modern type systems for dynamic languages ravi chugh

ModernType Systems for

Dynamic Languages

Ravi Chugh

2

Web Platform

ScriptingLanguages

Untrusted

Code

3

Web Platform

Goal: Rigorous Foundations

Untrusted

Code

ScriptingLanguages

Types

+ Logic

4

1995

<html>

</html>

Username

Login

Password

Web Page = Static HTMLWeb Page + LinksWeb Page + Client-Side Code

<script type=“javascript”>

loginButton.onclick = function () {

if (passwordBox.value == “”) {

alert(“Enter password!”);

} else {

...

} }

</script>

5

1995

… an easy-to-use “scripting language”as a companion to Java

No Static Types

“Dynamic” Features Make itEasy to Experiment…

Brendan Eich,JavaScript creator

http://brendaneich.com/2008/04/popularity/

http://brendaneich.com/2008/04/popularity/

2014Asked whether Gmail would ever open up an API for developers to code add-ons and plug-ins with more official support and stability, Kowitz suggested it was unlikely. Gmail is based on “hundreds of thousands” of lines of JavaScript, Kowitz said, and it's a code base that “changes so quickly.” That said, Jackson said the Gmail team "loves" to see third-party functionality being developed, and the team tries to make developers aware of changes they know will affect those products. Article on LifeHacker

http://lifehacker.com/5493475/what-the-gmail-team-is-working-on

2014Asked whether Gmail would ever open up an API for developers to code add-ons and plug-ins with more official support and stability, Kowitz suggested it was unlikely. Gmail is based on “hundreds of thousands” of lines of JavaScript, Kowitz said, and it's a code base that “changes so quickly.” That said, Jackson said the Gmail team "loves" to see third-party functionality being developed, and the team tries to make developers aware of changes they know will affect those products. Article on LifeHacker

“Scripting”?!?

http://lifehacker.com/5493475/what-the-gmail-team-is-working-on

9

http://stackoverflow.com/tags02-26-14

Count Tag599,605 C#583,322 Java555,164 JavaScript532,851 PHP273,086 Python268,725 C++129,483 C

97,154 Ruby15,044 Haskell

2,175 OCaml

2014

JavaScript isPervasive

http://stackoverflow.com/tags

10

http://stackoverflow.com/tags02-26-14

Other Dynamic Languages Are, Too

2014 Count Tag

599,605 C#

583,322 Java

555,164 JavaScript

532,851 PHP

273,086 Python

268,725 C++

129,483 C

97,154 Ruby

15,044 Haskell

2,175 OCaml


http://stackoverflow.com/tags

11

News

ShoppingBanking 2014


12

News

ShoppingBanking

Third-Party Ads

2014


13

News

ShoppingBanking

Third-Party Ads

Third-Party Apps

2014


14

2014


Third-Party

15

No longerjust “scripting”

2014

… an easy-to-use “scripting language”as a companion to Java

16

1. Development Tools2. Reliability / Security3. Performance

But JS is hard to reason about!

Significant Interest For:

17

Static TypesMy Ph.D.

JavaScript, Python, Ruby, PHPShare Common Challenges

New Techniques Apply Broadly,Even to Statically Typed Languages

for Dynamic Languages

18

Describe sets of run-time values

“integers”

“booleans” “objects with foo field”

“non-nullpointers”

“urls that are safe to visit”

Static Types

19

Prevent classes of run-time errors

“integers”

“booleans” “objects with foo field”

“non-nullpointers”

“urls that are safe to visit”

“multiplyint and bool”

“navigating to evil.com”“redirect to evil.com”

“foo fieldnot found”“foo fieldnot found”

“null pointer exception”

“null pointer exception”

Static Types

20

f(x)

“expected args”“actual args”

Type1 Type2

“function call produces no error”✓

21

f(x)


Type1 Type2

“function call may produce error”✗

22

For all programs p in

If p has a type T in

Then p does not failwith any error e in

PROGRAMS

TYPES

ERRORS

23




PROGRAMS

TYPES

ERRORS

GOAL: Reason AboutMore Programs

24




PROGRAMS

TYPES

ERRORS

GOAL: Reason AboutMore Programs

GOAL: EliminateMore Errors

25

TYPES

26

TYPES

Types + LogicRefinement Types

27

Type1 Type2“expected args”“actual args”

{x|p }

{x|q }

{x|p }

{x|q }

Types + LogicRefinement Types

28

Types

Refinement Types

Nested Refinements [POPL ’12]Key to Encode Dynamic Features

Logic

{x|p } f :: {y|q }

Expressiveness

Usability

Types

VerificationHoare Logics

Model CheckingAbstract Interpretation

Theorem Proving…

+ Logic Dependent JavaScript (DJS)[POPL ’12, OOPSLA ’12]

Why is JavaScript Important?Why is JavaScript Hard?Static Types via LogicSecurity via LogicLooking Ahead

30

OutlineWhy JavaScript? Types via Logic Security via Logic Looking AheadChallenges

TYPES

PROGRAMS

ERRORS


31


TYPES

PROGRAMS

ERRORS

Why is JavaScript Hard?

32


Lightweight ReflectionDictionary ObjectsAdditional Challenges

PROGRAMS

33

function negate(x) {

if (typeof x == “number”) {

}

Why JavaScript? Security via Logic Looking AheadChallenges Types via Logic

xQ: What is my “type”?

34

All JavaScript Values


{x|tag(x) = “number” }

{x|tag(x) = “boolean” }

true false

{x|tag(x) = “object” }

{ } { “f”:17 }

{ “f”:42, “g”:true }...

Q: What is my “type”? x17 42

3.14-1

...

35



}


xQ: What is my “type”?A: Described by “tag”

36




return 0 - x;

} else {

return !x;

}

}

“expected args”

values with tag“number” OR “boolean”


37


Lightweight Reflection

Dictionary ObjectsAdditional Challenges

PROGRAMS

38


obj.f means obj[“f”]

a.k.a.“maps”“hash tables”“associative arrays”

Objects are “Dictionaries”that mapstring keysto values

39

methodto invoke

methodtable


function dispatch(table, op, i, j) { }

40


var integerOps = { “+” : function (n, m) { … } , “-” : function (n, m) { … } };

function dispatch(table, op, i, j) { var fn = table[op]; return fn(i, j); }

dispatch (integerOps, “*”, 17, 42);

“foo fieldnot found”“*” key

not found

41



“expected args”

table object with an op key that stores a function on numbers

Dependencybetween types

of arguments


42


Lightweight ReflectionDictionary ObjectsAdditional Challenges

PROGRAMS


43


Lightweight ReflectionDictionary Objects Extensible ObjectsPrototype InheritanceJavaScript Peculiarities

PROGRAMS

Unsupported in Prior Work


44


Lightweight ReflectionDictionary Objects Extensible ObjectsPrototype InheritanceJavaScript Peculiarities

PROGRAMS


45

OutlineWhy JavaScript? Types via Logic Security via Logic Looking AheadChallengesChallenges Types via Logic

PROGRAMS

TYPES

ERRORS

46

All JavaScript Values{x|tag(x) = “number” }

true false

{ } { “f”:17 }

{ “f”:42, “g”:true }...

17 42

3.14-1

...


47

All JavaScript Values{x|tag(x) = “number” }

17 42

3.14-1

...




true false

{ } { “f”:17 }

{ “f”:42, “g”:true }...

48



{ } { “f”:17 }

{ “f”:42, “g”:true }...

true false

{x|integer(x) }

{x|x > 0 }

17 42

3.14-1

...

