static verification for web scripting languages

Static Verification forWeb Scripting

Languages

Ravi Chugh

2

Web Platform

3

Web Platform

ScriptingLanguages

Untrusted

Code

4

Web Platform

My Goal: Rigorous FoundationsStatic Types and Logic!

Untrusted

Code

ScriptingLanguages

5

1995

<html>

</html>

Username

Login

Password

Web Page = Static HTMLWeb Page + LinksWeb Page + Client-Side Code

<script type=“javascript”>

loginButton.onclick = function () {

if (passwordBox.value == “”) {

alert(“Enter password!”);

} else {

...

} }

</script>

6

1995

… an easy-to-use “scripting language”as a companion to Java

No Static Types

“Dynamic” Features Make itEasy to Experiment…

Brendan Eich,JavaScript creator

http://brendaneich.com/2008/04/popularity/

http://brendaneich.com/2008/04/popularity/

2013Asked whether Gmail would ever open up an API for developers to code add-ons and plug-ins with more official support and stability, Kowitz suggested it was unlikely. Gmail is based on “hundreds of thousands” of lines of JavaScript, Kowitz said, and it's a code base that “changes so quickly.” That said, Jackson said the Gmail team "loves" to see third-party functionality being developed, and the team tries to make developers aware of changes they know will affect those products. Article on LifeHacker

http://lifehacker.com/5493475/what-the-gmail-team-is-working-on

2013Asked whether Gmail would ever open up an API for developers to code add-ons and plug-ins with more official support and stability, Kowitz suggested it was unlikely. Gmail is based on “hundreds of thousands” of lines of JavaScript, Kowitz said, and it's a code base that “changes so quickly.” That said, Jackson said the Gmail team "loves" to see third-party functionality being developed, and the team tries to make developers aware of changes they know will affect those products. Article on LifeHacker

“Scripting”?!?

http://lifehacker.com/5493475/what-the-gmail-team-is-working-on

10

http://stackoverflow.com/tags02-03-13

Count Tag411,345 C#361,080 Java337,896 PHP321,757 JavaScript175,765 C++160,768 Python

83,486 C64,345 Ruby

9,827 Haskell1,347 OCaml

JavaScript isEverywhere

2013

http://stackoverflow.com/tags

11

http://stackoverflow.com/tags02-03-13

Count Tag411,345 C#361,080 Java337,896 PHP321,757 JavaScript175,765 C++160,768 Python

83,486 C64,345 Ruby

9,827 Haskell1,347 OCaml

Popular Server-Side Scripting Languages

2013


http://stackoverflow.com/tags

12

News

ShoppingBanking 2013


13

News

ShoppingBanking

Third-Party Ads

2013


14

News

ShoppingBanking

Third-Party Ads

Third-Party Apps

2013


15

2013


Third-Party

16

No longerjust “scripting”

2013


17

JavaScript ismuch harder than Java

2013


No longerjust “scripting”

18

… New Yorker article, “The Itch,” …

20

PRINT

“?printable=true”

21

“I want every article in print

mode”

Browser Extensions

Third-Party DevelopersCustomize

Browser

22

Browser Extensions

PRINTNEW YORKER

23

Browser Extensions

for (var elt in doc.getEltsByTagName(“a”)) {

var url = elt.getAttr(“href”);

if (url.match(/^newyorker.com/)) {

elt.setAttr(“href”, url + “?printable=true”);

} }

24

Browser Extensions

PRINTNEW YORKER

Document (DOM)

host-site.com

25

?printable=true

newyorker.com

Browser Extensions

PRINTNEW YORKER

Document (DOM)

host-site.com

26

?printable=true

newyorker.comevil.com EVIL

PasswordsBank Accts

History

Network Manager

OtherSensitive

APIs

JavaScriptEngine

BUGGY

27

Dynamic Checking…Expensive

Misses AttacksCan Blame Wrong Party

Goal: Static Verification

Enforcing JavaScript Security?

