modern type systems for dynamic languages ravi chugh
TRANSCRIPT
ModernType Systems for
Dynamic Languages
Ravi Chugh
2
Web Platform
ScriptingLanguages
Untrusted
Code
3
Web Platform
Goal: Rigorous Foundations
Untrusted
Code
ScriptingLanguages
Types
+ Logic
4
1995
<html>
</html>
Username
Login
Password
Web Page = Static HTMLWeb Page + LinksWeb Page + Client-Side Code
<script type=“javascript”>
loginButton.onclick = function () {
if (passwordBox.value == “”) {
alert(“Enter password!”);
} else {
...
} }
</script>
5
1995
… an easy-to-use “scripting language”as a companion to Java
No Static Types
“Dynamic” Features Make itEasy to Experiment…
Brendan Eich,JavaScript creator
2014
2014Asked whether Gmail would ever open up an API for developers to code add-ons and plug-ins with more official support and stability, Kowitz suggested it was unlikely. Gmail is based on “hundreds of thousands” of lines of JavaScript, Kowitz said, and it's a code base that “changes so quickly.” That said, Jackson said the Gmail team "loves" to see third-party functionality being developed, and the team tries to make developers aware of changes they know will affect those products. Article on LifeHacker
2014Asked whether Gmail would ever open up an API for developers to code add-ons and plug-ins with more official support and stability, Kowitz suggested it was unlikely. Gmail is based on “hundreds of thousands” of lines of JavaScript, Kowitz said, and it's a code base that “changes so quickly.” That said, Jackson said the Gmail team "loves" to see third-party functionality being developed, and the team tries to make developers aware of changes they know will affect those products. Article on LifeHacker
“Scripting”?!?
9
http://stackoverflow.com/tags02-26-14
Count Tag599,605 C#583,322 Java555,164 JavaScript532,851 PHP273,086 Python268,725 C++129,483 C
97,154 Ruby15,044 Haskell
2,175 OCaml
2014
JavaScript isPervasive
10
http://stackoverflow.com/tags02-26-14
Other Dynamic Languages Are, Too
2014 Count Tag
599,605 C#
583,322 Java
555,164 JavaScript
532,851 PHP
273,086 Python
268,725 C++
129,483 C
97,154 Ruby
15,044 Haskell
2,175 OCaml
JavaScript isPervasive
11
News
ShoppingBanking 2014
JavaScript isPervasive
12
News
ShoppingBanking
Third-Party Ads
2014
JavaScript isPervasive
13
News
ShoppingBanking
Third-Party Ads
Third-Party Apps
2014
JavaScript isPervasive
14
2014
JavaScript isPervasive
Third-Party
15
No longerjust “scripting”
2014
… an easy-to-use “scripting language”as a companion to Java
16
1. Development Tools2. Reliability / Security3. Performance
But JS is hard to reason about!
Significant Interest For:
17
Static TypesMy Ph.D.
JavaScript, Python, Ruby, PHPShare Common Challenges
New Techniques Apply Broadly,Even to Statically Typed Languages
for Dynamic Languages
18
Describe sets of run-time values
“integers”
“booleans” “objects with foo field”
“non-nullpointers”
“urls that are safe to visit”
Static Types
19
Prevent classes of run-time errors
“integers”
“booleans” “objects with foo field”
“non-nullpointers”
“urls that are safe to visit”
“multiplyint and bool”
“navigating to evil.com”“redirect to evil.com”
“foo fieldnot found”“foo fieldnot found”
“null pointer exception”
“null pointer exception”
Static Types
20
f(x)
“expected args”“actual args”
Type1 Type2
“function call produces no error”✓
21
f(x)
“expected args”“actual args”
Type1 Type2
“function call may produce error”✗
22
For all programs p in
If p has a type T in
Then p does not failwith any error e in
PROGRAMS
TYPES
ERRORS
23
For all programs p in
If p has a type T in
Then p does not failwith any error e in
PROGRAMS
TYPES
ERRORS
GOAL: Reason AboutMore Programs
24
For all programs p in
If p has a type T in
Then p does not failwith any error e in
PROGRAMS
TYPES
ERRORS
GOAL: Reason AboutMore Programs
GOAL: EliminateMore Errors
25
TYPES
26
TYPES
Types + LogicRefinement Types
27
Type1 Type2“expected args”“actual args”
{x|p }
{x|q }
{x|p }
{x|q }
Types + LogicRefinement Types
28
Types
Refinement Types
Nested Refinements [POPL ’12]Key to Encode Dynamic Features
Logic
{x|p } f :: {y|q }
Expressiveness
Usability
Types
VerificationHoare Logics
Model CheckingAbstract Interpretation
Theorem Proving…
+ Logic Dependent JavaScript (DJS)[POPL ’12, OOPSLA ’12]
Why is JavaScript Important?Why is JavaScript Hard?Static Types via LogicSecurity via LogicLooking Ahead
30
OutlineWhy JavaScript? Types via Logic Security via Logic Looking AheadChallenges
TYPES
PROGRAMS
ERRORS
Why is JavaScript Important?Why is JavaScript Hard?Static Types via LogicSecurity via LogicLooking Ahead
31
OutlineWhy JavaScript? Types via Logic Security via Logic Looking AheadChallenges
TYPES
PROGRAMS
ERRORS
Why is JavaScript Hard?
