The Eval that Men Do

Similar documents
The Eval that Men Do

User Interaction: jquery

An Empirical Study of PHP Feature Usage: A Static Analysis Perspective

RKN 2015 Application Layer Short Summary

Some Facts Web 2.0/Ajax Security

Copyright Descriptor Systems, Course materials may not be reproduced in whole or in part without prior written consent of Joel Barnum


JavaScript CS 4640 Programming Languages for Web Applications

iframe programming with jquery jquery Summit 2011

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

A Structural Operational Semantics for JavaScript

Discovery data feed for Eid 2.0

JavaScript CS 4640 Programming Languages for Web Applications

Ajax HTML5 Cookies. Sessions 1A and 1B

AJAX: From the Client-side with JavaScript, Back to the Server

Manipulating Web Application Interfaces a New Approach to Input Validation Testing. AppSec DC Nov 13, The OWASP Foundation

Run-time characteristics of JavaScript

CGS 3066: Spring 2015 JavaScript Reference

-- anonymous reviewer

Jquery Ajax Json Php Mysql Data Entry Example

Content Security Policy

Developer Entrepreneur Crazy person

MatJuice. Vincent Foley-Bourgon. April COMP Winter 2014 McGill University

HTML version of slides:

JavaScript. History. Adding JavaScript to a page. CS144: Web Applications

JavaScript: the Big Picture

JavaScript. History. Adding JavaScript to a page. CS144: Web Applications

Using TLC to Check Inductive Invariance

FOR MORE PAPERS LOGON TO

CSCE 120: Learning To Code

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

October 08: Introduction to Web Security

COMP 3400 Programming Project : The Web Spider

Jquery.ajax Call Returns Status Code Of 200 But Fires Jquery Error

JavaScript for PHP Developers

Project 2: After Image

COMP-520 GoLite Tutorial

CSC309 - Winter Lab 9 - Understanding JS Event Loops, Scopes and JSONP

Jinx Malware 2.0 We know it s big, we measured it! Itzik Kotler Yoni Rom

Lecture 8 (7.5?): Javascript

RESTful APIs ECS 189 WEB PROGRAMMING. Browser s view. Browser s view. Browser s view. Browser s view. Which will It be for photobooth?

A Small Interpreted Language

HTTP Security Headers Explained

Lesson 14 SOA with REST (Part I)

Design Document V2 ThingLink Startup

CSE 413 Languages & Implementation. Hal Perkins Winter 2019 Structs, Implementing Languages (credits: Dan Grossman, CSE 341)

JOE WIPING OUT CSRF

Principles of Programming Languages

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

JavaScript: Sort of a Big Deal,

Browser code isolation

Proposal: Judicial Case Law History Timeline viewer CPSC 547

Lab 4. Out: Friday, February 25th, 2005

JOE WIPING OUT CSRF

ethnio tm IMPLEMENTATION GUIDE ETHNIO, INC W SUNSET BLVD LOS ANGELES, CA TEL (888) VERSION NO. 3 CREATED JUL 14, 2017

Why Discuss JavaScript? CS312: Programming Languages. Lecture 21: JavaScript. JavaScript Target. What s a Scripting Language?

16. Objects & JSON. Dr. Dave Parker. Informa;on and the Web, 2014/15

WEB SECURITY: XSS & CSRF

Software Architecture and Engineering: Part II

Working with Database. Client-server sides AJAX JSON Data formats Working with JSON data Request Response Bytes Database

Paradox of Web Leeching

Using Development Tools to Examine Webpages

CSP ODDITIES. Michele Spagnuolo Lukas Weichselbaum

Testing is a very big and important topic when it comes to software development. Testing has a number of aspects that need to be considered.

SEEM4570 System Design and Implementation Lecture 03 JavaScript

CS312: Programming Languages. Lecture 21: JavaScript

The Web of Confusion. Douglas Crockford Yahoo! Inc.

PyBossa.JS JavaScript library for PyBossa

John Coggeshall Copyright 2006, Zend Technologies Inc.

Debugging Your Python Code: For Dummies

Events & Callbacks (ESaaS 6.5)! 2013 Armando Fox & David Patterson, all rights reserved

Client Side JavaScript and AJAX

Human-Computer Interaction Design

Notes on JavaScript (aka ECMAScript) and the DOM

Using Tcl 8.5 Features to Build an OO System

Ajax. David Matuszek's presentation,

Project 3 Web Security Part 1. Outline

Intro To Javascript. Intro to Web Development

Misconceptions about W3C Widgets

Keys to Web Front End Performance Optimization

A.A. 2008/09. Why introduce JavaScript. G. Cecchetti Internet Software Technologies

6.001 Recitation 23: Register Machines and Stack Frames

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

/chapter/1 In the beginning there was request?

