static verification for web scripting languages

Static Verification forWeb Scripting

Languages

Ravi Chugh

Web Platform

ScriptingLanguages

Untrusted

Web Platform

My Goal: Rigorous FoundationsStatic Types and Logic!

Untrusted

ScriptingLanguages

<html>

</html>

Username

Password

Web Page = Static HTMLWeb Page + LinksWeb Page + Client-Side Code

loginButton.onclick = function () {

if (passwordBox.value == “”) {

alert(“Enter password!”);

} else {

</script>

… an easy-to-use “scripting language”as a companion to Java

No Static Types

“Dynamic” Features Make itEasy to Experiment…

Brendan Eich,JavaScript creator

2013Asked whether Gmail would ever open up an API for developers to code add-ons and plug-ins with more official support and stability, Kowitz suggested it was unlikely. Gmail is based on “hundreds of thousands” of lines of JavaScript, Kowitz said, and it's a code base that “changes so quickly.” That said, Jackson said the Gmail team "loves" to see third-party functionality being developed, and the team tries to make developers aware of changes they know will affect those products. Article on LifeHacker

“Scripting”?!?

http://stackoverflow.com/tags02-03-13

Count Tag411,345 C#361,080 Java337,896 PHP321,757 JavaScript175,765 C++160,768 Python

83,486 C64,345 Ruby

9,827 Haskell1,347 OCaml

JavaScript isEverywhere

http://stackoverflow.com/tags02-03-13

Count Tag411,345 C#361,080 Java337,896 PHP321,757 JavaScript175,765 C++160,768 Python

83,486 C64,345 Ruby

9,827 Haskell1,347 OCaml

Popular Server-Side Scripting Languages

ShoppingBanking 2013

ShoppingBanking

Third-Party Ads

ShoppingBanking

Third-Party Ads

Third-Party Apps

Third-Party

No longerjust “scripting”

JavaScript ismuch harder than Java

No longerjust “scripting”

… New Yorker article, “The Itch,” …

“?printable=true”

“I want every article in print

mode”

Browser Extensions

Third-Party DevelopersCustomize

Browser

Browser Extensions

PRINTNEW YORKER

Browser Extensions

for (var elt in doc.getEltsByTagName(“a”)) {

var url = elt.getAttr(“href”);

if (url.match(/^newyorker.com/)) {

elt.setAttr(“href”, url + “?printable=true”);

Browser Extensions

PRINTNEW YORKER

Document (DOM)

host-site.com

?printable=true

newyorker.com

Browser Extensions

PRINTNEW YORKER

Document (DOM)

host-site.com

?printable=true

newyorker.comevil.com EVIL

PasswordsBank Accts

History

Network Manager

OtherSensitive

JavaScriptEngine

Dynamic Checking…Expensive

Misses AttacksCan Blame Wrong Party

Goal: Static Verification

Enforcing JavaScript Security?

My Dissertation

Static Types for JavaScriptfor Dynamic Languages

1. Reliability / Security2. Development Tools3. Performance

My Dissertation

Static Types for JavaScriptfor Dynamic Languages

Working with JavaScriptCan Have Long-Term Impact

Many Challenges of Web are Independent of Language

New Techniques Apply to Traditional Languages

Static Types for JavaScriptDescribe sets of run-time values

“integers”

“booleans”

“objects with foo field”

“non-nullpointers”

“urls that are safe to visit”

Static Types for JavaScriptPrevent classes of run-time errors

“integers”

“booleans”

“objects with foo field”

“non-nullpointers”

“urls that are safe to visit”

“multiplyint and bool” “foo field

not found”“foo fieldnot found”

“null pointer exception”

“navigating to evil.com”“redirect to evil.com”

“expected args”“actual args”

Type1 Type2

“function call produces no error”✓

Type1 Type2

“function call may produce error”✗

Type1 Type2{x|p }

{x|q }

{x|p }

{x|q }

Types + LogicRefinement Types

Refinement Types

Nested Refinements [POPL ’12]Key to Encode Dynamic Features

{x|p } f :: {y|q }

Expressiveness

Usability

VerificationHoare Logics

Model CheckingAbstract Interpretation

Theorem Proving…

+ Logic Dependent JavaScript (DJS)[POPL ’12, OOPSLA ’12]

Why is JavaScript Important?Why is JavaScript Hard?

