Samsung / jalangi2

Dynamic analysis framework for JavaScript


Data flow / taint analysis of JavaScript code

ZAhmaad opened this issue · comments

Hi:)

I started working on Jalangi2 a couple of weeks ago. I couldn't find a simple taint/data-flow analysis in Jalangi2 like the one we have in Jalangi. Actually, I want to track explicit flows in JavaScript programs using Jalangi2, and to define the set of sources (i.e., APIs returning some user input/tainted data) and sinks (i.e., APIs sending data to some "critical" components). As Jalangi is inactive now, can you please suggest a solution in this case? Thank you in advance.

@Zubairahmad09 thanks for the question. At a high level, I would suggest trying to use shadow memory to track extra metadata on which data is tainted:

https://github.com/Samsung/jalangi2/blob/master/src/js/runtime/SMemory.js

The issue you might run into is that with Jalangi2, you cannot directly associate metadata with strings, or any primitive values. So some thinking would be required as to how to track tainted strings.

@behnazh-w do you by any chance have any suggestions here based on your experience?

As @msridhar pointed out, it gets tricky when you need to track tainted primitive values. Jalangi2 does not support it out of the box and you need to use boxing and unboxing to associate the metadata. Note that boxing techniques should be used with care especially in the presence of external code that is not instrumented (such as libraries and runtime APIs), otherwise it's very easy to change the semantics and break the app.

Thanks @behnazh-w! Just in case, "boxing" refers to using the wrapper object types for primitives:

https://developer.mozilla.org/en-US/docs/Glossary/Primitive#primitive_wrapper_objects_in_javascript

@Zubairahmad09 hope this helps. I am closing for now, but if you have further questions let us know.
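The two ideas raised above, shadow memory keyed by object identity and boxing of primitives so they gain an identity, can be modelled in plain Node.js without Jalangi2. The following is an added illustration, not code from the jalangi2 project or from anyone in this thread; the names `setTaint`, `getTaint`, `box`, `concat`, `checkSink` and the labels `query_param` / `cookie` are assumptions chosen for the example, and the "sink" only reports which source labels reached it. It also shows the semantics change that the boxing caveat warns about: once a string is wrapped in a `String` object, `typeof`, strict equality and truthiness all behave differently, and a native `+` on the box silently yields an unlabelled primitive.

```javascript
'use strict';
// Added example (not from the jalangi2 project): a minimal model of taint
// tracking via shadow memory plus boxing of primitive strings.

// Shadow memory: object identity -> Set of taint labels (e.g. source names).
// WeakMap keys must be objects, which is exactly why primitives cannot carry
// metadata this way.
const shadow = new WeakMap();

function setTaint(obj, label) {
  // Throws a TypeError if `obj` is a primitive (no identity to key on).
  if (!shadow.has(obj)) shadow.set(obj, new Set());
  shadow.get(obj).add(label);
  return obj;
}

function getTaint(value) {
  // Primitives have no identity, so they can carry no shadow metadata.
  if (value === null || (typeof value !== 'object' && typeof value !== 'function')) {
    return new Set();
  }
  return shadow.get(value) || new Set();
}

// Boxing: wrap a primitive string in a String object so it can be labelled.
function box(str, label) {
  return setTaint(new String(str), label);
}

// Taint-aware concatenation: the result is boxed and inherits both operands'
// labels. A real analysis would do this in the instrumented binary-operator
// hook rather than require callers to use a helper.
function concat(a, b) {
  const out = new String(String(a) + String(b));
  for (const v of [a, b]) for (const l of getTaint(v)) setTaint(out, l);
  return out;
}

// Modelled sink: report which source labels reached it instead of acting.
function checkSink(value) {
  return [...getTaint(value)].sort();
}

// The semantic hazards of boxing, as seen by uninstrumented code.
function boxingHazards(boxed) {
  return {
    typeofIsObject: typeof boxed === 'object',        // true: no longer 'string'
    strictEqualsPrimitive: boxed === boxed.valueOf(), // false: object vs primitive
    looseEqualsPrimitive: boxed == boxed.valueOf(),   // true: coercion hides the box
    truthyWhenEmpty: !!new String(''),                // true, although '' is falsy
    jsonIsStillString: JSON.stringify(boxed),         // '"..."': JSON unboxes it
  };
}

function demo() {
  // Constructed inputs standing in for values returned by "source" APIs.
  const userInput = box('alice', 'query_param');
  const greeting = concat('hello ', userInput);
  const html = concat(greeting, box('<b>', 'cookie'));
  return {
    greetingLabels: checkSink(greeting),              // ['query_param']
    htmlLabels: checkSink(html),                      // ['cookie', 'query_param']
    // Native + calls ToPrimitive on the box, so the label is lost here.
    primitiveLabels: checkSink('hello ' + userInput), // []
    hazards: boxingHazards(userInput),
  };
}

console.log(demo());
```

The `primitiveLabels` result is the practical point of the thread: any operation the analysis does not intercept (here a plain `+`, in practice also library and runtime APIs) can unbox the value and drop the metadata, and any uninstrumented code that inspects `typeof` or uses `===` will see a different program than the one it was written for. In a Jalangi2 analysis the propagation belongs in the instrumentation callbacks (such as the binary-operator and function-call hooks), and boxes should be unwrapped before crossing into code that is not instrumented.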

Thank you so much @msridhar and @behnazh-w

@msridhar I tried to use SMemory.js to track tainted data on some examples by using the following command, but unfortunately it didn't produce any result. Is there a problem with my command, or is something else missing?

node ../src/js/commands/jalangi.js --inlineIID --inlineSource --analysis SMemory.js example.js

Can you please share some more examples with me so that I can check the analysis? Waiting for your response. Thank you.

@Zubairahmad09 sorry, SMemory.js is not a taint analysis, it is a library that could be helpful for you to build your own taint analysis. I do not know of an open-source dynamic taint analysis built on Jalangi2.