Dr. Julian Dolby
IBM Thomas J. Watson Research Center
As the Web becomes the dominant interface to ever more aspects of life, we become ever more dependent upon Web technology to protect our security and privacy. However, the impossible dream refers to the difficulty of ensuring that current Web technology, which is heavily based on JavaScript, actually does this. In this talk, I shall discuss our experience at IBM Research in building static program analysis to check security properties.
Static program analysis for JavaScript must navigate between attempts at soundness that become intractable, and shortcuts that result in missing important parts of the program. While much progress has been made on traditional program analysis for JavaScript, doing conservative analysis remains challenging; our recent work has therefore focused on various forms of unsoundness to make analysis tractable. Such unsoundness impacts clients built on such analysis, both in terms of cost and precision.
Our focus is on security analysis, and to support our security analysis clients we face two key challenges arising from the imprecise and incomplete data available from our approximate analysis:
1) Our imprecise call graph conflates methods with the same property name. A method such as toString, for example, is a source of taint in some cases, but it is not acceptable to decide that all calls to such a ubiquitous method are sources of taint.
2) We do not have a complete pointer analysis approximation available, and hence we need to name sources of taint without relying on a heap abstraction. However, sources of taint in JavaScript are often complex paths in the heap.
To address these challenges, we use a flow-sensitive propagation of access paths and we generalize access paths to encompass method calls. I will present our analysis primarily through a series of examples, and discuss our experience so far that suggests this form of analysis is a practical approach that can, to a great extent, overcome the limitations of current static analysis technology.
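As an added illustration of the idea (not code from the talk or from WALA), the toy checker below names taint sources as heap access paths, treats a method call as one more path step so that only `document.location.toString()` is a source rather than every `toString`, and propagates aliases in program order so a later rebinding kills earlier taint. The mini IR, the source list and the `eval` sink are all constructed for this example.

```javascript
// Taint sources are named as access paths; a segment ending in "()" is a
// method-call step, so only toString on document.location is a source.
const SOURCES = ["document.location.hash", "document.location.toString()"];
const SINK = "eval";

// Rewrite a path's first segment through the current alias environment.
function resolve(path, env) {
  const [head, ...rest] = path.split(".");
  const base = env.has(head) ? env.get(head) : head;
  return [base, ...rest].join(".");
}

// A path is tainted when some source path is a prefix of it.
function isTainted(path) {
  return SOURCES.some(src => path === src || path.startsWith(src + "."));
}

// Statements are processed in program order; each assignment rebinds its
// variable (a strong update), which is what makes the analysis flow-sensitive.
// Returns the indices of sink calls that receive a tainted access path.
function analyze(stmts) {
  const env = new Map();
  const findings = [];
  stmts.forEach((s, i) => {
    if (s.kind === "assign") {
      // A fresh object literal gets a unique path that can never match a source.
      env.set(s.lhs, s.rhs === "{}" ? `fresh@${i}` : resolve(s.rhs, env));
    } else if (s.kind === "call" && s.callee === SINK && isTainted(resolve(s.arg, env))) {
      findings.push(i);
    }
  });
  return findings;
}

// Constructed program in the mini IR (assign / call statements only).
const PROGRAM = [
  { kind: "assign", lhs: "loc", rhs: "document.location" },        // 0: alias of a source prefix
  { kind: "assign", lhs: "s", rhs: "loc.toString()" },             // 1: resolves to a source path
  { kind: "call", callee: "eval", arg: "s" },                       // 2: finding
  { kind: "assign", lhs: "t", rhs: "config.toString()" },          // 3: same method name, not a source
  { kind: "call", callee: "eval", arg: "t" },                       // 4: no finding
  { kind: "assign", lhs: "loc", rhs: "{}" },                        // 5: rebinding kills the alias
  { kind: "call", callee: "eval", arg: "loc.hash" },                // 6: no finding
  { kind: "call", callee: "eval", arg: "document.location.hash" }, // 7: finding
];

console.log(analyze(PROGRAM)); // [2, 7]
```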
Julian Dolby has been a Research Staff Member at IBM's Thomas J. Watson Research Center since 2000. He works on a range of topics, including static program analysis and software testing. His program analysis work has recently been focused on scripting languages like JavaScript and on security analysis of Web applications; this work has been included in IBM products, most notably Rational AppScan Source Edition 10, and he is one of the primary authors of the publicly available Watson Libraries for Analysis (WALA) program analysis infrastructure. His testing work has been primarily focused on Web applications in the Apollo project, and on finding concurrency bugs using both dynamic execution and model checking. He was educated at the University of Wisconsin-Madison as an undergraduate, and at the University of Illinois at Urbana-Champaign as a graduate student, where he worked with Professor Andrew Chien on programming systems for massively parallel machines.