Static Types via LogicSecurity via Logic

Looking Ahead

OutlineWhy JavaScript? Types via Logic Security via Logic Looking AheadChallenges

Why is JavaScript Important?

Why is JavaScript Hard?Static Types via Logic

Security via LogicLooking Ahead

Why is JavaScript Hard?

Lightweight ReflectionDictionary ObjectsAdditional Challenges

function negate(x) {

if (typeof x == “number”) {

Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic

xQ: What is my “type”?

All JavaScript Values

{x|tag(x) = “number” }

{x|tag(x) = “boolean” }

true false

{x|tag(x) = “object” }

{ } { “f”:17 }

{ “f”:42, “g”:true }...

Q: What is my “type”? x17 42

3.14-1

xQ: What is my “type”?A: Described by “tag”

return 0 - x;

} else {

return !x;

“expected args”

values with tag“number” OR “boolean”

Lightweight Reflection

Dictionary ObjectsAdditional Challenges

obj.f means obj[“f”]

a.k.a.“maps”“hash tables”“associative arrays”

Objects are “Dictionaries”that mapstring keysto values

methodto invoke

methodtable

function dispatch(table, op, i, j) { }

var integerOps = { “+” : function (n, m) { … } , “-” : function (n, m) { … } };

function dispatch(table, op, i, j) { var fn = table[op]; return fn(i, j); }

dispatch (integerOps, “*”, 17, 42);

“foo fieldnot found”“*” key

not found

“expected args”

table object with an op key that stores a function on numbers

Dependencybetween types

of arguments

Lightweight ReflectionDictionary ObjectsAdditional Challenges

Lightweight ReflectionDictionary Objects Extensible ObjectsPrototype InheritanceArray Semantics

Unsupported in Prior Work

Lightweight ReflectionDictionary Objects Extensible ObjectsPrototype InheritanceArray Semantics

Looking Ahead

OutlineWhy JavaScript? Types via Logic Security via Logic Looking AheadChallengesChallenges Types via Logic

All JavaScript Values{x|tag(x) = “number” }

true false

{ } { “f”:17 }

{ “f”:42, “g”:true }...

3.14-1

All JavaScript Values{x|tag(x) = “number” }

3.14-1

true false

{ } { “f”:17 }

{ “f”:42, “g”:true }...

{ } { “f”:17 }

{ “f”:42, “g”:true }...{x|x = true }

true false

{x|integer(x) }

{x|x > 0 }

3.14-1

“set of values x s.t. formula p is true”

{x|p }Refinement Types

Type1 Type2

{x|p }

{x|q }

{x|p }

{x|q }

is Subtyping is Set Inclusion is Implication

Type1 Type2

{x|p }

{x|q }

{x|p }

{x|q }

Static Types via Logic

OutlineWhy JavaScript? Security via Logic Looking AheadChallenges Types via Logic

Lightweight ReflectionDictionary ObjectsKey Technical InnovationsEvaluation

Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges

return 0 - x;

} else {

return !x;

Type Annotation in Comments

//: negate :: (x:NumOrBool) NumOrBool

{v|tag(v) = “number” ∨ tag(v) = “boolean” }

NumOrBool

Syntactic Sugarfor Common Types

return 0 - x;

} else {

return !x;

“expected args”

{x|tag(x) = “number” }✓

return 0 - x;

} else {

return !x;

“expected args”

✓{x|not(tag(x) = “number”)

{x| ∧ (tag(x) = “number” ∨

{x| tag(x) = “boolean”) }

return 0 - x;

} else {

return !x;

Logic EnablesPath-SensitiveReasoning on

Branches

return 0 - x;

} else {

return !x;

