{"title":"Position paper: the science of boxing","authors":"M. Lester","doi":"10.1145/2465106.2465120","DOIUrl":null,"url":null,"abstract":"The ubiquity of Web 2.0 applications handling sensitive information means that static analysis of applications written in JavaScript has become an important security problem. The highly dynamic nature of the language makes this difficult. The eval construct, which allows execution of a string as program code, is particularly notorious in this regard. Eval is a form of metaprogramming construct: it allows generation and manipulation of program code at run time. Other metaprogramming formalisms are more principled in their behaviour and easier to reason about; consider, for example, Lisp-style code quotations, which we call staged metaprogramming. We argue that, instead of trying to reason directly about uses of eval, we should first transform them to staged metaprogramming, then analyse the transformed program. To demonstrate the feasibility of this approach, we describe an algorithm for transforming uses of eval on strings encoding program text into uses of staged metaprogramming with quoted program terms. We present our algorithm in the context of a JavaScript-like language augmented with staged metaprogramming.","PeriodicalId":119000,"journal":{"name":"ACM Workshop on Programming Languages and Analysis for Security","volume":"27 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2013-06-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":"{\"title\":\"Position paper: the science of boxing\",\"authors\":\"M. Lester\",\"doi\":\"10.1145/2465106.2465120\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"The ubiquity of Web 2.0 applications handling sensitive information means that static analysis of applications written in JavaScript has become an important security problem. The highly dynamic nature of the language makes this difficult. 
The eval construct, which allows execution of a string as program code, is particularly notorious in this regard. Eval is a form of metaprogramming construct: it allows generation and manipulation of program code at run time. Other metaprogramming formalisms are more principled in their behaviour and easier to reason about; consider, for example, Lisp-style code quotations, which we call staged metaprogramming. We argue that, instead of trying to reason directly about uses of eval, we should first transform them to staged metaprogramming, then analyse the transformed program. To demonstrate the feasibility of this approach, we describe an algorithm for transforming uses of eval on strings encoding program text into uses of staged metaprogramming with quoted program terms. We present our algorithm in the context of a JavaScript-like language augmented with staged metaprogramming.\",\"PeriodicalId\":119000,\"journal\":{\"name\":\"ACM Workshop on Programming Languages and Analysis for Security\",\"volume\":\"27 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2013-06-20\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"3\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"ACM Workshop on Programming Languages and Analysis for Security\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/2465106.2465120\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Workshop on Programming Languages and Analysis for 
Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2465106.2465120","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
The ubiquity of Web 2.0 applications handling sensitive information means that static analysis of applications written in JavaScript has become an important security problem. The highly dynamic nature of the language makes this difficult. The eval construct, which allows execution of a string as program code, is particularly notorious in this regard. Eval is a form of metaprogramming construct: it allows generation and manipulation of program code at run time. Other metaprogramming formalisms are more principled in their behaviour and easier to reason about; consider, for example, Lisp-style code quotations, which we call staged metaprogramming. We argue that, instead of trying to reason directly about uses of eval, we should first transform them to staged metaprogramming, then analyse the transformed program. To demonstrate the feasibility of this approach, we describe an algorithm for transforming uses of eval on strings encoding program text into uses of staged metaprogramming with quoted program terms. We present our algorithm in the context of a JavaScript-like language augmented with staged metaprogramming.