检索结果-内蒙古大学图书馆

Collecting Type Information Using Unit Tests for Customizing javascript Virtual Machines 12

Collecting Type Information Using Unit Tests for Customizing...

14th Workshop on Implementation, Compilation and Optimization of Object-Oriented Languages, Programs and Systems (ICOOOLPS)

作者： Ugawa, Tomoharu Iwasaki, Hideya Kataoka, Takafumi Kochi Univ Technol Kami Kochi Japan Univ Electrocommun Chofu Tokyo Japan

ISBN: (纸本)9781450368629

To use javascript for Internet of Things (IoT), it is essential to reduce the size of the virtual machine (VM). Although operators in javascript are polymorphic, many applications apply operators to only a limited set of datatypes. Thus, customizing a VM to include only implementations of operators of datatypes used can reduce the size of the VM. In this research, we determine the set of operand datatypes that are possibly given to each operator for individual applications. Because javascript is a dynamically typed programming language, it is difficult to infer types accurately. Instead, as a practical approach, we obtain type information from executions of unit tests of the application. We implemented a prototype system to record datatypes that are given to each operator in executions of unit tests for Jasmine. The system does not record operands of operators executed by the Jasmine's code but only those by the application's code. We applied this system to two small applications and found that it determined type information with high accuracy.

关键词： virtual machine javascript embedded systems type

来源：评论

学校读者我要写书评

暂无评论

Challenging Machine Learning Algorithms in Predicting Vulnerable javascript Functions 7

Challenging Machine Learning Algorithms in Predicting Vulner...

引用

7th IEEE/ACM International Workshop on Realizing Artificial Intelligence Synergies in Software Engineering (RAISE)

作者： Ferenc, Rudolf Hegedus, Peter Gyimesi, Peter Antal, Gabor Ban, Denes Gyimothy, Tibor MTA SZTE Res Grp Artificial Intelligence Szeged Hungary Univ Szeged Dept Software Engn Szeged Hungary

ISBN: (纸本)9781728122724

The rapid rise of cyber-crime activities and the growing number of devices threatened by them place software security issues in the spotlight. As around 90% of all attacks exploit known types of security issues, finding vulnerable components and applying existing mitigation techniques is a viable practical approach for fighting against cyber-crime. In this paper, we investigate how the state-of-the-art machine learning techniques, including a popular deep learning algorithm, perform in predicting functions with possible security vulnerabilities in javascript programs. We applied 8 machine learning algorithms to build prediction models using a new dataset constructed for this research from the vulnerability information in public databases of the Node Security Project and the Snyk platform, and code fixing patches from GitHub. We used static source code metrics as predictors and an extensive grid-search algorithm to find the best performing models. We also examined the effect of various re-sampling strategies to handle the imbalanced nature of the dataset. The best performing algorithm was KNN, which created a model for the prediction of vulnerable functions with an F-measure of 0.76 (0.91 precision and 0.66 recall). Moreover, deep learning, tree and forest based classifiers, and SVM were competitive with F-measures over 0.70. Although the F-measures did not vary significantly with the re-sampling strategies, the distribution of precision and recall did change. No re-sampling seemed to produce models preferring high precision, while re-sampling strategies balanced the IR measures.

关键词： vulnerability javascript machine learning deep learning code metrics dataset

来源：评论

学校读者我要写书评

暂无评论

Mime Artist: Bypassing Whitelisting for the Web with javascript Mimicry Attacks 24th

Mime Artist: Bypassing Whitelisting for the Web with JavaScr...