Logic Enables Types to Depend on Values

//: negate :: (x:NumOrBool) { y|tag(y) = tag(x) }

OutlineWhy JavaScript? Security via Logic Looking AheadChallenges

Types via Logic

{ “f”:true }

{ “f”:17 }

{ “f”:42, “g”:null }

{x|tag(x) = “object” has(x,“f”) }

{ “f”:true }

{ “f”:17 }

{ “f”:42, “g”:null }

{x|tag(x) = “object” {x|has(x,“f”) {x|tag(sel(x,“f”)) = “number” }

{ “f”:true }

{ “f”:17 }

{ “f”:42, “g”:null }

{x|sel(x,“f”) = true {x|dom(x) = {“f”} }

{ “f”:true }

{ “f”:17 }

{ “f”:42, “g”:null }

//: dispatch ::

//: ({ table | tag(table) = “object” },

//: { op | tag(op) = “string”

//: { op | ∧ has(table,op)

//: { op | ∧ sel(table,op) :: (Num,Num) Num },

//: { i | tag(i) = “number” },

//: { j | tag(j) = “number” })

//: Num

//: dispatch ::

//: (table : { sel(table,op) :: (Num,Num) Num },

//: op : Str,

//: i : Num,

//: j : Num)

//: Num

var integerOps = { “+” : …, “-” : … };

dispatch (integerOps, “*”, 17, 42);

{op|op = “*” }

“actual args”{op|has(integerOps,op) }

Type Checking Prevents Run-Time Error

{op|op = “*” }

{op|has(integerOps,op) }✗

Types via Logic

PriorRefinement

✓✗

lightweight reflection

dictionary objects

extensible objects

prototype inheritance

array semantics

✗✗✗

Dependent JavaScript

(DJS)[POPL ’12, OOPSLA ’12]

✓✓✓✓✓

Key Challenge:Function Subtyping

as Logical Implication76

PriorRefinement

✗dictionary objects

42 + negate (17)

{f|f :: }(x:Num) Num “expected function”

{f|f :: } (x:NumOrBool) { y|tag(y) = tag(x) }

{f|f :: }

(x:NumOrBool) { y|tag(y) = tag(x) }

{f|f :: }(x:Num) Num

How to Prove

?How to Encode Type System Inside Logic?

Prior Refinement SystemsDisallow Function Types Inside Logic!

T ::= {x|p }

| T1 T2

Types Refinement Logic

Satisfiability Modulo Theories (SMT)

SAT + Decidable Theories

p q✓✗

SMT Solver(e.g. Z3)

[Prior State-of-the-Art]

T ::= {x|p }

| T1 T2

p ::= p ∧ q | p ∨ q | p

| x = y | x > y | …

| tag(x) = “number” | …

| sel(x,k) = 17 | …

• Boolean Connectives• Equality• Linear Arithmetic• Uninterpreted Functions• McCarthy Arrays

T ::= {x|p }

| T1 T2

p ::= p ∧ q | p ∨ q | p

| x = y | x > y | …

| sel(x,k) = 17 | …

{v|tag(v) = “number” ∨ tag(v) = “boolean” }NumOrBool

Enables Union Types and Lightweight Reflection

T ::= {x|p }

| T1 T2

p ::= p ∧ q | p ∨ q | p

| x = y | x > y | …

| sel(x,k) = 17 | …

Enables Dictionary Types with Dynamic Keys …{d|tag(sel(d,k)) = “boolean” ∧

{d|tag(sel(d,“f”)) = “function” ∧

{d|sel(d,“f”) ??? }

But DisallowsFunctions inDictionaries!

p ::= p ∧ q | p ∨ q | p

| x = y | x > y | …

| sel(x,k) = 17 | …

| sel(x,k) :: T1 T2 | …

Goal: Refer to Type System Inside LogicGoal: Without Giving up Decidability

T ::= {x|p }

| T1 T2

Solution: Nested Refinements!

