Eliott Robson Undergraduate Dissertation 2016/17

Analysing Control Flow Execution

Supervised by A.Brucker

Abstract

JavaScript is a common programming language primarily used in webpages to provide features and functionality to the user. However, it is not easily possible to find out how such a program is working without studying the code, due to a lack of supporting tools and research.

This project aims to research how a dynamic analysis framework and suitable analyses could be designed abstractly and implemented for JavaScript. By analysing popular websites and publicly available Chrome extensions, an evaluation of security was conducted. Crucially, the project was designed to support arbitrary analysis, in addition to security research.

The results revealed that even top websites use deprecated functions, eval is not always evil and stealing cookies is trivial. Fortunately, this report shows that security flaws are not commonplace but can easily be introduced accidentally.

The success of this project provides the research required to implement dynamic analysis in other languages for similar research. Furthermore, the applications have proven the case that dynamic analysis can be useful for security analysis.