
I have a problem where I need to see if a particular JavaScript source code takes a lot of heap space. Ideally I would like to have access to heap memory usage and data type of objects in the heap. The trouble is that it seems I'll have to execute the code to have access to heap mem allocation information.

The code, however, is malicious (heap spray attacks), so I would like to avoid full execution. Is there a way for me to simulate the execution instead? I've read that I can use sbrk or API hooking (MSFT Detours) to get memory usage for a particular process (usually the JS interpreter/engine), but it looks like these use cases actually execute the code.

EDIT: I would need to access heap memory as part of a pipeline for multiple JS files so it would be ideal having memory info via a command or through an API.

2 Answers


If you use Chrome you can use the Performance tab of Developer Tools. Just press record, then refresh the page or apply the JS script.

If you want to see JS memory you can also use Task Manager: three-dot menu -> More Tools -> Task Manager.


3 Comments

Sorry, I should've mentioned that I need to access heap memory as part of a pipeline for multiple JS files. I would need to access memory info via a command. Is there an API that exposes V8 memory info without having to access the browser UI? Thanks for your answer.
Try Shift + Esc or the Task Manager from the three-dot menu -> More Tools -> Task Manager. You can add the Memory and JavaScript Memory (V8) columns in that case.
Note that this approach does rely on actually executing all the code, contrary to what the OP wishes for.

What does it mean to "simulate execution"?

Generally speaking: JavaScript engines are made to execute JavaScript. For real.

For analyzing malicious code, you'll probably want to look into sandboxing/isolating it as much as possible. In theory, executing it normally in a browser should be enough -- in practice though, security bugs do sometimes exist in browsers, and malicious code will attempt to exploit those, so for this particular purpose that probably won't be enough.

One approach is to add a whole other layer of sandboxing. Find yourself a JavaScript-on-JavaScript interpreter. Or pick a non-JIT-compiling JavaScript engine, and compile it to WebAssembly, and run that from your app. You can then inspect the memory of the WebAssembly instance running the malicious code; this memory is exposed as an ArrayBuffer to your JavaScript app. (I don't have a particular recommendation for such a JS engine, but I'm sure they exist.) It might be a bit of effort to get such a setup going (not sure; haven't tried), but it'd give you perfect isolation from evil code.

2 Comments

It seems like Node/V8 provides a sandbox mode using its VM api. V8 seems to support tracing as well. Is it possible to hook to a Node app using C++ and capture heap statistics as the unsafe source code is executed in a sandbox?
Yes, as I said: by their very nature, all JavaScript engines provide some sandboxing. But if you already know that the code is malicious, I expect you'll want another layer of security. Node apps can monitor their own memory usage; I don't know about C++ hooks, please refer to the Node API for that. However: DO NOT run untrusted or even known-malicious JS in Node on your real system! Node e.g. provides file system interaction that browsers don't -- malicious code could delete or infect your hard disk's contents! Node is made for running code that you wrote yourself and hence trust.
