DOI: 10.1145/3468264.3468574
research-article
Open access

Efficient module-level dynamic analysis for dynamic languages with module recontextualization

Published: 18 August 2021

Abstract

Dynamic program analysis is a long-standing technique for obtaining information about program execution. We present module recontextualization, a new dynamic analysis approach that targets modern dynamic languages such as JavaScript and Racket, enabled by the fact that they feature a module-import mechanism that loads code at runtime as a string. This approach uses lightweight load-time code transformations that operate on the string representation of the module, as well as the context to which it is about to be bound, to insert developer-provided, analysis-specific code into the module before it is loaded. This code implements the dynamic analysis, enabling this approach to capture all interactions around the module in unmodified production language runtime environments. We implement this approach in two systems targeting the JavaScript and Racket ecosystems. Our evaluation shows that this approach can deliver order-of-magnitude performance improvements over state-of-the-art dynamic analysis systems while supporting a range of analyses, implemented on average in about 100 lines of code.


Cited By

  • (2024) Towards Effective Static Type-Error Detection for Python. Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering, pages 1808-1820. DOI: 10.1145/3691620.3695545. Online publication date: 27-Oct-2024
  • (2023) BinWrap: Hybrid Protection against Native Node.js Add-ons. Proceedings of the ACM Asia Conference on Computer and Communications Security, pages 429-442. DOI: 10.1145/3579856.3590330. Online publication date: 10-Jul-2023

Published In

ESEC/FSE 2021: Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering
August 2021
1690 pages
ISBN:9781450385626
DOI:10.1145/3468264
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Analysis
  2. Dynamic
  3. Instrumentation
  4. Performance
  5. Recontextualization
  6. Runtime
  7. Security

Qualifiers

  • Research-article

Conference

ESEC/FSE '21
Acceptance Rates

Overall Acceptance Rate 112 of 543 submissions, 21%
