Affogato is a dynamic taint analysis engine for Node.js.

Project Details



Affogato is a dynamic taint analysis engine for Node.js.

Project Overview

Node.js is a JavaScript runtime environment that is popular for creating web applications. A typical Node.js application can be anything from a simple website to a large microservice-style application deployed to the cloud.

How it works

We build tools to detect security vulnerabilities in cutting-edge Node.js web applications. We analyse these applications at runtime (i.e., dynamic analysis) to detect and prevent bugs that could lead to security vulnerabilities, such as denial-of-service attacks, or confidential information being stolen from a database. 

Our challenges

The fast-evolving nature of the language and its environment make Node.js applications a challenging target for any program analysis. As part of our research, we aim to create analyses that are easy to use, precise, and fast enough to be deployed in production.

As part of our project, we collaborate with the Graal team to explore efficient dynamic analysis techniques applied to dynamic languages.

Principal Investigator

Francois Gauthier

Consulting Researcher

François Gauthier is a Principal Researcher for Oracle Labs, working in the Program Analysis Group. He is currently developing next-gen Runtime Application Self Protection (RASP) solutions.

His main research focus is automated security analysis, through fuzzing, static, and dynamic analysis. His research interests also include software engineering, testing, and machine learning.


* PhD Computer Engineering 2014, University of Montreal, Canada

* MSc Bioinformatics 2007, University of Montreal, Canada

* BSc Bioinformatics 2005, University of Montreal, Canada