
Systematic adaptation of dynamically generated source code via domain-specific examples (open access)

In modern web-based applications, an increasing amount of source code is generated dynamically at runtime. Web applications commonly execute dynamically generated code (DGC) emitted by third-party, black-box generators, run at remote sites. Web developers often need to adapt DGC before it can be executed: embedded HTML can be vulnerable to cross-site scripting attacks; an API may be incompatible with some browsers; and the program's state created by DGC may not be persisting. Lacking any systematic approaches for adapting DGC, web developers resort to ad-hoc techniques that are unsafe and error-prone. This study presents an approach for adapting DGC systematically that follows the program-transformation-by-example paradigm. The proposed approach provides predefined, domain-specific before/after examples that capture the variability of commonly used adaptations. By approving or rejecting these examples, web developers determine the required adaptation transformations, which are encoded in an adaptation script operating on the generated code's abstract syntax tree. The proposed approach is a suite of practical JavaScript program adaptations and their corresponding before/after examples. The authors have successfully applied the approach to real web applications to adapt third-party generated JavaScript code for security, browser compatibility, and persistence.
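A minimal illustration of the kind of AST-level security adaptation the abstract describes, added here as an example; it is not the authors' tool or code. The sanitizer name `sanitizeHtml`, the sample statements and all helper functions are assumptions made for the illustration.

```javascript
// Constructed ESTree-style AST (the shape a parser such as Esprima emits), built by hand
// so it runs offline: box.innerHTML = payload; box["innerHTML"] = payload; box.title = payload;
const id = name => ({ type: 'Identifier', name });
const assign = (property, computed) => ({
  type: 'ExpressionStatement',
  expression: { type: 'AssignmentExpression', operator: '=', right: id('payload'),
    left: { type: 'MemberExpression', computed, object: id('box'), property } }
});
const generatedAst = { type: 'Program', body: [
  assign(id('innerHTML'), false),
  assign({ type: 'Literal', value: 'innerHTML' }, true),
  assign(id('title'), false),
] };

// Depth-first visit of every AST node.
function walk(node, visit) {
  if (Array.isArray(node)) return node.forEach(n => walk(n, visit));
  if (!node || typeof node.type !== 'string') return;
  visit(node);
  Object.values(node).forEach(v => { if (typeof v === 'object') walk(v, visit); });
}

// Adaptation script: wrap each value assigned to an innerHTML sink in a sanitizer call.
// `sanitizeHtml` is a hypothetical name, assumed to be defined by the hosting page.
function adaptInnerHtml(ast, sanitizer = 'sanitizeHtml') {
  let rewritten = 0;
  walk(ast, node => {
    if (node.type !== 'AssignmentExpression' || node.left.type !== 'MemberExpression') return;
    const { computed, property } = node.left;
    // Static keys only: box[key] with a runtime key cannot be resolved here.
    const sink = (computed ? property.value : property.name) === 'innerHTML';
    const done = node.right.type === 'CallExpression' && node.right.callee.name === sanitizer;
    if (!sink || done) return; // skip non-sinks and already-adapted assignments
    node.right = { type: 'CallExpression', callee: id(sanitizer), arguments: [node.right] };
    rewritten++;
  });
  return rewritten;
}

// Minimal printer for the node types above (a full pipeline would use a code generator).
function print(n) {
  switch (n.type) {
    case 'Program': return n.body.map(print).join('\n');
    case 'ExpressionStatement': return print(n.expression) + ';';
    case 'AssignmentExpression': return `${print(n.left)} = ${print(n.right)}`;
    case 'MemberExpression': return print(n.object) + (n.computed ? `[${print(n.property)}]` : `.${print(n.property)}`);
    case 'CallExpression': return `${print(n.callee)}(${n.arguments.map(print).join(', ')})`;
    case 'Literal': return JSON.stringify(n.value);
    default: return n.name; // Identifier
  }
}
```

Printing the tree before and after `adaptInnerHtml(generatedAst)` gives the before/after pair for this one adaptation; a second run rewrites nothing, so the script can safely be reapplied to the same generated code.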

http://iet.metastore.ingenta.com/content/journals/10.1049/iet-sen.2016.0211