Source: ajacs.inria.fr/files/2015-11-27-Maksimovic.pdf · 2015-11-27
Defensive JS in JSCert: Initial steps
Petar Maksimovic
Inria Rennes – Bretagne Atlantique
ANR AJACS Meeting, Paris, 27/11/2015
Current State of JSCert
Coverage of JSCert @ POPL’14
- Main functionalities (Ch 8-14) dominantly implemented
  - For-in broken, ergo not implemented
  - Functionalities depending on for-in not implemented
- Libraries (Function, Array, String... (Ch 15)) not formalised
  - Functionalities depending on Ch 15 not formalised
  - Array initialiser not formalised
How to improve JSCert?
- Better coverage of the standard libraries: we need Ch 15 to fully test Ch 8–14 using Test262
- Better testing infrastructure: we need to increase our confidence in the test results
- Separate core from non-core library functionality
  - Core functionality: everything the underlying implementation must provide
  - Non-core functionality: everything that can be implemented in JavaScript on top of core functionality
- Extend JSCert, JSRef, proof with core library functionality
- Implement (or borrow an implementation of) non-core functionality in JavaScript and load it into the initial heap
Coverage of JSCert
Coverage of JSCert - Detailed Results
Coverage of JSCert - Array Library
JSRef Testing Results: Array Library
|                | Chs 8-14 Pass | Chs 8-14 Fail | Chs 8-14 Abort | Array Library Pass | Array Library Fail | Array Library Abort |
|----------------|--------------:|--------------:|---------------:|-------------------:|-------------------:|--------------------:|
| POPL'14 paper  | 1796          | 404           | 582            | 139                | 873                | 1307                |
| POPL'14 talk   | 1851          | 392           | 539            | 149                | 864                | 1306                |
| CAV'15 paper   | 2437          | 129           | 216            | 180                | 1204               | 935                 |
| +V8 Array      | 2440          | 126           | 216            | 1309               | 59                 | 951                 |
| CAV'15 talk    | 2506          | 47            | 229            | 267                | 1956               | 69                  |
| +V8 Array      | 2510          | 43            | 229            | 2170               | 12                 | 111                 |

Evaluation
- Implementation of new features uncovered bugs in previously unused and unverified code.
- Changing the parser forced re-evaluation of parsing failures.
Defensive JavaScript
What is DJS and why was it created?
- Typed subset of JavaScript
- Authors: K. Bhargavan, A. Delignat-Lavaud, S. Maffeis
- Motivation: guarantee that program functionalities cannot be tampered with, even in a malicious environment
- Applications: crypto libraries, single sign-on widgets, bookmarklets
What is meant by “defensiveness”?
Isolate security-critical code from the environment:
- Use function closures/wrappers
- Do not call external functions explicitly
- Prevent triggering of coercions
- Prevent prototype lookups
How is this achieved?
Using a static type system:
- Static scopes
  - Limited occurrences of variable declarations
  - Strong scoping restriction on with
- Statically typed objects, functions, arrays
  - No out-of-bounds, not extensible
- Coercion-free operations
- Disjoint heaps
  - No heap references allowed to be imported or exported, only string → string
Syntactic categories
- Literals (bool, number, string, object, array)
- Most unary and binary operators
- LHS-expressions (severely limiting dynamic access)
  - Properties only via e.x
  - Arrays and strings indexed only within bounds
- Expressions
  - Assignments; unary, binary operations
  - Fully applied function and method applications
- Statements
  - If-then-else, while, sequence
  - with(e) s, where all FV(s) are properties of e
  - No variable declarations
Syntactic categories
- Functions
  - Variable declarations
  - Series of statements
  - Single return statement

  f := function(x1, ..., xn) {
         var y1 = e1, ..., ym = em;
         s1; ...; sk;
         return e
       }
Syntactic categories
- Programs
  - Wrapper around a single function f
  - Ensures argument is string
  - Calls function, returns result

  pf := (function () {
          var _f = f;
          return function (x) {
            if (typeof(x) == "string") return _f(x);
          };
        })();

- Wrapping: no leaking of source code of f
- Argument type check: no import of external heap refs
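The wrapper pf above and the defensiveness principles of the "What is meant by defensiveness" slide, as an added runnable example that is not from the slides or from the DJS/JSCert projects; f, naiveF and the check functions are constructed here for illustration.

```javascript
// Added example (not from the slides): pf written out as runnable JavaScript.

// f: string -> string in the DJS style. Only in-bounds indexing, arithmetic and
// concatenation; no external calls and no prototype method lookups (constructed).
function f(x) {
  var y = "", i = x.length;
  while (i > 0) { i = i - 1; y = y + x[i]; }
  return y;
}

// Same task written non-defensively: every step is a prototype lookup the
// surrounding environment can redefine (constructed for contrast).
function naiveF(x) {
  return ("" + x).split("").reverse().join("");
}

// pf from the slide: the closure hides f and the typeof check admits only
// strings, so no external heap reference is ever imported into f.
var pf = (function () {
  var _f = f;
  return function (x) {
    if (typeof x === "string") return _f(x);
  };
})();

// Independence check: the same call, before and after the environment
// tampers with Array.prototype, must give the same answer.
function independenceCheck(fn, arg) {
  var before = fn(arg);
  var saved = Array.prototype.reverse;
  Array.prototype.reverse = function () { return this; }; // hostile environment
  var after;
  try { after = fn(arg); } finally { Array.prototype.reverse = saved; }
  return before === after;
}

// Coercion check: an object with its own toString is a heap value from
// outside; pf refuses it (returns undefined) instead of calling toString.
function coercionCheck(fn) {
  var called = false;
  var probe = { toString: function () { called = true; return "abc"; } };
  var result = fn(probe);
  return { ranCallerCode: called, result: result };
}

// Wrapping check: the wrapped function's source text does not contain f's body.
function exposesBodyOfF(fn) {
  return String(fn).indexOf("while") !== -1;
}
```

naiveF returns a different value once Array.prototype.reverse is replaced and runs the caller's toString on a non-string argument; pf does neither.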
Types and Environments
Illustration of the typing rules
Key Properties of DJS
Independence: pf preserves the independence of f if any two sequences of calls with the same arguments to the result of pf, interleaved with arbitrary JS code, return the same sequences of return values, provided no call triggered an exception.

Encapsulation: pf encapsulates f over D if no JS program that runs pf can distinguish between running pf and pf′ without calling the returned wrapped functions. Moreover, for any tuple v ∈ D, the heaps resulting from pf(v) and f(v) are equivalent.

Defensiveness: If ⊢ f : string → string, then the DJS program pf encapsulates f over strings and preserves its independence.
What has been done so far in Coq?
1. Complete syntax
2. Complete type system
3. Mapping DJS → JSCert
4. Predicate describing allowed JSCert terms
5. Proof that (3) and (4) are equivalent
Some more details
- Defined size for DJS types, DJS terms, JSCert terms
  - All proofs by induction on the appropriate size
  - Using size, derive structural induction principles
- Rules of variable length (object, array, function)
  - Using Forall from TLC
  - Pretty-big-step style rules
  - PBS for functions, Forall for the rest

  | typing_Array : forall G t le,
      length le > 0 ->
      Forall (fun e => G |- e :: t) le ->
      G |- (djs_a le) :: [[t, length le]]
Some more details
- Translation DJS → JSCert (toJSC)
  - Mapping of unary and binary operators
  - Follow descriptions from the syntax
Some more details
- Allowed terms in JSCert (DJS_allowed_term)
  - Mapping of operators
  - Follow descriptions from the syntax
Some more details
- Relationship between toJSC and DJS_allowed_term
  - T: DJS term, t: JSCert term

  ∀t, DJS_allowed_term t ↔ (∃T, toJSC T = t)
What are the next steps?
- Compatibility between Γ in DJS and (S, C) in JSCert
- Type safety
- Properties of the heap
  - Equivalence of heaps
  - Separation
- Additional information within JSCert
  - Traces?
- Semantics of DJS?
Thank you for your attention!