The ubiquity of Web 2.0 applications handling sensitive information means that static analysis of applications written in JavaScript has become an important security problem. The highly dynamic nature of the language makes this difficult. The eval construct, which allows execution of a string as program code, is particularly notorious in this regard. Eval is a form of metaprogramming construct: it allows generation and manipulation of program code at run time. Other metaprogramming formalisms are more principled in their behaviour and easier to reason about; consider, for example, Lisp-style code quotations, which we call staged metaprogramming. We argue that, instead of trying to reason directly about uses of eval, we should first transform them to staged metaprogramming, then analyse the transformed program. To demonstrate the feasibility of this approach, we describe an algorithm for transforming uses of eval on strings encoding program text into uses of staged metaprogramming with quoted program terms. We present our algorithm in the context of a JavaScript-like language augmented with staged metaprogramming.