static verification for web scripting languages
DESCRIPTION
Static Verification for Web Scripting Languages. Ravi Chugh. Web Platform. Web Platform. Untrusted Code. Scripting Languages. My Goal: Rigorous Foundations. Web Platform. Untrusted Code. Static Types and Logic!. Scripting Languages. 1995. Web Page = Static HTML Web Page + Links - PowerPoint PPT PresentationTRANSCRIPT
Static Verification forWeb Scripting
Languages
Ravi Chugh
2
Web Platform
3
Web Platform
ScriptingLanguages
Untrusted
Code
4
Web Platform
My Goal: Rigorous FoundationsStatic Types and Logic!
Untrusted
Code
ScriptingLanguages
5
1995
<html>
</html>
Username
Login
Password
Web Page = Static HTMLWeb Page + LinksWeb Page + Client-Side Code
<script type=“javascript”>
loginButton.onclick = function () {
if (passwordBox.value == “”) {
alert(“Enter password!”);
} else {
...
} }
</script>
6
1995
… an easy-to-use “scripting language”as a companion to Java
No Static Types
“Dynamic” Features Make itEasy to Experiment…
Brendan Eich,JavaScript creator
2013
2013Asked whether Gmail would ever open up an API for developers to code add-ons and plug-ins with more official support and stability, Kowitz suggested it was unlikely. Gmail is based on “hundreds of thousands” of lines of JavaScript, Kowitz said, and it's a code base that “changes so quickly.” That said, Jackson said the Gmail team "loves" to see third-party functionality being developed, and the team tries to make developers aware of changes they know will affect those products. Article on LifeHacker
2013Asked whether Gmail would ever open up an API for developers to code add-ons and plug-ins with more official support and stability, Kowitz suggested it was unlikely. Gmail is based on “hundreds of thousands” of lines of JavaScript, Kowitz said, and it's a code base that “changes so quickly.” That said, Jackson said the Gmail team "loves" to see third-party functionality being developed, and the team tries to make developers aware of changes they know will affect those products. Article on LifeHacker
“Scripting”?!?
10
http://stackoverflow.com/tags02-03-13
Count Tag411,345 C#361,080 Java337,896 PHP321,757 JavaScript175,765 C++160,768 Python
83,486 C64,345 Ruby
9,827 Haskell1,347 OCaml
JavaScript isEverywhere
2013
11
http://stackoverflow.com/tags02-03-13
Count Tag411,345 C#361,080 Java337,896 PHP321,757 JavaScript175,765 C++160,768 Python
83,486 C64,345 Ruby
9,827 Haskell1,347 OCaml
Popular Server-Side Scripting Languages
2013
JavaScript isEverywhere
12
News
ShoppingBanking 2013
JavaScript isEverywhere
13
News
ShoppingBanking
Third-Party Ads
2013
JavaScript isEverywhere
14
News
ShoppingBanking
Third-Party Ads
Third-Party Apps
2013
JavaScript isEverywhere
15
2013
JavaScript isEverywhere
Third-Party
16
No longerjust “scripting”
2013
… an easy-to-use “scripting language”as a companion to Java
17
JavaScript ismuch harder than Java
2013
… an easy-to-use “scripting language”as a companion to Java
No longerjust “scripting”
18
… New Yorker article, “The Itch,” …
19
20
“?printable=true”
21
“I want every article in print
mode”
Browser Extensions
Third-Party DevelopersCustomize
Browser
22
Browser Extensions
PRINTNEW YORKER
23
Browser Extensions
for (var elt in doc.getEltsByTagName(“a”)) {
var url = elt.getAttr(“href”);
if (url.match(/^newyorker.com/)) {
elt.setAttr(“href”, url + “?printable=true”);
} }
24
Browser Extensions
PRINTNEW YORKER
Document (DOM)
host-site.com
25
?printable=true
newyorker.com
Browser Extensions
PRINTNEW YORKER
Document (DOM)
host-site.com
26
?printable=true
newyorker.comevil.com EVIL
PasswordsBank Accts
History
Network Manager
OtherSensitive
APIs
JavaScriptEngine
BUGGY
27
Dynamic Checking…Expensive
Misses AttacksCan Blame Wrong Party
Goal: Static Verification
Enforcing JavaScript Security?
