Augur: Dynamic Taint Analysis for Asynchronous JavaScript

JavaScript dominates the online world [8], powering everything from client-side web apps to server back-ends. Web applications are frequently the target of cyberattacks, and subtle bugs in JavaScript can lead to many dangerous vulnerabilities, including format-string attacks, SQL injection, cross-site scripting, command- and shell-code injection, and directory traversal.

Dynamic taint analysis (DTA) has a long history of detecting the above vulnerabilities. It is particularly effective in finding vulnerabilities in dynamic languages like JavaScript, as their dynamic behavior is difficult to analyze using static program analysis. Unfortunately, many existing DTA tools for JavaScript [1, 3, 4, 5, 10] do not support the JavaScript language features introduced in ECMAScript 7, and have significant overhead on the versions of JavaScript that they do support, ranging from 3.38 ×  [6] to 1,680 ×  [1].

In this paper, we present Augur, a dynamic taint analysis tool for JavaScript. The technique underpinning Augur is one of VM-supported instrumentation; Augur is implemented in the NodeProf [9] framework for GraalVM [11], which exposes a stable instrumentation API upon which to build a dynamic analysis. This scheme allows Augur to achieve low overhead (median 1.77 × over 20 benchmark applications), and avoiding the need to modify the VM itself significantly reduces engineering effort and increases the likelihood of adoption. Augur builds upon the abstract-machine approach introduced by Ichnaea [5], expanding upon it to handle the new asynchronous features of JavaScript ES7.

DTA is a program analysis technique to track the flow of sensitive information and ensure it does not reach an untrusted operation. Confidential or sensitive information is considered tainted when it comes from a taint source, and leaked when it enters a taint sink. While the technique was originally intended to detect privacy leaks, it has many additional applications such as detecting security vulnerabilities. For example, SQL injection attacks can be detected using DTA by marking user input as taint sources, and SQL commands as sinks. If user input flows into an SQL command without sanitization, even indirectly, a user can potentially exploit this vulnerability by writing raw SQL code.

DTA is particularly effective for JavaScript, as the dynamic nature of the language can make it difficult to determine these vulnerabilities statically. However, JavaScript's design presents some unique challenges for DTA. Modern JavaScript is Just-In-Time (JIT) compiled and optimized. This greatly improves its performance, but makes it infeasible to take advantage of lower-level x86 binary DTAs [2]. This necessitates a higher-level instrumentation mechanism. However, JavaScript code utilizes an extensive standard library implemented in native code, meaning any DTA implementation needs to precisely track data flow in both JavaScript and native code. Existing JavaScript DTAs implement the instrumentation in one of two ways: either via program rewriting [1, 3, 4, 5], or VM modification [6, 10], and most (besides TruffleTaint [6]) do not support the asynchronous features introduced in JavaScript ES6 and ES7.

Introduced in ES6, promises are a popular method of implementing asynchronous computations in JavaScript. A promise can be thought of as an object which wraps an asynchronous computation; reaction callbacks can be registered on promises that are invoked when the underlying asynchronous computation is completed, either with the return value if execution was successful, or with an error if a problem occurred. The ES7 version of JavaScript has introduced the async/await feature which is not supported by most DTA tools. At a high level, async/await is syntactic sugar for promises: by marking functions as async and await-ing calls to such async functions, programmers can write asynchronous code with linear-looking control flow. Augur leverages the analysis technique used in Ichnaea with a modern implementation to support the latest version of JavaScript, and offers improved performance through to VM-supported instrumentation.

Augur is a dynamic taint analysis platform for JavaScript. It is implemented in the NodeProf [9] instrumentation framework for GraalVM [11]. It supports the latest version of JavaScript, including async/await, native Promises, classes, as well as new syntax: let, const, for/of, and arrow functions. Taint can be tracked through native functions, with built-in models for many popular functions. Augur is equipped with a default specification that searches for common injection vulnerabilities in JavaScript: file contents and process arguments are marked as sources, and exec and eval (which can execute arbitrary strings as code) are marked as sinks (this spec is fully customizable). Detailed instructions on how to run Augur and how to configure a taint specification are available in the open-source repository¹; as a simple example of how to run Augur on the command line, consider Figure 1.

Augur follows in the footsteps of Ichnaea [5], where code is first instrumented to produce instructions for a stack machine. The stack machine is then responsible for finding the information flows.

Run Time Analysis. A JavaScript program is loaded into GraalVM for execution. As it runs, GraalVM, through the NodeProf framework, informs Augur of every operation happening in the program—e.g., variable assignments, function calls, etc.—via hooks. Augur’s run time analysis takes this information and produces instructions for Augur’s stack machine that describe how information flows while executing the operation. These instructions represent an execution trace which Augur can later analyze for data flow.

Offline Analysis. Here, Augur runs the stack machine instructions in the execution trace w.r.t. a taint specification, describing which program locations are sources of taint and which are sinks.