28

My Dissertation

Static Types for JavaScriptfor Dynamic Languages

1. Reliability / Security2. Development Tools3. Performance

29

My Dissertation

Static Types for JavaScriptfor Dynamic Languages

Working with JavaScriptCan Have Long-Term Impact

Many Challenges of Web are Independent of Language

New Techniques Apply to Traditional Languages

30

Static Types for JavaScriptDescribe sets of run-time values

“integers”

“booleans”

“objects with foo field”

“non-nullpointers”

“urls that are safe to visit”

31

Static Types for JavaScriptPrevent classes of run-time errors

“integers”

“booleans”

“objects with foo field”

“non-nullpointers”

“urls that are safe to visit”

“multiplyint and bool” “foo field

not found”“foo fieldnot found”

“null pointer exception”

“null pointer exception”

“navigating to evil.com”“redirect to evil.com”

32

f(x)

“expected args”“actual args”

Type1 Type2

“function call produces no error”✓

33

f(x)


Type1 Type2

“function call may produce error”✗

34

Type1 Type2{x|p }

{x|q }

{x|p }

{x|q }

Types + LogicRefinement Types


35

Types

Refinement Types

Nested Refinements [POPL ’12]Key to Encode Dynamic Features

Logic

{x|p } f :: {y|q }

Expressiveness

Usability

Types

VerificationHoare Logics

Model CheckingAbstract Interpretation

Theorem Proving…

+ Logic Dependent JavaScript (DJS)[POPL ’12, OOPSLA ’12]

Why is JavaScript Important?Why is JavaScript Hard?

Static Types via LogicSecurity via Logic

Looking Ahead

37

OutlineWhy JavaScript? Types via Logic Security via Logic Looking AheadChallenges

Why is JavaScript Important?

Why is JavaScript Hard?Static Types via Logic

Security via LogicLooking Ahead

38


Why is JavaScript Hard?

39


Lightweight ReflectionDictionary ObjectsAdditional Challenges

40

function negate(x) {

if (typeof x == “number”) {

}

Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic

xQ: What is my “type”?

41

All JavaScript Values


{x|tag(x) = “number” }

{x|tag(x) = “boolean” }

true false

{x|tag(x) = “object” }

{ } { “f”:17 }

{ “f”:42, “g”:true }...

Q: What is my “type”? x17 42

3.14-1

...

42



}


xQ: What is my “type”?A: Described by “tag”

43




return 0 - x;

} else {

return !x;

}

}

“expected args”

values with tag“number” OR “boolean”


44


Lightweight Reflection

Dictionary ObjectsAdditional Challenges

45


obj.f means obj[“f”]

a.k.a.“maps”“hash tables”“associative arrays”

Objects are “Dictionaries”that mapstring keysto values

46

methodto invoke

methodtable


function dispatch(table, op, i, j) { }

47


var integerOps = { “+” : function (n, m) { … } , “-” : function (n, m) { … } };

function dispatch(table, op, i, j) { var fn = table[op]; return fn(i, j); }

dispatch (integerOps, “*”, 17, 42);

“foo fieldnot found”“*” key

not found

48



“expected args”

table object with an op key that stores a function on numbers

Dependencybetween types

of arguments


49


Lightweight ReflectionDictionary ObjectsAdditional Challenges


50


Lightweight ReflectionDictionary Objects Extensible ObjectsPrototype InheritanceArray Semantics

Unsupported in Prior Work


51


Lightweight ReflectionDictionary Objects Extensible ObjectsPrototype InheritanceArray Semantics



Looking Ahead

52

OutlineWhy JavaScript? Types via Logic Security via Logic Looking AheadChallengesChallenges Types via Logic

53

All JavaScript Values{x|tag(x) = “number” }

true false

{ } { “f”:17 }

{ “f”:42, “g”:true }...

17 42

3.14-1

...


54

All JavaScript Values{x|tag(x) = “number” }

17 42

3.14-1

...




true false

{ } { “f”:17 }

{ “f”:42, “g”:true }...

55



{ } { “f”:17 }

{ “f”:42, “g”:true }...{x|x = true }

true false

{x|integer(x) }

{x|x > 0 }

17 42

3.14-1

...

56



“set of values x s.t. formula p is true”

{x|p }Refinement Types

57

f(x)


Type1 Type2


58

f(x)



{x|p }

{x|q }

{x|p }

{x|q }

59

is Subtyping is Set Inclusion is Implication

Type1 Type2


{x|p }

{x|q }

{x|p }

{x|q }

Static Types via Logic

60

OutlineWhy JavaScript? Security via Logic Looking AheadChallenges Types via Logic

Lightweight ReflectionDictionary ObjectsKey Technical InnovationsEvaluation

61

Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges



return 0 - x;

} else {

return !x;

