Analyzing Dynamic Code
ACM Transactions on Privacy and Security (IF 2.3), Pub Date: 2021-01-21, DOI: 10.1145/3426470
Vincenzo Arceri, Isabella Mastroeni

Dynamic languages, such as JavaScript, employ string-to-code primitives to turn dynamically generated text into executable code at run-time. These features make standard static analysis extremely hard, if not impossible, because its essential data structures, i.e., the control-flow graph and the system of recursive equations associated with the program to analyze, are themselves dynamically mutating objects. Nevertheless, assembling code at run-time by manipulating strings, such as by eval in JavaScript, has always been strongly discouraged, since it is often recognized that “eval is evil,” leading static analyzers to not consider such statements or to ignore their effects. Unfortunately, the lack of formal approaches to analyze string-to-code statements provides a perfect habitat for malicious code, which is surely evil and does not respect good practice rules, allowing it to hide malicious intents as strings to be converted to code and making static analyses blind to the real malicious aim of the code. Hence, the need to handle string-to-code statements by approximating what they can execute, thereby allowing the analysis to continue (even in the presence of dynamically generated program statements) with an acceptable degree of precision, should be clear. To reach this goal, we propose a static analysis allowing us to collect string values and to soundly over-approximate and analyze the code potentially executed by a string-to-code statement.
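The idea of collecting string values and over-approximating what reaches a string-to-code statement can be illustrated with the added sketch below; it is not the paper's analysis or its abstract domain. The tiny IR, the finite-set string domain, and every name in it (`TOP`, `abstractExpr`, `analyze`, `report`, `sampleProgram`) are assumptions made for this example, and loops are left out because they would need a widening step.

```javascript
// Added illustration: finite-set string analysis over a tiny constructed IR.
const TOP = null; // "any string": nothing is known about the value

function join(a, b) {
  return a === TOP || b === TOP ? TOP : new Set([...a, ...b]);
}

// Expressions: {lit: "..."} | {ref: "name"} | {cat: [left, right]}
function abstractExpr(e, env) {
  if ('lit' in e) return new Set([e.lit]);
  if ('ref' in e) return env.has(e.ref) ? env.get(e.ref) : TOP; // unbound => TOP
  const l = abstractExpr(e.cat[0], env), r = abstractExpr(e.cat[1], env);
  if (l === TOP || r === TOP) return TOP;
  const out = new Set();
  for (const x of l) for (const y of r) out.add(x + y); // all pairings
  return out;
}

// Returns, per eval site in program order, the set of strings that may reach it.
function analyze(stmts, env = new Map(), sinks = []) {
  for (const s of stmts) {
    if (s.op === 'assign') env.set(s.name, abstractExpr(s.value, env));
    else if (s.op === 'eval') sinks.push(abstractExpr(s.arg, env));
    else if (s.op === 'if') {
      // The condition is not evaluated: both branches are assumed reachable.
      const envT = new Map(env), envE = new Map(env);
      analyze(s.then, envT, sinks);
      analyze(s.else, envE, sinks);
      for (const k of new Set([...envT.keys(), ...envE.keys()]))
        env.set(k, envT.has(k) && envE.has(k) ? join(envT.get(k), envE.get(k)) : TOP);
    }
  }
  return sinks;
}

// Constructed sample: a = "tot"; if (?) b = "al += 1" else b = "al -= 1";
// eval(a + b); eval(input)   -- `input` is never assigned in the program
const sampleProgram = [
  { op: 'assign', name: 'a', value: { lit: 'tot' } },
  { op: 'if',
    then: [{ op: 'assign', name: 'b', value: { lit: 'al += 1' } }],
    else: [{ op: 'assign', name: 'b', value: { lit: 'al -= 1' } }] },
  { op: 'eval', arg: { cat: [{ ref: 'a' }, { ref: 'b' }] } },
  { op: 'eval', arg: { ref: 'input' } },
];

function report(program) {
  return analyze(program).map(v => (v === TOP ? 'ANY' : [...v].sort()));
}
console.log(report(sampleProgram));
```

The first eval site resolves to two concrete candidate statements that a downstream analysis could parse and inspect, while the second is reported as `ANY` because nothing bounds its argument.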

Updated: 2021-01-21