49



“set of values x s.t. formula p is true”

{x|p }Refinement Types

50

f(x)


Type1 Type2


51

f(x)



{x|p }

{x|q }

{x|p }

{x|q }

52

Subtyping is ImplicationSource of Expressive Power

Type1 Type2


{x|p }

{x|q }

{x|p }

{x|q }

Static Types via Logic

53

OutlineWhy JavaScript? Security via Logic Looking AheadChallenges Types via Logic

Lightweight ReflectionDictionary ObjectsKey Technical InnovationsEvaluation

TYPES

54

Why JavaScript? Types via Logic Security via Logic Looking AheadChallenges



return 0 - x;

} else {

return !x;

} }

Type Annotation in Comments

//: negate :: (x:NumOrBool) NumOrBool

{v|tag(v) = “number” ∨ tag(v) = “boolean” }

NumOrBool

Syntactic Sugarfor Common Types

55




return 0 - x;

} else {

return !x;

} }



“expected args”



{x|tag(x) = “number” }✓

56




return 0 - x;

} else {

return !x;

} }


“expected args”


✓{x|not(tag(x) = “number”)

{x| ∧ (tag(x) = “number” ∨

{x| tag(x) = “boolean”) }

57




return 0 - x;

} else {

return !x;

} }


Logic EnablesPath-SensitiveReasoning on

Branches

✓

58




return 0 - x;

} else {

return !x;

} }

Logic Enables Types to Depend on Values

//: negate :: (x:NumOrBool) { y|tag(y) = tag(x) }

✓


59

OutlineWhy JavaScript? Security via Logic Looking AheadChallenges


Types via Logic

TYPES

60




...

{ }

{ “f”:true }

{ “f”:17 }

{ “f”:42, “g”:null }

61



{x|tag(x) = “object” has(x,“f”) }

...

{ }

{ “f”:true }

{ “f”:17 }

{ “f”:42, “g”:null }

62



{x|tag(x) = “object” {x|has(x,“f”) {x|tag(sel(x,“f”)) = “number” }

...

{ }

{ “f”:true }

{ “f”:17 }

{ “f”:42, “g”:null }

63


//: dispatch ::

//: ({ table | tag(table) = “object” },

//: { op | tag(op) = “string”

//: { op | ∧ has(table,op)

//: { op | ∧ sel(table,op) :: (Num,Num) Num },

//: { i | tag(i) = “number” },

//: { j | tag(j) = “number” })

//: Num


64


//: dispatch ::

//: (table : { sel(table,op) :: (Num,Num) Num },

//: op : Str,

//: i : Num,

//: j : Num)

//:

//:

//: Num


65


var integerOps = { “+” : …, “-” : … };

dispatch (integerOps, “*”, 17, 42);

{op|op = “*” }

“actual args”{op|has(integerOps,op) }

Type Checking Prevents Run-Time Error

{op|op = “*” }

{op|has(integerOps,op) }✗


66



Types via Logic

67

PriorRefinement

Types

✓✗

lightweight reflection

dictionary objects


extensible objects

prototype inheritance

JavaScript peculiarities

✗✗✗

Dependent JavaScript

(DJS)[POPL ’12, OOPSLA ’12]

✓✓✓✓✓

Key Challenge:Function Subtyping

as Logical Implication68

PriorRefinement

Types

✗dictionary objects



✓


69


42 + negate (17)

{f|f :: }(x:Num) Num “expected function”

{f|f :: } (x:NumOrBool) { y|tag(y) = tag(x) }

{f|f :: }

70


(x:NumOrBool) { y|tag(y) = tag(x) }

{f|f :: }(x:Num) Num

How to Prove

?How to Encode Type System Inside Logic?

Prior Refinement SystemsDisallow Function Types Inside Logic!

71


T ::= {x|p }

| T1 T2

Types Refinement Logic

Satisfiability Modulo Theories (SMT)

SAT + Decidable Theories

p q✓✗

SMT Solver(e.g. Z3)

[Prior State-of-the-Art]

72


T ::= {x|p }

| T1 T2

p ::= p ∧ q | p ∨ q | p

| x = y | x > y | …

| tag(x) = “number” | …

| sel(x,k) = 17 | …


• Boolean Connectives• Equality• Linear Arithmetic• Uninterpreted Functions• McCarthy Arrays

73


T ::= {x|p }

| T1 T2

p ::= p ∧ q | p ∨ q | p

| x = y | x > y | …


| sel(x,k) = 17 | …


{v|tag(v) = “number” ∨ tag(v) = “boolean” }NumOrBool

Enables Union Types and Lightweight Reflection

74


T ::= {x|p }

| T1 T2

p ::= p ∧ q | p ∨ q | p

| x = y | x > y | …


| sel(x,k) = 17 | …


Enables Dictionary Types with Dynamic Keys …{d|tag(sel(d,k)) = “boolean” ∧

{d|tag(sel(d,“f”)) = “function” ∧

{d|sel(d,“f”) ??? }

But DisallowsFunctions inDictionaries!

75


p ::= p ∧ q | p ∨ q | p

| x = y | x > y | …


| sel(x,k) = 17 | …

| sel(x,k) :: T1 T2 | …


Goal: Refer to Type System Inside LogicGoal: Without Giving up Decidability

T ::= {x|p }

| T1 T2

Solution: Nested Refinements!

76


T ::= {x|p } p ::= p ∧ q | p ∨ q | p

| x = y | x > y | …


| sel(x,k) = 17 | …

| sel(x,k) :: T1 T2 | …

Nested Refinements [POPL ’12]1. Decidable Encoding2. Precise Subtyping3. Type Soundness Proof


77




Decidable Encoding

Uninterpreted Predicate in Logic

Distinct UninterpretedConstants in Logic…

{f|f :: }

78


(x:NumOrBool) { y|tag(y) = tag(x) }


Decidable Encoding

Uninterpreted Predicate in Logic

w/ Types Nested Inside

Distinct UninterpretedConstants in Logic…

79


Decidable Encoding



✗SMTSolver

Trivially Decidable, but Imprecise

80

p f :: (x:S1) S2


{f|f :: }(x:T1) T2

{f|p }

Precise Subtyping

Step 1:

Step 2:

Find such that(x:S1) S2

SMTSolver✓

T1 S1 ✓✓S2 T2x:T1

Compare and(x:S1) S2 (x:T1) T2

✓

“contra-variance”

“co-variance”

81


{f|f :: }(x:Num) Num{f|f = negate }

Precise Subtyping

Step 1:

Step 2:

f = negate

f :: (x:NumOrBool) { y|tag(y) = tag(x) }SMTSolver✓

82


{f|f :: }(x:Num) Num{f|f = negate }

Precise Subtyping

Step 1:

Step 2:

f = negate

f :: (x:NumOrBool) { y|tag(y) = tag(x) }

Num

NumOrBool ✓✓{y|tag(y) = tag(x) } Nu

mx:Num

✓SMT

Solver✓

83


Precise Subtyping

Step 1:

Step 2:

Decidable Reasoningvia SMT

Precise Function Subtypingvia Syntactic Techniques

+

{f|f :: }{f|f = negate } ✓(x:Num) Num

84


Type Soundness Proof

Logic 0

Conventional ProofsRequire Logic to be an Oracle …

… but Nesting Introduces CircularityThat Prevents Typical Inductive Proofs

Type System 0

85

Type System ∞


Type Soundness Proof

Logic 0

Logic 1

Logic 2

Type System 1

Type System 2

Type System 0

… …

Proof Technique:Stratify into Infinite Hierarchy

86


T ::= {x|p } p ::= p ∧ q | p ∨ q | p

| x = y | x > y | …


| sel(x,k) = 17 | …

| sel(x,k) :: T1 T2 | …

Nested Refinements [POPL ’12]


Key to Encode Dictionary Objects(Even in Statically Typed Languages!)