T ::= {x|p } p ::= p ∧ q | p ∨ q | p

| x = y | x > y | …

| sel(x,k) = 17 | …

| sel(x,k) :: T1 T2 | …

Nested Refinements [POPL ’12]1. Decidable Encoding2. Precise Subtyping3. Type Soundness Proof

Decidable Encoding

Uninterpreted Predicate in Logic

Distinct UninterpretedConstants in Logic…

{f|f :: }

(x:NumOrBool) { y|tag(y) = tag(x) }

Decidable Encoding

Uninterpreted Predicate in Logic

w/ Types Nested Inside

Distinct UninterpretedConstants in Logic…

Decidable Encoding

✗SMTSolver

Trivially Decidable, but Imprecise

p f :: (x:S1) S2

{f|f :: }(x:T1) T2

{f|p }

Precise Subtyping

Step 1:

Step 2:

Find such that(x:S1) S2

SMTSolver✓

T1 S1 ✓✓S2 T2x:T1

Compare and(x:S1) S2 (x:T1) T2

“contra-variance”

“co-variance”

{f|f :: }(x:Num) Num{f|f = negate }

Precise Subtyping

Step 1:

Step 2:

f = negate

f :: (x:NumOrBool) { y|tag(y) = tag(x) }SMTSolver✓

{f|f :: }(x:Num) Num{f|f = negate }

Precise Subtyping

Step 1:

Step 2:

f = negate

f :: (x:NumOrBool) { y|tag(y) = tag(x) }

NumOrBool ✓✓{y|tag(y) = tag(x) } Nu

mx:Num

✓SMT

Solver✓

Precise Subtyping

Step 1:

Step 2:

Decidable Reasoningvia SMT

Precise Function Subtypingvia Syntactic Techniques

{f|f :: }{f|f = negate } ✓(x:Num) Num

Type Soundness Proof

Logic 0

Conventional ProofsRequire Logic to be an Oracle …

… but Nesting Introduces CircularityThat Prevents Typical Inductive Proofs

Type System 0

Type System ∞

Type Soundness Proof

Logic 0

Logic 1

Logic 2

Type System 1

Type System 2

Type System 0

… …

Proof Technique:Stratify into Infinite Hierarchy

T ::= {x|p } p ::= p ∧ q | p ∨ q | p

| x = y | x > y | …

| sel(x,k) = 17 | …

| sel(x,k) :: T1 T2 | …

Nested Refinements [POPL ’12]

Key to Encode Dictionary Objects(Even in Statically Typed Languages!)

dictionary objects

extensible objects

array semantics

✓✓✓✓✓

PriorRefinement

✓✗✗✗✗

JavaScript

JavaScript, Python, Ruby

dictionary objects

extensible objects

array semantics

✓✓✓✓✓

Types via Logic

408(+33%)

LOCbefore/after

13 Excerpts from: JavaScript, Good Parts SunSpider Benchmark Suite Google Closure Library

Benchmarks

Chosen to Stretch the Limits of DJS

408(+33%)

LOCbefore/after

Benchmarks

9 Browser Extensions from: [Guha et al. Oakland ’11]

383(+19%)

1,003a

1,027(+2%)

2 Examples from: Google Gadgets

1,818(+12%)

TOTALS

1,818(+12%)

TOTALS

Already Improved by SimpleType Inference and Syntactic Sugar

Plenty of Room for Improvement• Iterative Predicate Abstraction• Bootstrap from Run-Time Traces [STOP ’11]

1,818(+12%)

TOTALS

Already Improved using SimpleType Inference and Syntactic Sugar

Plenty of Room for Improvement• Apply State-of-the-Art Techniques• Bootstrap from Run-Time Traces [STOP ’11]

Will Enable Larger Examples

LOCbefore/after

408(+33%)

Benchmarks

9 Browser Extensions from: [Guha et al. Oakland ’11]

383(+19%)

2 Examples from: Google Gadgets

1,003a

1,027(+2%)

1,818(+12%)

10 sec

Running Time

19 sec

32 sec

TOTALS

1,818(+12%)

32 sec

Already Improved by SimpleOptimizations• Avoid SMT Solver When Possible• Reduce Precision for Common Patterns

Plenty of Room for Improvement

TOTALS

32 sec

Types via Logic

Looking Ahead

OutlineWhy JavaScript? Security via Logic Looking AheadChallenges Types via Logic Security via Logic