} }

Type Annotation in Comments

//: negate :: (x:NumOrBool) NumOrBool

{v|tag(v) = “number” ∨ tag(v) = “boolean” }

NumOrBool

Syntactic Sugarfor Common Types

62




return 0 - x;

} else {

return !x;

} }



“expected args”



{x|tag(x) = “number” }✓

63




return 0 - x;

} else {

return !x;

} }


“expected args”


✓{x|not(tag(x) = “number”)

{x| ∧ (tag(x) = “number” ∨

{x| tag(x) = “boolean”) }

64




return 0 - x;

} else {

return !x;

} }


Logic EnablesPath-SensitiveReasoning on

Branches

✓

65




return 0 - x;

} else {

return !x;

} }

Logic Enables Types to Depend on Values

//: negate :: (x:NumOrBool) { y|tag(y) = tag(x) }

✓


66

OutlineWhy JavaScript? Security via Logic Looking AheadChallenges


Types via Logic

67




...

{ }

{ “f”:true }

{ “f”:17 }

{ “f”:42, “g”:null }

68



{x|tag(x) = “object” has(x,“f”) }

...

{ }

{ “f”:true }

{ “f”:17 }

{ “f”:42, “g”:null }

69



{x|tag(x) = “object” {x|has(x,“f”) {x|tag(sel(x,“f”)) = “number” }

...

{ }

{ “f”:true }

{ “f”:17 }

{ “f”:42, “g”:null }

70



{x|sel(x,“f”) = true {x|dom(x) = {“f”} }

...

{ }

{ “f”:true }

{ “f”:17 }

{ “f”:42, “g”:null }

71


//: dispatch ::

//: ({ table | tag(table) = “object” },

//: { op | tag(op) = “string”

//: { op | ∧ has(table,op)

//: { op | ∧ sel(table,op) :: (Num,Num) Num },

//: { i | tag(i) = “number” },

//: { j | tag(j) = “number” })

//: Num


72


//: dispatch ::

//: (table : { sel(table,op) :: (Num,Num) Num },

//: op : Str,

//: i : Num,

//: j : Num)

//:

//:

//: Num


73


var integerOps = { “+” : …, “-” : … };

dispatch (integerOps, “*”, 17, 42);

{op|op = “*” }

“actual args”{op|has(integerOps,op) }

Type Checking Prevents Run-Time Error

{op|op = “*” }

{op|has(integerOps,op) }✗


74



Types via Logic

75

PriorRefinement

Types

✓✗

lightweight reflection

dictionary objects


extensible objects

prototype inheritance

array semantics

✗✗✗

Dependent JavaScript

(DJS)[POPL ’12, OOPSLA ’12]

✓✓✓✓✓

Key Challenge:Function Subtyping

as Logical Implication76

PriorRefinement

Types

✗dictionary objects



✓


77


42 + negate (17)

{f|f :: }(x:Num) Num “expected function”

{f|f :: } (x:NumOrBool) { y|tag(y) = tag(x) }

{f|f :: }

78


(x:NumOrBool) { y|tag(y) = tag(x) }

{f|f :: }(x:Num) Num

How to Prove

?How to Encode Type System Inside Logic?

Prior Refinement SystemsDisallow Function Types Inside Logic!

79


T ::= {x|p }

| T1 T2

Types Refinement Logic

Satisfiability Modulo Theories (SMT)

SAT + Decidable Theories

p q✓✗

SMT Solver(e.g. Z3)

[Prior State-of-the-Art]

80


T ::= {x|p }

| T1 T2

p ::= p ∧ q | p ∨ q | p

| x = y | x > y | …

| tag(x) = “number” | …

| sel(x,k) = 17 | …


• Boolean Connectives• Equality• Linear Arithmetic• Uninterpreted Functions• McCarthy Arrays

81


T ::= {x|p }

| T1 T2

p ::= p ∧ q | p ∨ q | p

| x = y | x > y | …


| sel(x,k) = 17 | …


{v|tag(v) = “number” ∨ tag(v) = “boolean” }NumOrBool

Enables Union Types and Lightweight Reflection

82


T ::= {x|p }

| T1 T2

p ::= p ∧ q | p ∨ q | p

| x = y | x > y | …


| sel(x,k) = 17 | …


Enables Dictionary Types with Dynamic Keys …{d|tag(sel(d,k)) = “boolean” ∧

{d|tag(sel(d,“f”)) = “function” ∧

{d|sel(d,“f”) ??? }

But DisallowsFunctions inDictionaries!

