Towards secure web applications with static analysis (Korean title: Design and application of JavaScript static analysis for developing secure web applications)

Current static analysis techniques for JavaScript programs are often ineffective and inefficient in detecting security vulnerabilities in web applications due to the dynamic nature of the JavaScript language. One of the most challenging dynamic features that complicate the inference of static properties is read/write access to object fields whose names are computed at runtime. Such code patterns are difficult to analyze precisely, due to weak updates and limitations of unrolling techniques. Furthermore, JavaScript programs are growing due to complex logic and especially due to the extensive use of multiple libraries; existing static analysis techniques cannot yet analyze such programs effectively. In this dissertation, we observe that local reasoning about object copies can infer precise field correspondence relations, and we propose an abstraction that allows reasoning separately about field read/write access patterns in different fields. We formalize and implement an analysis based on this technique, and evaluate the performance and precision of the analysis on the computation of call-graph information for examples from jQuery tutorials. Then, we present a novel approach to analyzing large-scale JavaScript programs statically by tuning the analysis scalability, possibly giving up its soundness. We formally describe our framework, present two instances of the framework, and implement them using two open-source JavaScript analyzers. We evaluate the performance and precision of the two instances on large-scale real-world JavaScript applications. Finally, we implement a static taint analysis, which can detect security vulnerabilities in web applications, as a client analysis, and evaluate the usefulness of our analysis techniques for detecting security vulnerabilities in jQuery examples and real-world programs. Our analysis tool automatically proved the absence of security vulnerabilities in 60 out of 71 jQuery tutorial programs. Our tuned analysis tool raised nine security vulnerability alarms across 16 websites, and only one of the nine alarms was a false positive.
Advisors
Ryu, Sukyoung (류석영)
Description
School of Computing
Publisher
Korea Advanced Institute of Science and Technology (KAIST)
Issue Date
2018
Identifier
325007
Language
eng
Description

Doctoral dissertation (Ph.D.) - School of Computing, 2018.8, [v, 77 p.]

Keywords

Static analysis; abstract interpretation; JavaScript; private information leakage; security

URI
http://hdl.handle.net/10203/265324
Link
http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=828229&flag=dissertation
Appears in Collection
CS-Theses_Ph.D. (Doctoral theses)
Files in This Item
There are no files associated with this item.
