Academia.eduAcademia.edu

Fully abstract compilation to JavaScript

Profile image of Pierre-yves StrubPierre-yves Strub

2013, Proceedings of the 40th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages - POPL '13

visibility

description

15 pages

link

1 file

Abstract

Many tools allow programmers to develop applications in highlevel languages and deploy them in web browsers via compilation to JavaScript. While practical and widely used, these compilers are ad hoc: no guarantee is provided on their correctness for whole programs, nor their security for programs executed within arbitrary JavaScript contexts. This paper presents a compiler with such guarantees. We compile an ML-like language with higher-order functions and references to JavaScript, while preserving all source program properties. Relying on type-based invariants and applicative bisimilarity, we show full abstraction: two programs are equivalent in all source contexts if and only if their wrapped translations are equivalent in all JavaScript contexts. We evaluate our compiler on sample programs, including a series of secure libraries.

Key takeaways

  • Disclaimer As usual, full abstraction holds only within our formal semantics of JavaScript, and various side channels may still exist in JavaScript implementations, based, for instance, on stack or heap exhaustion, or timing analysis.
  • Our wrappers are JavaScript functions indexed by source types t. They come in pairs: a 'down' wrapper, written ↓ t, takes a light translation of a source value v:t and exports it safely to the context; an 'up' wrapper, written ↑t, takes any JavaScript value supplied by the context and attempts to extract from it a value that is a light translation of some source v:t; this may fail.
  • To handle this, we represent JavaScript functions as js values Fun o f, constructed from a function object o:dyn and a closure f. All functions in JavaScript receive an implicit this parameter and, following λ JS, a single argument object with a field for each of their explicit arguments.
  • Formally, our compiler can be viewed as the translation from f to JavaScript ( §4) composed with the embedding of JavaScript into js ( §5).
  • Performance The benefits of running secure JavaScript come at a price, as any interactions with untrusted code are mediated by wrappers.

Related papers

Fully Abstract Compilation to JavaScript Fully Abstract Compilation to JavaScript
Pierre-yves Strub

This is a preliminary version of a technical report accompanying a conference submission of the same title. It differs from the submission in the following main regards. (1) Expanded section 4, where we provide more details on our JavaScript semantics and background on Lambda JS. (2) Expanded section 5, where we provide more details on our verified runtime JSVerify, more details on the heap invariant used in our theory, and more description of the light translation as well. We also improved on some of the syntactic conventions, which helped facilitate the mechanized proof of JSVerify in F . This makes some of definitions look superficially different, although they remain essentially unchanged. For example, rather than overload stub functions in the Abs heap, we now separate them into their own heap compartment called Stub. This makes the proofs easier, although the main ideas remain unchanged. (3) Expanded section 7, with all the details on our applicative bisimulation machinery—we ...

View PDFchevron_right
Information-Flow Security for a Core of JavaScript
Daniel Hedin

2012 IEEE 25th Computer Security Foundations Symposium, 2012

Tracking information flow in dynamic languages remains an important and intricate problem. This paper makes substantial headway toward understanding the main challenges and resolving them. We identify language constructs that constitute a core of JavaScript: objects, higher-order functions, exceptions, and dynamic code evaluation. The core is powerful enough to naturally encode native constructs as arrays, as well as functionalities of JavaScript's API from the document object model (DOM) related to document tree manipulation and event processing. As the main contribution, we develop a dynamic type system that guarantees information-flow security for this language.

View PDFchevron_right
Language-Based Isolation of Untrusted JavaScript
Ankur Taly

2009 22nd IEEE Computer Security Foundations Symposium, 2009

Web sites that incorporate untrusted content may use browseror language-based methods to keep such content from maliciously altering pages, stealing sensitive information, or causing other harm. We study methods for filtering and rewriting JavaScript code, using Yahoo! ADsafe and Facebook FBJS as motivating examples. We explain the core problems by describing previously unknown vulnerabilities and shortcomings, and give a foundation for improved solutions based on an operational semantics of the full ECMA262-3 language. We also discuss how to apply our analysis to address the problems we discovered.

