Dynamic security analysis of JavaScript: are we there yet? / Calzavara, Stefano; Casarin, Samuele; Focardi, Riccardo. - (2025), pp. 1105-1115. (WWW '25 - The ACM Web Conference 2025, Sydney, Australia, 28/04-2/05/2025) [10.1145/3696410.3714614].

Dynamic security analysis of JavaScript: are we there yet?

Casarin Samuele
2025

Abstract

In this paper, we systematically evaluate the effectiveness of existing tools for the dynamic security analysis of client-side JavaScript, focusing in particular on information flow control. Each tool is evaluated in terms of: (i) compatibility, i.e., the ability to process and analyze existing scripts without breaking; (ii) transparency, i.e., the ability to preserve the original script semantics when security enforcement is not necessary; (iii) coverage, i.e., the effectiveness in terms of number of detected information flows; (iv) performance, i.e., the computational overhead introduced by the analysis. Our investigation shows that most of the existing analysis tools are incompatible with the modern Web and the compatibility issues affecting them are not easily fixed. Moreover, transparency issues abound and make us question analysis correctness. This is also confirmed by our coverage evaluation, showing that some tools are unable to detect any information flow on real-world websites, while the remaining tools report significantly different outputs. Finally, we observe that the computational overhead of analysis tools may be significant and can exceed 30x. In the end, out of all the evaluated tools, just one of them (Project Foxhound) is effective enough for practical adoption at scale.
ISBN: 9798400712746
Keywords: JavaScript; Information flow control; Web measurements
Files in this item:
File: Dynamic_Security_Analysis_JavaScript_WWW25.pdf
Access: open access
Description: Dynamic Security Analysis of JavaScript: Are We There Yet?
Type: Publisher's version (PDF)
License: Creative Commons
Size: 579.49 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.11771/39838
Citations
  • Scopus 1