JasFree: Grammar-free Program Analysis for JavaScript Bytecode

Bibliographic details
Published in: IEEE ... International Conference on Trust, Security and Privacy in Computing and Communications (Online), pp. 326 - 337
Main authors: Jiang, Hao; Lai, Haiwei; Wu, Si; Hua, Baojian
Format: Conference paper
Language: English
Publication details: IEEE 17.12.2024
ISSN:2324-9013
Description
Summary: JavaScript is rapidly being deployed as binaries in security-critical embedded domains, including IoT devices, edge computing, and smart automotive applications. Ensuring the security of JavaScript binaries in these domains necessitates comprehensive binary code analysis. However, despite the urgent need, a universal approach to analyzing JavaScript binaries is lacking due to the bytecode heterogeneity across the various JavaScript virtual machines. In this paper, to fill this gap, we present the first grammar-free, universal program analysis approach tailored for JavaScript binaries. We first design a syntax-independent intermediate representation called JasByte to encode diverse JavaScript binaries. We then develop a universal translator equipped with a set of APIs to transform JavaScript binaries into JasByte. We design a suite of program analysis algorithms for error detection, debugging, and fuzzing, to identify bugs in JavaScript VMs. We design and implement a software prototype JasFree and conduct extensive evaluations. Our results show that JasFree effectively enables construction of diverse static and dynamic analysis by reducing the overhead from 660.38% to 290.84%, outperforming the state-of-the-art tool Jalangi2. Moreover, JasFree facilitates effective mutation of JasByte, resulting in the detection of 25 new vulnerabilities, all of which were missed by existing methods.
DOI:10.1109/TrustCom63139.2024.00066