引用

24th European Symposium on Research in Computer Security (ESORICS)

作者： Chaliasos, Stefanos Metaxopoulos, George Argyros, George Mitropoulos, Dimitris Athens Univ Econ & Business Dept Management Sci & Technol Athens Greece Columbia Univ Dept Comp Sci New York NY 10027 USA

ISBN: (纸本)9783030299620;9783030299613

Despite numerous efforts to mitigate Cross-Site Scripting (xss) attacks, xss remains one of the most prevalent threats to modern web applications. Recently, a number of novel xss patterns, based on code-reuse and obfuscated payloads, were introduced to bypass different protection mechanisms such as sanitization frameworks, web application firewalls, and the Content Security Policy (csp). Nevertheless, a class of script-whitelisting defenses that perform their checks inside the javascript engine of the browser, remains effective against these new patterns. We have evaluated the effectiveness of whitelisting mechanisms for the web by introducing "javascript mimicry attacks". The concept behind such attacks is to use slight transformations (i.e. changing the leaf values of the abstract syntax tree) of an application's benign scripts as attack vectors, for malicious purposes. Our proof-of-concept exploitations indicate that javascript mimicry can bypass script-whitelisting mechanisms affecting either users (e.g. cookie stealing) or applications (e.g. cryptocurrency miner hijacking). Furthermore, we have examined the applicability of such attacks at scale by performing two studies: one based on popular application frameworks (e.g. WordPress) and the other focusing on scripts coming from Alexa's top 20 websites. Finally, we have developed an automated method to help researchers and practitioners discover mimicry scripts in the wild. To do so, our method employs symbolic analysis based on a lightweight weakest precondition calculation.

关键词： Cross-site Scripting javascript Whitelisting Mimicry attacks

来源：评论

学校读者我要写书评

暂无评论

An Empirical Study of Prioritizing javascript Engine Crashes via Machine Learning 19

An Empirical Study of Prioritizing JavaScript Engine Crashes...

引用

ACM Asia Conference on Computer and Communications Security (Asia CCS)

作者： Park, Sunnyeo Kim, Dohyeok Son, Sooel Korea Adv Inst Sci & Technol Daejeon South Korea

ISBN: (纸本)9781450367523

The early discovery of security bugs in javascript (JS) engines is crucial for protecting Internet users from adversaries abusing zero-day vulnerabilities. Browser vendors, bug bounty hunters, and security researchers have been eager to find such security bugs by leveraging state-of-the-art fuzzers as well as their domain expertise. They report a bug when observing a crash after executing their JS test since a crash is an early indicator of a potential bug. However, it is difficult to identify whether such a crash indeed invokes security bugs in JS engines. Thus, unskilled bug reporters are unable to assess the security severity of their new bugs with JS engine crashes. Today, this classification of a reported security bug is completely manual, depending on the verdicts from JS engine vendors. We investigated the feasibility of applying various machine learning classifiers to determine whether an observed crash triggers a security bug. We designed and implemented CRScope, which classifies security and non-security bugs from given crash-dump files. Our experimental results on 766 crash instances demonstrate that CRScope achieved 0.85, 0.89, and 0.93 Area Under Curve (AUC) for Chakra, V8, and SpiderMonkey crashes, respectively. CRScope also achieved 0.84, 0.89, and 0.95 precision for Chakra, V8, and SpiderMonkey crashes, respectively. This outperforms the previous study and existing tools including Exploitable and AddressSanitizer. CRScope is capable of learning domain-specific expertise from the past verdicts on reported bugs and automatically classifying JS engine security bugs, which helps improve the scalable classification of security bugs.

关键词： Crash analysis Machine learning Security bugs javascript Browser security

来源：评论

学校读者我要写书评

暂无评论

Evaluation and Comparison of Dynamic Call Graph Generators for javascript 14

Evaluation and Comparison of Dynamic Call Graph Generators f...

引用

14th International Conference on Evaluation of Novel Approaches to Software Engineering (ENASE)

作者： Herczeg, Zoltan Loki, Gabor Univ Szeged Dept Software Engn Dugon Ter 13 H-6720 Szeged Hungary

ISBN: (纸本)9789897583759

javascript is the most popular programming language these days and it is also the core language of the *** environment. Sharing code is a simple task in this environment and the shared code can be easily reused as building blocks to create new applications. This vibrant and ever growing environment is not perfect though. Due to the large amount of reused code, even simple applications can have a lot of indirect dependencies. Developers may not even be aware of the fact that some of these dependencies could contain malware, since harmful code can be hidden relatively easily due to the dynamic nature of javascript. Dynamic software analysis is one way of detecting suspicious activities. Call graphs can reveal the internal workings of an application and they have been used successfully for malware detection. In ***, no tool has been available for directly generating javascript call graphs before. In this paper, we are going to introduce three tools that can be used to generate call graphs for further analysis. We show that call graphs contain a significant amount of engine-specific information but filters can be used to reduce such differences.

