Data-flow Analysis of Programs with Associative Arrays
This work addresses a critical problem for developers and security analysts in web applications, as it improves static verification methods for dynamic languages, though it appears incremental by building upon existing analysis frameworks.
The paper tackles the challenge of performing sound and precise data-flow analysis on programs with associative arrays in dynamic languages like PHP, proposing a new approach that enables accurate value and points-to analysis for such structures.
Dynamic programming languages, such as PHP, JavaScript, and Python, provide built-in data structures including associative arrays and objects with similar semantics-object properties can be created at run-time and accessed via arbitrary expressions. While a high level of security and safety of applications written in these languages can be of a particular importance (consider a web application storing sensitive data and providing its functionality worldwide), dynamic data structures pose significant challenges for data-flow analysis making traditional static verification methods both unsound and imprecise. In this paper, we propose a sound and precise approach for value and points-to analysis of programs with associative arrays-like data structures, upon which data-flow analyses can be built. We implemented our approach in a web-application domain-in an analyzer of PHP code.