Evaluation and Comparison of Dynamic Call Graph Generators for JavaScript

JavaScript is the most popular programming language these days and it is also the core language of the node.js environment. Sharing code is a simple task in this environment and the shared code can be easily reused as building blocks to create new applications. This vibrant and ever growing environment is not perfect though. Due to the large amount of reused code, even simple applications can have a lot of indirect dependencies. Developers may not even be aware of the fact that some of these dependencies could contain malware, since harmful code can be hidden relatively easily due to the dynamic nature of JavaScript. Dynamic software analysis is one way of detecting suspicious activities. Call graphs can reveal the internal workings of an application and they have been used successfully for malware detection. In node.js, no tool has been available for directly generating JavaScript call graphs before. In this paper, we are going to introduce three tools that can be used to generate call graphs for further analysis. We show that call graphs contain a significant amount of engine-specific information but filters can be used to reduce such differences.