Static Detection of User-specified Security Vulnerabilities in Client-side JavaScript

Program defects tend to surface late in the development of programs, and they are hard to detect. Security vulnerabilities are particularly important defects to detect. They may cause sensitive information to be leaked or the system on which the program is executed to be compromised. Existing approaches that use static analysis to detect security vulnerabilities in source code are often limited to a predetermined set of encoded security vulnerabilities. Although these approaches support a decent number of vulnerabilities by default, they cannot be configured for detecting vulnerabilities that are specific to the application domain of the analyzed program. In this paper we present JS-QL, a framework for detecting user-specified security vulnerabilities in JavaScript applications statically. The framework makes use of an internal domain-specific query language hosted by JavaScript. JS-QL queries are based on regular path expressions, enabling users to express queries over a flow graph in a declarative way. The flow graph represents the run-time behavior of a program and is computed by a static analysis. We evaluate JS-QL by expressing 9 security vulnerabilities supported by existing work and comparing the resulting specifications. We conclude that the combination of static analysis and regular path expressions lends itself well to the detection of user-specified security vulnerabilities.
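As an added illustration of the idea the abstract describes (a regular path expression evaluated over a flow graph), and not JS-QL's actual syntax or API, the following matcher runs a user-written source-to-sink query over a small constructed flow graph; the node kinds, the `location.hash`-to-`eval` pattern and the query step format are all assumptions made for this example.

```javascript
// Added example (not JS-QL's real API): a minimal regular-path-query matcher over a
// constructed flow graph. A query step has a node predicate plus a `star` flag that
// means "zero or more consecutive nodes", like p* in a regular expression.
// Constructed flow graph: location.hash is read and eventually reaches eval.
// With `direct` true an extra edge lets the value bypass the sanitizer.
function buildGraph(direct) {
  return {
    nodes: {
      n0: { kind: 'entry' }, n1: { kind: 'read', name: 'location.hash' },
      n2: { kind: 'sanitize' }, n3: { kind: 'assign' },
      n4: { kind: 'call', callee: 'eval' },
    },
    edges: { n0: ['n1'], n1: direct ? ['n2', 'n3'] : ['n2'],
             n2: ['n3'], n3: ['n4'], n4: [] },
  };
}
// User-specified query: source, then any run of non-sanitizing nodes, then sink.
const taintedEval = [
  { star: false, pred: n => n.kind === 'read' && n.name === 'location.hash' },
  { star: true,  pred: n => n.kind !== 'sanitize' },
  { star: false, pred: n => n.kind === 'call' && n.callee === 'eval' },
];
// Query states reachable from state s by skipping zero or more star steps.
function closure(query, s) {
  const states = [s];
  for (let t = s; t < query.length && query[t].star; t++) states.push(t + 1);
  return states;
}
// Explore the product of the flow graph and the query automaton. The seen set keeps
// the search finite on cyclic graphs; every accepting (node, state) pair is still
// reached, so a witness path is reported whenever a match exists.
function runQuery(g, query) {
  const matches = [], seen = new Set();
  function walk(id, state, path) {
    const key = `${id}:${state}`;
    if (seen.has(key)) return;
    seen.add(key);
    for (const t of closure(query, state)) {
      if (t === query.length || !query[t].pred(g.nodes[id])) continue;
      const next = query[t].star ? t : t + 1;      // stay on a star step, else advance
      const here = [...path, id];
      if (closure(query, next).includes(query.length)) matches.push(here);
      for (const succ of g.edges[id]) walk(succ, next, here);
    }
  }
  for (const id of Object.keys(g.nodes)) walk(id, 0, []);   // query may start anywhere
  return matches;
}
```

With the bypass edge present the query reports the witness path n1, n3, n4; once every path from the source passes through the sanitizer node, the same query reports nothing.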