32
OutlineWhy JavaScript? Types via Logic Security via Logic Looking AheadChallenges
Lightweight ReflectionDictionary ObjectsAdditional Challenges
PROGRAMS
33
function negate(x) {
if (typeof x == “number”) {
}
Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic
xQ: What is my “type”?
34
All JavaScript Values
Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic
{x|tag(x) = “number” }
{x|tag(x) = “boolean” }
true false
{x|tag(x) = “object” }
{ } { “f”:17 }
{ “f”:42, “g”:true }...
Q: What is my “type”? x17 42
3.14-1
...
35
function negate(x) {
if (typeof x == “number”) {
}
Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic
xQ: What is my “type”?A: Described by “tag”
36
Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic
function negate(x) {
if (typeof x == “number”) {
return 0 - x;
} else {
return !x;
}
}
“expected args”
values with tag“number” OR “boolean”
Why is JavaScript Hard?
37
OutlineWhy JavaScript? Types via Logic Security via Logic Looking AheadChallenges
Lightweight Reflection
Dictionary ObjectsAdditional Challenges
PROGRAMS
38
Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic
obj.f means obj[“f”]
a.k.a.“maps”“hash tables”“associative arrays”
Objects are “Dictionaries”that mapstring keysto values
39
methodto invoke
methodtable
Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic
function dispatch(table, op, i, j) { }
40
Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic
var integerOps = { “+” : function (n, m) { … } , “-” : function (n, m) { … } };
function dispatch(table, op, i, j) { var fn = table[op]; return fn(i, j); }
dispatch (integerOps, “*”, 17, 42);
“foo fieldnot found”“*” key
not found
41
Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic
function dispatch(table, op, i, j) { var fn = table[op]; return fn(i, j); }
“expected args”
table object with an op key that stores a function on numbers
Dependencybetween types
of arguments
Why is JavaScript Hard?
42
OutlineWhy JavaScript? Types via Logic Security via Logic Looking AheadChallenges
Lightweight ReflectionDictionary ObjectsAdditional Challenges
PROGRAMS
Why is JavaScript Hard?
43
OutlineWhy JavaScript? Types via Logic Security via Logic Looking AheadChallenges
Lightweight ReflectionDictionary Objects Extensible ObjectsPrototype InheritanceJavaScript Peculiarities
PROGRAMS
Unsupported in Prior Work
Why is JavaScript Hard?
44
OutlineWhy JavaScript? Types via Logic Security via Logic Looking AheadChallenges
Lightweight ReflectionDictionary Objects Extensible ObjectsPrototype InheritanceJavaScript Peculiarities
PROGRAMS
Why is JavaScript Important?Why is JavaScript Hard?Static Types via LogicSecurity via LogicLooking Ahead
45
OutlineWhy JavaScript? Types via Logic Security via Logic Looking AheadChallengesChallenges Types via Logic
PROGRAMS
TYPES
ERRORS
46
All JavaScript Values{x|tag(x) = “number” }
true false
{ } { “f”:17 }
{ “f”:42, “g”:true }...
17 42
3.14-1
...
Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic
47
All JavaScript Values{x|tag(x) = “number” }
17 42
3.14-1
...
Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic
{x|tag(x) = “boolean” }
{x|tag(x) = “object” }
true false
{ } { “f”:17 }
{ “f”:42, “g”:true }...
48
All JavaScript Values
Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic
{ } { “f”:17 }
{ “f”:42, “g”:true }...
true false
{x|integer(x) }
{x|x > 0 }
17 42
3.14-1
...
