Explore a groundbreaking approach to static vulnerability analysis for JavaScript in this 20-minute conference talk from PLDI 2024. Delve into the innovative Multiversion Dependency Graph (MDG), a novel graph-based data structure designed to capture object state evolution during program execution. Learn how this new technique improves upon existing Code Property Graph (CPG) methods, offering a balance between scalability and effectiveness in identifying vulnerability patterns. Discover the implementation of Graph.js, a specialized MDG-based static vulnerability scanner for npm packages, and its superior performance in detecting taint-style and prototype pollution vulnerabilities. Gain insights into how this approach significantly reduces false negatives and analysis time compared to current state-of-the-art tools, and uncover its potential in identifying previously undiscovered vulnerabilities in npm packages.
Efficient Static Vulnerability Analysis for JavaScript with Multiversion Dependency Graphs
ACM SIGPLAN via YouTube
Overview
Syllabus
[PLDI24] Efficient Static Vulnerability Analysis for JavaScript with Multiversion Dependency Graphs
Taught by
ACM SIGPLAN
Related Courses
-
ConDySTA - Context-Aware Dynamic Supplement to Static Taint Analysis
-
Reducing Static Analysis Unsoundness with Approximate Interpretation
-
Improving Dynamic Vulnerability Scanners with Static Code Analysis
-
A Static Tainting Analysis Method for Aspect-Oriented Programs
-
Going Beyond Metadata - Adopting Static Analysis in Dependency Tools
-
Real World Static Analysis for Real Humans
