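Authors: 龚伟刚 (Gong Weigang), 游伟 (You Wei)[1,2], 李赞 (Li Zan), 石文昌 (Shi Wenchang)[1,2], 梁彬 (Liang Bin)
Affiliations: [1] Key Laboratory of Data Engineering and Knowledge Engineering, Ministry of Education (Renmin University of China), Beijing 100872; [2] School of Information, Renmin University of China, Beijing 100872
Source: 《计算机科学》 (Computer Science), 2017, No. 11, pp. 22-26, 49 (6 pages)
Funding: Supported by the National Natural Science Foundation of China (61170240; 91418206; 61472429) and the National Science and Technology Major Project (2012ZX01039-004)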
Abstract: Static analysis has been widely employed in the security analysis of JavaScript programs. However, JavaScript programs can use functions such as eval to generate code at runtime, and this dynamically generated code is hard to obtain by static analysis alone. One feasible approach is to collect the code by running the target program dynamically and then analyze it statically. However, dynamic execution of the target program can explore only a finite number of execution paths and will miss the dynamically generated code in other paths. To address this problem, this paper presents a counterfactual execution method based on dynamic instrumentation. In this method, the JavaScript engine is modified so that counterfactual execution structures are instrumented on the fly during its parse phase, so that both the branch that would ordinarily be executed and the branch whose condition does not hold are run. With this form of instrumentation, even when functions like eval are called in a nested manner, the dynamically generated code is also instrumented. In addition, an on-demand undo method is implemented to undo the effect of assignments inside counterfactual execution structures while avoiding redundant operations. The evaluation results show that the implemented method can effectively expand the coverage of execution paths in dynamic analysis.
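Keywords: counterfactual execution; path coverage; dynamic analysis; JavaScript
Classification number: TP309.2 [Automation and Computer Technology: Computer System Architecture]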