28
My Dissertation
Static Types for JavaScriptfor Dynamic Languages
1. Reliability / Security2. Development Tools3. Performance
29
My Dissertation
Static Types for JavaScriptfor Dynamic Languages
Working with JavaScriptCan Have Long-Term Impact
Many Challenges of Web are Independent of Language
New Techniques Apply to Traditional Languages
30
Static Types for JavaScriptDescribe sets of run-time values
“integers”
“booleans”
“objects with foo field”
“non-nullpointers”
“urls that are safe to visit”
31
Static Types for JavaScriptPrevent classes of run-time errors
“integers”
“booleans”
“objects with foo field”
“non-nullpointers”
“urls that are safe to visit”
“multiplyint and bool” “foo field
not found”“foo fieldnot found”
“null pointer exception”
“null pointer exception”
“navigating to evil.com”“redirect to evil.com”
32
f(x)
“expected args”“actual args”
Type1 Type2
“function call produces no error”✓
33
f(x)
“expected args”“actual args”
Type1 Type2
“function call may produce error”✗
34
Type1 Type2{x|p }
{x|q }
{x|p }
{x|q }
Types + LogicRefinement Types
“expected args”“actual args”
35
Types
Refinement Types
Nested Refinements [POPL ’12]Key to Encode Dynamic Features
Logic
{x|p } f :: {y|q }
Expressiveness
Usability
Types
VerificationHoare Logics
Model CheckingAbstract Interpretation
Theorem Proving…
+ Logic Dependent JavaScript (DJS)[POPL ’12, OOPSLA ’12]
Why is JavaScript Important?Why is JavaScript Hard?
Static Types via LogicSecurity via Logic
Looking Ahead
37
OutlineWhy JavaScript? Types via Logic Security via Logic Looking AheadChallenges
Why is JavaScript Important?
Why is JavaScript Hard?Static Types via Logic
Security via LogicLooking Ahead
38
OutlineWhy JavaScript? Types via Logic Security via Logic Looking AheadChallenges
Why is JavaScript Hard?
39
OutlineWhy JavaScript? Types via Logic Security via Logic Looking AheadChallenges
Lightweight ReflectionDictionary ObjectsAdditional Challenges
40
function negate(x) {
if (typeof x == “number”) {
}
Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic
xQ: What is my “type”?
41
All JavaScript Values
Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic
{x|tag(x) = “number” }
{x|tag(x) = “boolean” }
true false
{x|tag(x) = “object” }
{ } { “f”:17 }
{ “f”:42, “g”:true }...
Q: What is my “type”? x17 42
3.14-1
...
42
function negate(x) {
if (typeof x == “number”) {
}
Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic
xQ: What is my “type”?A: Described by “tag”
43
Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic
function negate(x) {
if (typeof x == “number”) {
return 0 - x;
} else {
return !x;
}
}
“expected args”
values with tag“number” OR “boolean”
Why is JavaScript Hard?
44
OutlineWhy JavaScript? Types via Logic Security via Logic Looking AheadChallenges
Lightweight Reflection
Dictionary ObjectsAdditional Challenges
45
Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic
obj.f means obj[“f”]
a.k.a.“maps”“hash tables”“associative arrays”
Objects are “Dictionaries”that mapstring keysto values
46
methodto invoke
methodtable
Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic
function dispatch(table, op, i, j) { }
47
Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic
var integerOps = { “+” : function (n, m) { … } , “-” : function (n, m) { … } };
function dispatch(table, op, i, j) { var fn = table[op]; return fn(i, j); }
dispatch (integerOps, “*”, 17, 42);
“foo fieldnot found”“*” key
not found
48
Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic
function dispatch(table, op, i, j) { var fn = table[op]; return fn(i, j); }
“expected args”
table object with an op key that stores a function on numbers
Dependencybetween types
of arguments
Why is JavaScript Hard?
49
OutlineWhy JavaScript? Types via Logic Security via Logic Looking AheadChallenges
Lightweight ReflectionDictionary ObjectsAdditional Challenges
Why is JavaScript Hard?
50
OutlineWhy JavaScript? Types via Logic Security via Logic Looking AheadChallenges
Lightweight ReflectionDictionary Objects Extensible ObjectsPrototype InheritanceArray Semantics
Unsupported in Prior Work
Why is JavaScript Hard?