ENRICHING PRIMO RECORDS WITH INFORMATION FROM WORDPRESS. Karsten Kryger Hansen Aalborg University Library

The Interpreter + Calling Functions. Scheme was designed by people. The Interpreter + Calling Functions. Clickers. Parentheses Matter We asked scheme

How to approach the web platforms. Peter-Paul Koch Nordic Competence Conference, 12 September 2015

HTML 5 and CSS 3, Illustrated Complete. Unit L: Programming Web Pages with JavaScript

CSC 337. JavaScript Object Notation (JSON) Rick Mercer

KonaKart Shopping Widgets. 3rd January DS Data Systems (UK) Ltd., 9 Little Meadow Loughton, Milton Keynes Bucks MK5 8EH UK

DLint: Dynamically Checking Bad Coding Practices in JavaScript

Security. CSC309 TA: Sukwon Oh

COMS 359: Interactive Media

Software Testing Prof. Meenakshi D Souza Department of Computer Science and Engineering International Institute of Information Technology, Bangalore

CS61A Notes Week 6: Scheme1, Data Directed Programming You Are Scheme and don t let anyone tell you otherwise

APEX Unplugged Building Oracle Application Express Applications That Can Survive Without the Internet. Dan McGhan Senior Technical Consultant

Executive Summary. Performance Report for: The web should be fast. How does this affect me?

Site Audit SpaceX

Understanding Angular Directives By Jeffry Houser

Marketing Training User Guide Internal SharePoint Site. Introduction

Transcription:

The Eval that Men Do Gregor Richard Christian Hammer Brian Burg Jan Vitek Vincent Foley-Bourgon COMP-621 - Winter 2014 McGill University February 2014

The paper Information 3 authors from Purdue University (Go Boilermakers!) Presented at ECOOP 2011 Empirical study of the usage of eval 2 / 62

Plan 1. What is eval? 2. Methodology 3. Results 4. Conclusion 3 / 62

Disclaimers 1. Tables and figures are taken from the paper 4 / 62

Disclaimers 1. Tables and figures are taken from the paper 2. Won t show all the results 5 / 62

Disclaimers 1. Tables and figures are taken from the paper 2. Won t show all the results 3. Personal bias 6 / 62

What is eval? 7 / 62

What is eval? Question: Who can tell me what eval does? 1 1 Someone who is not part of the MCJS team 8 / 62

What is eval? eval takes a string as input and executes it Same as: var name = " bar "; eval ("o." + name + "= " + name + "!! ") ; o. bar = bar!! ; 9 / 62

What is eval? eval takes a string as input and executes it Same as: var name = " bar "; eval ("o." + name + "= " + name + "!! ") ; o. bar = bar!! ; You can pass any arbitrary string to eval: Assignments Conditionals and loops Functions Other calls to eval 10 / 62

What is eval? eval is evil. Avoid it. eval has aliases. Don t use them. Douglas Crockford 11 / 62

What is eval? Question: What are some problems with eval? 12 / 62

What is eval? Question: What are some problems with eval? How does it affect static analysis? 13 / 62

What is eval? eval is the black hole of static analysis It kills everything It generates nothing 15 / 62

What is eval? Example: Reaching defs Let s think about how eval would affect reaching defs. A definition d: x =... reaches a point p if there exits a path from d to p that does not pass through another definition of x. 16 / 62

What is eval? Example: Reaching defs d: x = 0 { d:x=0 } eval(s)? write(x) 17 / 62

What is eval? Example: Reaching defs out(s i ) = gen(s i ) (in(s i ) - kill(s i )) where: gen(s i ) = { d i } if S i is a statement that defines x kill(s i ) = { d j d j defines x } 18 / 62

What is eval? Example: Reaching defs d: x = 0 { d:x=0 } eval(s) write(x) 19 / 62

What is eval? The paper explores how eval is used in practice, and, hopefully, shows that we can replace some of eval s usages with more structured constructs. 20 / 62

Methodology 21 / 62

Methodology Infrastructure TracingSafari: records a trace containing most ops performed by the interpreter (reads, writes, deletes, calls, defines, etc.) Also records properties specific to eval: in particular the provenance of strings, since they could be used as an argument to eval. 22 / 62

Methodology Corpus Question: if you want to do any kind of research on the web, where do you go first? 23 / 62

Methodology Corpus Question: if you want to do any kind of research on the web, where do you go first? 24 / 62

