BoaSpect: An Expressive Instrumentation Platform for JavaScript

Research output: Chapter in Book/Report/Conference proceeding › Conference paper


Abstract

Instrumentation platforms facilitate the development and deployment of dynamic analyses. The state-of-the-art instrumentation platforms for JavaScript rely on different weaving approaches for instrumentation, offering different levels of analysis expressiveness. The main issue is that they are unable to observe and reason about abstract operations, i.e. operations that are not exposed as language constructs but are used within the runtime. However, abstract operations are pivotal to understanding JavaScript's program behaviour. This paper demonstrates the importance of exposing the ToPrimitive abstract operation, which lies at the core of JavaScript's type coercion. We introduce BoaSpect, an interpreter-based instrumentation platform for JavaScript, which provides increased expressiveness by exposing the ToPrimitive trap through the instrumentation interface. We demonstrate its potential by implementing a novel analysis in BoaSpect to identify a potential security exploit, and a taint analysis which can track information flows precisely in the presence of implicit type coercions.
Original language: English
Title of host publication: Programming Companion 2024 - Proceedings of the 8th International Conference on the Art, Science, and Engineering of Programming
Editors: Emma Soderberg, Luke Church
Publisher: ACM
Pages: 47-51
Number of pages: 5
ISBN (Electronic): 9798400706349
Publication status: Published - 11 Mar 2024
Event: 2024 International Conference on the Art, Science, and Engineering of Programming (<Programming> 2024) - Lund, Sweden
Duration: 11 Mar 2024 – 14 Mar 2024

Publication series

Name: Programming Companion 2024 - Proceedings of the 8th International Conference on the Art, Science, and Engineering of Programming

Conference

Conference: 2024 International Conference on the Art, Science, and Engineering of Programming (<Programming> 2024)
Abbreviated title: Programming
Country/Territory: Sweden
City: Lund
Period: 11/03/24 – 14/03/24

Bibliographical note

Funding Information:
We would like to thank the anonymous reviewers for their comments which helped improve the paper. Angel Luis Scull Pupo is funded by the Flanders Innovation & Entrepreneurship - Cybersecurity Initiative Flanders.

Publisher Copyright:
© 2024 Copyright held by the owner/author(s). Publication rights licensed to ACM.

Keywords

  • JavaScript
  • dynamic analysis
  • instrumentation platform
  • expressiveness
