On Contracts, Sandboxes, and Proxies for JavaScript

Download On Contracts, Sandboxes, and Proxies for JavaScript

Post on 22-Jan-2018

1.684 views

Category:

Technology

0 download

TRANSCRIPT

  1. 1. On Contracts, Sandboxes, and Proxies for JavaScript Matthias Keil, Peter Thiemann University of Freiburg, Germany October 5, 2015, 18. Kolloquium Programmiersprachen und Grundlagen der Programmierung, KPS 2015 Portschach am Worthersee, Osterreich
  2. 2. TreatJS Language embedded contract system for JavaScript Enforced by run-time monitoring Standard abstractions for higher-order-contracts (base, function, and dependent contracts) [Findler,Felleisen02] Systematic blame calculation Contract constructors generalize dependent contracts Internal noninterference Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 2 / 14
  3. 3. Base Contract [Findler,Felleisen02] Base Contracts are built from predicates Specied by a plain JavaScript function Base Contract function isNumber (arg) { return (typeof arg) === number; }; var Number = Contract.Base(isNumber); assert(1, Number );assert(a, Number );blame the subject Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 3 / 14
  4. 4. Function Contract [Findler,Felleisen02] // Number Number Number function plus (x, y) { return (x + y); } Function Contract var Plus = Contract.Function([ Number , Number ], Number ); var plusNumber = assert(plus, Plus ); plusNumber(1, 1);plusNumber(a, a);blame the context Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 4 / 14
  5. 5. JavaScript Proxies Handler Proxy Target Shadow Meta-Level Base-Level Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14
  6. 6. JavaScript Proxies Handler Proxy Target Shadow proxy.x; Meta-Level Base-Level Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14
  7. 7. JavaScript Proxies Handler Proxy Target Shadow proxy.x; handler.get(target, x, proxy); Meta-Level Base-Level Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14
  8. 8. JavaScript Proxies Handler Proxy Target Shadow proxy.x; handler.get(target, x, proxy); target[x]; Meta-Level Base-Level Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14
  9. 9. JavaScript Proxies Handler Proxy Target Shadow proxy.x; proxy.y=1; ... handler.get(target, x, proxy); handler.set(target, y, 1, proxy); ... target[x]; target[y]=1; ... Meta-Level Base-Level Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14
  10. 10. Noninterference Noninterference The contract system should not interfere with the execution of application code. External Noninterference arises from the interaction of the contract system with the host program 1 Exceptions 2 Object equality Internal Noninterference arises from executing unrestricted code in predicates Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 6 / 14
  11. 11. Internal Noninterference No syntactic restrictions on predicates Predicates may try to write to data that is visible to the application Solution: Predicate evaluation takes place in a sandbox Faulty Predicate function isNumber (arg) { type = (typeof arg); return type === number; }; Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 7 / 14
  12. 12. Internal Noninterference No syntactic restrictions on predicates Predicates may try to write to data that is visible to the application Solution: Predicate evaluation takes place in a sandbox Faulty Predicate function isNumber (arg) { type = (typeof arg);access forbidden return type === number; }; Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 7 / 14
  13. 13. TreatJS Sandbox All contracts guarantee noninterference Read-only access is safe Predicate with Read-Access function isArray (arg) { return (arg instanceof Array);} Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 8 / 14
  14. 14. TreatJS Sandbox Predicate execution may violate contracts Solution: Sandbox redenes the responsibility Predicate with Read-Access function addOne (arg) { return plusNumber(arg, 1);blame the ? } Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 9 / 14
  15. 15. TreatJS Sandbox Predicate execution may violate contracts Solution: Sandbox redenes the responsibility Predicate with Read-Access function addOne (arg) { return plusNumber(arg, 1);blame the contract } Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 9 / 14
  16. 16. Sandbox Encapsulation Faulty Predicate function isNumber (arg) { type = (typeof arg); return type === number; }; 1 Place a write protection on objects (e.g. this, arg) 2 Remove external bindings of functions (e.g. type) Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 10 / 14
  17. 17. Identity Preserving Membrane ProxyA ?ProxyB ProxyC TargetA TargetB TargetC Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14
  18. 18. Identity Preserving Membrane ProxyA ?ProxyB ProxyC TargetA TargetB TargetC x Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14
  19. 19. Identity Preserving Membrane ProxyA ?ProxyB ProxyC TargetA TargetB TargetC x x Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14
  20. 20. Identity Preserving Membrane ProxyA ?ProxyB ProxyC TargetA TargetB TargetC x x Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14
  21. 21. Identity Preserving Membrane ProxyA ?ProxyB ProxyC TargetA TargetB TargetC x y x y Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14
  22. 22. Identity Preserving Membrane ProxyA ?ProxyB ProxyC TargetA TargetB TargetC x z y x z y Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14
  23. 23. Shadow Objects Handler Proxy Target Shadow proxy.x; proxy.y=1; handler.get(target, x, proxy); handler.set(target, y, 1, proxy); target[x]; target[y]=1; Meta-Level Base-Level Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14
  24. 24. Shadow Objects Handler Proxy Target Shadow Meta-Level Base-Level Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14
  25. 25. Shadow Objects Handler Proxy Target Shadow proxy.x; handler.get(target, x, proxy); target[x]; Meta-Level Base-Level Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14
  26. 26. Shadow Objects Handler Proxy Target Shadow proxy.x; proxy.y=1; handler.get(target, x, proxy); handler.set(target, y, 1, proxy); target[x]; shadow[y]=1; Meta-Level Base-Level Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14
  27. 27. Shadow Objects Handler Proxy Target Shadow proxy.x; proxy.y=1; proxy.y; handler.get(target, x, proxy); handler.set(target, y, 1, proxy); handler.get(target, y, proxy); target[x]; shadow[y]=1; shadow[y]; Meta-Level Base-Level Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14
  28. 28. Function Recompilation var x = 1; function f (){ function g (y) { var z = 1; return x+y+z; } } Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 13 / 14
  29. 29. Function Recompilation var x = 1; function f (){ function g (y) { var z = 1; return x+y+z; } } Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 13 / 14
  30. 30. Function Recompilation var x = 1; with(sbxglobal){ eval( function g (y) { var z = 1; return x+y+z; }); } Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 13 / 14
  31. 31. Function Recompilation var x = 1; with(sbxglobal){ function g (y) { var z = 1; return x+y+z; } } Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 13 / 14
  32. 32. Conclusion TreatJS: Language embedded, dynamic, higher-order contract system for full JavaScript Guarantees noninterference Sandbox: Language embedded sandbox for full JavaScript Runs JavaScript code in isolation isolation Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 14 / 14