Characterizing Security-Related Commits of JavaScript Engines

Bruno Gonçalves de Oliveira; Andre Endo; Silvia Vergilio

doi:10.5220/0011966100003467

Characterizing Security-Related Commits of JavaScript Engines

Bruno Gonçalves de Oliveira, Andre Endo, Silvia Vergilio

2023

Abstract

JavaScript engines are security-critical components of Web browsers. Their different features bring challenges for practitioners that intend to detect and remove vulnerabilities. As these JavaScript engines are open-source projects, security insights could be drawn by analyzing the changes performed by developers. This paper aims to characterize security-related commits of open-source JavaScript engines. We identified and analyzed commits that involve some security aspects; they were selected from the widely used engines: V8, ChakraCore, JavaScriptCore, and Hermes. We compared the security-related commits with other commits using source code metrics and assessed how security-related commits modify specific modules of JavaScript engines. Finally, we classified a subset of commits and related them to potential vulnerabilities. The results showed that only six out of 44 metrics adopted in the literature are statistically different when comparing security-related commits to the others, for all engines. We also observed what files and, consequently, the modules, are more security-related modified. Certain vulnerabilities are more connected to security-related commits, such as Generic Crash, Type Confusion, Generic Leak, and Out-of-Bounds. The obtained results may help to advance vulnerability prediction and fuzzing of JavaScript engines, augmenting the security of the Internet.

Download

Paper Citation

in Harvard Style

Gonçalves de Oliveira B., Endo A. and Vergilio S. (2023). Characterizing Security-Related Commits of JavaScript Engines. In Proceedings of the 25th International Conference on Enterprise Information Systems - Volume 2: ICEIS, ISBN 978-989-758-648-4, SciTePress, pages 86-97. DOI: 10.5220/0011966100003467

in Bibtex Style

@conference{iceis23,
author={Bruno Gonçalves de Oliveira and Andre Endo and Silvia Vergilio},
title={Characterizing Security-Related Commits of JavaScript Engines},
booktitle={Proceedings of the 25th International Conference on Enterprise Information Systems - Volume 2: ICEIS,},
year={2023},
pages={86-97},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0011966100003467},
isbn={978-989-758-648-4},
}

in EndNote Style

TY - CONF

JO - Proceedings of the 25th International Conference on Enterprise Information Systems - Volume 2: ICEIS,
TI - Characterizing Security-Related Commits of JavaScript Engines
SN - 978-989-758-648-4
AU - Gonçalves de Oliveira B.
AU - Endo A.
AU - Vergilio S.
PY - 2023
SP - 86
EP - 97
DO - 10.5220/0011966100003467
PB - SciTePress