Scalable Analysis Framework for ECMAScript (SAFE) Version 2.0
Copyright (c) 2016, KAIST
Older versions are still available at the SAFE1.0 branch.
For more information, please check out our user manual.
We assume you are using an operating system with a Unix-style shell (for example, Mac OS X, Linux, or Cygwin on Windows). Assuming SAFE_HOME points to the SAFE directory, you will need to have access to the following:
- J2SDK 1.8. See http://java.sun.com/javase/downloads/index.jsp
- Scala 2.12. See http://scala-lang.org/download
- sbt version 0.13 or later. See http://www.scala-sbt.org
- Bash version 2.5 or later, installed at /bin/bash. See http://www.gnu.org/software/bash/
In your shell startup script, add $SAFE_HOME/bin to your path. The shell scripts in this directory are Bash scripts. To run them, you must have Bash accessible in /bin/bash.
Type sbt compile and then sbt test in the SAFE directory to make sure that your installation successfully finishes the tests.
or with more explanation:
Some of the available commands are as follows:
Changes from SAFE 1.0
- SAFE 2.0 has been tested using Test262, the official ECMAScript (ECMA-262) conformance suite.
- SAFE 2.0 now uses sbt instead of ant to build SAFE.
- SAFE 2.0 now provides an HTML-based debugger for its analyzer.
- Most Java source files are replaced by Scala code and the only Java source code remained is the generated parser code.
- Several components from SAFE 1.0 may not be integrated into SAFE 2.0. Such components include interpreter, concolic testing, clone detector, clone refactoring, TypeScript support, Web API misuse detector, and several abstract domains like the string automata domain.
SAFE 2.0 Roadmap
- SAFE 2.0 will make monthly updates.
- The next update will include a SAFE document, browser benchmarks, and more Test262 tests.
- We plan to support some missing features from SAFE 1.0 incrementally such as a bug detector, DOM modeling, and jQuery analysis.
- Future versions of SAFE 2.0 will address various analysis techniques, dynamic features of web applications, event handling, modeling framework, compositional analysis, and selective sensitivity among others.
Details of the SAFE framework are available in our papers:
- SAFE_WAPI: Web API Misuse Detector for Web Applications (FSE 2014)
- SAFE: Formal Specification and Implementation of a Scalable Analysis Framework for ECMAScript (FOOL 2012)
SAFE has been used by:
- JSAI @ UCSB
- ROSAEC @ Seoul National University
- K Framework @ University of Illinois at Urbana-Champaign
- Ken Cheung @ HKUST
- Web-based Vulnerability Detection @ Oracle Labs
- Tizen @ Linux Foundation
The current developers of SAFE 2.0 are as follows:
and the following people have contributed to the source code: