A Symbolic Execution Framework for JavaScript
In Proc. of the 31st IEEE Symposium on Security and Privacy (Oakland 2010)
@InProceedings{saxena10kudzu,
author = {Prateek Saxena and Devdatta Akhawe and
Steve Hanna and Feng Mao and Stephen McCamant and Dawn Song},
title = {A Symbolic Execution Framework for JavaScript},
booktitle = {Proc. of the 31st IEEE Symposium on Security and Privacy (Oakland 2010)},
year = {2010},
}
Abstract
As AJAX applications gain popularity, client-side JavaScript code is becoming increasingly complex. However, few automated vulnerability analysis tools for JavaScript exist. In this paper, we describe the first system for exploring the execution space of JavaScript code using symbolic execution. To handle JavaScript code's complex use of string operations, we design a new language of string constraints and implement a solver for it. We build an automatic end-to-end tool, Kudzu, and apply it to the problem of finding client-side code injection vulnerabilities. In experiments on 18 live web applications, Kudzu automatically discovers 2 previously unknown vulnerabilities and 9 more that were previously found only with a manually-constructed test suite.
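To make concrete the class of bug the abstract refers to, the following is an added example; it is not code from the paper, from Kudzu, or from its authors. It models a client-side code injection: a page reads attacker-controlled input from the URL fragment (no server round-trip), pushes it through string operations, and writes the result to an HTML sink. The vulnerable renderer sits beside a hardened one, and a constructed fragment plays the role of the input a string solver would have to produce to reach the sink. The page name, parameter name, and `containsInjectedTag` check are assumptions for illustration.

```javascript
"use strict";

// Added example, not from the Kudzu paper. Models a DOM-based client-side
// injection: the URL fragment is attacker-controlled and never leaves the
// browser, so only client-side analysis (or a manual test) can find it.

// Parse `name=value` pairs out of the fragment of a URL. The fragment is
// the untrusted source; these string operations (indexOf, slice, split,
// decodeURIComponent) are the kind a string-constraint solver must model.
function fragmentParams(href) {
  const params = {};
  const idx = href.indexOf("#");
  if (idx < 0) return params;
  for (const pair of href.slice(idx + 1).split("&")) {
    const eq = pair.indexOf("=");
    if (eq < 0) continue;
    const key = decodeURIComponent(pair.slice(0, eq));
    params[key] = decodeURIComponent(pair.slice(eq + 1));
  }
  return params;
}

// Vulnerable: the `name` parameter flows unescaped into markup that the
// page would assign to innerHTML. Returns that markup so it can be inspected.
function renderGreetingVulnerable(href) {
  const p = fragmentParams(href);
  const name = p.name !== undefined ? p.name : "guest";
  return "<h1>Hello, " + name + "</h1>";
}

// Minimal HTML escaping for text placed in element content.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: identical data flow, but the untrusted value is escaped at the sink.
function renderGreetingHardened(href) {
  const p = fragmentParams(href);
  const name = p.name !== undefined ? p.name : "guest";
  return "<h1>Hello, " + escapeHtml(name) + "</h1>";
}

// Cheap sink-side oracle (an assumption of this example): after removing the
// template's own <h1> wrapper, does any tag-like token remain in the output?
function containsInjectedTag(markup) {
  const body = markup.replace(/^<h1>/, "").replace(/<\/h1>$/, "");
  return /<[a-zA-Z/!]/.test(body);
}

// Constructed input: the fragment a solver would need to synthesise for the
// path "fragment contains name= and its value reaches innerHTML".
const PAYLOAD_URL =
  "https://example.test/page#name=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E";
const BENIGN_URL = "https://example.test/page#x=1";

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderGreetingVulnerable(PAYLOAD_URL));
  console.log(renderGreetingHardened(PAYLOAD_URL));
}
```

The interesting part from Kudzu's perspective is not the sink itself but the path to it: to reach the `name` branch the input has to satisfy constraints over `indexOf`, `slice`, `split` and `decodeURIComponent`, which is exactly why the paper needs a string-constraint language rather than a plain integer solver.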
Kaluza String Solver
Kaluza, the string solver we built as part of this project, is described here and is also available as an online demo.
Awards
This work has been awarded the AT&T Best Applied Security Research Paper Award 2010.