49
All JavaScript Values
Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic
“set of values x s.t. formula p is true”
{x|p }Refinement Types
50
f(x)
“expected args”“actual args”
Type1 Type2
Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic
51
f(x)
“expected args”“actual args”
Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic
{x|p }
{x|q }
{x|p }
{x|q }
52
Subtyping is ImplicationSource of Expressive Power
Type1 Type2
Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic
{x|p }
{x|q }
{x|p }
{x|q }
Static Types via Logic
53
OutlineWhy JavaScript? Security via Logic Looking AheadChallenges Types via Logic
Lightweight ReflectionDictionary ObjectsKey Technical InnovationsEvaluation
TYPES
54
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
function negate(x) {
if (typeof x == “number”) {
return 0 - x;
} else {
return !x;
} }
Type Annotation in Comments
//: negate :: (x:NumOrBool) NumOrBool
{v|tag(v) = “number” ∨ tag(v) = “boolean” }
NumOrBool
Syntactic Sugarfor Common Types
55
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
function negate(x) {
if (typeof x == “number”) {
return 0 - x;
} else {
return !x;
} }
//: negate :: (x:NumOrBool) NumOrBool
{x|tag(x) = “number” }
“expected args”
{x|tag(x) = “number” }
{x|tag(x) = “number” }
{x|tag(x) = “number” }✓
56
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
function negate(x) {
if (typeof x == “number”) {
return 0 - x;
} else {
return !x;
} }
//: negate :: (x:NumOrBool) NumOrBool
“expected args”
{x|tag(x) = “boolean” }
✓{x|not(tag(x) = “number”)
{x| ∧ (tag(x) = “number” ∨
{x| tag(x) = “boolean”) }
57
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
function negate(x) {
if (typeof x == “number”) {
return 0 - x;
} else {
return !x;
} }
//: negate :: (x:NumOrBool) NumOrBool
Logic EnablesPath-SensitiveReasoning on
Branches
✓
58
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
function negate(x) {
if (typeof x == “number”) {
return 0 - x;
} else {
return !x;
} }
Logic Enables Types to Depend on Values
//: negate :: (x:NumOrBool) { y|tag(y) = tag(x) }
✓
Static Types via Logic
59
OutlineWhy JavaScript? Security via Logic Looking AheadChallenges
Lightweight ReflectionDictionary ObjectsKey Technical InnovationsEvaluation
Types via Logic
TYPES
60
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
All JavaScript Values
{x|tag(x) = “object” }
...
{ }
{ “f”:true }
{ “f”:17 }
{ “f”:42, “g”:null }
61
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
All JavaScript Values
{x|tag(x) = “object” has(x,“f”) }
...
{ }
{ “f”:true }
{ “f”:17 }
{ “f”:42, “g”:null }
62
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
All JavaScript Values
{x|tag(x) = “object” {x|has(x,“f”) {x|tag(sel(x,“f”)) = “number” }
...
{ }
{ “f”:true }
{ “f”:17 }
{ “f”:42, “g”:null }
63
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
//: dispatch ::
//: ({ table | tag(table) = “object” },
//: { op | tag(op) = “string”
//: { op | ∧ has(table,op)
//: { op | ∧ sel(table,op) :: (Num,Num) Num },
//: { i | tag(i) = “number” },
//: { j | tag(j) = “number” })
//: Num
function dispatch(table, op, i, j) { var fn = table[op]; return fn(i, j); }
64
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
//: dispatch ::
//: (table : { sel(table,op) :: (Num,Num) Num },
//: op : Str,
//: i : Num,
//: j : Num)
//:
//:
//: Num
function dispatch(table, op, i, j) { var fn = table[op]; return fn(i, j); }
65
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
var integerOps = { “+” : …, “-” : … };
dispatch (integerOps, “*”, 17, 42);
{op|op = “*” }
“actual args”{op|has(integerOps,op) }
Type Checking Prevents Run-Time Error
{op|op = “*” }
{op|has(integerOps,op) }✗
Static Types via Logic
66
OutlineWhy JavaScript? Security via Logic Looking AheadChallenges
Lightweight ReflectionDictionary ObjectsKey Technical InnovationsEvaluation
Types via Logic
67
PriorRefinement
Types
✓✗
lightweight reflection
dictionary objects
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
extensible objects
prototype inheritance
JavaScript peculiarities
✗✗✗
Dependent JavaScript
(DJS)[POPL ’12, OOPSLA ’12]
✓✓✓✓✓
Key Challenge:Function Subtyping
as Logical Implication68
PriorRefinement
Types
✗dictionary objects
Dependent JavaScript
(DJS)[POPL ’12, OOPSLA ’12]
✓
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
69
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
42 + negate (17)
{f|f :: }(x:Num) Num “expected function”
{f|f :: } (x:NumOrBool) { y|tag(y) = tag(x) }
{f|f :: }
70
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
(x:NumOrBool) { y|tag(y) = tag(x) }
{f|f :: }(x:Num) Num
How to Prove
?How to Encode Type System Inside Logic?