51
OutlineWhy JavaScript? Types via Logic Security via Logic Looking AheadChallenges
Lightweight ReflectionDictionary Objects Extensible ObjectsPrototype InheritanceArray Semantics
Why is JavaScript Important?Why is JavaScript Hard?
Static Types via LogicSecurity via Logic
Looking Ahead
52
OutlineWhy JavaScript? Types via Logic Security via Logic Looking AheadChallengesChallenges Types via Logic
53
All JavaScript Values{x|tag(x) = “number” }
true false
{ } { “f”:17 }
{ “f”:42, “g”:true }...
17 42
3.14-1
...
Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic
54
All JavaScript Values{x|tag(x) = “number” }
17 42
3.14-1
...
Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic
{x|tag(x) = “boolean” }
{x|tag(x) = “object” }
true false
{ } { “f”:17 }
{ “f”:42, “g”:true }...
55
All JavaScript Values
Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic
{ } { “f”:17 }
{ “f”:42, “g”:true }...{x|x = true }
true false
{x|integer(x) }
{x|x > 0 }
17 42
3.14-1
...
56
All JavaScript Values
Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic
“set of values x s.t. formula p is true”
{x|p }Refinement Types
57
f(x)
“expected args”“actual args”
Type1 Type2
Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic
58
f(x)
“expected args”“actual args”
Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic
{x|p }
{x|q }
{x|p }
{x|q }
59
is Subtyping is Set Inclusion is Implication
Type1 Type2
Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic
{x|p }
{x|q }
{x|p }
{x|q }
Static Types via Logic
60
OutlineWhy JavaScript? Security via Logic Looking AheadChallenges Types via Logic
Lightweight ReflectionDictionary ObjectsKey Technical InnovationsEvaluation
61
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
function negate(x) {
if (typeof x == “number”) {
return 0 - x;
} else {
return !x;
} }
Type Annotation in Comments
//: negate :: (x:NumOrBool) NumOrBool
{v|tag(v) = “number” ∨ tag(v) = “boolean” }
NumOrBool
Syntactic Sugarfor Common Types
62
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
function negate(x) {
if (typeof x == “number”) {
return 0 - x;
} else {
return !x;
} }
//: negate :: (x:NumOrBool) NumOrBool
{x|tag(x) = “number” }
“expected args”
{x|tag(x) = “number” }
{x|tag(x) = “number” }
{x|tag(x) = “number” }✓
63
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
function negate(x) {
if (typeof x == “number”) {
return 0 - x;
} else {
return !x;
} }
//: negate :: (x:NumOrBool) NumOrBool
“expected args”
{x|tag(x) = “boolean” }
✓{x|not(tag(x) = “number”)
{x| ∧ (tag(x) = “number” ∨
{x| tag(x) = “boolean”) }
64
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
function negate(x) {
if (typeof x == “number”) {
return 0 - x;
} else {
return !x;
} }
//: negate :: (x:NumOrBool) NumOrBool
Logic EnablesPath-SensitiveReasoning on
Branches
✓
65
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
function negate(x) {
if (typeof x == “number”) {
return 0 - x;
} else {
return !x;
} }
Logic Enables Types to Depend on Values
//: negate :: (x:NumOrBool) { y|tag(y) = tag(x) }
✓
Static Types via Logic
66
OutlineWhy JavaScript? Security via Logic Looking AheadChallenges
Lightweight ReflectionDictionary ObjectsKey Technical InnovationsEvaluation
Types via Logic
67
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
All JavaScript Values
{x|tag(x) = “object” }
...
{ }
{ “f”:true }
{ “f”:17 }
{ “f”:42, “g”:null }
68
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
All JavaScript Values
{x|tag(x) = “object” has(x,“f”) }
...
{ }
{ “f”:true }
{ “f”:17 }
{ “f”:42, “g”:null }
69
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
All JavaScript Values
{x|tag(x) = “object” {x|has(x,“f”) {x|tag(sel(x,“f”)) = “number” }
...
{ }
{ “f”:true }
{ “f”:17 }
{ “f”:42, “g”:null }
70
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
All JavaScript Values
{x|sel(x,“f”) = true {x|dom(x) = {“f”} }
...
