Position paper: the science of boxing

Abstract

The ubiquity of Web 2.0 applications handling sensitive information means that static analysis of applications written in JavaScript has become an important security problem. The highly dynamic nature of the language makes this difficult. The eval construct, which allows execution of a string as program code, is particularly notorious in this regard. Eval is a form of metaprogramming construct: it allows generation and manipulation of program code at run time. Other metaprogramming formalisms are more principled in their behaviour and easier to reason about; consider, for example, Lisp-style code quotations, which we call staged metaprogramming. We argue that, instead of trying to reason directly about uses of eval, we should first transform them to staged metaprogramming, then analyse the transformed program. To demonstrate the feasibility of this approach, we describe an algorithm for transforming uses of eval on strings encoding program text into uses of staged metaprogramming with quoted program terms. We present our algorithm in the context of a JavaScript-like language augmented with staged metaprogramming.