View PDFchevron_right
The essence of JavaScript
Claudiu Saftoiu

2004

Abstract. We reduce JavaScript to a core calculus structured as a small-step operational semantics. We present several peculiarities of the language and show that our calculus models them. We explicate the desugaring process that turns JavaScript programs into ones in the core. We demonstrate faithfulness to JavaScript using real-world test suites. Finally,weillustrateutilitybydefiningasecurityproperty,implementing it as a type system on the core, and extending it to the full language. 1 The Need for Another JavaScript Semantics The growing use of JavaScript has created whole new technical and business models of program construction and deployment. JavaScript is a feature-rich language with many quirks, and these quirks are often exploited by security and privacy attacks. This is especially true in cases where JavaScript has a familiar syntax but an unconventional semantics. Duetoitspopularityandshortcomings,companiesandresearchershavetried to tame JavaScript via program analyses [4...

View PDFchevron_right
Formal Approaches to Secure Compilation
Amal Ahmed

ACM Computing Surveys

Secure compilation is a discipline aimed at developing compilers that preserve the security properties of the source programs they take as input in the target programs they produce as output. This discipline is broad in scope, targeting languages with a variety of features (including objects, higher-order functions, dynamic memory allocation, call/cc, concurrency) and employing a range of different techniques to ensure that source-level security is preserved at the target level. This article provides a survey of the existing literature on formal approaches to secure compilation with a focus on those that prove fully abstract compilation, which has been the criterion adopted by much of the literature thus far. This article then describes the formal techniques employed to prove secure compilation in existing work, introducing relevant terminology, and discussing the merits and limitations of each work. Finally, this article discusses open challenges and possible directions for future ...

View PDFchevron_right
Fully abstract compilation via universal embedding
Amal Ahmed

ACM SIGPLAN Notices

A fully abstract compiler guarantees that two source components are observationally equivalent in the source language if and only if their translations are observationally equivalent in the target. Full abstraction implies the translation is secure : target-language attackers can make no more observations of a compiled component than a source-language attacker interacting with the original source component. Proving full abstraction for realistic compilers is challenging because realistic target languages contain features (such as control effects) unavailable in the source, while proofs of full abstraction require showing that every target context to which a compiled component may be linked can be back-translated to a behaviorally equivalent source context. We prove the first full abstraction result for a translation whose target language contains exceptions, but the source does not. Our translation---specifically, closure conversion of simply typed λ-calculus with recursive types---...

View PDFchevron_right
Type-based dependency analysis for javascript
Peter Thiemann

Proceedings of the Eighth ACM SIGPLAN workshop on Programming languages and analysis for security - PLAS '13, 2013

Dependency analysis is a program analysis that determines potential data flow between program points. While it is not a security analysis per se, it is a viable basis for investigating data integrity, for ensuring confidentiality, and for guaranteeing sanitization. A noninterference property can be stated and proved for the dependency analysis.

View PDFchevron_right
Information-flow security for JavaScript and its APIs
Luciano Bello, Daniel Hedin

Journal of Computer Security, 2016

JavaScript drives the evolution of the web into a powerful application platform. Increasingly, web applications combine services from different providers. The script inclusion mechanism routinely turns barebone web pages into full-fledged services built up from third-party code. Script inclusion poses a challenge of ensuring that the integrated third-party code respects security and privacy. This paper presents a dynamic mechanism for securing script executions by tracking information flow in JavaScript and its APIs. On the formal side, the paper identifies language constructs that constitute a core of JavaScript: dynamic objects, higherorder functions, exceptions, and dynamic code evaluation. It develops a dynamic type system that guarantees information-flow security for this language. Based on this formal model, the paper presents JSFlow, a practical security-enhanced interpreter for fine-grained tracking of information flow in full JavaScript and its APIs. Our experiments with JSFlow deployed as a browser extension provide in-depth understanding of information manipulation by third-party scripts. We find that different sites intended to provide similar services effectuate rather different security policies for the user's sensitive information: some ensure it does not leave the browser, others share it with the originating server, while yet others freely propagate it to third parties.

View PDFchevron_right
Security types preserving compilation
Tamara Rezk

Computer Languages, Systems & Structures, 2007

Starting from the seminal work of Volpano and Smith, there has been growing evidence that type systems may be used to enforce confidentiality of programs through non-interference. However, most type systems operate on high-level languages and calculi, and "low-level languages have not received much attention in studies of secure information flow" (Sabelfeld and Myers, [Language-based information-flow security. IEEE Journal on Selected Areas in Communications 2003; 21:5-19]). Therefore, we introduce an information flow type system for a lowlevel language featuring jumps and calls, and show that the type system enforces termination-insensitive noninterference.