{ }
{ “f”:true }
{ “f”:17 }
{ “f”:42, “g”:null }
71
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
//: dispatch ::
//: ({ table | tag(table) = “object” },
//: { op | tag(op) = “string”
//: { op | ∧ has(table,op)
//: { op | ∧ sel(table,op) :: (Num,Num) Num },
//: { i | tag(i) = “number” },
//: { j | tag(j) = “number” })
//: Num
function dispatch(table, op, i, j) { var fn = table[op]; return fn(i, j); }
72
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
//: dispatch ::
//: (table : { sel(table,op) :: (Num,Num) Num },
//: op : Str,
//: i : Num,
//: j : Num)
//:
//:
//: Num
function dispatch(table, op, i, j) { var fn = table[op]; return fn(i, j); }
73
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
var integerOps = { “+” : …, “-” : … };
dispatch (integerOps, “*”, 17, 42);
{op|op = “*” }
“actual args”{op|has(integerOps,op) }
Type Checking Prevents Run-Time Error
{op|op = “*” }
{op|has(integerOps,op) }✗
Static Types via Logic
74
OutlineWhy JavaScript? Security via Logic Looking AheadChallenges
Lightweight ReflectionDictionary ObjectsKey Technical InnovationsEvaluation
Types via Logic
75
PriorRefinement
Types
✓✗
lightweight reflection
dictionary objects
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
extensible objects
prototype inheritance
array semantics
✗✗✗
Dependent JavaScript
(DJS)[POPL ’12, OOPSLA ’12]
✓✓✓✓✓
Key Challenge:Function Subtyping
as Logical Implication76
PriorRefinement
Types
✗dictionary objects
Dependent JavaScript
(DJS)[POPL ’12, OOPSLA ’12]
✓
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
77
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
42 + negate (17)
{f|f :: }(x:Num) Num “expected function”
{f|f :: } (x:NumOrBool) { y|tag(y) = tag(x) }
{f|f :: }
78
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
(x:NumOrBool) { y|tag(y) = tag(x) }
{f|f :: }(x:Num) Num
How to Prove
?How to Encode Type System Inside Logic?
Prior Refinement SystemsDisallow Function Types Inside Logic!
79
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
T ::= {x|p }
| T1 T2
Types Refinement Logic
Satisfiability Modulo Theories (SMT)
SAT + Decidable Theories
p q✓✗
SMT Solver(e.g. Z3)
[Prior State-of-the-Art]
80
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
T ::= {x|p }
| T1 T2
p ::= p ∧ q | p ∨ q | p
| x = y | x > y | …
| tag(x) = “number” | …
| sel(x,k) = 17 | …
Types Refinement Logic
• Boolean Connectives• Equality• Linear Arithmetic• Uninterpreted Functions• McCarthy Arrays
81
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
T ::= {x|p }
| T1 T2
p ::= p ∧ q | p ∨ q | p
| x = y | x > y | …
| tag(x) = “number” | …
| sel(x,k) = 17 | …
Types Refinement Logic
{v|tag(v) = “number” ∨ tag(v) = “boolean” }NumOrBool
Enables Union Types and Lightweight Reflection
82
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
T ::= {x|p }
| T1 T2
p ::= p ∧ q | p ∨ q | p
| x = y | x > y | …
| tag(x) = “number” | …
| sel(x,k) = 17 | …
Types Refinement Logic
Enables Dictionary Types with Dynamic Keys …{d|tag(sel(d,k)) = “boolean” ∧
{d|tag(sel(d,“f”)) = “function” ∧
{d|sel(d,“f”) ??? }
But DisallowsFunctions inDictionaries!
83
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
p ::= p ∧ q | p ∨ q | p
| x = y | x > y | …
| tag(x) = “number” | …
| sel(x,k) = 17 | …
| sel(x,k) :: T1 T2 | …
Types Refinement Logic
Goal: Refer to Type System Inside LogicGoal: Without Giving up Decidability
T ::= {x|p }
| T1 T2
Solution: Nested Refinements!