Prior Refinement SystemsDisallow Function Types Inside Logic!
71
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
T ::= {x|p }
| T1 T2
Types Refinement Logic
Satisfiability Modulo Theories (SMT)
SAT + Decidable Theories
p q✓✗
SMT Solver(e.g. Z3)
[Prior State-of-the-Art]
72
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
T ::= {x|p }
| T1 T2
p ::= p ∧ q | p ∨ q | p
| x = y | x > y | …
| tag(x) = “number” | …
| sel(x,k) = 17 | …
Types Refinement Logic
• Boolean Connectives• Equality• Linear Arithmetic• Uninterpreted Functions• McCarthy Arrays
73
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
T ::= {x|p }
| T1 T2
p ::= p ∧ q | p ∨ q | p
| x = y | x > y | …
| tag(x) = “number” | …
| sel(x,k) = 17 | …
Types Refinement Logic
{v|tag(v) = “number” ∨ tag(v) = “boolean” }NumOrBool
Enables Union Types and Lightweight Reflection
74
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
T ::= {x|p }
| T1 T2
p ::= p ∧ q | p ∨ q | p
| x = y | x > y | …
| tag(x) = “number” | …
| sel(x,k) = 17 | …
Types Refinement Logic
Enables Dictionary Types with Dynamic Keys …{d|tag(sel(d,k)) = “boolean” ∧
{d|tag(sel(d,“f”)) = “function” ∧
{d|sel(d,“f”) ??? }
But DisallowsFunctions inDictionaries!
75
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
p ::= p ∧ q | p ∨ q | p
| x = y | x > y | …
| tag(x) = “number” | …
| sel(x,k) = 17 | …
| sel(x,k) :: T1 T2 | …
Types Refinement Logic
Goal: Refer to Type System Inside LogicGoal: Without Giving up Decidability
T ::= {x|p }
| T1 T2
Solution: Nested Refinements!
76
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
T ::= {x|p } p ::= p ∧ q | p ∨ q | p
| x = y | x > y | …
| tag(x) = “number” | …
| sel(x,k) = 17 | …
| sel(x,k) :: T1 T2 | …
Nested Refinements [POPL ’12]1. Decidable Encoding2. Precise Subtyping3. Type Soundness Proof
Types Refinement Logic
77
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
{f|f :: } (x:NumOrBool) { y|tag(y) = tag(x) }
{f|f :: }(x:Num) Num
Decidable Encoding
Uninterpreted Predicate in Logic
Distinct UninterpretedConstants in Logic…
{f|f :: }
78
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
(x:NumOrBool) { y|tag(y) = tag(x) }
{f|f :: }(x:Num) Num
Decidable Encoding
Uninterpreted Predicate in Logic
w/ Types Nested Inside
Distinct UninterpretedConstants in Logic…
79
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
Decidable Encoding
{f|f :: } (x:NumOrBool) { y|tag(y) = tag(x) }
{f|f :: }(x:Num) Num
✗SMTSolver
Trivially Decidable, but Imprecise
80
p f :: (x:S1) S2
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
{f|f :: }(x:T1) T2
{f|p }
Precise Subtyping
Step 1:
Step 2:
Find such that(x:S1) S2
SMTSolver✓
T1 S1 ✓✓S2 T2x:T1
Compare and(x:S1) S2 (x:T1) T2
✓
“contra-variance”
“co-variance”
81
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
{f|f :: }(x:Num) Num{f|f = negate }
Precise Subtyping
Step 1:
Step 2:
f = negate
f :: (x:NumOrBool) { y|tag(y) = tag(x) }SMTSolver✓
82
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
{f|f :: }(x:Num) Num{f|f = negate }
Precise Subtyping
Step 1:
Step 2:
f = negate
f :: (x:NumOrBool) { y|tag(y) = tag(x) }
Num
NumOrBool ✓✓{y|tag(y) = tag(x) } Nu
mx:Num
✓SMT
Solver✓
83
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
Precise Subtyping
Step 1:
Step 2:
Decidable Reasoningvia SMT
Precise Function Subtypingvia Syntactic Techniques
+
{f|f :: }{f|f = negate } ✓(x:Num) Num
84
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
Type Soundness Proof
Logic 0
Conventional ProofsRequire Logic to be an Oracle …
… but Nesting Introduces CircularityThat Prevents Typical Inductive Proofs
Type System 0
85
Type System ∞
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
Type Soundness Proof
Logic 0
Logic 1
Logic 2
Type System 1
Type System 2
Type System 0
… …
Proof Technique:Stratify into Infinite Hierarchy
86
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
T ::= {x|p } p ::= p ∧ q | p ∨ q | p
| x = y | x > y | …
| tag(x) = “number” | …
| sel(x,k) = 17 | …
| sel(x,k) :: T1 T2 | …
Nested Refinements [POPL ’12]
Types Refinement Logic
Key to Encode Dictionary Objects(Even in Statically Typed Languages!)