87


dictionary objects

extensible objects






✓✓✓✓✓

PriorRefinement

Types

✓✗✗✗✗

path-sensitivity

nested refinements

flow-sensitivity

logical encoding

logical encoding

JavaScript

JavaScript, Python, Ruby

88


dictionary objects

extensible objects






✓✓✓✓✓

path-sensitivity

nested refinements

flow-sensitivity

logical encoding

logical encoding

Statically Typed Languages(Java, C++, OCaml, Haskell, …)

89


dictionary objects

extensible objects






✓✓✓✓✓

path-sensitivity

nested refinements

flow-sensitivity

logical encoding

logical encoding✗

Statically Typed Languages(Java, C++, OCaml, Haskell, …)

90




✓✓✓

path-sensitivity

nested refinements

flow-sensitivity

General Techniques Can BeUsed to Eliminate More

ERRORS


91



Types via Logic

TYPES

92

306a

408(+33%)

LOCbefore/after

13 Excerpts from: JavaScript, Good Parts SunSpider Benchmark Suite Google Closure Library

Benchmarks


Chosen to Stretch Expressiveness Limits of DJS

93

306a

408(+33%)

LOCbefore/after


Benchmarks


9 Browser Extensions from: [Guha et al. Oakland ’11]

321a

383(+19%)

1,003a

1,027(+2%)

2 Examples from: Google Gadgets

1,630

1,818(+12%)

TOTALS

94


1,630

1,818(+12%)

TOTALS

Relatively Simple Syntactic Sugar andType Inference Have Helped Significantly

Opportunities for Improved Type Inference:• Iterative Predicate Abstraction• Bootstrap by Running Test Cases [STOP ’11]• Translating Programs from TypeScript

1,818(+12%)

Type Annotations

95

LOCbefore/after


306a

408(+33%)

Benchmarks

9 Browser Extensions from: [Guha et al. Oakland ’11]

321a

383(+19%)

2 Examples from: Google Gadgets

1,003a

1,027(+2%)

1,630

1,818(+12%)

10 sec

Running Time

3 sec

19 sec

32 sec


TOTALS

96

1,818(+12%)

32 sec


1,630

TOTALS

32 sec

Relatively Simple Optimizations So Far:• Avoid SMT Solver When Possible• Reduce Precision for Common Patterns• Rely on Nested Refinements When Needed

Performance


97



Types via Logic

TYPES

Types via Logic


98

OutlineWhy JavaScript? Security via Logic Looking AheadChallenges Types via Logic Security via Logic

TYPES

ERRORS

PROGRAMS

99

OutlineWhy JavaScript? Security via LogicTypes via Logic Looking AheadChallenges

Security via Logic Browser Extensions

Types for Fine-Grained Policies

ERRORS

100

… New Yorker article, “The Itch,” …

102

PRINT

“?printable=true”

103

“I want every article in print

mode”

Browser Extensions

Third-Party DevelopersCustomize

Browser

104

Browser Extensions

PRINTNEW YORKER

105

Browser Extensions

for (var elt in doc.getEltsByTagName(“a”)) {

var url = elt.getAttr(“href”);

if (url.match(/^newyorker.com/)) {

elt.setAttr(“href”, url + “?printable=true”);

} }

106

Browser Extensions

PRINTNEW YORKER

Document (DOM)

host-site.com

107

?printable=true

newyorker.com

Browser Extensions

PRINTNEW YORKER

Document (DOM)

host-site.com

108

?printable=true

newyorker.comevil.com EVIL

PasswordsBank Accts

History

Network Manager

OtherSensitive

APIs

JavaScriptEngine

BUGGY

109

Why JavaScript? Security via LogicTypes via Logic Looking AheadChallenges

Policy Expressiveness

Access All Resources

110


Access Some Resources

cannot access DOM cannot access History


111



coarse-grainedand uninformative!

cannot access DOM cannot access History

112



coarse-grainedand uninformative!

similar situation forother app platforms

113



Fine-Grained PoliciesGOAL

114


can write “a” elementsbut only “href” attribute

when original “href” valuestarts with “newyorker.com”and is prefix of new value

Fine-Grained PoliciesGOAL

115

Language-Based SecurityIf Language Could Enforce SomeSecurity-Related Policies …

Then Reduce Dependence On:• Testing• Code Reviews• Dynamic Checking


116




PROGRAMS

TYPES

ERRORS

117




PROGRAMS

TYPES

ERRORSGOAL: Eliminate SomeSecurity-Related Errors

118

PROGRAMS

TYPES

ERRORSGOAL: Eliminate SomeSecurity-Related Errors

But How?