View PDFchevron_right
JaVerT 2.0: compositional symbolic execution for JavaScript
Philippa Gardner

Proceedings of the ACM on Programming Languages, 2019

We propose a novel, unified approach to the development of compositional symbolic execution tools, bridging the gap between classical symbolic execution and compositional program reasoning based on separation logic. Using this approach, we build JaVerT 2.0, a symbolic analysis tool for JavaScript that follows the language semantics without simplifications. JaVerT 2.0 supports whole-program symbolic testing, verification, and, for the first time, automatic compositional testing based on bi-abduction. The meta-theory underpinning JaVerT 2.0 is developed modularly, streamlining the proofs and informing the implementation. Our explicit treatment of symbolic execution errors allows us to give meaningful feedback to the developer during whole-program symbolic testing and guides the inference of resource of the bi-abductive execution. We evaluate the performance of JaVerT 2.0 on a number of JavaScript data-structure libraries, demonstrating: the scalability of our whole-program symbolic te...

View PDFchevron_right

Related papers

Value-Sensitive Hybrid Information Flow Control for a JavaScript-Like Language
Daniel Hedin

2015 IEEE 28th Computer Security Foundations Symposium, 2015

View PDFchevron_right
Using Path-Dependent Types to Build Type Safe JavaScript Foreign Function Interfaces
Julien Richard-foy

Lecture Notes in Computer Science, 2014

View PDFchevron_right
A trusted mechanised JavaScript specification
Martin Bodin

Proceedings of the 41st Acm Sigplan Sigact Symposium, 2014

View PDFchevron_right
Semi-automatic ladderisation: improving code security through rewriting and dependent types
Tania Richmond

Proceedings of the 2022 ACM SIGPLAN International Workshop on Partial Evaluation and Program Manipulation, 2022

View PDFchevron_right
Towards Type Inference for JavaScript
Paola Giannini

2005

View PDFchevron_right
An Operational Semantics for JavaScript
Ankur Taly

Lecture Notes in Computer Science, 2008

View PDFchevron_right
libmask: Protecting browser JIT engines from the devil in the constants
Mohit Mishra

2016 14th Annual Conference on Privacy, Security and Trust (PST), 2016

View PDFchevron_right
A Provably Correct Compilation of Functional Languages into Scripting Languages
Albert Shaqiri

Scientific Annals of Computer Science, 2017

View PDFchevron_right
Type Analysis for JavaScript
Peter Thiemann

Lecture Notes in Computer Science, 2009

View PDFchevron_right
Towards a program logic for JavaScript
Philippa Gardner

ACM SIGPLAN Notices, 2012

View PDFchevron_right
Equivalence-Preserving Compilation
Amal Ahmed
View PDFchevron_right
Symbolic Execution for JavaScript
Julian Dolby

Proceedings of the 20th International Symposium on Principles and Practice of Declarative Programming

View PDFchevron_right
An Intermediate Language for Compilation to Scripting Languages
Albert Shaqiri

2013

View PDFchevron_right
Run-time enforcement of secure javascript subsets
Ankur Taly

2009

View PDFchevron_right
Lightweight compilation of (C)LP to JavaScript
Manuel Carro

Theory and Practice of Logic Programming, 2012

View PDFchevron_right
Toward Preserving the Crash Safety of JavaScript in Node
Krishna Kalubandi, Trevor Elwell
View PDFchevron_right
Safe wrappers and sane policies for self protecting JavaScript
Phu Phung

… 15th Nordic Conf. in Secure IT …, 2010

View PDFchevron_right
JSAI: Designing a Sound, Configurable, and Efficient Static Analyzer for JavaScript
John Sarracino
View PDFchevron_right
Weakly Sensitive Analysis for JavaScript Object-Manipulating Programs
Xavier Rival

HAL (Le Centre pour la Communication Scientifique Directe), 2019

View PDFchevron_right
An Analytic Framework for JavaScript
Matthew Might

2011

View PDFchevron_right
Introducing safe unknown types in Java-like languages
Elena Zucca

Proceedings of the 2006 ACM symposium on Applied computing - SAC '06, 2006

View PDFchevron_right
A security-preserving compiler for distributed programs: from information-flow policies to cryptographic mechanisms
Gurvan Le Guernic

… of the 16th ACM conference on …, 2009

View PDFchevron_right
SafeJava: A Unified Type System for Safe Programming
Chandrasekhar Boyapati

Ispd, 2004

View PDFchevron_right
Isolating JavaScript with Filters, Rewriting, and Wrappers
Ankur Taly

Lecture Notes in Computer Science, 2009

View PDFchevron_right