87
lightweight reflection
dictionary objects
extensible objects
prototype inheritance
JavaScript peculiarities
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
Dependent JavaScript
(DJS)[POPL ’12, OOPSLA ’12]
✓✓✓✓✓
PriorRefinement
Types
✓✗✗✗✗
path-sensitivity
nested refinements
flow-sensitivity
logical encoding
logical encoding
JavaScript
JavaScript, Python, Ruby
88
lightweight reflection
dictionary objects
extensible objects
prototype inheritance
JavaScript peculiarities
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
Dependent JavaScript
(DJS)[POPL ’12, OOPSLA ’12]
✓✓✓✓✓
path-sensitivity
nested refinements
flow-sensitivity
logical encoding
logical encoding
Statically Typed Languages(Java, C++, OCaml, Haskell, …)
89
lightweight reflection
dictionary objects
extensible objects
prototype inheritance
JavaScript peculiarities
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
Dependent JavaScript
(DJS)[POPL ’12, OOPSLA ’12]
✓✓✓✓✓
path-sensitivity
nested refinements
flow-sensitivity
logical encoding
logical encoding✗
Statically Typed Languages(Java, C++, OCaml, Haskell, …)
90
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
Dependent JavaScript
(DJS)[POPL ’12, OOPSLA ’12]
✓✓✓
path-sensitivity
nested refinements
flow-sensitivity
General Techniques Can BeUsed to Eliminate More
ERRORS
Static Types via Logic
91
OutlineWhy JavaScript? Security via Logic Looking AheadChallenges
Lightweight ReflectionDictionary ObjectsKey Technical InnovationsEvaluation
Types via Logic
TYPES
92
306a
408(+33%)
LOCbefore/after
13 Excerpts from: JavaScript, Good Parts SunSpider Benchmark Suite Google Closure Library
Benchmarks
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
Chosen to Stretch Expressiveness Limits of DJS
93
306a
408(+33%)
LOCbefore/after
13 Excerpts from: JavaScript, Good Parts SunSpider Benchmark Suite Google Closure Library
Benchmarks
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
9 Browser Extensions from: [Guha et al. Oakland ’11]
321a
383(+19%)
1,003a
1,027(+2%)
2 Examples from: Google Gadgets
1,630
1,818(+12%)
TOTALS
94
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
1,630
1,818(+12%)
TOTALS
Relatively Simple Syntactic Sugar andType Inference Have Helped Significantly
Opportunities for Improved Type Inference:• Iterative Predicate Abstraction• Bootstrap by Running Test Cases [STOP ’11]• Translating Programs from TypeScript
1,818(+12%)
Type Annotations
95
LOCbefore/after
13 Excerpts from: JavaScript, Good Parts SunSpider Benchmark Suite Google Closure Library
306a
408(+33%)
Benchmarks
9 Browser Extensions from: [Guha et al. Oakland ’11]
321a
383(+19%)
2 Examples from: Google Gadgets
1,003a
1,027(+2%)
1,630
1,818(+12%)
10 sec
Running Time
3 sec
19 sec
32 sec
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
TOTALS
96
1,818(+12%)
32 sec
Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges
1,630
TOTALS
32 sec
Relatively Simple Optimizations So Far:• Avoid SMT Solver When Possible• Reduce Precision for Common Patterns• Rely on Nested Refinements When Needed
Performance
Static Types via Logic
97
OutlineWhy JavaScript? Security via Logic Looking AheadChallenges
Lightweight ReflectionDictionary ObjectsKey Technical InnovationsEvaluation
Types via Logic
TYPES
Types via Logic
Why is JavaScript Important?Why is JavaScript Hard?Static Types via LogicSecurity via LogicLooking Ahead
98
OutlineWhy JavaScript? Security via Logic Looking AheadChallenges Types via Logic Security via Logic
TYPES
ERRORS
PROGRAMS
99
OutlineWhy JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Security via Logic Browser Extensions
Types for Fine-Grained Policies
ERRORS
100
… New Yorker article, “The Itch,” …
101
102
“?printable=true”
103
“I want every article in print
mode”
Browser Extensions
Third-Party DevelopersCustomize
Browser
104
Browser Extensions
PRINTNEW YORKER
105
Browser Extensions
for (var elt in doc.getEltsByTagName(“a”)) {
var url = elt.getAttr(“href”);
if (url.match(/^newyorker.com/)) {
elt.setAttr(“href”, url + “?printable=true”);
} }
106
Browser Extensions
PRINTNEW YORKER
Document (DOM)
host-site.com
107
?printable=true
newyorker.com
Browser Extensions
PRINTNEW YORKER
Document (DOM)
host-site.com
108
?printable=true
newyorker.comevil.com EVIL
PasswordsBank Accts
History
Network Manager
OtherSensitive
APIs
JavaScriptEngine
BUGGY
109
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Policy Expressiveness
Access All Resources
110
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Access Some Resources
cannot access DOM cannot access History
Policy Expressiveness
111
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Policy Expressiveness
coarse-grainedand uninformative!
