Vincenzo Arceri scite author profile

Vincenzo Arceri

4Publications

65Citation Statements Received

71Citation Statements Given

How they've been cited

How they cite others

120

Affiliations

University of Parma, University of Verona, Ca' Foscari University of Venice

Publications

Order By: Most citations

Static Analysis for ECMAScript String Manipulation Programs

Arceri

Mastroeni

2020

Applied Sciences

View full text Add to dashboard Cite

In recent years, dynamic languages, such as JavaScript or Python, have been increasingly used in a wide range of fields and applications. Their tricky and misunderstood behaviors pose a great challenge for static analysis of these languages. A key aspect of any dynamic language program is the multiple usage of strings, since they can be implicitly converted to another type value, transformed by string-to-code primitives or used to access an object-property. Unfortunately, string analyses for dynamic languages still lack precision and do not take into account some important string features. In this scenario, more precise string analyses become a necessity. The goal of this paper is to place a first step for precisely handling dynamic language string features. In particular, we propose a new abstract domain approximating strings as finite state automata and an abstract interpretation-based static analysis for the most common string manipulating operations provided by the ECMAScript specification. The proposed analysis comes with a prototype static analyzer implementation for an imperative string manipulating language, allowing us to show and evaluate the improved precision of the proposed analysis.

show abstract

Static Program Analysis for String Manipulation Languages

Arceri

Mastroeni

2019

Electron. Proc. Theor. Comput. Sci.

View full text Add to dashboard Cite

Analyzing Dynamic Code

Arceri

Mastroeni

2021

ACM Trans. Priv. Secur.

View full text Add to dashboard Cite

Dynamic languages, such as JavaScript, employ string-to-code primitives to turn dynamically generated text into executable code at run-time. These features make standard static analysis extremely hard if not impossible, because its essential data structures, i.e., the control-flow graph and the system of recursive equations associated with the program to analyze, are themselves dynamically mutating objects. Nevertheless, assembling code at run-time by manipulating strings, such as by eval in JavaScript, has been always strongly discouraged, since it is often recognized that “ eval is evil ,” leading static analyzers to not consider such statements or ignoring their effects. Unfortunately, the lack of formal approaches to analyze string-to-code statements pose a perfect habitat for malicious code, that is surely evil and do not respect good practice rules, allowing them to hide malicious intents as strings to be converted to code and making static analyses blind to the real malicious aim of the code. Hence, the need to handle string-to-code statements approximating what they can execute, and therefore allowing the analysis to continue (even in the presence of dynamically generated program statements) with an acceptable degree of precision, should be clear. To reach this goal, we propose a static analysis allowing us to collect string values and to soundly over-approximate and analyze the code potentially executed by a string-to-code statement.

show abstract

Abstract Domains for Type Juggling

Arceri

Maffeis

2017

Electronic Notes in Theoretical Computer Science

View full text Add to dashboard Cite

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

hi@scite.ai

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Vincenzo Arceri

Static Analysis for ECMAScript String Manipulation Programs

Static Program Analysis for String Manipulation Languages

Analyzing Dynamic Code

Abstract Domains for Type Juggling

Contact Info

Product

Resources

About