83


p ::= p ∧ q | p ∨ q | p

| x = y | x > y | …


| sel(x,k) = 17 | …

| sel(x,k) :: T1 T2 | …


Goal: Refer to Type System Inside LogicGoal: Without Giving up Decidability

T ::= {x|p }

| T1 T2

Solution: Nested Refinements!

84


T ::= {x|p } p ::= p ∧ q | p ∨ q | p

| x = y | x > y | …


| sel(x,k) = 17 | …

| sel(x,k) :: T1 T2 | …

Nested Refinements [POPL ’12]1. Decidable Encoding2. Precise Subtyping3. Type Soundness Proof


85




Decidable Encoding

Uninterpreted Predicate in Logic

Distinct UninterpretedConstants in Logic…

{f|f :: }

86


(x:NumOrBool) { y|tag(y) = tag(x) }


Decidable Encoding

Uninterpreted Predicate in Logic

w/ Types Nested Inside

Distinct UninterpretedConstants in Logic…

87


Decidable Encoding



✗SMTSolver

Trivially Decidable, but Imprecise

88

p f :: (x:S1) S2


{f|f :: }(x:T1) T2

{f|p }

Precise Subtyping

Step 1:

Step 2:

Find such that(x:S1) S2

SMTSolver✓

T1 S1 ✓✓S2 T2x:T1

Compare and(x:S1) S2 (x:T1) T2

✓

“contra-variance”

“co-variance”

89


{f|f :: }(x:Num) Num{f|f = negate }

Precise Subtyping

Step 1:

Step 2:

f = negate

f :: (x:NumOrBool) { y|tag(y) = tag(x) }SMTSolver✓

90


{f|f :: }(x:Num) Num{f|f = negate }

Precise Subtyping

Step 1:

Step 2:

f = negate

f :: (x:NumOrBool) { y|tag(y) = tag(x) }

Num

NumOrBool ✓✓{y|tag(y) = tag(x) } Nu

mx:Num

✓SMT

Solver✓

91


Precise Subtyping

Step 1:

Step 2:

Decidable Reasoningvia SMT

Precise Function Subtypingvia Syntactic Techniques

+

{f|f :: }{f|f = negate } ✓(x:Num) Num

92


Type Soundness Proof

Logic 0

Conventional ProofsRequire Logic to be an Oracle …

… but Nesting Introduces CircularityThat Prevents Typical Inductive Proofs

Type System 0

93

Type System ∞


Type Soundness Proof

Logic 0

Logic 1

Logic 2

Type System 1

Type System 2

Type System 0

… …

Proof Technique:Stratify into Infinite Hierarchy

94


T ::= {x|p } p ::= p ∧ q | p ∨ q | p

| x = y | x > y | …


| sel(x,k) = 17 | …

| sel(x,k) :: T1 T2 | …

Nested Refinements [POPL ’12]


Key to Encode Dictionary Objects(Even in Statically Typed Languages!)

95


dictionary objects

extensible objects


array semantics




✓✓✓✓✓

PriorRefinement

Types

✓✗✗✗✗

JavaScript

JavaScript, Python, Ruby

96


dictionary objects

extensible objects


array semantics




✓✓✓✓✓


97



Types via Logic

98

306a

408(+33%)

LOCbefore/after

13 Excerpts from: JavaScript, Good Parts SunSpider Benchmark Suite Google Closure Library

Benchmarks


Chosen to Stretch the Limits of DJS

99

306a

408(+33%)

LOCbefore/after


Benchmarks


9 Browser Extensions from: [Guha et al. Oakland ’11]

321a

383(+19%)

1,003a

1,027(+2%)

2 Examples from: Google Gadgets

1,630

1,818(+12%)

TOTALS

100


1,630

1,818(+12%)

TOTALS

Already Improved by SimpleType Inference and Syntactic Sugar

Plenty of Room for Improvement• Iterative Predicate Abstraction• Bootstrap from Run-Time Traces [STOP ’11]

1,818(+12%)

101


1,630

1,818(+12%)

TOTALS

Already Improved using SimpleType Inference and Syntactic Sugar

Plenty of Room for Improvement• Apply State-of-the-Art Techniques• Bootstrap from Run-Time Traces [STOP ’11]

1,630

Will Enable Larger Examples

102

LOCbefore/after


306a

408(+33%)