关键词： javascript Call graph Node.js Comparison Security Complexity

来源：评论

学校读者我要写书评

暂无评论

Automatic Modeling of Opaque Code for javascript Static Analysis 22nd

Automatic Modeling of Opaque Code for JavaScript Static Anal...

引用

22nd International Conference on Fundamental Approaches to Software Engineering (FASE) held as part of the Annual European Joint Conferences on Theory and Practice of Software (ETAPS)

作者： Park, Joonyoung Jordan, Alexander Ryu, Sukyoung Oracle Labs Australia Brisbane Qld Australia Korea Adv Inst Sci & Technol Daejeon South Korea

ISBN: (纸本)9783030167226;9783030167219

Static program analysis often encounters problems in analyzing library code. Most real-world programs use library functions intensively, and library functions are usually written in different languages. For example, static analysis of javascript programs requires analysis of the standard built-in library implemented in host environments. A common approach to analyze such opaque code is for analysis developers to build models that provide the semantics of the code. Models can be built either manually, which is time consuming and error prone, or automatically, which may limit application to different languages or analyzers. In this paper, we present a novel mechanism to support automatic modeling of opaque code, which is applicable to various languages and analyzers. For a given static analysis, our approach automatically computes analysis results of opaque code via dynamic testing during static analysis. By using testing techniques, the mechanism does not guarantee sound over-approximation of program behaviors in general. However, it is fully automatic, is scalable in terms of the size of opaque code, and provides more precise results than conventional over-approximation approaches. Our evaluation shows that although not all functionalities in opaque code can (or should) be modeled automatically using our technique, a large number of javascript built-in functions are approximated soundly yet more precisely than existing manual models.

关键词： Automatic modeling Static analysis Opaque code javascript

来源：评论

学校读者我要写书评

暂无评论

Analyzing the Evolution of javascript Applications 14

Analyzing the Evolution of Javascript Applications

引用

14th International Conference on Evaluation of Novel Approaches to Software Engineering (ENASE)

作者： Chatzimparmpas, Angelos Bibi, Stamatia Zozas, Ioannis Kerren, Andreas Linnaeus Univ Dept Comp Sci & Media Technol Vaxjo Sweden Univ Western Macedonia Dept Informat & Telecommun Engn Kozani Greece

ISBN: (纸本)9789897583759

Software evolution analysis can shed light on various aspects of software development and maintenance. Up to date, there is little empirical evidence on the evolution of javascript (JS) applications in terms of maintainability and changeability, even though javascript is among the most popular scripting languages for front-end web applications, including IoT applications. In this study, we investigate JS applications' quality and changeability trends over time by examining the relevant Laws of Lehman. We analyzed over 7,500 releases of JS applications and reached some interesting conclusions. The results show that JS applications continuously change and grow, there are no clear signs of quality degradation while the complexity remains the same over time, despite the fact that the understandability of the code deteriorates.

关键词： Software Evolution Lehman's Laws javascript Maintenance Software Quality

来源：评论

学校读者我要写书评

暂无评论

NL2Type: Inferring javascript Function Types from Natural Language Information 19

NL2Type: Inferring JavaScript Function Types from Natural La...

引用

41st IEEE/ACM International Conference on Software Engineering (ICSE)

作者： Malik, Rabee Sohail Patra, Jibesh Pradel, Michael Tech Univ Darmstadt Darmstadt Germany