OutlineWhy JavaScript? Security via LogicTypes via Logic Looking AheadChallenges

Security via Logic Browser Extensions

Types for Fine-Grained Policies

Browser Extensions

PRINTNEW YORKER

host-site.com

Document (DOM)

PasswordsBank Accts

History

Network Manager

OtherSensitive

JavaScriptEngine

Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges

Policy Expressiveness

Access All Resources

Access Some Resources

cannot access DOM cannot access History

coarse-grainedand uninformative!

cannot access DOM cannot access History

coarse-grainedand uninformative!

similar situation forother app platforms

Fine-Grained PoliciesGOAL

can write “a” elementsbut only “href” attribute

when original “href” valuestarts with “newyorker.com”and is prefix of new value

Fine-Grained PoliciesGOAL

Security via Logic Browser Extensions

Types for Fine-Grained Policies

Types for Security+ JavaScript Verification

= Fine-Grained Web Security

[ESOP ’10, Guha et al. ’11]

[POPL ’12, OOPSLA ’12]

[current]

Static Verification (DJS)

Security Expert

reviews only policy

reads informative policy

Developerwrites policy in logic!

Network Manager

request, …

JS Engine

eval, …

getAttr, setAttr, …

request ::

url:Str

Network Manager

request, …

JS Engine

eval, …

request ::

{url:Str|WhiteListed(url)}

Network Manager

request, …

JS Engine

eval, …

eval ::

Network Manager

request, …

JS Engine

eval, …

eval ::

{s:Str|not(Tainted(s))}

Network Manager

request, …

JS Engine

eval, …

getAttr ::

elt:Element

attr:Str

Network Manager

request, …

JS Engine

eval, …

getAttr ::

elt:Element

{attr:Str|CanRead(elt,attr)}

Network Manager

request, …

JS Engine

eval, …

setAttr ::

elt:Element

attr:Str

Network Manager

request, …

JS Engine

eval, …

setAttr ::

elt:Element

attr:Str

{y:Str|CanWrite(elt,attr,y)}

Network Manager

request, …

JS Engine

eval, …

Refined APIs Mediate Access

Typecheck Extension with Policy

forall url.

not (url = “evil.com”)

WhiteListed (url)

var s = request(“evil.com”);

✗finite blacklist

//: url:Str

var s = request(url);

✗might beblacklisted!

forall url.

WhiteListed (url)

forall url.

WhiteListed (url)

if (url != “evil.com”) {

eval(s);

s:Str might be tainted!

forall url.

WhiteListed (url)

s = sanitize(s);

eval(s);

} ✓STATICALLY VERIFIED!

{s:Str|not(Tainted(s))}

forall url.

WhiteListed (url)

WhiteListed (“ny.com”)

WhiteListed (“golf.com”)

forall url.

WhiteListed (url)

not (Tainted (request (url)))

trust thatwhitelisted servers

return untainted strings

var s = request(“ny.com”);

eval(s);✓ no need to sanitize

WhiteListed (“ny.com”)

WhiteListed (“golf.com”)

forall url.

WhiteListed (url)

not (Tainted (request (url)))

STATICALLY VERIFIED!

forall e, oldUrl, newUrl.

ValueOf (e, “href”, oldUrl) ∧

StrPrefix (“newyorker.com”, oldUrl) ∧

StrPrefix (oldUrl, newUrl)

CanWrite (e, “href”, newUrl)

ValueOf (elt, “href”, url) ∧

StrPrefix (“newyorker.com”, url) ∧

StrPrefix (url, url + “?printable=true”)

CanWrite (e, “href”, url+“?printable=true”)

✓✓

✓✓✓

✓STATICALLY VERIFIED!

elt.setAttr(“href”, “evil.com”);

StrPrefix (url, “evil.com”)

CanWrite (e, “href”, “evil.com”)

StrPrefix (url, “evil.com”)

CanWrite (e, “href”, “evil.com”)