84
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
T ::= {x|p } p ::= p ∧ q | p ∨ q | p
| x = y | x > y | …
| tag(x) = “number” | …
| sel(x,k) = 17 | …
| sel(x,k) :: T1 T2 | …
Nested Refinements [POPL ’12]1. Decidable Encoding2. Precise Subtyping3. Type Soundness Proof
Types Refinement Logic
85
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
{f|f :: } (x:NumOrBool) { y|tag(y) = tag(x) }
{f|f :: }(x:Num) Num
Decidable Encoding
Uninterpreted Predicate in Logic
Distinct UninterpretedConstants in Logic…
{f|f :: }
86
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
(x:NumOrBool) { y|tag(y) = tag(x) }
{f|f :: }(x:Num) Num
Decidable Encoding
Uninterpreted Predicate in Logic
w/ Types Nested Inside
Distinct UninterpretedConstants in Logic…
87
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
Decidable Encoding
{f|f :: } (x:NumOrBool) { y|tag(y) = tag(x) }
{f|f :: }(x:Num) Num
✗SMTSolver
Trivially Decidable, but Imprecise
88
p f :: (x:S1) S2
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
{f|f :: }(x:T1) T2
{f|p }
Precise Subtyping
Step 1:
Step 2:
Find such that(x:S1) S2
SMTSolver✓
T1 S1 ✓✓S2 T2x:T1
Compare and(x:S1) S2 (x:T1) T2
✓
“contra-variance”
“co-variance”
89
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
{f|f :: }(x:Num) Num{f|f = negate }
Precise Subtyping
Step 1:
Step 2:
f = negate
f :: (x:NumOrBool) { y|tag(y) = tag(x) }SMTSolver✓
90
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
{f|f :: }(x:Num) Num{f|f = negate }
Precise Subtyping
Step 1:
Step 2:
f = negate
f :: (x:NumOrBool) { y|tag(y) = tag(x) }
Num
NumOrBool ✓✓{y|tag(y) = tag(x) } Nu
mx:Num
✓SMT
Solver✓
91
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
Precise Subtyping
Step 1:
Step 2:
Decidable Reasoningvia SMT
Precise Function Subtypingvia Syntactic Techniques
+
{f|f :: }{f|f = negate } ✓(x:Num) Num
92
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
Type Soundness Proof
Logic 0
Conventional ProofsRequire Logic to be an Oracle …
… but Nesting Introduces CircularityThat Prevents Typical Inductive Proofs
Type System 0
93
Type System ∞
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
Type Soundness Proof
Logic 0
Logic 1
Logic 2
Type System 1
Type System 2
Type System 0
… …
Proof Technique:Stratify into Infinite Hierarchy
94
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
T ::= {x|p } p ::= p ∧ q | p ∨ q | p
| x = y | x > y | …
| tag(x) = “number” | …
| sel(x,k) = 17 | …
| sel(x,k) :: T1 T2 | …
Nested Refinements [POPL ’12]
Types Refinement Logic
Key to Encode Dictionary Objects(Even in Statically Typed Languages!)
95
lightweight reflection
dictionary objects
extensible objects
prototype inheritance
array semantics
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
Dependent JavaScript
(DJS)[POPL ’12, OOPSLA ’12]
✓✓✓✓✓
PriorRefinement
Types
✓✗✗✗✗
JavaScript
JavaScript, Python, Ruby
96
lightweight reflection
dictionary objects
extensible objects
prototype inheritance
array semantics
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
Dependent JavaScript
(DJS)[POPL ’12, OOPSLA ’12]
✓✓✓✓✓
Static Types via Logic
97
OutlineWhy JavaScript? Security via Logic Looking AheadChallenges
Lightweight ReflectionDictionary ObjectsKey Technical InnovationsEvaluation
Types via Logic
98
306a
408(+33%)
LOCbefore/after
13 Excerpts from: JavaScript, Good Parts SunSpider Benchmark Suite Google Closure Library
Benchmarks
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
Chosen to Stretch the Limits of DJS
99
306a
408(+33%)
LOCbefore/after
13 Excerpts from: JavaScript, Good Parts SunSpider Benchmark Suite Google Closure Library
Benchmarks
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
9 Browser Extensions from: [Guha et al. Oakland ’11]
321a
383(+19%)
1,003a
1,027(+2%)
2 Examples from: Google Gadgets
1,630
1,818(+12%)
TOTALS
100
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
1,630
1,818(+12%)
TOTALS
Already Improved by SimpleType Inference and Syntactic Sugar
Plenty of Room for Improvement• Iterative Predicate Abstraction• Bootstrap from Run-Time Traces [STOP ’11]
1,818(+12%)
101
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
1,630
1,818(+12%)
TOTALS
Already Improved using SimpleType Inference and Syntactic Sugar
Plenty of Room for Improvement• Apply State-of-the-Art Techniques• Bootstrap from Run-Time Traces [STOP ’11]
1,630
Will Enable Larger Examples
102
LOCbefore/after
13 Excerpts from: JavaScript, Good Parts SunSpider Benchmark Suite Google Closure Library
306a
408(+33%)
Benchmarks
9 Browser Extensions from: [Guha et al. Oakland ’11]
321a
383(+19%)
2 Examples from: Google Gadgets
1,003a
1,027(+2%)
1,630
1,818(+12%)
10 sec
Running Time
3 sec
19 sec
32 sec
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
TOTALS
103
1,818(+12%)
32 sec
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
Already Improved by SimpleOptimizations• Avoid SMT Solver When Possible• Reduce Precision for Common Patterns
Plenty of Room for Improvement
1,630
TOTALS
32 sec
Static Types via Logic
104
OutlineWhy JavaScript? Security via Logic Looking AheadChallenges
Lightweight ReflectionDictionary ObjectsKey Technical InnovationsEvaluation
Types via Logic
Types via Logic
Why is JavaScript Important?Why is JavaScript Hard?