119

Subtyping is ImplicationSource of Expressive Power

Type1 Type2{x|p }

{x|q }

{x|p }

{x|q }


120


Security via Logic Browser Extensions

Types for Fine-Grained Policies

ERRORS

121


Static Verification (DJS)

Security Expert

User

reviews only policy

reads informative policy

Developerwrites policy in logic!

122


Network Manager

request, …

JS Engine

eval, …

DOM

getAttr, setAttr, …

request ::

url:Str

Str

123


Network Manager

request, …

JS Engine

eval, …

DOM


request ::

{url:Str|WhiteListed(url)}

Str

124


Network Manager

request, …

JS Engine

eval, …

DOM


eval ::

s:Str

Void

125


Network Manager

request, …

JS Engine

eval, …

DOM


eval ::

{s:Str|not(Tainted(s))}

Void

126


Network Manager

request, …

JS Engine

eval, …

DOM


getAttr ::

elt:Element

attr:Str

Str

127


Network Manager

request, …

JS Engine

eval, …

DOM


getAttr ::

elt:Element

{attr:Str|CanRead(elt,attr)}

Str

128


Network Manager

request, …

JS Engine

eval, …

DOM


setAttr ::

elt:Element

attr:Str

y:Str

Void

129


Network Manager

request, …

JS Engine

eval, …

DOM


setAttr ::

elt:Element

attr:Str

{y:Str|CanWrite(elt,attr,y)}

Void

130


Network Manager

request, …

JS Engine

eval, …

DOM


Refined APIs Mediate Access

Typecheck Extension with Policy

131


forall url.

not (url = “evil.com”)

WhiteListed (url)

var s = request(“evil.com”);

✗finite blacklist

132


//: url:Str

var s = request(url);

✗might beblacklisted!

forall url.


WhiteListed (url)

forall url.


WhiteListed (url)

133


if (url != “evil.com”) {


}

✓

134




eval(s);

}

s:Str might be tainted!

✗

forall url.


WhiteListed (url)

135




s = sanitize(s);

eval(s);

} ✓STATICALLY VERIFIED!

s:Str

{s:Str|not(Tainted(s))}

forall url.


WhiteListed (url)

136


WhiteListed (“ny.com”)

WhiteListed (“golf.com”)

forall url.

WhiteListed (url)

not (Tainted (request (url)))

trust thatwhitelisted servers

return untainted strings

137


var s = request(“ny.com”);

eval(s);✓ no need to sanitize

WhiteListed (“ny.com”)

WhiteListed (“golf.com”)

forall url.

WhiteListed (url)

not (Tainted (request (url)))

STATICALLY VERIFIED!

138


forall e, oldUrl, newUrl.

ValueOf (e, “href”, oldUrl) ∧

StrPrefix (“newyorker.com”, oldUrl) ∧

StrPrefix (oldUrl, newUrl)

CanWrite (e, “href”, newUrl)





} }

139


ValueOf (elt, “href”, url) ∧

StrPrefix (“newyorker.com”, url) ∧

StrPrefix (url, url + “?printable=true”)

CanWrite (e, “href”, url+“?printable=true”)





} }

✓

140










} }

✓✓

141










} }

✓✓✓

142










} }

✓✓✓

✓STATICALLY VERIFIED!

