Abstract
Instrumentation platforms facilitate the development and deployment of dynamic analyses. The state-of-the-art instrumentation platforms for JavaScript rely on different weaving approaches for instrumentation, offering different levels of analysis expressiveness. The main issue is that they are unable to observe and reason about abstract operations, i.e. operations that are not exposed as language constructs but are used within the runtime. However, abstract operations are pivotal to understanding JavaScript's program behaviour. This paper demonstrates the importance of exposing the ToPrimitive abstract operation, which lies at the core of JavaScript's type coercion. We introduce BoaSpect, an interpreter-based instrumentation platform for JavaScript, which provides increased expressiveness by exposing the ToPrimitive trap through the instrumentation interface. We demonstrate its potential by implementing a novel analysis in BoaSpect to identify a potential security exploit, and a taint analysis which can track information flows precisely in the presence of implicit type coercions.
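The point about abstract operations can be seen in plain JavaScript. The following is an added example, not code from the paper and not BoaSpect's instrumentation interface: it approximates a ToPrimitive trap for a single object by installing `Symbol.toPrimitive`, and records the hint of every implicit coercion. The names `ordinaryToPrimitive`, `traceCoercions` and `demo`, and the `tainted` flag, are hypothetical.

```javascript
// Constructed example: a user-level stand-in for a ToPrimitive trap.
// A real platform hooks the abstract operation inside the interpreter;
// here Symbol.toPrimitive is installed on one object to observe it.

// OrdinaryToPrimitive per ECMAScript: try toString/valueOf in hint order.
function ordinaryToPrimitive(obj, hint) {
  const order = hint === "string" ? ["toString", "valueOf"] : ["valueOf", "toString"];
  for (const name of order) {
    const fn = obj[name];
    if (typeof fn === "function") {
      const result = fn.call(obj);
      const isObject = typeof result === "object" || typeof result === "function";
      if (result === null || !isObject) return result;
    }
  }
  throw new TypeError("Cannot convert object to primitive value");
}

// Wraps `obj` so every implicit coercion is appended to `log` with its hint.
function traceCoercions(obj, log) {
  Object.defineProperty(obj, Symbol.toPrimitive, {
    value(hint) {
      const result = ordinaryToPrimitive(this, hint);
      // The label lives on the object; the primitive that leaves here has none.
      log.push({ hint, result, tainted: this.tainted === true });
      return result;
    },
  });
  return obj;
}

// None of these expressions contains a call, yet each one runs ToPrimitive.
function demo() {
  const log = [];
  const secret = traceCoercions(
    { tainted: true, valueOf: () => 42, toString: () => "s3cret" }, log);
  const results = [
    `${secret}`,            // hint "string"
    +secret,                // hint "number"
    secret + "",            // hint "default" (valueOf wins)
    secret == 42,           // hint "default"
    secret < 50,            // hint "number"
    { s3cret: 1 }[secret],  // property key: hint "string"
  ];
  return { log, results };
}
```

Each log entry marks a point where a labelled object became an unlabelled primitive, which is the flow a taint analysis has to follow through implicit coercion.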
Original language | English |
---|---|
Title of host publication | Programming Companion 2024 - Proceedings of the 8th International Conference on the Art, Science, and Engineering of Programming |
Editors | Emma Soderberg, Luke Church |
Publisher | ACM |
Pages | 47-51 |
Number of pages | 5 |
ISBN (Electronic) | 9798400706349 |
Publication status | Published - 11 Mar 2024 |
Event | 2024 International Conference on the Art, Science, and Engineering of Programming (<Programming> 2024) - Lund, Sweden; Duration: 11 Mar 2024 → 14 Mar 2024 |
Publication series
Name | Programming Companion 2024 - Proceedings of the 8th International Conference on the Art, Science, and Engineering of Programming |
---|
Conference
Conference | 2024 International Conference on the Art, Science, and Engineering of Programming (<Programming> 2024) |
---|---|
Abbreviated title | Programming |
Country/Territory | Sweden |
City | Lund |
Period | 11/03/24 → 14/03/24 |
Bibliographical note
Funding Information: We would like to thank the anonymous reviewers for their comments which helped improve the paper. Angel Luis Scull Pupo is funded by the Flanders Innovation Entrepreneurship - Cybersecurity Initiative Flanders.
Publisher Copyright:
© 2024 Copyright held by the owner/author(s). Publication rights licensed to ACM.
Keywords
- JavaScript
- dynamic analysis
- instrumentation platform
- expressiveness