Static Verification for Web Scripting Languages

Static Verification forWeb ScriptingLanguages Ravi Chugh

Web Platform

Web Platform UntrustedCode ScriptingLanguages

My Goal: Rigorous Foundations Web Platform UntrustedCode Static Types and Logic! ScriptingLanguages

1995 • Web Page = Static HTML • Web Page + Links • Web Page + Client-Side Code <html> </html> <script type=“javascript”> loginButton.onclick= function () { if (passwordBox.value==“”) { alert(“Enter password!”); } else { ... } } </script> Username Password Login

1995 • No Static Types • “Dynamic” Features Make itEasy to Experiment… • … an easy-to-use “scripting language”as a companion to Java Brendan Eich,JavaScript creator

2013

2013 Asked whether Gmail would ever open up an API for developers to code add-ons and plug-ins with more official support and stability, Kowitz suggested it was unlikely. Gmail is based on “hundreds of thousands” of lines of JavaScript, Kowitz said,and it's a code base that “changes so quickly.” That said, Jackson said the Gmail team "loves" to see third-party functionality being developed, and the team tries to make developers aware of changes they know will affect those products. Article on LifeHacker

2013 Asked whether Gmail would ever open up an API for developers to code add-ons and plug-ins with more official support and stability, Kowitz suggested it was unlikely. Gmail is based on “hundreds of thousands” of lines of JavaScript, Kowitz said,andit's a code base that “changes so quickly.” That said, Jackson said the Gmail team "loves" to see third-party functionality being developed, and the team tries to make developers aware of changes they know will affect those products. • “Scripting”?!? Article on LifeHacker

2013 JavaScript isEverywhere http://stackoverflow.com/tags 02-03-13

2013 JavaScript isEverywhere http://stackoverflow.com/tags 02-03-13 Popular Server-SideScripting Languages

2013 Banking Shopping News JavaScript isEverywhere

2013 Banking Shopping News JavaScript isEverywhere Third-Party Ads

2013 Banking Shopping News JavaScript isEverywhere Third-Party Apps Third-Party Ads

2013 Third-Party JavaScript isEverywhere

2013 • No longerjust “scripting” • … an easy-to-use “scripting language”as a companion to Java

2013 • No longerjust “scripting” • … an easy-to-use “scripting language”as a companion to Java • JavaScript ismuch harder than Java

… New Yorker article, “The Itch,” …

PRINT

“?printable=true” “I want every article in print mode”

Browser Extensions Third-Party DevelopersCustomize Browser

Browser Extensions PRINTNEW YORKER

Browser Extensions for (var elt in doc.getEltsByTagName(“a”)) { var url = elt.getAttr(“href”); if (url.match(/^newyorker.com/)) { elt.setAttr(“href”, url + “?printable=true”); } }

Browser Extensions Document (DOM) host-site.com PRINTNEW YORKER newyorker.com ?printable=true

Browser Extensions Document (DOM) host-site.com PRINTNEW YORKER newyorker.com evil.com ?printable=true EVIL BUGGY Network Manager PasswordsBank AcctsHistory JavaScriptEngine OtherSensitiveAPIs

Enforcing JavaScript Security? • Dynamic Checking… • Expensive • Misses Attacks • Can Blame Wrong Party • Goal: Static Verification

My Dissertation • 1. Reliability / Security • 2. Development Tools • 3. Performance • Static Types for JavaScript • for Dynamic Languages

My Dissertation • New Techniques Apply to Traditional Languages • Static Types for JavaScript • for Dynamic Languages • Many Challenges of Web are Independent of Language • Working with JavaScriptCan Have Long-Term Impact

“booleans” • “integers” • “objects with foo field” • Static Types for JavaScript • Describe sets of run-time values • “urls that are safe to visit” • “non-nullpointers”