143









elt.setAttr(“href”, “evil.com”);

} }

144




StrPrefix (url, “evil.com”)

CanWrite (e, “href”, “evil.com”)





} }

145




StrPrefix (url, “evil.com”)

CanWrite (e, “href”, “evil.com”)





} }

✓✓✗

✗

146


Types for Security+ JavaScript Verification

= Fine-Grained Web Security

[ESOP ’10, Guha et al. ’11]

[POPL ’12, OOPSLA ’12]

[current]

Secure Extensions Written in OCaml

Preliminary Benchmarks

147


Guha et al. ’11]

Secure Extensions Written in OCamlPreliminary Benchmarks

Ported to DJS (~400 LOC so far)

Well-typed programsdon’t have run-time errorsand conform to security policies

148


Security via Logic

Browser ExtensionsTypes for Fine-Grained Policies

ERRORS


149

OutlineWhy JavaScript? Types via Logic Security via Logic Looking AheadChallenges Security via Logic Looking Ahead

TYPES

ERRORS

PROGRAMS

150

Why JavaScript? Types via Logic Security via LogicChallenges Looking Ahead


Untrusted

Code

ScriptingLanguages

Web Platform

>>>

151



Untrusted

Code

ScriptingLanguages

PolicySpecification

Web Platform

>>>

152


Security Expert

User

Developer must write policy

must read policy

and


153

Developer must write policy

• Infer from traces• Incentives from platform

must read policyUser

• Traces to demonstrate behavior• Community review-and-recommend services

must read policySecurity Expert

• Modeling tools to analyze policies


154



Untrusted

Code

ScriptingLanguages

PolicySpecification

DynamicEnforcement

Web Platform

>>>

155



Security Expert

User

Developer

156


…

eval(“…”);

…Dynamic

Code Loading

Impossible to statically analyzecode you don’t have!

157



Security Expert

User

Developer

DynamicEnforcement

158


DynamicEnforcement

…

eval(“…”);

//: #assume

…

New Types

Old Types

New Types

159


Limits of Static Reasoning

“expected”“actual”

p q✓ Definitely Safe

Maybe Unsafe✗p q(But Maybe Safe…)

160


Limits of Static Reasoning

p q Definitely Safe

Maybe Unsafe✗p qDefinitely Unsafep q✓

“expected”“actual”

✓

161

Dynamic Enforcement


Limits of Static Reasoning• Accept Program, Rather than Reject

• Rely on Programmer-Trusted or• Dynamically-Checked Assumption

✗ Maybe Unsafep q

162



Untrusted

Code

ScriptingLanguages

PolicySpecification

DynamicEnforcement

Trust Base

Web Platform

>>>

163



Security Expert

User

reviews only policy

Developer

DynamicEnforcement

164



Security Expertreviews only policy

trust

trust SMTSolver

Eliminate from TCB à laProof-Carrying Code [PLDI ’10]

Eliminate from TCB via Formal Verification

165



Security Expert

trust

SMTSolver

trust

166

PolicySpecification

DynamicEnforcement

Trust Base



Untrusted

Code

ScriptingLanguages

Web Platform

ToolSupport

>>>

167


• Generate Tests and Find Bugsfor Unannotated Programs

• Support Refactoring and Code Completionfor Annotated Programs

• Provide Analysis and Documentation Toolsfor Large, Popular Libraries like jQuery

• Web-Based Interfaces to Collect Statisticsabout Programming Patterns, Errors

Tools for Web Development

168


Inferred Annotationsare in Comments

Flow-SensitiveType Information

by Hoveringover Program Point

169


Inferred Annotationsare in Comments

Flow-SensitiveType Information

by Hoveringover Program Point

Many Software Engineering Challenges!

172



Untrusted

Code

ScriptingLanguages

ToolSupport

PolicySpecification

DynamicEnforcement

Trust Base

Web PlatformTypes

+ Logic

173

[STOP ’11][POPL ’12]

[OOPSLA ’12][ML ’13]

[ESOP ’10]

[PLDI ’10][PLDI ’09]

Program Analysisfor Security

Dataflow Analysis for Race Detection

[PLDI ’08]

PL TechniquesTypes

+ Logic

174

Dynamic Languages are Pervasive

DJS: Precise Static Types via Logic

Towards Fine-Grained Web Security

ravichugh.com

Thanks!

modern type systems for dynamic languages ravi chugh

Documents