From 307826e8bb95e06f03cde009d3063009a759f306 Mon Sep 17 00:00:00 2001 From: mwaldrich <30734086+mwaldrich@users.noreply.github.com> Date: Tue, 7 Nov 2023 10:50:00 -0500 Subject: [PATCH 1/4] Update README.md --- tests-unit/README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tests-unit/README.md b/tests-unit/README.md index 611273d..e1ea082 100644 --- a/tests-unit/README.md +++ b/tests-unit/README.md @@ -80,6 +80,11 @@ and `TaintType` is of the form: | "functionReturn" | "literal" | "declaration"; ``` +and `TrackingType` is of the form: +```typescript +"Boolean" | "SourcedBoolean" | "Expression" +``` + ## `output-expected` For each unit test in `tests-unit/input` named `test`, there should be a From 4d9b1828df2f3b76e68321168a56a6de09620ade Mon Sep 17 00:00:00 2001 From: mwaldrich <30734086+mwaldrich@users.noreply.github.com> Date: Tue, 7 Nov 2023 10:58:28 -0500 Subject: [PATCH 2/4] Update README.md --- README.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 0a3e511..210cb84 100644 --- a/README.md +++ b/README.md @@ -67,7 +67,7 @@ This file tells Augur the *sources* and *sinks* of the flows you want to track. The spec above tells Augur to alert you if any value returned from `readFileSync` flows into the function `exec`. It also tells Augur how to run your project: by executing the file `test.js`. -[Here](./tests-unit/README.md) are all the options for `spec.json`. +[Here](./tests-unit/README.md#specjson) are all the options for `spec.json`. Let's say we analyze the following program, `test.js`: ```javascript 
@@ -135,6 +135,15 @@ You've now analyzed your first application using Augur! to full dependency information between variables 5. Support for tracking taint through native code (see below) +## Tracking Type +Augur supports *three* methods for tracking taint across your application: + +1. `Boolean`: the simplest (and fastest) tracker you can use. During your application's runtime, it simply determines whether a value came from *any* source. It doesn't keep track of which source it came from, or where the flow was introduced. This is not very useful in practice, because you will likely want to use... +2. `SourcedBoolean`: a more practical tracker. For each value in your program, Augur determines if it came from a *source*, and if so, which source and on what line the taint was introduced. +3. `Expression`: the most general tracker. In this mode, Augur will save all the information it finds during your application's runtime. For any given expression, its full set of dependent expressions is recorded. In other words, regardless your specified sources and sinks, Augur will save *every* flow between *every* expression. Expect slowdowns and large output files (on the order of MBs). + +The method you choose should be placed in your [`spec.json`](./tests-unit/README.md#specjson). + ## Native function models Modern JavaScript relies on a wide variety of native functions to improve its usability and performance. Common operations on data structures and From d865325b767a67e3bf2844a53ee4da7c8a01b44c Mon Sep 17 00:00:00 2001 From: mwaldrich <30734086+mwaldrich@users.noreply.github.com> Date: Mon, 4 Dec 2023 15:37:23 -0500 Subject: [PATCH 3/4] Update README.md --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 210cb84..acbda3f 100644 --- a/README.md +++ b/README.md 
@@ -3,9 +3,9 @@ **Augur** is a dynamic taint analysis for Node.js implemented in TypeScript using -[NodeProf](https://github.com/Haiyang-Sun/nodeprof.js). Augur is a clean-room -implementation of Ichnaea, the taint analysis described in the -[IEEE TSE paper: Platform-Independent Dynamic Taint Analysis for JavaScript](https://www.franktip.org/pubs/tse2020.pdf). +[NodeProf](https://github.com/Haiyang-Sun/nodeprof.js). Check out the [paper](https://dl.acm.org/doi/pdf/10.1145/3551349.3559522)! + +Augur builds upon the technique described in [Ichnaea](https://www.franktip.org/pubs/tse2020.pdf). It is more performant, supports the latest version of JavaScript, and is highly configurable to support any type of dynamic data-flow analysis. --- From 0aa881179751a0958117c357fbd167325fab8e26 Mon Sep 17 00:00:00 2001 From: mwaldrich <30734086+mwaldrich@users.noreply.github.com> Date: Thu, 7 Dec 2023 23:04:28 -0500 Subject: [PATCH 4/4] try using github's action runners --- .github/workflows/Augur.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/Augur.yml b/.github/workflows/Augur.yml index c499ce2..cd24c97 100644 --- a/.github/workflows/Augur.yml +++ b/.github/workflows/Augur.yml @@ -10,7 +10,7 @@ jobs: build: - runs-on: self-hosted + runs-on: ubuntu-latest timeout-minutes: 4320 env: working-directory: ./ts
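Review bot: The `TrackingType` addition in [PATCH 1/4] (tests-unit/README.md, hunk `@@ -80,6 +80,11 @@`) lists the three values but does not say which `spec.json` field takes them or what each value does, so a reader of this file alone cannot choose between them. Suggest naming the field next to the type definition and linking to the `## Tracking Type` section that [PATCH 2/4] adds to the top-level README.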
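Review bot: The new `## Tracking Type` section in [PATCH 2/4] (README.md, hunk `@@ -135,6 +135,15 @@`) closes with "The method you choose should be placed in your `spec.json`" but never names the key or shows a value in place; add the field name or a one-line snippet so the instruction can be followed without reading the other README. Two wording fixes in the same hunk: item 3 reads "regardless your specified sources and sinks" (missing "of"), and item 1 trails off with "because you will likely want to use...", which reads better as a plain statement of when `Boolean` is the right choice. Because `Expression` is described as saving every flow between every expression, with output "on the order of MBs", the section should also say where that output is written. Both hunks of this patch link to `./tests-unit/README.md#specjson`; the heading that produces that anchor is not visible in this series, so confirm it resolves.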
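Review bot: The rewritten intro in [PATCH 3/4] (README.md, hunk `@@ -3,9 +3,9 @@`) drops the title and venue from both references: the new link text is only "paper", and the Ichnaea link loses "IEEE TSE paper: Platform-Independent Dynamic Taint Analysis for JavaScript". Keep the titles in the link text so the citations survive when the README is read as plain text. The removed line called Augur "a clean-room implementation of Ichnaea" while the new one says it "builds upon the technique", which changes the provenance statement; the commit message ("Update README.md") should say that this is intended. "Supports the latest version of JavaScript" will go stale, so name the ECMAScript or Node.js version. The added lines are also not wrapped like the surrounding ones.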
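Review bot: `timeout-minutes: 4320` in the unchanged context of [PATCH 4/4] (.github/workflows/Augur.yml, hunk `@@ -10,7 +10,7 @@`) no longer matches the runner: jobs on GitHub-hosted runners are stopped after 6 hours, so with `runs-on: ubuntu-latest` a 72-hour timeout can never be reached. Lower the timeout to what the job needs, or split the work if it really runs that long. `ubuntu-latest` is a moving label, so pinning a fixed image version keeps the build reproducible. A hosted runner also starts from a clean image on every run, so anything the self-hosted machine provided implicitly has to be installed by the workflow steps, which are not visible in this hunk.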