Practical Dynamic Symbolic Execution for JavaScript

Abstract

In this thesis we develop a practical and scalable approach for dynamic symbolic execution (DSE) of JavaScript programs and prove its effectiveness by implementing ExpoSE, our new DSE engine. ExpoSE uses program instrumentation to implement DSE, enabling analysis of both web applications and Node.js software while also allowing quick support for the latest JavaScript standards. We detail novel encodings for regular expressions, objects, and arrays which allow ExpoSE to analyze programs out of reach of prior work. In particular, we present the first complete encoding for ES6 regular expressions, including symbolic support for capture groups and backreferences. We show the effectiveness of our design through two case studies. In the first study we show that our approach is able to generate a suite of supplementary conformance tests for JavaScript standard library methods that further the official JavaScript testing suite Test262. Test cases are generated through symbolic exploration of polyfill implementations and verified with differential testing. In the second case study we use DSE to automatically deduce what conditions trigger resource loading, enabling our new speculative loading approach Oblique, a proxy which reduces page load times by sending resources before a client requests them.

This paper was published in Royal Holloway - Pure.