Static Types via LogicSecurity via Logic
Looking Ahead
105
OutlineWhy JavaScript? Security via Logic Looking AheadChallenges Types via Logic Security via Logic
106
OutlineWhy JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Security via Logic Browser Extensions
Types for Fine-Grained Policies
Browser Extensions
PRINTNEW YORKER
107
host-site.com
Document (DOM)
PasswordsBank Accts
History
Network Manager
OtherSensitive
APIs
JavaScriptEngine
BUGGY
EVIL
108
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Policy Expressiveness
Access All Resources
109
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Access Some Resources
cannot access DOM cannot access History
Policy Expressiveness
110
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Policy Expressiveness
coarse-grainedand uninformative!
cannot access DOM cannot access History
111
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Policy Expressiveness
coarse-grainedand uninformative!
similar situation forother app platforms
112
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Policy Expressiveness
Fine-Grained PoliciesGOAL
113
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
can write “a” elementsbut only “href” attribute
when original “href” valuestarts with “newyorker.com”and is prefix of new value
Fine-Grained PoliciesGOAL
114
OutlineWhy JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Security via Logic Browser Extensions
Types for Fine-Grained Policies
115
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Types for Security+ JavaScript Verification
= Fine-Grained Web Security
[ESOP ’10, Guha et al. ’11]
[POPL ’12, OOPSLA ’12]
[current]
116
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Static Verification (DJS)
Security Expert
User
reviews only policy
reads informative policy
Developerwrites policy in logic!
117
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Network Manager
request, …
JS Engine
eval, …
DOM
getAttr, setAttr, …
request ::
url:Str
Str
118
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Network Manager
request, …
JS Engine
eval, …
DOM
getAttr, setAttr, …
request ::
{url:Str|WhiteListed(url)}
Str
119
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Network Manager
request, …
JS Engine
eval, …
DOM
getAttr, setAttr, …
eval ::
s:Str
Void
120
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Network Manager
request, …
JS Engine
eval, …
DOM
getAttr, setAttr, …
eval ::
{s:Str|not(Tainted(s))}
Void
121
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Network Manager
request, …
JS Engine
eval, …
DOM
getAttr, setAttr, …
getAttr ::
elt:Element
attr:Str
Str
122
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Network Manager
request, …
JS Engine
eval, …
DOM
getAttr, setAttr, …
getAttr ::
elt:Element
{attr:Str|CanRead(elt,attr)}
Str
123
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Network Manager
request, …
JS Engine
eval, …
DOM
getAttr, setAttr, …
setAttr ::
elt:Element
attr:Str
y:Str
Void
124
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Network Manager
request, …
JS Engine
eval, …
DOM
getAttr, setAttr, …
setAttr ::
elt:Element
attr:Str
{y:Str|CanWrite(elt,attr,y)}
Void
125
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Network Manager
request, …
JS Engine
eval, …
DOM
getAttr, setAttr, …
Refined APIs Mediate Access
Typecheck Extension with Policy
126
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
forall url.
not (url = “evil.com”)
WhiteListed (url)
var s = request(“evil.com”);
✗finite blacklist
127
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
//: url:Str
var s = request(url);
✗might beblacklisted!
forall url.
not (url = “evil.com”)
WhiteListed (url)
forall url.
not (url = “evil.com”)
WhiteListed (url)
128
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
if (url != “evil.com”) {
var s = request(url);
}
✓
129
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
if (url != “evil.com”) {
var s = request(url);
eval(s);
}
s:Str might be tainted!
