Not that I am aware of, and I spent a lot of time looking last year. I was looking from the perspective of finding vulnerabilities though, not maliciousness. The only thing I know of that is close is a tool called “Semmle”, which is an Eclipse-based tool for static analysis. They added support for JavaScript, and I was working with one of their engineers to look at a taint-based approach to find vulnerabilities. (In the end, we took a different approach: https://bugzilla.mozilla.org/show_bug.cgi?id=1155131)
My conclusion was that static analysis alone for detecting maliciousness wasn’t feasible (for me at least!). It seems like the options for obfuscation (even legitimate ones, asm.js?) are too enumerable to develop a tool that would cover more than just basic obfuscation. But I’d love to hear about it if anyone knows of anything.
Maybe we need to invest in dynamic analysis based tooling as well if we want to make progress towards automated/semi-automated verification though? Again, keen to hear anyone’s experiences in this area.
> _______________________________________________
> dev-security mailing list
> dev-se...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security