ISBN: (纸本)9781728108698

javascript is dynamically typed and hence lacks the type safety of statically typed languages, leading to suboptimal IDE support, difficult to understand APIs, and unexpected run-time behavior. Several gradual type systems have been proposed, e.g., Flow and TypeScript, but they rely on developers to annotate code with types. This paper presents NL2Type, a learning-based approach for predicting likely type signatures of javascript functions. The key idea is to exploit natural language information in source code, such as comments, function names, and parameter names, a rich source of knowledge that is typically ignored by type inference algorithms. We formulate the problem of predicting types as a classification problem and train a recurrent, LSTM-based neural model that, after learning from an annotated code base, predicts function types for unannotated code. We evaluate the approach with a corpus of 162,673 javascript files from real-world projects. NL2Type predicts types with a precision of 84.1% and a recall of 78.9% when considering only the top-most suggestion, and with a precision of 95.5% and a recall of 89.6% when considering the top-5 suggestions. The approach outperforms both JSNice, a state-of-the-art approach that analyzes implementations of functions instead of natural language information, and DeepTyper, a recent type prediction approach that is also based on deep learning. Beyond predicting types, NL2Type serves as a consistency checker for existing type annotations. We show that it discovers 39 inconsistencies that deserve developer attention (from a manual analysis of 50 warnings), most of which are due to incorrect type annotations.

关键词： javascript deep learning type inference comments identifiers

来源：评论

学校读者我要写书评

暂无评论

Clone Detection Techniques for javascript and Language Independence: Review

引用

INTERNATIONAL JOURNAL OF ADVANCED COMPUTER SCIENCE AND APPLICATIONS 2020年第4期11卷 787-795页

作者： Alfageh, Danyah Alhakami, Hosam Baz, Abdullah Alanazi, Eisa Alsubait, Tahani Umm Al Qura Univ Coll Comp & Informat Syst Mecca Saudi Arabia

Code clone detection is an active field of study in computer science. Despite its rich history, it lacks focus on web scripting languages. Due to the expansion of web applications and web development amongst developers of varying education and experience levels, they inevitably resort to cloning through out the web. The spread of code clones is further increased by websites like StackOverflow and GitHub. In this paper, we will be focusing on clone detection research done to target clones in javascript code and discuss its areas of concern. Also, we will summarize language independent research done and possibility of its application on javascript and web applications.

关键词： Clone detection code clones javascript language independent clone detection web applications

来源：评论

学校读者我要写书评

暂无评论

Scalable Comparison of javascript V8 Bytecode Traces 11

Scalable Comparison of JavaScript V8 Bytecode Traces

引用

11th ACM SIGPLAN International Workshop on Virtual Machines and Intermediate Languages (VMIL)

作者： Arteaga, Javier Cabrera Monperrus, Martin Baudry, Benoit KTH Royal Inst Technol Stockholm Sweden

ISBN: (纸本)9781450369879

The comparison and alignment of runtime traces are essential, e.g., for semantic analysis or debugging. However, naive sequence alignment algorithms cannot address the needs of the modern web: (i) the bytecode generation process of V8 is not deterministic;(ii) bytecode traces are large. We present STRAC, a scalable and extensible tool tailored to compare bytecode traces generated by the V8 javascript engine. Given two V8 bytecode traces and a distance function between trace events, STRAC computes and provides the best alignment. The key insight is to split access between memory and disk. STRAC can identify semantically equivalent web pages and is capable of processing huge V8 bytecode traces whose order of magnitude matches today's web like https: //***, which generates approx. 150k of V8 bytecode instructions.

关键词： V8 Sequence alignment javascript Bytecode Similarity measurement

来源：评论

学校读者我要写书评

暂无评论

建议与咨询留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

时间限定

文献类型

馆藏选择

核心期刊

语言

文献类型

帮助

文字说明：

检索规则说明：

检索范例：

分类表

所选分类

限定检索结果

文献类型

馆藏范围

日期分布

学科分类号

主题

机构

作者

语言

请选择保存的检索档案：

请选择收藏分类：

通借通还

建议与咨询 留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

时间限定

文献类型

馆藏选择

核心期刊

语言

文献类型

帮助

文字说明：

检索规则说明：

检索范例：

分类表

所选分类

限定检索结果

文献类型

馆藏范围

日期分布

学科分类号

主题

机构

作者

语言

请选择保存的检索档案： 新增检索档案 确定 取消

请选择收藏分类： 新增自定义分类 确定 取消

通借通还

建议与咨询留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

请选择保存的检索档案：

请选择收藏分类：