Static and dynamic combined analysis for bug detection of web apps

JavaScript programs are prevalent, and JavaScript developers need better tools to write high-quality programs. Static analysis is one of the powerful foundations underlying developer tools. However, dynamic features of the language obstruct the practical use of static analysis. Annual language updates require static analyzers to catch up constantly, and host environments require manual effort to handle their extra semantics. By leveraging concrete interpreters, static and dynamic combined analyses have alleviated such challenges. However, they are limited in how far they can exploit the benefits of dynamic analysis. In this thesis, we present a novel static and dynamic combined analysis framework for bug detection in JavaScript web applications. It provides two perspectives on using dynamic analysis: improving analysis precision aggressively by sacrificing soundness, or improving analysis performance soundly. In the first perspective, the dynamic analysis samples partial execution flows from among all possible program behaviors, and the static analysis uses the dynamically collected states. We present a staged combined analysis that precisely analyzes the event loop of web applications with a novel analysis unit, the EventHandler. We also automate the modeling of opaque code in static analysis via dynamic analysis. Although these techniques cannot guarantee the soundness of the analysis, they can aggressively reduce false positives and manual modeling effort, which makes static analysis more practical to use. In the other perspective, we soundly combine static and dynamic analyses to leverage the benefits of high-performance JavaScript engines. We study both directions of alternating abstract and concrete semantics: triggering dynamic analysis during static analysis, and applying abstract semantics on dynamic analysis. Our experiment shows that SAFE_DS, the first direction of combined analysis, is 6.3x faster than the baseline static analyzer SAFE, and that JSCA, the other direction, is 13.7x faster than SAFE_DS.
Advisors
Ryu, Sukyoung (류석영)
Description
Korea Advanced Institute of Science and Technology (KAIST): School of Computing
Publisher
Korea Advanced Institute of Science and Technology (KAIST)
Issue Date
2022
Identifier
325007
Language
eng
Description

Doctoral dissertation (Ph.D.) - Korea Advanced Institute of Science and Technology (KAIST): School of Computing, 2022.2, [v, 68 p.]

URI
http://hdl.handle.net/10203/309234
Link
http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=996363&flag=dissertation
Appears in Collection
CS-Theses_Ph.D. (Doctoral theses)
Files in This Item
There are no files associated with this item.