✗
forall url.
not (url = “evil.com”)
WhiteListed (url)
130
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
if (url != “evil.com”) {
var s = request(url);
s = sanitize(s);
eval(s);
} ✓STATICALLY VERIFIED!
s:Str
{s:Str|not(Tainted(s))}
forall url.
not (url = “evil.com”)
WhiteListed (url)
131
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
WhiteListed (“ny.com”)
WhiteListed (“golf.com”)
forall url.
WhiteListed (url)
not (Tainted (request (url)))
trust thatwhitelisted servers
return untainted strings
132
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
var s = request(“ny.com”);
eval(s);✓ no need to sanitize
WhiteListed (“ny.com”)
WhiteListed (“golf.com”)
forall url.
WhiteListed (url)
not (Tainted (request (url)))
STATICALLY VERIFIED!
133
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
forall e, oldUrl, newUrl.
ValueOf (e, “href”, oldUrl) ∧
StrPrefix (“newyorker.com”, oldUrl) ∧
StrPrefix (oldUrl, newUrl)
CanWrite (e, “href”, newUrl)
for (var elt in doc.getEltsByTagName(“a”)) {
var url = elt.getAttr(“href”);
if (url.match(/^newyorker.com/)) {
elt.setAttr(“href”, url + “?printable=true”);
} }
134
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
ValueOf (elt, “href”, url) ∧
StrPrefix (“newyorker.com”, url) ∧
StrPrefix (url, url + “?printable=true”)
CanWrite (e, “href”, url+“?printable=true”)
for (var elt in doc.getEltsByTagName(“a”)) {
var url = elt.getAttr(“href”);
if (url.match(/^newyorker.com/)) {
elt.setAttr(“href”, url + “?printable=true”);
} }
✓
135
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
ValueOf (elt, “href”, url) ∧
StrPrefix (“newyorker.com”, url) ∧
StrPrefix (url, url + “?printable=true”)
CanWrite (e, “href”, url+“?printable=true”)
for (var elt in doc.getEltsByTagName(“a”)) {
var url = elt.getAttr(“href”);
if (url.match(/^newyorker.com/)) {
elt.setAttr(“href”, url + “?printable=true”);
} }
✓✓
136
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
ValueOf (elt, “href”, url) ∧
StrPrefix (“newyorker.com”, url) ∧
StrPrefix (url, url + “?printable=true”)
CanWrite (e, “href”, url+“?printable=true”)
for (var elt in doc.getEltsByTagName(“a”)) {
var url = elt.getAttr(“href”);
if (url.match(/^newyorker.com/)) {
elt.setAttr(“href”, url + “?printable=true”);
} }
✓✓✓
137
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
ValueOf (elt, “href”, url) ∧
StrPrefix (“newyorker.com”, url) ∧
StrPrefix (url, url + “?printable=true”)
CanWrite (e, “href”, url+“?printable=true”)
for (var elt in doc.getEltsByTagName(“a”)) {
var url = elt.getAttr(“href”);
if (url.match(/^newyorker.com/)) {
elt.setAttr(“href”, url + “?printable=true”);
} }
✓✓✓
✓STATICALLY VERIFIED!
138
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
ValueOf (elt, “href”, url) ∧
StrPrefix (“newyorker.com”, url) ∧
StrPrefix (url, url + “?printable=true”)
CanWrite (e, “href”, url+“?printable=true”)
for (var elt in doc.getEltsByTagName(“a”)) {
var url = elt.getAttr(“href”);
if (url.match(/^newyorker.com/)) {
elt.setAttr(“href”, “evil.com”);
} }
139
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
ValueOf (elt, “href”, url) ∧
StrPrefix (“newyorker.com”, url) ∧
StrPrefix (url, “evil.com”)
CanWrite (e, “href”, “evil.com”)
for (var elt in doc.getEltsByTagName(“a”)) {
var url = elt.getAttr(“href”);
if (url.match(/^newyorker.com/)) {
elt.setAttr(“href”, “evil.com”);
} }
140
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
ValueOf (elt, “href”, url) ∧
StrPrefix (“newyorker.com”, url) ∧
StrPrefix (url, “evil.com”)
CanWrite (e, “href”, “evil.com”)
for (var elt in doc.getEltsByTagName(“a”)) {
var url = elt.getAttr(“href”);
if (url.match(/^newyorker.com/)) {
elt.setAttr(“href”, “evil.com”);
} }
✓✓✗
✗
141
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Types for Security+ JavaScript Verification
= Fine-Grained Web Security
[ESOP ’10, Guha et al. ’11]
[POPL ’12, OOPSLA ’12]
[current]
Secure Extensions Written in OCaml
Preliminary Benchmarks
142
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Guha et al. ’11]
Secure Extensions Written in OCamlPreliminary Benchmarks
Ported to DJS ~400 LOC so far
Well-typed programsdon’t have run-time errorsand conform to security policies
143
OutlineWhy JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Security via Logic
Browser ExtensionsTypes for Fine-Grained Policies
Why is JavaScript Important?Why is JavaScript Hard?