cannot access DOM cannot access History
112
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Policy Expressiveness
coarse-grainedand uninformative!
similar situation forother app platforms
113
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Policy Expressiveness
Fine-Grained PoliciesGOAL
114
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
can write “a” elementsbut only “href” attribute
when original “href” valuestarts with “newyorker.com”and is prefix of new value
Fine-Grained PoliciesGOAL
115
Language-Based SecurityIf Language Could Enforce SomeSecurity-Related Policies …
Then Reduce Dependence On:• Testing• Code Reviews• Dynamic Checking
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
116
For all programs p in
If p has a type T in
Then p does not failwith any error e in
PROGRAMS
TYPES
ERRORS
117
For all programs p in
If p has a type T in
Then p does not failwith any error e in
PROGRAMS
TYPES
ERRORSGOAL: Eliminate SomeSecurity-Related Errors
118
PROGRAMS
TYPES
ERRORSGOAL: Eliminate SomeSecurity-Related Errors
But How?
119
Subtyping is ImplicationSource of Expressive Power
Type1 Type2{x|p }
{x|q }
{x|p }
{x|q }
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
120
OutlineWhy JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Security via Logic Browser Extensions
Types for Fine-Grained Policies
ERRORS
121
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Static Verification (DJS)
Security Expert
User
reviews only policy
reads informative policy
Developerwrites policy in logic!
122
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Network Manager
request, …
JS Engine
eval, …
DOM
getAttr, setAttr, …
request ::
url:Str
Str
123
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Network Manager
request, …
JS Engine
eval, …
DOM
getAttr, setAttr, …
request ::
{url:Str|WhiteListed(url)}
Str
124
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Network Manager
request, …
JS Engine
eval, …
DOM
getAttr, setAttr, …
eval ::
s:Str
Void
125
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Network Manager
request, …
JS Engine
eval, …
DOM
getAttr, setAttr, …
eval ::
{s:Str|not(Tainted(s))}
Void
126
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Network Manager
request, …
JS Engine
eval, …
DOM
getAttr, setAttr, …
getAttr ::
elt:Element
attr:Str
Str
127
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Network Manager
request, …
JS Engine
eval, …
DOM
getAttr, setAttr, …
getAttr ::
elt:Element
{attr:Str|CanRead(elt,attr)}
Str
128
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Network Manager
request, …
JS Engine
eval, …
DOM
getAttr, setAttr, …
setAttr ::
elt:Element
attr:Str
y:Str
Void
129
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Network Manager
request, …
JS Engine
eval, …
DOM
getAttr, setAttr, …
setAttr ::
elt:Element
attr:Str
{y:Str|CanWrite(elt,attr,y)}
Void
130
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Network Manager
request, …
JS Engine
eval, …
DOM
getAttr, setAttr, …
Refined APIs Mediate Access
Typecheck Extension with Policy
131
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
forall url.
not (url = “evil.com”)
WhiteListed (url)
var s = request(“evil.com”);
✗finite blacklist
132
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
//: url:Str
var s = request(url);
✗might beblacklisted!
forall url.
not (url = “evil.com”)
WhiteListed (url)
forall url.
not (url = “evil.com”)
WhiteListed (url)
133
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
if (url != “evil.com”) {
var s = request(url);
}
✓
134
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
if (url != “evil.com”) {
var s = request(url);
eval(s);
}
s:Str might be tainted!
