Abstract
Transforming text into executable code with a function such as JavaScript’s eval endows programmers with the ability to extend applications, at any time, and in almost any way they choose. But, this expressive power comes at a price: reasoning about the dynamic behavior of programs that use this feature becomes challenging. Any ahead-of-time analysis, to remain sound, is forced to make pessimistic assumptions about the impact of dynamically created code. This pessimism affects the optimizations that can be applied to programs and significantly limits the kinds of errors that can be caught statically and the security guarantees that can be enforced. A better understanding of how eval is used could lead to increased performance and security. This paper presents a large-scale study of the use of eval in JavaScript-based web applications. We have recorded the behavior of 337 MB of strings given as arguments to 550,358 calls to the eval function exercised in over 10,000 web sites. We provide statistics on the nature and content of strings used in eval expressions, as well as their provenance and data obtained by observing their dynamic behavior.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Anderson, C., Drossopoulou, S.: BabyJ: From Object Based to Class Based Programming via Types. Electr. Notes in Theor. Comput. Sci. 82(7), 53–81 (2003)
Anderson, C., Giannini, P.: Type Checking for JavaScript. Electr. Notes Theor. Comput. Sci. 138(2), 37–58 (2005)
Christensen, A.S., Møller, A., Schwartzbach, M.I.: Precise Analysis of String Expressions. In: Cousot, R. (ed.) SAS 2003. LNCS, vol. 2694, pp. 1–18. Springer, Heidelberg (2003)
Chugh, R., Meister, J.A., Jhala, R., Lerner, S.: Staged Information Flow for JavaScript. In: Conference on Programming Language Design and Implementation (PLDI), pp. 50–62 (2009)
Egele, M., Wurzinger, P., Kruegel, C., Kirda, E.: Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks. In: Flegel, U., Bruschi, D. (eds.) DIMVA 2009. LNCS, vol. 5587, pp. 88–106. Springer, Heidelberg (2009)
European Association for Standardizing Information and Communication Systems (ECMA): ECMA-262: ECMAScript Language Specification. 5th edn. (December 2009)
Feinstein, B., Peck, D.: Caffeine Monkey: Automated Collection, Detection and Analysis of Malicious JavaScript. In: Black Hat USA 2007 (2007)
Guarnieri, S., Livshits, B.: Gatekeeper: Mostly Static Enforcement of Security and Reliability Policies for JavaScript Code. In: USENIX Security Symposium, pp. 151–197 (2009)
Guha, A., Krishnamurthi, S., Jim, T.: Using Static Analysis for Ajax Intrusion Detection. In: Conference on World Wide Web (WWW), pp. 561–570 (2009)
Holkner, A., Harland, J.: Evaluating the Dynamic Behaviour of Python Applications. In: Proceedings of the Thirty-Second Australasian Conference on Computer Science, ACSC 2009, vol. 91, pp. 19–28. Australian Computer Society, Inc., Darlinghurst (2009)
Jang, D., Choe, K.M.: Points-to Analysis for JavaScript. In: Proceedings of the 2009 ACM Symposium on Applied Computing, SAC 2009, pp. 1930–1937. ACM, New York (2009)
Jang, D., Jhala, R., Lerner, S., Shacham, H.: An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications. In: CCS 2010: Proceedings of the 17th ACM Conference on Computer and Communications Security, pp. 270–283. ACM, New York (2010)
Jensen, S.H., Møller, A., Thiemann, P.: Type Analysis for JavaScript. In: Palsberg, J., Su, Z. (eds.) SAS 2009. LNCS, vol. 5673, pp. 238–255. Springer, Heidelberg (2009)
Livshits, B., Whaley, J., Lam, M.S.: Reflection Analysis for Java. In: Yi, K. (ed.) APLAS 2005. LNCS, vol. 3780, pp. 139–160. Springer, Heidelberg (2005)
Maffeis, S., Mitchell, J.C., Taly, A.: Isolating JavaScript with Filters, Rewriting, and Wrappers. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 505–522. Springer, Heidelberg (2009)
McCarthy, J.: History of LISP. In: History of programming languages (HOPL) (1978)
Ratanaworabhan, P., Livshits, B., Zorn, B.: JSMeter: Comparing the Behavior of JavaScript Benchmarks with Real Web Applications. In: USENIX Conference on Web Application Development (WebApps) (June 2010)
Richards, G., Lebresne, S., Burg, B., Vitek, J.: An Analysis of the Dynamic Behavior of JavaScript Programs. In: Programming Language Design and Implementation Conference, PLDI (2010)
Rieck, K., Krueger, T., Dewald, A.: Cujo: Efficient Detection and Prevention of Drive-by-Download Attacks. In: Annual Computer Security Applications Conference, ACSAC (2010)
Thiemann, P.: Towards a Type System for Analyzing JavaScript Programs. In: Sagiv, M. (ed.) ESOP 2005. LNCS, vol. 3444, pp. 408–422. Springer, Heidelberg (2005)
Yue, C., Wang, H.: Characterizing Insecure JavaScript Practices on the Web. In: World Wide Web Conference, WWW (2009)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Richards, G., Hammer, C., Burg, B., Vitek, J. (2011). The Eval That Men Do. In: Mezini, M. (eds) ECOOP 2011 – Object-Oriented Programming. ECOOP 2011. Lecture Notes in Computer Science, vol 6813. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22655-7_4
Download citation
DOI: https://doi.org/10.1007/978-3-642-22655-7_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-22654-0
Online ISBN: 978-3-642-22655-7
eBook Packages: Computer ScienceComputer Science (R0)