Wei Lu and Min-Yen Kan
AIRS 2005 (Jeju Island, Korea)
14/22
Object Communication Analysis
• Execution can reveal crucial information not   
  accounted for in previous analyses
- Static analysis executes every possible path
- Dynamic analysis simulates actual execution
•var msg = "Welcome to this page";
•banner(0);
•function banner (index){
•  var newWin = window.open();
•  frm.txt.value="ok";
•  window.status = msg.substring(0, index);
•  index = index++;
•  if (index >= msg.length) index = 0;
•  window.setTimeout("banner("+index+" ) " , 100);
•}
(Static analysis) Opens up a new window
NEW::WINDOW
(Static analysis) Sets value of an INPUT field in a form
SET::INPUT.value
(Static analysis) Set value to status bar of current window
SET::WINDOW.status
(Static analysis) Call a window function
CALL::WINDOW.setTimeout
(Dynamic analysis extracts advanced
features during execution)
The status bar of current window changes
with time:
CHANGES::WINDOW.status
There are typically two types of approaches in a program analysis task – static analysis and dynamic analysis.
Static analysis assumes every path is executed, while dynamic analysis will perform an actual execution.
We have examined both approaches.
With the help of these analysis, we can extract useful object communication features. For example, in the following code, “window.open()” refers to a creation of a new window, so we can extract a feature “NEW::WINDOW” from static analysis. “frm.txt” actually refers to an “INPUT” object. Here it is to set the value of an input field, so we can extract a feature “SET::INPUT.value”. Similarly, we can extract many other features from static analysis.
As for dynamic analysis, we focus on finding more advanced features that only reveals during runtime. This example code is actually designed to perform a banner task. The message appearing in the status bar changes with time, which performs like a banner. A feature “CHANGES::WINDOW.status” can therefore get extracted with dynamic analysis.