Toward Analysis and Bug Finding in JavaScript Web Applications in the Wild

We present our journey toward analyzing and finding bugs in JavaScript web applications in the wild. We describe the technical challenges of analyzing such applications and our solutions to those challenges, realized in a series of open-source analysis frameworks: the Scalable Analysis Framework for ECMAScript (SAFE) family.