Benchmarks

9 Browser Extensions from: [Guha et al. Oakland ’11]

321a

383(+19%)

2 Examples from: Google Gadgets

1,003a

1,027(+2%)

1,630

1,818(+12%)

10 sec

Running Time

3 sec

19 sec

32 sec


TOTALS

103

1,818(+12%)

32 sec


Already Improved by SimpleOptimizations• Avoid SMT Solver When Possible• Reduce Precision for Common Patterns

Plenty of Room for Improvement

1,630

TOTALS

32 sec


104



Types via Logic

Types via Logic



Looking Ahead

105

OutlineWhy JavaScript? Security via Logic Looking AheadChallenges Types via Logic Security via Logic

106

OutlineWhy JavaScript? Security via LogicTypes via Logic Looking AheadChallenges

Security via Logic Browser Extensions

Types for Fine-Grained Policies

Browser Extensions

PRINTNEW YORKER

107

host-site.com

Document (DOM)

PasswordsBank Accts

History

Network Manager

OtherSensitive

APIs

JavaScriptEngine

BUGGY

EVIL

108

Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges

Policy Expressiveness

Access All Resources

109


Access Some Resources

cannot access DOM cannot access History


110



coarse-grainedand uninformative!

cannot access DOM cannot access History

111



coarse-grainedand uninformative!

similar situation forother app platforms

112



Fine-Grained PoliciesGOAL

113


can write “a” elementsbut only “href” attribute

when original “href” valuestarts with “newyorker.com”and is prefix of new value

Fine-Grained PoliciesGOAL

114


Security via Logic Browser Extensions

Types for Fine-Grained Policies

115


Types for Security+ JavaScript Verification

= Fine-Grained Web Security

[ESOP ’10, Guha et al. ’11]

[POPL ’12, OOPSLA ’12]

[current]

116


Static Verification (DJS)

Security Expert

User

reviews only policy

reads informative policy

Developerwrites policy in logic!

117


Network Manager

request, …

JS Engine

eval, …

DOM

getAttr, setAttr, …

request ::

url:Str

Str

118


Network Manager

request, …

JS Engine

eval, …

DOM


request ::

{url:Str|WhiteListed(url)}

Str

119


Network Manager

request, …

JS Engine

eval, …

DOM


eval ::

s:Str

Void

120


Network Manager

request, …

JS Engine

eval, …

DOM


eval ::

{s:Str|not(Tainted(s))}

Void

121


Network Manager

request, …

JS Engine

eval, …

DOM


getAttr ::

elt:Element

attr:Str

Str

122


Network Manager

request, …

JS Engine

eval, …

DOM


getAttr ::

elt:Element

{attr:Str|CanRead(elt,attr)}

Str

123


Network Manager

request, …

JS Engine

eval, …

DOM


setAttr ::

elt:Element

attr:Str

y:Str

Void

124


Network Manager

request, …

JS Engine

eval, …

DOM


setAttr ::

elt:Element

attr:Str

{y:Str|CanWrite(elt,attr,y)}

Void

125


Network Manager

request, …

JS Engine

eval, …

DOM


Refined APIs Mediate Access

Typecheck Extension with Policy

126


forall url.

not (url = “evil.com”)

WhiteListed (url)

var s = request(“evil.com”);

✗finite blacklist

127


//: url:Str

var s = request(url);

✗might beblacklisted!

forall url.


WhiteListed (url)

forall url.


WhiteListed (url)

128


if (url != “evil.com”) {


}

✓

129




eval(s);

}

s:Str might be tainted!

✗

forall url.


WhiteListed (url)

130




s = sanitize(s);

eval(s);

} ✓STATICALLY VERIFIED!

s:Str

{s:Str|not(Tainted(s))}

forall url.


WhiteListed (url)

131


WhiteListed (“ny.com”)

WhiteListed (“golf.com”)

forall url.

WhiteListed (url)

not (Tainted (request (url)))

trust thatwhitelisted servers

return untainted strings

132


var s = request(“ny.com”);

eval(s);✓ no need to sanitize

WhiteListed (“ny.com”)

WhiteListed (“golf.com”)

forall url.

WhiteListed (url)

not (Tainted (request (url)))

STATICALLY VERIFIED!

133


forall e, oldUrl, newUrl.