“multiplyint and bool” • “booleans” • “foo fieldnot found” • “integers” • “objects with foo field” • “foo fieldnot found” • Static Types for JavaScript • Prevent classes of run-time errors • “navigating to evil.com” • “redirect to evil.com” • “urls that are safe to visit” • “null pointer exception” • “null pointer exception” • “non-nullpointers”

f(x) • “actual args” • “expected args” •  • Type1 • Type2 ✓ • “function call produces no error”

f(x) • “actual args” • “expected args” •  • Type1 • Type2 ✗ • “function call may produce error”

Refinement Types • Types + Logic • “actual args” • “expected args” •  {x|p} • Type1 {x|q} • Type2  {x|p} {x|q}

Refinement Types Types Logic {x|p} f :: {y|q} • Nested Refinements [POPL ’12] • Key to Encode Dynamic Features

Usability Types + Logic Dependent JavaScript (DJS) [POPL ’12, OOPSLA ’12] Verification Hoare LogicsModel CheckingAbstract InterpretationTheorem Proving… Expressiveness

Why JavaScript? • Challenges • Types via Logic • Security via Logic • Looking Ahead Outline • Why is JavaScript Important? • Why is JavaScript Hard? • Static Types via Logic • Security via Logic • Looking Ahead

Why JavaScript? • Challenges • Types via Logic • Security via Logic • Looking Ahead Outline • Why is JavaScript Hard? • Lightweight Reflection • Dictionary Objects • Additional Challenges

Why JavaScript? • Challenges • Types via Logic • Security via Logic • Looking Ahead function negate(x) { if (typeofx==“number”) { } x • Q: What is my “type”?

Why JavaScript? • Challenges • Types via Logic • Security via Logic • Looking Ahead All JavaScript Values {x|tag(x)=“number”} 3.14 -1 17 42 ... x • Q: What is my “type”? {x|tag(x)=“boolean”} {} {“f”:17} {x|tag(x)=“object”} ... {“f”:42,“g”:true} true false

Why JavaScript? • Challenges • Types via Logic • Security via Logic • Looking Ahead function negate(x) { if (typeofx==“number”) { } x • Q: What is my “type”? • A: Described by “tag”

Why JavaScript? • Challenges • Types via Logic • Security via Logic • Looking Ahead function negate(x) { if (typeofx==“number”) { return 0 - x; } else { return !x; } } • “expected args” • values with tag“number”OR“boolean”

Why JavaScript? • Challenges • Types via Logic • Security via Logic • Looking Ahead obj.f means obj[“f”] • Objects are “Dictionaries”that mapstring keysto values • a.k.a.“maps”“hash tables”“associative arrays”

Why JavaScript? • Challenges • Types via Logic • Security via Logic • Looking Ahead function dispatch(table, op, i, j) { } • methodto invoke • methodtable

Why JavaScript? • Challenges • Types via Logic • Security via Logic • Looking Ahead function dispatch(table, op, i, j) { var fn = table[op]; return fn(i, j); } • “*” keynot found • “foo fieldnot found” var integerOps = { “+” : function (n, m) { … } , “-” : function (n, m) { … }}; dispatch (integerOps, “*”, 17, 42);

Why JavaScript? • Challenges • Types via Logic • Security via Logic • Looking Ahead function dispatch(table, op, i, j) { var fn = table[op]; return fn(i, j); } • “expected args” • table object with an op key that stores a function on numbers • Dependencybetween typesof arguments

Why JavaScript? • Challenges • Types via Logic • Security via Logic • Looking Ahead Outline • Why is JavaScript Hard? • Lightweight Reflection • Dictionary Objects • Extensible Objects • Prototype Inheritance • Array Semantics

Static Verification for Web Scripting Languages

Static Verification for Web Scripting Languages

Presentation Transcript

Scripting Languages

Scripting Languages

Scripting Languages

Scripting Languages

Scripting the Web

Scripting Languages Intro

Static Analysis and Verification

Scripting Data Integrity Verification

Scripting Languages

Scripting Languages

An overview of scripting languages

Scripting Languages Course 2

Trends in Scripting Languages

Scripting Languages Course 5

NMD202 Web Scripting

NMD202 Web Scripting

Types in Scripting Languages

NMD202 Web Scripting

Scripting Languages

Scripting the Web