✗
forall url.
not (url = “evil.com”)
WhiteListed (url)
135
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
if (url != “evil.com”) {
var s = request(url);
s = sanitize(s);
eval(s);
} ✓STATICALLY VERIFIED!
s:Str
{s:Str|not(Tainted(s))}
forall url.
not (url = “evil.com”)
WhiteListed (url)
136
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
WhiteListed (“ny.com”)
WhiteListed (“golf.com”)
forall url.
WhiteListed (url)
not (Tainted (request (url)))
trust thatwhitelisted servers
return untainted strings
137
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
var s = request(“ny.com”);
eval(s);✓ no need to sanitize
WhiteListed (“ny.com”)
WhiteListed (“golf.com”)
forall url.
WhiteListed (url)
not (Tainted (request (url)))
STATICALLY VERIFIED!
138
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
forall e, oldUrl, newUrl.
ValueOf (e, “href”, oldUrl) ∧
StrPrefix (“newyorker.com”, oldUrl) ∧
StrPrefix (oldUrl, newUrl)
CanWrite (e, “href”, newUrl)
for (var elt in doc.getEltsByTagName(“a”)) {
var url = elt.getAttr(“href”);
if (url.match(/^newyorker.com/)) {
elt.setAttr(“href”, url + “?printable=true”);
} }
139
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
ValueOf (elt, “href”, url) ∧
StrPrefix (“newyorker.com”, url) ∧
StrPrefix (url, url + “?printable=true”)
CanWrite (e, “href”, url+“?printable=true”)
for (var elt in doc.getEltsByTagName(“a”)) {
var url = elt.getAttr(“href”);
if (url.match(/^newyorker.com/)) {
elt.setAttr(“href”, url + “?printable=true”);
} }
✓
140
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
ValueOf (elt, “href”, url) ∧
StrPrefix (“newyorker.com”, url) ∧
StrPrefix (url, url + “?printable=true”)
CanWrite (e, “href”, url+“?printable=true”)
for (var elt in doc.getEltsByTagName(“a”)) {
var url = elt.getAttr(“href”);
if (url.match(/^newyorker.com/)) {
elt.setAttr(“href”, url + “?printable=true”);
} }
✓✓
141
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
ValueOf (elt, “href”, url) ∧
StrPrefix (“newyorker.com”, url) ∧
StrPrefix (url, url + “?printable=true”)
CanWrite (e, “href”, url+“?printable=true”)
for (var elt in doc.getEltsByTagName(“a”)) {
var url = elt.getAttr(“href”);
if (url.match(/^newyorker.com/)) {
elt.setAttr(“href”, url + “?printable=true”);
} }
✓✓✓
142
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
ValueOf (elt, “href”, url) ∧
StrPrefix (“newyorker.com”, url) ∧
StrPrefix (url, url + “?printable=true”)
CanWrite (e, “href”, url+“?printable=true”)
for (var elt in doc.getEltsByTagName(“a”)) {
var url = elt.getAttr(“href”);
if (url.match(/^newyorker.com/)) {
elt.setAttr(“href”, url + “?printable=true”);
} }
✓✓✓
✓STATICALLY VERIFIED!