Figure 3 displays the stack machine instructions and state of Augur when instrumenting the code snippet under “Original Code”, configured with userInput as a taint source and input as a taint sink. When the first line of the stack machine instructions is executed, Augur pushes true onto the stack to indicate a tainted value (note the red arrows in the figure). The next instruction causes false to be pushed onto the stack, indicating an untainted literal value. Next, a binary operation corresponding to the addition in the original code causes Augur to merge the two values at the top of the stack: true and false are popped off the stack and combined into true with boolean or, which is pushed onto the stack (describing the taintedness of the combined string literal). In the next instruction, the stack machine assigns the taint value at the top of the stack to the input variable and reports any flows that occurred. Since the value at the top of the stack is true, Augur has now determined that the variable input is tainted, and since input is defined as a sink, the flow will be reported to the user.

This is the technique described in Ichnaea [5], and in the following subsections we describe extensions for handling ES7 features.

4.1 Async/Await Support

To support dynamically pausing and resuming asynchronous function calls, Augur is implemented with a taint tree rather than a taint stack. In a sense, there are separate taint stacks for each asynchronous function call, and Augur links up calls to asynchronous functions, their return values, and their callers with a unique ID associated with each execution of an asynchronous function. Halting execution of an async function will save the current taint stack and associated with the unique ID of that function execution; when execution later resumes, the saved stack is retrieved and instrumentation resumes with the appropriate taint stack in place. The taintedness of return values from async functions is also explicitly saved alongside the ID of the call so that once the caller of that function resumes execution, the appropriate taint can be retrieved.

As an example, consider the program in Figure 4. The asynchronous function cat calls the asynchronous read function twice. Each function call has its own independent taint stack, where the taint of arguments and return values are linked.

We ran Augur on the benchmarks used in the Ichnaea paper [5]. This benchmark suite is comprised of 22 real JavaScript applications known to present 2 common injection vulnerabilities in JavaScript: eval (evaluates arbitrary code) and exec (executes arbitrary shell commands). Note that two of the benchmark applications no longer execute, even on base Node.js, due to changes in the JavaScript standard library, so we focus on the 20 that do. The results of this experiment, alongside a comparison with Ichnaea overhead, can be found in Table 1. Overall, we found that Augur achieves a low median run time overhead of 1.77 × on the 20 benchmark applications that execute, and a median overhead of 3.35 × when executing generated stack machine instructions alongside program execution. Augur outperforms Ichnaea on 17 of the 20 benchmarks. We investigated the cases where Ichnaea outperformed Augur, and found no systematic reason; one possible reason is due to engineering differences, as Ichnaea is implemented using source code rewriting (running on V8), whereas Augur is implemented in the NodeProf framework for GraalVM. In both Augur and Ichnaea, the time to execute the stack machine instructions is negligible.

Additionally, we conducted extensive testing to validate the correctness of our taint tracking through async/await, Promises, and the interaction between the two. We found no instances where taint was lost when switching contexts.

Augur may not be able to analyze JavaScript code out of the box due to native functions. Although we have implemented 20 models for common native functions, JavaScript continues to enrich its standard library with each release. That said, only 76 different native models were invoked during our evaluation and no issues were observed, suggesting that the default model covers many unimplemented native models. Separately, Augur is built in the NodeProf dynamic analysis framework for Truffle and GraalVM. GraalVM fully supports the JavaScript language, but falls short of integrating directly with web browsers; to achieve that, mock browser environments (e.g., jsdom) should be used.

While there is a wealth of work on taint analysis in general, dynamic taint analysis is most closely related to Augur. In this section, we outline dynamic taint analysis tools for JavaScript specifically. Dynamic taint analysis can be broadly categorized as either rewriting the program, or by modifying a virtual machine.

Program Rewriting. Ichnaea [5] relies on Jalangi [7] to perform program rewriting; Ichnaea's stack machine approach is similar to the approach employed in Augur, but it is limited in that (1) Jalangi is no longer supported, and does not work on modern asynchronous JavaScript, and (2) Ichnaea has significantly more overhead than Augur (Ichnaea median overhead is 5.92 ×). Other work includes a Virtual Values approach [4] wherein taint flow semantics are declared for primitive JavaScript operations, and an approach where information flow controllers are explicitly inlined [1].

VM Modification. Recent work by Kreindl et al. [6] propose TruffleTaint, a platform-agnostic taint analysis for Truffle [11], the framework for implementing language runtimes in GraalVM [11]. While Augur is implemented in the NodeProf framework [9] and thus runs on unmodified GraalVM, TruffleTaint runs on a fork of GraalVM (reported overhead 3.32 × -7.30 ×). JSFlow [3] enhances the JavaScript interpreter to track fine-grained information flow (overhead of 1,680 × reported in other work [1]), and the XSS Prevention approach taken by Vogt et al. [10] relies on a modified browser.

The VM-supported approach outlined in this paper yields greater performance than program rewriting techniques [1, 3, 4, 5] as Augur does not modify source code and is more portable than techniques which require VM modifications [6, 10].

Dynamic taint analysis is an important technique to help secure JavaScript applications against security vulnerabilities. Many existing DTA techniques and tools for JavaScript have not been updated to handle the ES7 version of JavaScript, which introduced the async/await feature to the language. This paper presented Augur, the most performant DTA tool for JavaScript that supports JavaScript ES7; thanks to VM-supported instrumentation, Augur achieves a low median run time overhead of 1.77 × on 20 benchmark applications, and a median overhead of 3.35 × when executing generated stack machine instructions alongside program execution.