On 08/15/2013 11:29 AM, Nicolas B. Pierron wrote:
On 08/09/2013 02:59 PM, Jim Blandy wrote:
Ivan Alagenchev and Mark Goodwin asked me to take a look at their project to
bring DOMinator, a taint analysis for SpiderMonkey, […]

On Tuesday, Koushik Sen made a presentation which is available on Air Mozilla[1] where he presented some JavaScript instrumentation which uses a parser hook to rewrite the original script with some extensible instrumentation.
I think it's important to consider both the scale of the effort required and the results produced. Implementing something like the StringLabeller (pace Brendan) hooks would be a different order of magnitude of effort than the alternatives suggested here.

I need to watch that presentation, but I did see Sen's presentation at JSTools 2013 in Montpellier. Without any intent to contradict, Jalangi's record-and-replay-with-shadow-execution approach did not seem to me like a low-maintenance tooling approach. Certainly, using shadow execution to recover the details of execution drastically reduces what one needs to record, and thus its runtime impact. But the combination of the recording annotations and the shadow interpreter does not seem like a light maintenance burden. Am I being pessimistic?

Further: having thought a bit more, I'm not sure that source-rewriting techniques are going to be much better. Perhaps there's a beautiful trick I'm not noticing, but it seems to me that making finer-grained distinctions between strings than the language supports entails nothing less than a self-hosted JavaScript interpreter, because you can't use strings (meta-level) to represent strings (debuggee level).

Certainly, we could resuscitate Zaphod (a project that made it possible to switch between SpiderMonkey and Narcissus-on-SpiderMonkey in live browsing), and have a Narcissus that tracks taint. But the burden of keeping that working seems a lot more than the burden of keeping something like StringLabeller working.

_______________________________________________
dev-tech-js-engine-internals mailing list
dev-tech-js-engine-internals@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-js-engine-internals
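The point above about strings at the meta-level not being able to stand in for strings at the debuggee level can be seen in a few lines. The following is an added illustration, not code from this thread, from DOMinator, Jalangi or SpiderMonkey: a "labelled string" built purely at the source level, with a constructed untrusted input standing in for something like `location.hash` and a hypothetical `sink` that refuses labelled data. Labels survive only while the program goes through the wrapper's own methods; the first ordinary `+`, `===` or `typeof` coerces the wrapper back to a primitive and the label is gone, which is exactly the gap a rewriting approach must close for every operator and built-in.

```javascript
// Added example (not code from DOMinator, Jalangi or SpiderMonkey): a
// source-level labelled string, to show how far a rewriting approach gets
// before it has to reinterpret the language itself.

class LabelledString {
  // value: the underlying primitive string; labels: taint sources it derives from
  constructor(value, labels = []) {
    this.value = String(value);
    this.labels = new Set(labels);
  }
  static from(v) {
    return v instanceof LabelledString ? v : new LabelledString(v);
  }
  get tainted() {
    return this.labels.size > 0;
  }
  // Operations the wrapper knows about propagate labels explicitly.
  concat(other) {
    const o = LabelledString.from(other);
    return new LabelledString(this.value + o.value, [...this.labels, ...o.labels]);
  }
  slice(start, end) {
    return new LabelledString(this.value.slice(start, end), [...this.labels]);
  }
  // Any native coercion lands here, and the labels do not come along.
  toString() {
    return this.value;
  }
}

// Constructed stand-in for an attacker-controlled value such as location.hash.
function untrustedInput(text, source) {
  return new LabelledString(text, [source]);
}

// Hypothetical sink that only accepts unlabelled data (think: just before innerHTML).
function sink(value) {
  if (value instanceof LabelledString && value.tainted) {
    return { status: 'blocked', labels: [...value.labels] };
  }
  return { status: 'ok' };
}

// Flow 1: every step goes through the wrapper, so the label reaches the sink.
function trackedFlow() {
  const fragment = untrustedInput('#hello', 'location.hash');
  const html = LabelledString.from('<div>').concat(fragment.slice(1)).concat('</div>');
  return { text: html.value, tainted: html.tainted, sink: sink(html).status };
}

// Flow 2: the same data, but one ordinary `+` coerces the wrapper via toString().
// The result is a plain primitive: typeof says "string" and the sink sees nothing.
function lostFlow() {
  const fragment = untrustedInput('#hello', 'location.hash');
  const html = '<div>' + fragment.slice(1) + '</div>';
  return { text: html, type: typeof html, sink: sink(html).status };
}

// Flow 3: identity is another place the illusion breaks. The wrapper is not
// equal to the primitive it stands in for, so existing comparisons change meaning.
function identityDiffers() {
  return LabelledString.from('a') === 'a';
}
```

Closing the gap in flow 2 means rewriting every `+`, template literal, comparison, `typeof` and built-in call so that it understands the wrapper, and doing the same for every library the page loads; at that point the rewriter is an interpreter for the language, which is the self-hosted-interpreter conclusion reached in the message.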