Towards secure web applications with static analysis

Abstract

Current static analysis techniques for JavaScript programs are often ineffective and inefficient in detecting security vulnerabilities in web applications due to the dynamic nature of the JavaScript language. One of the most challenging dynamic features that complicate the inference of static properties is read/write accesses to object fields the names of which are computed at runtime. Such code patterns are difficult to analyze precisely, due to weak updates and limitations of unrolling techniques. Furthermore, JavaScript programs are growing due to the complex logic and especially due to the extensive uses of multiple libraries

existing static analysis techniques cannot yet analyze such programs effectively.

In this dissertation, we observe that local reasoning about object copies can infer precise field correspondence relations, and we propose an abstraction which allows to separately reasoning about field read/write access patterns in different fields. We formalize and implement an analysis based on this technique, and evaluate the performance and precision of the analysis on the computation of call-graph information for examples from jQuery tutorials. Then, we present a novel approach to analyze large-scale JavaScript programs statically by tuning the analysis scalability possibly giving up its soundness. We formally describe our framework, present two instances of the framework, and implement them using two open-source JavaScript analyzers. We evaluate the performance and precision of two instances for large-scale real-world JavaScript applications. At last, we implement a static taint analysis, which can detect security vulnerabilities in web applications, as a client analysis, and evaluate the usefulness of our analysis techniques on detection of security vulnerabilities for jQuery examples and real-world programs. Our analysis tool automatically proved the absence of security vulnerability from 60 out of 71 jQuery tutorial programs. Our tuned analysis tool detected nine alarms of security vulnerability from 16 websites, and only one of nine alarms was false positive.