SAFE Formal Specification and Implementation of a Scalable Analysis Framework for ECMAscript PLRG@KAIST Hongki Lee, Sooncheol Won, Joonho Jin, Junhee Cho, and Sukyoung Ryu


Post on 22-May-2020


SAFE: Formal Specification and Implementation of a Scalable Analysis Framework for ECMAscript

PLRG@KAIST

Hongki Lee, Sooncheol Won, Joonho Jin, Junhee Cho, and Sukyoung Ryu


Contents

• Introduction

• Big Picture

• Formal Specification

• Implementation

• Active Research

• Conclusion


Introduction


JavaScript

• ECMAScript Language Specification

• Prototype-based inheritance

• Dynamic Features

- eval function, with statement

• Security Vulnerability Issues

- XSS


Previous Work

• Under-documented

• Not open to the public

• Handwritten Parser & AST nodes

• ECMAScript3 or Subset of Language

• λJS, TAJS, FBJS, Caja, Rhino, ...


SAFE

• Well-documented

• Open Source

• Auto-generated Parser & AST nodes

• Full ECMAScript5

• Formal Specification with Implementation

The very first attempt!


Big Picture


[Figure: SAFE pipeline]

JavaScript → Parser → AST → AST2IR → IR → IR2CFG → CFG

AST refinement: withRewriter, Disambiguator, Hoister

Interpreter → Result

Other components: CloneDetector, CodeCoverage, Analyzer



Formal Specification


Levels of Representations

• AST (Abstract Syntax Tree)

- To analyze at code level

• IR (Intermediate Representation)

- To evaluate code

• CFG (Control Flow Graph)

- To trace control flows


IR Semantics


Translation Rule

• AST to IR

• IR to CFG


JavaScript:

    var sum = 0;
    for(var i = 1; i <= 10; i++) sum += i;
    _<>_print(sum);

AST:

    var i;
    var sum;
    sum = 0;
    for(i = 1; i <= 10; i++) sum += i;
    _<>_print(sum);

IR:

    var i
    var sum
    sum = 0
    i = 1
    <>break<>1 : {
      while(i <= 10) {
        <>continue<>2 : sum = sum + i
        <>old<>3 = i
        <>new<>4 = <>Global<>toNumber(<>old<>3)
        i = <>new<>4 + 1
        <>Global<>ignore = <>new<>4
      }
    }
    <>Global<>ignore = <>Global<>print(sum)

CFG:

[Figure: control flow graph with nodes Entry, Exit, ExitExc]


Implementation


Implementation

• Automated tools

• Java and Scala

- Java Libraries

- Scala Pattern Matching

• Pluggable


AST Refinement


Hoister

Before:

    f();
    function f() { x = 1 };
    var x;
    // x = 1

After Hoister:

    function f() { x = 1 };
    var x;
    f();
    // x = 1

With Hoister, functions and variables are defined before use


Disambiguator

Before:

    var x = 0;
    function g() {
      x; // x = ?
      var x = 1;
    }

After Disambiguator:

    var x_1 = 0;
    function g() {
      var x_2;
      x_2; // x = ?
      x_2 = 1;
    }

Distinguish two ‘x’ variables


withRewriter

Before:

    var o = {x:1, y:2, z:3};
    o.p = {x:4, y:5, z:6};

    with(o) {
      with(o.p) {
        x;
      }
    }

After withRewriter:

    var o = {x:1, y:2, z:3};
    o.p = {x:4, y:5, z:6};

    var $f_1 = o;
    var $f_2 = ("o" in $f_1 ? $f_1.o : o).p;
    ("x" in $f_2 ? $f_2.x : ("x" in $f_1 ? $f_1.x : x));

An Empirical Study on the Rewritability of the with Statement in JavaScript - FOOL2011
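
The rewriting pattern on this slide, as an added example that is not taken from the slides or from SAFE's code base: it generates the `in`-guarded lookups for any nesting depth (a generalization of the two-level case shown) and runs them beside the original with code on constructed inputs. The chain format and all function names are assumptions made for this illustration.

```javascript
// Added example, not SAFE's code. `chain` lists the with-objects, outermost
// first, each as a base identifier plus a property path (hypothetical format).
const chain = [{ base: "o", path: "" }, { base: "o", path: ".p" }];

// Resolve `name` against the first `depth` with-objects, innermost first,
// falling back to the plain variable when no object has the property.
function lookup(name, depth) {
  let expr = name;
  for (let k = 1; k <= depth; k++) {
    expr = `(${JSON.stringify(name)} in $f_${k} ? $f_${k}.${name} : ${expr})`;
  }
  return expr;
}

// Rewritten body: one $f_k temporary per with-object, then the guarded read.
function rewriteWith(chain, name) {
  const decls = chain.map((w, i) =>
    `var $f_${i + 1} = ${lookup(w.base, i)}${w.path};`);
  return decls.join("\n") + "\nreturn " + lookup(name, chain.length) + ";";
}

// Original body using nested `with` statements.
function originalWith(chain, name) {
  const open = chain.map((w) => `with (${w.base}${w.path}) {`).join(" ");
  return `${open} return ${name}; ${"}".repeat(chain.length)}`;
}

// `with` is a syntax error in strict code; Function-constructor bodies are
// sloppy, so both versions run here with `o` and an outer variable `x`.
function run(body, o, x) {
  return new Function("o", "x", body)(o, x);
}

function compare(o, x) {
  return {
    viaWith: run(originalWith(chain, "x"), o, x),
    viaRewrite: run(rewriteWith(chain, "x"), o, x),
  };
}

// Constructed inputs: the slide's objects plus edge cases.
const slide = { x: 1, y: 2, z: 3 };
slide.p = { x: 4, y: 5, z: 6 };
const cases = [
  compare(slide, 0),                                // found in o.p
  compare({ x: 1, p: { y: 5 } }, 0),                // falls back to o.x
  compare({ p: {} }, 99),                           // falls back to variable x
  compare({ o: { p: { x: 7 } }, p: { x: 4 } }, 0),  // property o.o shadows variable o
  compare({ x: 1, p: { x: undefined } }, 0),        // present but undefined
];
console.log(rewriteWith(chain, "x"), cases);
```

The last two cases show why the rewrite guards every identifier with `in`, including the `o` inside `o.p`: a with-object can shadow the variable that names it, and a property that exists with the value undefined must still win over the outer scope.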


Evaluating Code


Active Research


• Calculate the ratio of tested code

• Perform type-based analysis

• Detect clone code at the AST level


Conclusion

• The very first attempt to provide both formal specification and implementation

• Pluggable framework

• ECMAScript 5

• Open Source Project, available at http://plrg.kaist.ac.kr/research/safe


Thank You!