JavaScript: Features, Trends, and Static Analysis Joonwon Choi ROPAS Show & Tell 01/25/2013 1
Contents What is JavaScript? Features Trends Static Analysis Conclusion & Future Works 2
What is JavaScript? Scripting language equipped with prototype, dynamic type, and first-class functions. Formalized in the ECMAScript ECMAScript JavaScript JScript ActionScript 3
Features Prototype Object Undefined / Null Type Conversion Primitive Types With / Eval Attributes Arguments First-class Function Inheritances are implemented by prototypes function Person(n) { this.setname(n); Person.prototype.setName = function(n) { this.name = n; function Student(n,s) { this.b = Person; this.b(n); delete this.b; this.studentid = s.tostring(); Student.prototype = new Person; Dynamic Type 4
Features Prototype Object Undefined / Null Type Conversion Primitive Types With / Eval Attributes Object is just a mapping from strings to values var a = new Object(); a.property = 3; assert(a.property === 3); // true assert(a[ property ] === 3); // true var s = prop ; s = s + erty ; assert(a[s] === 3); // true Arguments First-class Function Dynamic Type 5
Features Prototype Object Undefined / Null Type Conversion Primitive Types With / Eval Attributes Arguments First-class Function Dynamic Type Null is a value with a type null var a = null; assert (a === null); // true assert (a === undefined); // false var b; assert (b === null); // false assert (b === undefined); // true Pitfalls: should use appropriate operators var a = false; assert (a == null); // true assert (a === null); // false var b; assert (b == null); // true assert (b === null); // false 6
Features Prototype Object Undefined / Null Type Conversion Primitive Types With / Eval Attributes Arguments First-class Function Dynamic Type Null is a value with a type null var a = null; assert (a === null); // true assert (a === undefined); // false var b; assert (b === null); // false assert (b === undefined); // true Pitfalls: should use appropriate operators var a = false; assert (a == null); // true assert (a === null); // false var b; assert (b == null); // true assert (b === null); // false == compares only values, === compares values and types 7
Features Prototype Object Undefined / Null Type Conversion Primitive Types Type conversions are implicitly, frequently occurred, with no exceptions var a = Hello World! ; bar b = 12; a = a + b; assert (a === Hello World!12 ); // true With / Eval Attributes Arguments First-class Function Dynamic Type 8
Features Prototype Object Undefined / Null Type Conversion Primitive Types Primitive types are different from wrapped primitive types var a = Hello World ; var b = new String( Hello World ); assert (a == b); // true assert (a === b); // false With / Eval Attributes Arguments First-class Function Dynamic Type 9
Features Prototype Object Undefined / Null Type Conversion Primitive Types With / Eval Attributes Some TOO complicated features... var a = new Object(); a.property = Hello World ; with(a) { assert(property === Hello World ); // true a.eval_string = a.property = 13 ; eval(a.eval_string); assert(a.property === 13); // true Arguments First-class Function Dynamic Type 10
Features Prototype Object Undefined / Null Properties can have attributes var a = document.url; assert (a === document.url); // true document.url = Hello World ; // impossible, ReadOnly Type Conversion Primitive Types With / Eval Attributes Arguments First-class Function Dynamic Type 11
Features Prototype Object Undefined / Null Type Conversion Primitive Types With / Eval Attributes Functions can have arbitrary number of args function alerter() { var s = ; for (arg in arguments) { s = s + + arg; alert(s); alerter(1, Hello, 3, World ); // alerts 1 Hello 3 World Arguments First-class Function Dynamic Type 12
Features Prototype Object Undefined / Null Type Conversion Primitive Types With / Eval Attributes Functions are first-class objects function increase(i) { return (i+1); function executor(f, i) { return f(i); var func = increase; assert(executor(func, 1) === 2); // true Arguments First-class Function Dynamic Type 13
Features Prototype Object Undefined / Null Type Conversion Primitive Types With / Eval Attributes Types can be dynamically changed var X; if (unknown_statement) { X = Object; else { X = Array; var y = new X(5); // What is the type of y? Arguments First-class Function Dynamic Type 14
Trends Prototypes Frequently used Alternative for object-oriented inheritance Analysis problem: objects prototypes can be dynamically changed 15
Trends Properties Mostly initialized during object creation, like a constructor. function Person(n) { this.setname(n); Person.prototype.setName = function(n) { this.name = n; Rarely deleted, i.e., delete operator is rarely used. 16
Trends With / Eval Without with, eval is evil. Deprecated. 17
Trends Codes & Benchmarks Codes are not too long (in web, ~5,000 lines) Existence of well-known benchmarks Chrome Experiments Top 1,000 sites 18
Static Analysis Abstract Interpretation Anders Møller, Type Analysis for JavaScript JavaScript > IR Abstracted value Value= Undef Null Bool Num String P(L) Does not treat eval 19
Static Analysis Static Taint Analysis Salvatore Guarnieri, Saving the World Wide Web from Vulnerable JavaScript Supports prototype-chain property lookups Handles lexical scoping by SSA form 20
Static Analysis Our goal To find malicious behaviors in Tizen web apps, Using source/sink analysis, May design value analysis, if necessary. On SAFE 1 IR 1) H. Lee, S. Won, J. Jin, J. Cho, S. Ryu, "SAFE: Formal Specification and Implementation of a Scalable Analysis Framework for ECMAScript," 2012 International Workshop on Foundations of Object-Oriented Languages, October 2012. 21
Conclusion & Future Works Conclusion JavaScript has a lot of complicated features. But trends may make static analysis feasible. Future Works Design a big picture of analysis Take a look into SAFE structures 22