ValueOf (e, “href”, oldUrl) ∧

StrPrefix (“newyorker.com”, oldUrl) ∧

StrPrefix (oldUrl, newUrl)

CanWrite (e, “href”, newUrl)





} }

134


ValueOf (elt, “href”, url) ∧

StrPrefix (“newyorker.com”, url) ∧

StrPrefix (url, url + “?printable=true”)

CanWrite (e, “href”, url+“?printable=true”)





} }

✓

135










} }

✓✓

136










} }

✓✓✓

137










} }

✓✓✓

✓STATICALLY VERIFIED!

138









elt.setAttr(“href”, “evil.com”);

} }

139




StrPrefix (url, “evil.com”)

CanWrite (e, “href”, “evil.com”)





} }

140




StrPrefix (url, “evil.com”)

CanWrite (e, “href”, “evil.com”)





} }

✓✓✗

✗

141


Types for Security+ JavaScript Verification

= Fine-Grained Web Security

[ESOP ’10, Guha et al. ’11]

[POPL ’12, OOPSLA ’12]

[current]

Secure Extensions Written in OCaml

Preliminary Benchmarks

142


Guha et al. ’11]

Secure Extensions Written in OCamlPreliminary Benchmarks

Ported to DJS ~400 LOC so far

Well-typed programsdon’t have run-time errorsand conform to security policies

143


Security via Logic

Browser ExtensionsTypes for Fine-Grained Policies



Looking Ahead

144

OutlineWhy JavaScript? Types via Logic Security via Logic Looking AheadChallenges Security via Logic Looking Ahead

145

Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead


Untrusted

Code

ScriptingLanguages

Web Platform

>>>

146


Expressiveness

Usability

Verification

Dependent JavaScript (DJS)

TypeScriptLightweight (unsound) static checking tools becoming popular

Translate for additional checking

and IDE support

147



Untrusted

Code

ScriptingLanguages

Web Platform

ToolSupport

>>>

148


Web Development ToolsWay Behind Tools for Java, etc.

• Static Types in DJS Enable Refactoring,• Documentation Tools, Code Completion

• Web-Based Interfaces to Collect Statistics• about Programming Patterns, Errors

149



Untrusted

Code

ScriptingLanguages

ToolSupport

PolicySpecification

Web Platform

>>>

150


Security Expert

User

Developer must write policy

must read policy

and


151

Developer must write policy

• Infer from traces• Incentives from platform

must read policyUser

• Traces to demonstrate behavior• Community review-and-recommend services

must read policySecurity Expert

• Modeling tools to analyze policies


152



Untrusted

Code

ScriptingLanguages

ToolSupport

PolicySpecification

DynamicEnforcement

Web Platform

>>>

153



Security Expert

User

Developer

154


…

eval(“…”);

…Dynamic

Code Loading

Impossible to statically analyzecode you don’t have!

155



Security Expert

User

Developer

DynamicEnforcement

156


DynamicEnforcement

…

eval(“…”);

//: #assume

…

New Types

Old Types

New Types

157


eval(“…”);

//: #assume New Types

• Dynamic Checking• Staged Analysis [PLDI ’09]

DynamicEnforcement

158



Untrusted

Code

ScriptingLanguages

ToolSupport

PolicySpecification

DynamicEnforcement

Trust Base

Web Platform

>>>

159



Security Expert

User

reviews only policy

Developer

DynamicEnforcement

160



Security Expertreviews only policy

trust

trust SMTSolver

Eliminate from TCB à laProof-Carrying Code [PLDI ’10]

Eliminate from TCB via Formal Verification

161



Security Expert

trust

SMTSolver

trust

162



Untrusted

Code

ScriptingLanguages

ToolSupport

PolicySpecification

DynamicEnforcement

Trust Base

Web PlatformStatic Types and Logic!

163


Static Types and Logic!

Static Types for:Reliability / SecurityDevelopment ToolsPerformance• Additional Just-in-Time Optimizations• Compile to Custom Architectures

164

Static Types and Logic!

Untrusted

Code

ScriptingLanguages

Concurrent Programs

Program Analysis via Set Constraints

[PLDI ’09]Run-Time Instrumentation[STOP ’11]

Dataflow Analysis and Race Detection

[PLDI ’08]

[ESOP ’10, PLDI ’10][POPL ’12, OOPSLA ’12]

165

Thanks!

Scripting Languages are Pervasive

DJS: Precise Static Types via Logic

Towards Fine-Grained Web Security

ravichugh.com

static verification for web scripting languages

Documents