SAFE: Formal Specification and Implementation of a Scalable Analysis Framework for ECMAScript
PLRG@KAIST: Hongki Lee, Sooncheol Won, Joonho Jin, Junhee Cho, and Sukyoung Ryu
Contents
• Introduction
• Big Picture
• Formal Specification
• Implementation
• Active Research
• Conclusion
Introduction
JavaScript
• ECMAScript Language Specification
• Prototype-based inheritance
• Dynamic Features
- eval function, with statement
• Security Vulnerability Issues
- XSS
Previous Work
• Under-documented
• Not open to the public
• Handwritten Parser & AST nodes
• ECMAScript3 or Subset of Language
• λJS, TAJS, FBJS, Caja, Rhino, ...
SAFE
• Well-documented
• Open Source
• Auto-generated Parser & AST nodes
• Full ECMAScript5
• Formal Specification with Implementation: the very first attempt!
Big Picture
Pipeline (shown on the slide as a diagram):
JavaScript → Parser → AST → withRewriter → Disambiguator → Hoister → AST2IR → IR → IR2CFG → CFG
IR → Interpreter → Result
Tools plugged into the pipeline: CloneDetector, CodeCoverage, Analyzer
Formal Specification
Levels of Representations
• AST (Abstract Syntax Tree)
- To analyze at code level
• IR (Intermediate Representation)
- To evaluate code
• CFG (Control Flow Graph)
- To trace control flows
IR Semantics
Translation Rules: AST to IR, IR to CFG
JavaScript:
  var sum = 0; for(var i = 1; i <= 10; i++) sum += i; print(sum);
AST (after hoisting):
  var i; var sum; sum = 0; for(i = 1; i <= 10; i++) sum += i; print(sum);
IR:
  var i
  var sum
  sum = 0
  i = 1
  <>break<>1 : {
    while (i <= 10) {
      <>continue<>2 : sum = sum + i
      <>old<>3 = i
      <>new<>4 = <>Global<>toNumber(<>old<>3)
      i = <>new<>4 + 1
      <>Global<>ignore = <>new<>4
    }
  }
  <>Global<>ignore = <>Global<>print(sum)
CFG: the IR blocks between an Entry node and two exit nodes, Exit (normal completion) and ExitExc (exceptional completion).
Implementation
• Automated tools
• Java and Scala
- Java Libraries
- Scala Pattern Matching
• Pluggable
AST Refinement
(pipeline diagram repeated; this stage is the three passes that operate on the AST before AST2IR: withRewriter, Disambiguator and Hoister)
Hoister
Before:
  f();
  function f() { x = 1 };
  var x;   // x = 1
After:
  function f() { x = 1 };
  var x;
  f();     // x = 1
After the Hoister pass, every function and variable declaration of a scope appears before its first use, so the hoisting that ECMAScript performs implicitly is explicit in the AST.
Disambiguator
Before:
  var x = 0;
  function g() {
    x;          // x = ?
    var x = 1;
  }
After:
  var x_1 = 0;
  function g() {
    var x_2;
    x_2;        // x = ?
    x_2 = 1;
  }
The two 'x' variables get distinct names. The renamed AST also answers the question: the read inside g refers to the hoisted local x_2, whose value is still undefined at that point, not to the global x_1 holding 0.
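The Hoister and Disambiguator passes above, as an added example that is not SAFE's own code: a toy version of both passes over a tiny JavaScript AST, applied to the two slide programs and to the loop from the IR slide. The AST shape, the function names (hoist, disambiguate, toSource, refine) and the printer are assumptions of this example; SAFE's real AST nodes are generated from its grammar.

```javascript
// Added example, not SAFE's own code: a toy Hoister and Disambiguator over a
// tiny JavaScript AST, mirroring the two AST-refinement passes on the slides.
// The AST shape, function names and printer are assumptions of this example.

// Toy AST constructors.
const Id = name => ({ type: "Id", name });
const Num = value => ({ type: "Num", value });
const Assign = (name, value) => ({ type: "Assign", name, value });
const Bin = (op, left, right) => ({ type: "Bin", op, left, right });
const Call = (callee, args) => ({ type: "Call", callee, args });
const VarDecl = (name, init = null) => ({ type: "VarDecl", name, init });
const FunDecl = (name, params, body) => ({ type: "FunDecl", name, params, body });
const ExprStmt = expr => ({ type: "ExprStmt", expr });
const For = (init, test, update, body) => ({ type: "For", init, test, update, body });
const Empty = { type: "Empty" };

// Hoister: move every function declaration and `var` name of a function body to
// its top (functions first, as ES5 10.5 binds them), leaving `x = e` where
// `var x = e` stood.  Nested function bodies are hoisted recursively.
function hoist(body) {
  const vars = [], funs = [];
  const collect = s => {
    if (s.type === "VarDecl") { if (!vars.includes(s.name)) vars.push(s.name); }
    else if (s.type === "FunDecl") funs.push(FunDecl(s.name, s.params, hoist(s.body)));
    else if (s.type === "For") { if (s.init) collect(s.init); collect(s.body); }
  };
  body.forEach(collect);
  const strip = s => {                       // the statement minus its declaration
    if (s.type === "VarDecl") return s.init ? ExprStmt(Assign(s.name, s.init)) : Empty;
    if (s.type === "FunDecl") return Empty;  // already emitted at the top
    if (s.type === "For") {
      const init = s.init && s.init.type === "VarDecl"
        ? (s.init.init ? Assign(s.init.name, s.init.init) : null) : s.init;
      return For(init, s.test, s.update, strip(s.body));
    }
    return s;
  };
  const decls = vars.filter(v => !funs.some(f => f.name === v)).map(v => VarDecl(v));
  return [...funs, ...decls, ...body.map(strip).filter(s => s !== Empty)];
}

// Disambiguator: give every binding a unique name (x_1, x_2, ...) so two
// variables spelled `x` cannot be confused.  Run after hoist(): every
// declaration of a scope then sits at its top and is renamed before any use.
function disambiguate(body, env = new Map(), counters = new Map()) {
  const fresh = n => { const k = (counters.get(n) || 0) + 1; counters.set(n, k); return `${n}_${k}`; };
  const scope = new Map(env);
  for (const s of body)
    if (s.type === "VarDecl" || s.type === "FunDecl") scope.set(s.name, fresh(s.name));
  const name = n => scope.get(n) || n;     // unbound names (print, ...) stay global
  const ex = e => {
    switch (e.type) {
      case "Id": return Id(name(e.name));
      case "Assign": return Assign(name(e.name), ex(e.value));
      case "Bin": return Bin(e.op, ex(e.left), ex(e.right));
      case "Call": return Call(ex(e.callee), e.args.map(ex));
      default: return e;
    }
  };
  const st = s => {
    switch (s.type) {
      case "VarDecl": return VarDecl(name(s.name), s.init && ex(s.init));
      case "FunDecl": {
        const inner = new Map(scope);
        const params = s.params.map(p => { const f = fresh(p); inner.set(p, f); return f; });
        return FunDecl(name(s.name), params, disambiguate(s.body, inner, counters));
      }
      case "ExprStmt": return ExprStmt(ex(s.expr));
      case "For": return For(s.init && ex(s.init), ex(s.test), ex(s.update), st(s.body));
      default: return s;
    }
  };
  return body.map(st);
}

// Print the toy AST back to source so the passes can be read as text.
function toSource(n) {
  switch (n.type) {
    case "Id": return n.name;
    case "Num": return String(n.value);
    case "Assign": return `${n.name} = ${toSource(n.value)}`;
    case "Bin": return `${toSource(n.left)} ${n.op} ${toSource(n.right)}`;
    case "Call": return `${toSource(n.callee)}(${n.args.map(toSource).join(", ")})`;
    case "VarDecl": return `var ${n.name}${n.init ? " = " + toSource(n.init) : ""};`;
    case "FunDecl": return `function ${n.name}(${n.params.join(", ")}) { ${n.body.map(toSource).join(" ")} }`;
    case "ExprStmt": return `${toSource(n.expr)};`;
    case "Empty": return ";";
    case "For": return `for (${n.init ? toSource(n.init) : ""}; ${toSource(n.test)}; ${toSource(n.update)}) ${toSource(n.body)}`;
  }
}
const hoistOnly = body => hoist(body).map(toSource).join(" ");
const refine = body => disambiguate(hoist(body)).map(toSource).join(" ");

// The Hoister slide: f(); function f() { x = 1 }; var x;
const slideF = [ExprStmt(Call(Id("f"), [])),
  FunDecl("f", [], [ExprStmt(Assign("x", Num(1)))]), VarDecl("x")];
// The Disambiguator slide: var x = 0; function g() { x; var x = 1; }
const slideG = [VarDecl("x", Num(0)),
  FunDecl("g", [], [ExprStmt(Id("x")), VarDecl("x", Num(1))])];
// The IR slide's input, with i++ and += spelled out as assignments.
const slideSum = [VarDecl("sum", Num(0)),
  For(VarDecl("i", Num(1)), Bin("<=", Id("i"), Num(10)), Assign("i", Bin("+", Id("i"), Num(1))),
      ExprStmt(Assign("sum", Bin("+", Id("sum"), Id("i"))))),
  ExprStmt(Call(Id("print"), [Id("sum")]))];
console.log(hoistOnly(slideF));   // function f() { x = 1; } var x; f();
console.log(refine(slideG));      // function g_1() { var x_2; x_2; x_2 = 1; } var x_1; x_1 = 0;
console.log(hoistOnly(slideSum)); // var sum; var i; sum = 0; for (i = 1; i <= 10; i = i + 1) sum = sum + i; print(sum);
```

The renamed output of the Disambiguator slide shows why the pass matters for analysis: once the inner binding is x_2 and the global is x_1, a later pass can tell that the read inside g never touches the global, without re-deriving scoping rules. Names that no scope declares (print here) are left alone, since they resolve to the global object at run time.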
withRewriter
Before:
  var o = {x:1, y:2, z:3};
  o.p = {x:4, y:5, z:6};
  with(o) { with(o.p) { x; } }
After:
  var o = {x:1, y:2, z:3};
  o.p = {x:4, y:5, z:6};
  var $f_1 = o;
  var $f_2 = ("o" in $f_1 ? $f_1.o : o).p;
  ("x" in $f_2 ? $f_2.x : ("x" in $f_1 ? $f_1.x : x));
Each scope object of a with statement is saved in a temporary, and every name referenced inside the with body becomes a chain of `in` checks, innermost scope first, that falls back to the enclosing binding; note that the `o` in `o.p` is itself rewritten, since it too is looked up through the outer with scope.
See: An Empirical Study on the Rewritability of the with Statement in JavaScript (FOOL 2011)
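The with rewriting above, as an added example that is not SAFE's own code: the `in`-check chain is generated for any nesting depth and then checked against the real `with` semantics on a few constructed objects, including the cases where the inner object lacks the property, where no object has it, where `o` itself is shadowed by a property of o, and where the property is inherited. The function names and the sample objects are assumptions of this example.

```javascript
// Added example, not SAFE's own code: generate the `in`-check chain that the
// withRewriter slide shows and compare it against real `with` semantics.
// Function names and sample objects are assumptions of this example.

// Rewrite a reference to `name` seen inside nested `with` statements whose
// scope objects are held in the temporaries `tmps` (outermost first).  The
// innermost scope is tested first; if no scope object has the property, the
// reference falls through to the ordinary lexical binding.
function rewriteReference(name, tmps) {
  let expr = name;
  for (const tmp of tmps) {
    expr = `("${name}" in ${tmp} ? ${tmp}.${name} : ${expr})`;
  }
  return expr;
}

// The slide's program before and after rewriting.  Both are built with the
// Function constructor so they run in sloppy mode, the only mode that still
// accepts `with`; the parameter `x` plays the enclosing lexical binding.
const WITH_SRC = "with (o) { with (o.p) { return x; } }";
const REWRITTEN_SRC =
  "var $f_1 = o;" +
  // `o` in `o.p` is itself a reference inside with(o), so it is rewritten too
  "var $f_2 = " + rewriteReference("o", ["$f_1"]) + ".p;" +
  "return " + rewriteReference("x", ["$f_1", "$f_2"]) + ";";
const withVersion = new Function("o", "x", WITH_SRC);
const rewrittenVersion = new Function("o", "x", REWRITTEN_SRC);

// Run both versions and report whether they agree.
function compare(o, x) {
  const a = withVersion(o, x);
  const b = rewrittenVersion(o, x);
  return { withResult: a, rewrittenResult: b, same: Object.is(a, b) };
}

// Constructed inputs (assumed for this example).
const cases = {
  slide: { o: { x: 1, y: 2, z: 3, p: { x: 4, y: 5, z: 6 } }, x: 0 },           // inner scope wins: 4
  innerMissing: { o: { x: 1, p: { y: 5 } }, x: 0 },                             // falls back to o.x: 1
  allMissing: { o: { p: {} }, x: 7 },                                           // falls back to lexical x: 7
  shadowedO: { o: { o: { p: { x: 9 } }, p: { x: 4 } }, x: 0 },                 // `o` resolves to o.o: 9
  inherited: { o: Object.assign(Object.create({ x: 8 }), { p: {} }), x: 0 },   // `in` sees prototypes: 8
};
function checkAll() {
  return Object.fromEntries(Object.entries(cases).map(([k, c]) => [k, compare(c.o, c.x)]));
}
console.log(rewriteReference("x", ["$f_1", "$f_2"]));
console.log(checkAll());
```

The `in` operator walks the prototype chain exactly as the object environment record of a with statement does, which is why the inherited case agrees; a rewriting that used hasOwnProperty instead would silently change the program's meaning.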
Evaluating Code
(pipeline diagram repeated; this stage is IR → Interpreter → Result)
Active Research
• CodeCoverage: calculate the ratio of tested code
• Analyzer: perform type-based analysis
• CloneDetector: detect clone code at the AST level
Conclusion
• The very first attempt to provide both a formal specification and an implementation
• Pluggable framework
• ECMAScript 5
• Open source project, available at http://plrg.kaist.ac.kr/research/safe
Thank You!