143
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
ValueOf (elt, “href”, url) ∧
StrPrefix (“newyorker.com”, url) ∧
StrPrefix (url, url + “?printable=true”)
CanWrite (e, “href”, url+“?printable=true”)
for (var elt in doc.getEltsByTagName(“a”)) {
var url = elt.getAttr(“href”);
if (url.match(/^newyorker.com/)) {
elt.setAttr(“href”, “evil.com”);
} }
144
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
ValueOf (elt, “href”, url) ∧
StrPrefix (“newyorker.com”, url) ∧
StrPrefix (url, “evil.com”)
CanWrite (e, “href”, “evil.com”)
for (var elt in doc.getEltsByTagName(“a”)) {
var url = elt.getAttr(“href”);
if (url.match(/^newyorker.com/)) {
elt.setAttr(“href”, “evil.com”);
} }
145
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
ValueOf (elt, “href”, url) ∧
StrPrefix (“newyorker.com”, url) ∧
StrPrefix (url, “evil.com”)
CanWrite (e, “href”, “evil.com”)
for (var elt in doc.getEltsByTagName(“a”)) {
var url = elt.getAttr(“href”);
if (url.match(/^newyorker.com/)) {
elt.setAttr(“href”, “evil.com”);
} }
✓✓✗
✗
146
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Types for Security+ JavaScript Verification
= Fine-Grained Web Security
[ESOP ’10, Guha et al. ’11]
[POPL ’12, OOPSLA ’12]
[current]
Secure Extensions Written in OCaml
Preliminary Benchmarks
147
Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Guha et al. ’11]
Secure Extensions Written in OCamlPreliminary Benchmarks
Ported to DJS (~400 LOC so far)
Well-typed programsdon’t have run-time errorsand conform to security policies
148
OutlineWhy JavaScript? Security via LogicTypes via Logic Looking AheadChallenges
Security via Logic
Browser ExtensionsTypes for Fine-Grained Policies
ERRORS
Why is JavaScript Important?Why is JavaScript Hard?Static Types via LogicSecurity via LogicLooking Ahead
149
OutlineWhy JavaScript? Types via Logic Security via Logic Looking AheadChallenges Security via Logic Looking Ahead
TYPES
ERRORS
PROGRAMS
150
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
Dependent JavaScript
Untrusted
Code
ScriptingLanguages
Web Platform
>>>
151
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
Dependent JavaScript
Untrusted
Code
ScriptingLanguages
PolicySpecification
Web Platform
>>>
152
Static Verification (DJS)
Security Expert
User
Developer must write policy
must read policy
and
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
153
Developer must write policy
• Infer from traces• Incentives from platform
must read policyUser
• Traces to demonstrate behavior• Community review-and-recommend services
must read policySecurity Expert
• Modeling tools to analyze policies
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
154
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
Dependent JavaScript
Untrusted
Code
ScriptingLanguages
PolicySpecification
DynamicEnforcement
Web Platform
>>>
155
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
Static Verification (DJS)
Security Expert
User
Developer
156
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
…
eval(“…”);
…Dynamic
Code Loading
Impossible to statically analyzecode you don’t have!
157
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
Static Verification (DJS)
Security Expert
User
Developer
DynamicEnforcement
158
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
DynamicEnforcement
…
eval(“…”);
//: #assume
…
New Types
Old Types
New Types
159
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
Limits of Static Reasoning
“expected”“actual”
p q✓ Definitely Safe
Maybe Unsafe✗p q(But Maybe Safe…)
160
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
Limits of Static Reasoning
p q Definitely Safe
Maybe Unsafe✗p qDefinitely Unsafep q✓
“expected”“actual”
✓
161
Dynamic Enforcement
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
Limits of Static Reasoning• Accept Program, Rather than Reject
• Rely on Programmer-Trusted or• Dynamically-Checked Assumption
✗ Maybe Unsafep q
162
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
Dependent JavaScript
Untrusted
Code
ScriptingLanguages
PolicySpecification
DynamicEnforcement
Trust Base
Web Platform
>>>
163
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
Static Verification (DJS)
Security Expert
User
reviews only policy
Developer
DynamicEnforcement
164
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
Static Verification (DJS)
Security Expertreviews only policy
trust
trust SMTSolver
Eliminate from TCB à laProof-Carrying Code [PLDI ’10]
Eliminate from TCB via Formal Verification
165
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
Static Verification (DJS)
Security Expert
trust
SMTSolver
trust
166
PolicySpecification
DynamicEnforcement
Trust Base
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
Dependent JavaScript
Untrusted
Code
ScriptingLanguages
Web Platform
ToolSupport
>>>
167
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
• Generate Tests and Find Bugsfor Unannotated Programs
• Support Refactoring and Code Completionfor Annotated Programs
• Provide Analysis and Documentation Toolsfor Large, Popular Libraries like jQuery
• Web-Based Interfaces to Collect Statisticsabout Programming Patterns, Errors
Tools for Web Development
168
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
Inferred Annotationsare in Comments
Flow-SensitiveType Information
by Hoveringover Program Point
169
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
Inferred Annotationsare in Comments
Flow-SensitiveType Information
by Hoveringover Program Point
Many Software Engineering Challenges!
172
Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead
Dependent JavaScript
Untrusted
Code
ScriptingLanguages
ToolSupport
PolicySpecification
DynamicEnforcement
Trust Base
Web PlatformTypes
+ Logic
173
[STOP ’11][POPL ’12]
[OOPSLA ’12][ML ’13]
[ESOP ’10]
[PLDI ’10][PLDI ’09]
Program Analysisfor Security
Dataflow Analysis for Race Detection
[PLDI ’08]
PL TechniquesTypes
+ Logic
174
Dynamic Languages are Pervasive
DJS: Precise Static Types via Logic
Towards Fine-Grained Web Security
ravichugh.com
Thanks!
175