Methodology Corpus Interactive PageLoad Random Manual interaction First 30 seconds PageLoad with with web of execution of a randomly gener- sites web page ated events Top 100 Top 10,000 Top 10,000 1-5 minutes 30 seconds At most 30 events, 1 ev/sec 25 / 62

Methodology Threats to validity Program coverage: they believe their corpus is representative of typical web browsing, even if they miss some functionality. Diversity: web applications in JS vastly out-number any other type of application written in JS. 26 / 62

Results 27 / 62

Are JavaScript and eval even used? 28 / 62

Are JavaScript and eval even used? All top 100 sites use JS and 82 of them use eval 90% of the top 10,000 use JS and 50% use eval Events trigger more calls to eval 29 / 62

What about JS frameworks? 30 / 62

What about JS frameworks? Manual inspection reveals that eval is not required for their operation Used mostly as a fallback for browsers lacking JSON.parse 31 / 62

Patterns of eval 32 / 62

Patterns of eval Many common patterns in the use of eval Some are accepted industry practices (e.g. JSON, async content and library loading) Many result from a poor understanding of JavaScript 33 / 62

Patterns of eval 34 / 62

Patterns of eval JSON m = eval ( {"a": " foo ", "b": [1,2,3]} ) ; Funny note: JSON was invented by Douglas Crockford, so that eval could be used to parse it. 35 / 62

Patterns of eval JSONP eval ( m = {"a": " foo ", "b": [1,2,3]} ) ; eval ( f ({" a": " foo ", "b": [1,2,3]}) ); Used for load balancing across domains (work around the same origin policiy) 36 / 62

Patterns of eval Library Libraries loaded with <script> tag are downloaded, parsed and evaluated synchronously. Workaround: download the library with AJAX, and load it with eval. Detection heuristic: any eval string longer than 512 bytes and definining at least one function. 37 / 62

Patterns of eval Read Field accesses and pseudo arrays. eval (" foo." + x) // foo [x] eval (" arr_ " + 3) An alias to eval can also be used to access a shadowed variable. 38 / 62

Patterns of eval Assign Patterns similar to Read, but with assignments. 39 / 62

Patterns of eval Typeof Strange patterns involving typeof. eval (" typeof (x) === undefined ") // typeof (x) === undefined // x in window 40 / 62

Patterns of eval Try Another case for which we have no satisfying explanation, labeled Try, is to eval try/catch blocks. From bbc.co.uk: eval ( try { throw v =4} catch (e){} ) // v = 4 Authors assume it s the result of a corner case of a code generator. 41 / 62

Patterns of eval Call Method invocations (typically, global functions strings) with parameters that are not padded JSON. eval ( meth + (x) ) // window [ meth ](x) 42 / 62

Patterns of eval Empty eval is called with empty string (or all blanks). eval ("") Likely the default case for eval strings in a code generator. 43 / 62

Patterns of eval Other Patterns not captured by the previous categories. eval (" img1. src = http :// f.ca/t. php?ip=xx ;") ; Encodes data in a URL and sends an HTTP GET request in order to circumvent the same origin policy imposed by the DOM. 44 / 62

Patterns of eval Patterns by websites 45 / 62

Patterns of eval Patterns distribution 46 / 62

Patterns of eval Impact on analysis Most eval call sites in categories other than Library, Other, Call are replaceable by less dynamic features such as JSON.parse, hashmap access, and proper use of JavaScript arrays. On Interactive, these categories account for 76% of all eval d strings; thus, a majority of eval uses are not necessary. 47 / 62

Pattern replacements 48 / 62

Pattern replacements 49 / 62

Provenance of eval strings 50 / 62

Provenance of strings Where do the strings passed to eval come from? Authors used TracingSafari to track their provenance: 51 / 62

Provenance of strings 52 / 62

Provenance of strings Notice how many eval ed strings are constant and composite! 53 / 62

Provenance of strings 54 / 62

Performance impact of eval 55 / 62

Performance impact of eval 56 / 62

Conclusion 57 / 62

Conclusion We started this work with the hope that it would show that eval can be replaced by other features. Unfortunately our data does not support this conclusion. 58 / 62

Conclusion eval is a convenient way of providing a range of features that weren t planned for by the language designers. For example, JSON was created to support (de-)serialization of JavaScript objects. 59 / 62

Conclusion Most accepted uses of eval have been transformed into libraries or new language features recently, and as such no best practices recommends usage of eval. 60 / 62

</presentation> 61 / 62

Big question How would you design an analysis to identify constant and composite strings, so that you could offer suggestions to a programmer that his usage of eval is perhaps not necessary? 62 / 62

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback