@andromeda/mir-da
v0.0.15
Dynamic Security Analysis
mir-da
Dynamically analyze JavaScript programs to extract or enforce RWX sets.
mir-da [bfmp] [i=]
File to start analysis from; defaults to index.js if it exists
-h, --help: Output (this) help
-V, --version: Output version information
-v, vv, vvv, --verbosity: Add (multiple) verbosity levels

-d, --depth : Object depth to analyze (default 3)
-e, --enforce <f.json>: Run in enforcement mode, where mir enforces access rules in <f.json>
-r, --report <f.json>: Run in reporting mode, where mir simply reports on invalid accesses in <f.json>
-s, --save <f.json>: File to output results
-p, --print [<out, err>]: Stream to output results (defaults to file, see above)

--module-exclude : Comma-separated list of module IDs (absolute fs paths) to be excluded from the analysis
--module-include : Comma-separated list of module IDs (absolute fs paths) to be included (assumes module-exclude='')
--context-exclude : Comma-separated context starting points to exclude from tracking (for contexts, see below)
--context-include : Comma-separated context starting points to include in tracking (assumes context-exclude='')
--prop-exclude : Comma-separated property names to exclude from analysis (e.g., 'Promise,toString,escape,setImmediate')
--prop-include : Comma-separated property names to include in the analysis (assumes prop-exclude='*')

Contexts are coarse groups of program elements that are tracked, and fall under these categories (can be included in their long or short form):
- module-locals, m: Module-local names such as 'require'
- node-globals, n: All Node.js-related globals, such as 'console' and 'process'
- es-globals, e: All ECMAScript 6 global names such as Math.sin or
- user-globals, g: User-defined globals accessed with a 'global' prefix, e.g., 'global.y = 3'
- with-globals, w: User-defined globals accessed without a prefix, e.g., 'y = 3' (expensive to track)
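
To make "extract or enforce RWX sets" concrete, here is an added illustration that is not mir-da's code and not taken from this README: a Proxy wrapper that records read/write/execute accesses per property path, then replays the learned set as an allow-list. The names `track` and `demo`, the `{ "path": "rwx" }` rule shape, and the reading of depth as "levels of nested objects to wrap" are assumptions made for this example.

```javascript
// Added illustration (assumed design, not mir-da internals).
// opts.depth   : nested object levels to wrap (mirrors the idea of --depth)
// opts.exclude : property names to skip     (mirrors the idea of --prop-exclude)
// opts.rules   : hypothetical allow-list { "lib.util.sum": "rx" }; null = learn only
function track(target, name, opts = {}, log = {}) {
  const { depth = 3, rules = null, exclude = [] } = opts;
  const note = (path, mode) => {
    // Enforcement: any access not granted by the rules is rejected.
    if (rules && !(rules[path] || '').includes(mode)) {
      throw new Error(`access denied: ${mode} on ${path}`);
    }
    // Extraction: accumulate the distinct modes seen for this path.
    log[path] = [...new Set((log[path] || '') + mode)].sort().join('');
  };
  const wrap = (obj, path, level) => new Proxy(obj, {
    get(t, prop, recv) {
      const value = Reflect.get(t, prop, recv);
      if (typeof prop === 'symbol' || exclude.includes(prop)) return value;
      const child = `${path}.${prop}`;
      note(child, 'r');
      const isObj = value !== null &&
        (typeof value === 'object' || typeof value === 'function');
      // Stop wrapping once the configured depth is reached.
      return isObj && level < depth ? wrap(value, child, level + 1) : value;
    },
    set(t, prop, value) {
      if (typeof prop !== 'symbol' && !exclude.includes(prop)) note(`${path}.${prop}`, 'w');
      return Reflect.set(t, prop, value);
    },
    apply(t, thisArg, args) {
      note(path, 'x');
      return Reflect.apply(t, thisArg, args);
    },
  });
  return { proxy: wrap(target, name, 1), log };
}

function demo() {
  // Constructed stand-in for a third-party module's exports.
  const lib = { version: '1.0', util: { sum: (a, b) => a + b }, cfg: { debug: false } };
  const learn = track(lib, 'lib');               // pass 1: extract the RWX set
  learn.proxy.util.sum(1, 2);
  learn.proxy.cfg.debug = true;
  const enforce = track(lib, 'lib', { rules: learn.log }); // pass 2: enforce it
  const sum = enforce.proxy.util.sum(2, 3);      // within the learned set
  let denied = null;
  try { enforce.proxy.version; } catch (e) { denied = e.message; } // never learned
  return { learned: learn.log, sum, denied };
}
```

The learned set contains only what the first run exercised, so an allow-list built this way is only as complete as the workload used to produce it.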