Static Types via LogicSecurity via Logic
Looking Ahead
144
OutlineWhy JavaScript? Types via Logic Security via Logic Looking AheadChallenges Security via Logic Looking Ahead
145
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
Dependent JavaScript
Untrusted
Code
ScriptingLanguages
Web Platform
>>>
146
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
Expressiveness
Usability
Verification
Dependent JavaScript (DJS)
TypeScriptLightweight (unsound) static checking tools becoming popular
Translate for additional checking
and IDE support
147
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
Dependent JavaScript
Untrusted
Code
ScriptingLanguages
Web Platform
ToolSupport
>>>
148
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
Web Development ToolsWay Behind Tools for Java, etc.
• Static Types in DJS Enable Refactoring,• Documentation Tools, Code Completion
• Web-Based Interfaces to Collect Statistics• about Programming Patterns, Errors
149
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
Dependent JavaScript
Untrusted
Code
ScriptingLanguages
ToolSupport
PolicySpecification
Web Platform
>>>
150
Static Verification (DJS)
Security Expert
User
Developer must write policy
must read policy
and
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
151
Developer must write policy
• Infer from traces• Incentives from platform
must read policyUser
• Traces to demonstrate behavior• Community review-and-recommend services
must read policySecurity Expert
• Modeling tools to analyze policies
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
152
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
Dependent JavaScript
Untrusted
Code
ScriptingLanguages
ToolSupport
PolicySpecification
DynamicEnforcement
Web Platform
>>>
153
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
Static Verification (DJS)
Security Expert
User
Developer
154
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
…
eval(“…”);
…Dynamic
Code Loading
Impossible to statically analyzecode you don’t have!
155
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
Static Verification (DJS)
Security Expert
User
Developer
DynamicEnforcement
156
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
DynamicEnforcement
…
eval(“…”);
//: #assume
…
New Types
Old Types
New Types
157
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
eval(“…”);
//: #assume New Types
• Dynamic Checking• Staged Analysis [PLDI ’09]
DynamicEnforcement
158
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
Dependent JavaScript
Untrusted
Code
ScriptingLanguages
ToolSupport
PolicySpecification
DynamicEnforcement
Trust Base
Web Platform
>>>
159
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
Static Verification (DJS)
Security Expert
User
reviews only policy
Developer
DynamicEnforcement
160
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
Static Verification (DJS)
Security Expertreviews only policy
trust
trust SMTSolver
Eliminate from TCB à laProof-Carrying Code [PLDI ’10]
Eliminate from TCB via Formal Verification
161
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
Static Verification (DJS)
Security Expert
trust
SMTSolver
trust
162
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
Dependent JavaScript
Untrusted
Code
ScriptingLanguages
ToolSupport
PolicySpecification
DynamicEnforcement
Trust Base
Web PlatformStatic Types and Logic!
163
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
Static Types and Logic!
Static Types for:Reliability / SecurityDevelopment ToolsPerformance• Additional Just-in-Time Optimizations• Compile to Custom Architectures
164
Static Types and Logic!
Untrusted
Code
ScriptingLanguages
Concurrent Programs
Program Analysis via Set Constraints
[PLDI ’09]Run-Time Instrumentation[STOP ’11]
Dataflow Analysis and Race Detection
[PLDI ’08]
[ESOP ’10, PLDI ’10][POPL ’12, OOPSLA ’12]
165
Thanks!
Scripting Languages are Pervasive
DJS: Precise Static Types via Logic
Towards Fine-Grained Web Security
ravichugh.com
166