIT-unfriendly code is prevalent in practice. We show that refactoring JIT-unfriendly code identified by JITProf leads to statistically significant performance improvements of up to 26.3% in 15 popular benchmarks.
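The meta-information idea in the paragraph above, as an added example in plain JavaScript (this is not JITProf's code). Objects carry a layout key, their own property names in insertion order, which is an assumed stand-in for the engine's hidden class; code locations carry the set of layouts they have seen; both are updated on one runtime event, a property read routed through getField(). The site name `area.js:12`, the megamorphic threshold of 4 and the rectangle records are assumptions or constructed input.

```javascript
// Shape profiler (added illustration, not JITProf's code).
const objMeta = new WeakMap();   // object -> { lastLayout, transitions }
const siteMeta = new Map();      // code location -> { layouts: Set, hits }

// Assumed proxy for the engine's hidden class: own keys in insertion order.
function currentLayout(obj) {
  return Object.keys(obj).join(',');
}

function metaFor(obj) {
  let m = objMeta.get(obj);
  if (!m) {
    m = { lastLayout: currentLayout(obj), transitions: 0 };
    objMeta.set(obj, m);
  }
  return m;
}

// Event: object allocated. Called right after the literal so that properties
// added later show up as layout transitions on that object.
function onCreate(obj) {
  metaFor(obj);
  return obj;
}

// Event: `obj.prop` read at code location `site`. An instrumenter would rewrite
// every `o.p` into getField(o, 'p', '<file>:<line>'); here it is done by hand.
function getField(obj, prop, site) {
  const layout = currentLayout(obj);
  const om = metaFor(obj);
  if (om.lastLayout !== layout) {
    om.transitions++;
    om.lastLayout = layout;
  }
  let sm = siteMeta.get(site);
  if (!sm) {
    sm = { layouts: new Set(), hits: 0 };
    siteMeta.set(site, sm);
  }
  sm.layouts.add(layout);
  sm.hits++;
  return obj[prop];
}

function transitionsOf(obj) {
  return objMeta.has(obj) ? objMeta.get(obj).transitions : 0;
}

// Sites whose inline cache would be polymorphic (more than one layout) or
// megamorphic; the threshold is an assumption, engines differ.
function jitUnfriendlySites(megamorphicAt = 4) {
  const out = [];
  for (const [site, sm] of siteMeta) {
    const n = sm.layouts.size;
    if (n > 1) {
      out.push({ site, layouts: n, hits: sm.hits,
                 kind: n >= megamorphicAt ? 'megamorphic' : 'polymorphic' });
    }
  }
  return out.sort((a, b) => b.layouts - a.layouts);
}

// Constructed input: rectangles that mean the same thing but are built differently.
function makeRectangles() {
  const late = onCreate({ w: 5 });
  late.h = 5;                              // property added after creation
  return [
    onCreate({ w: 2, h: 3 }),
    onCreate({ h: 3, w: 2 }),              // same keys, different insertion order
    onCreate({ w: 4, h: 1, id: 7 }),       // extra property
    late,
  ];
}

// One property-access site, before (normalize=false) and after (normalize=true)
// the kind of refactoring the profiler points at: build every record the same way.
function profile(normalize) {
  siteMeta.clear();
  const rects = makeRectangles();
  let total = 0;
  for (const r0 of rects) {
    const r = normalize ? onCreate({ w: r0.w, h: r0.h }) : r0;
    total += getField(r, 'w', 'area.js:12') * getField(r, 'h', 'area.js:12');
  }
  return { total, sites: jitUnfriendlySites(), lateTransitions: transitionsOf(rects[3]) };
}
```

Without normalization the single access site sees three layouts (`w,h`, `h,w`, `w,h,id`) and the late-initialized object records one transition; after normalization every record has the same layout and the site drops out of the report, while the computed total is unchanged.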

Finally, we conduct the first large-scale empirical study of security issues on over 330,000 npm packages. We adopt an iterative approach to dynamically analyze those packages and identify 360 previously unknown malicious or vulnerable packages, 315 of which have been validated by the community so far; 258 of those issues are rated highly severe. In aggregate, the affected packages have 2,138 downloads per day, underlining the risk to the Node.js ecosystem.

Advisor: Koushik Sen


BibTeX citation:

@phdthesis{Gong:EECS-2018-155,
    Author = {Gong, Liang},
    Title = {Dynamic Analysis for JavaScript},
    School = {EECS Department, University of California, Berkeley},
    Year = {2018},
    Month = {Dec},
    URL = {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2018/EECS-2018-155.html},
    Number = {UCB/EECS-2018-155},
    Abstract = {The effectiveness of the widely adopted static analysis tools is often limited by JavaScript's dynamic nature and the need to over-approximate runtime behaviors. To tackle this challenge, we research robust dynamic analysis techniques for real-world JavaScript code.

To analyze front-end web applications, we first extend Jalangi, a dynamic analysis framework based on source code instrumentation, so that it intercepts and rewrites JavaScript code during network transmission. We also develop NodeSec, a dynamic instrumentation framework that traces and sandboxes the interactions between a Node.js program and the operating system. Based on the two frameworks, we research dynamic analysis techniques to detect correctness, performance, and security issues in JavaScript code.
First, we present DLint, a dynamic analysis approach to check code quality rules in JavaScript. DLint consists of a generic framework and an extensible set of checkers, each of which addresses a particular rule. We formally describe and implement 28 checkers that address problems missed by state-of-the-art static approaches. Applying the approach in an empirical study on over 200 popular websites shows that static and dynamic checking complement each other. On average per website, DLint detects 49 problems that are missed statically, including visible bugs on the websites of IKEA, Hilton, eBay, and CNBC.

Second, we present JITProf, a profiling framework to dynamically identify JIT-unfriendly code, which prevents profitable JIT optimizations. The key idea is to associate meta-information with JavaScript objects and code locations, to update this information whenever particular runtime events occur, and to use the meta-information to identify JIT-unfriendly operations. We use JITProf to analyze widely used JavaScript web applications and show that JIT-unfriendly code is prevalent in practice. We show that refactoring JIT-unfriendly code identified by JITProf leads to statistically significant performance improvements of up to 26.3% in 15 popular benchmarks.

Finally, we conduct the first large-scale empirical study of security issues on over 330,000 npm packages. We adopt an iterative approach to dynamically analyze those packages and identify 360 previously unknown malicious or vulnerable packages, 315 of which have been validated by the community so far; 258 of those issues are rated highly severe. In aggregate, the affected packages have 2,138 downloads per day, underlining the risk to the Node.js ecosystem.}
}

EndNote citation:

%0 Thesis
%A Gong, Liang
%T Dynamic Analysis for JavaScript
%I EECS Department, University of California, Berkeley
%D 2018
%8 December 1
%@ UCB/EECS-2018-155
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2018/EECS-2018-155.html
%F Gong:EECS-2018-155