✓✓✗

Types for Security+ JavaScript Verification

= Fine-Grained Web Security

[ESOP ’10, Guha et al. ’11]

[POPL ’12, OOPSLA ’12]

[current]

Secure Extensions Written in OCaml

Preliminary Benchmarks

Guha et al. ’11]

Secure Extensions Written in OCamlPreliminary Benchmarks

Ported to DJS ~400 LOC so far

Well-typed programsdon’t have run-time errorsand conform to security policies

Security via Logic

Browser ExtensionsTypes for Fine-Grained Policies

Looking Ahead

OutlineWhy JavaScript? Types via Logic Security via Logic Looking AheadChallenges Security via Logic Looking Ahead

Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead

Untrusted

ScriptingLanguages

Web Platform

Expressiveness

Usability

Verification

Dependent JavaScript (DJS)

TypeScriptLightweight (unsound) static checking tools becoming popular

Translate for additional checking

and IDE support

Untrusted

ScriptingLanguages

Web Platform

ToolSupport

Web Development ToolsWay Behind Tools for Java, etc.

• Static Types in DJS Enable Refactoring,• Documentation Tools, Code Completion

• Web-Based Interfaces to Collect Statistics• about Programming Patterns, Errors

Untrusted

ScriptingLanguages

ToolSupport

PolicySpecification

Web Platform

Security Expert

Developer must write policy

must read policy

Developer must write policy

• Infer from traces• Incentives from platform

must read policyUser

• Traces to demonstrate behavior• Community review-and-recommend services

must read policySecurity Expert

• Modeling tools to analyze policies

Untrusted

ScriptingLanguages

ToolSupport

PolicySpecification

DynamicEnforcement

Web Platform

Security Expert

Developer

eval(“…”);

…Dynamic

Code Loading

Impossible to statically analyzecode you don’t have!

Security Expert

Developer

DynamicEnforcement

eval(“…”);

//: #assume

New Types

Old Types

New Types

eval(“…”);

//: #assume New Types

• Dynamic Checking• Staged Analysis [PLDI ’09]

DynamicEnforcement

Untrusted

ScriptingLanguages

ToolSupport

PolicySpecification

DynamicEnforcement

Trust Base

Web Platform

Security Expert

reviews only policy

Developer

DynamicEnforcement

Security Expertreviews only policy

trust SMTSolver

Eliminate from TCB à laProof-Carrying Code [PLDI ’10]

Eliminate from TCB via Formal Verification

Security Expert

SMTSolver

Untrusted

ScriptingLanguages

ToolSupport

PolicySpecification

DynamicEnforcement

Trust Base

Web PlatformStatic Types and Logic!

Static Types and Logic!

Static Types for:Reliability / SecurityDevelopment ToolsPerformance• Additional Just-in-Time Optimizations• Compile to Custom Architectures

Static Types and Logic!

Untrusted

ScriptingLanguages

Concurrent Programs

Program Analysis via Set Constraints

[PLDI ’09]Run-Time Instrumentation[STOP ’11]

Dataflow Analysis and Race Detection

[PLDI ’08]

[ESOP ’10, PLDI ’10][POPL ’12, OOPSLA ’12]

Thanks!

Scripting Languages are Pervasive

DJS: Precise Static Types via Logic

Towards Fine-Grained Web Security

ravichugh.com

static verification for web scripting languages

Documents

scripting languages

introduction to scripting...

introduction to scripting languages - ceci · introduction...

tex and scripting languages

im 215 intro to scripting languages

scripting languages. client side scripting languages server...

introduction to scripting languages and perl basics

using scripting languages for hardware/software co...

csce 431: scripting languages and rapid prototyping

java scriptingjava scripting: one vm, many languages

comp284 scripting languages - handouts

overview and evolution of scripting languages

declarative programming - scripting languages · 2011. 4....

13~chapter 13. scripting languages

mpi over scripting languages: usability and performance

embedding pig in scripting languages

architectural support for scripting languages

scripting languages perl 2012-11-17

unit-1 introduction to scripting languages · unit-1...

programming language concepts scripting languagesscripting...