Write a Blog >>
Tue 10 Nov 2020 01:05 - 01:06 at Virtual room 2 - Analysis 1

JavaScript is widely used for implementing client-side web applications, and it is common to include JavaScript code from many different hosts. However, in a web browser, all the scripts loaded in the same frame share a single global namespace. As a result, a script may read or even overwrite the global objects or functions in other scripts, causing unexpected behaviors. For example, a script can redefine a function in a different script as an object, so that any call of that function would cause an exception at run time.

We systematically investigate the client-side JavaScript code integrity problem caused by JavaScript global identifier conflicts in this paper. We developed a browser-based analysis framework, JSObserver, to collect and analyze the write operations to global memory locations by JavaScript code. We identified three categories of conflicts using JSObserver on the Alexa top 100K websites, and detected 145,918 conflicts on 31,615 websites.

We reveal that JavaScript global identifier conflicts are prevalent and could cause behavior deviation at run time. In particular, we discovered that 1,611 redefined functions were called after being overwritten, and many scripts modified the value of cookies or redefined cookie-related functions. Our research demonstrated that JavaScript global identifier conflict is an emerging threat to both the web users and the integrity of web applications.

Tue 10 Nov
Times are displayed in time zone: (UTC) Coordinated Universal Time change

01:00 - 01:02
Talk
A Behavioral Notion of Robustness for Software Systems
Research Papers
Changjian ZhangCarnegie Mellon University, USA, David GarlanCarnegie Mellon University, USA, Eunsuk KangCarnegie Mellon University, USA
Link to publication DOI Media Attached
01:03 - 01:04
Talk
C2S: Translating Natural Language Comments to Formal Program Specifications
Research Papers
Juan ZhaiRutgers University, USA, Yu ShiPurdue University, USA, Minxue PanNanjing University, China, Guian ZhouNanjing University, China, Yongxiang LiuNanjing University, China, Chunrong FangNanjing University, China, Shiqing MaRutgers University, USA, Lin TanPurdue University, USA, Xiangyu ZhangPurdue University
DOI
01:05 - 01:06
Talk
Detecting and Understanding JavaScript Global Identifier Conflicts on the Web
Research Papers
Mingxue ZhangChinese University of Hong Kong, China, Wei MengChinese University of Hong Kong, China
DOI
01:07 - 01:08
Talk
PAClab: A Program Analysis Collaboratory
Tool Demos
Rebecca BrunnerBowling Green State University, USA, Robert DyerUniversity of Nebraska - Lincoln, Maria PaquinBoise State University, Elena ShermanBoise State University
DOI
01:09 - 01:10
Talk
Towards Learning Visual Semantics
Visions and Reflections
Haipeng CaiWashington State University, USA, Shiv Raj PantWashington State University, USA, Wen Li
DOI
01:11 - 01:12
Talk
WebJShrink: A Web Service for Debloating Java Bytecode
Tool Demos
Konner MaciasUniversity of California at Los Angeles, USA, Mihir MathurUniversity of California, Los Angeles, Bobby BruceUniversity of California at Davis, USA, Tianyi ZhangHarvard University, USA, Miryung KimUniversity of California at Los Angeles, USA
DOI
01:13 - 01:30
Talk
Conversations on Analysis 1
Research Papers
Juan ZhaiRutgers University, USA, Changjian ZhangCarnegie Mellon University, USA, Konner MaciasUniversity of California at Los Angeles, USA, Haipeng CaiWashington State University, USA, Mingxue ZhangChinese University of Hong Kong, China, Robert DyerUniversity of Nebraska - Lincoln, M: Shin Hwei TanSouthern University of Science and Technology