Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

On Contracts, Sandboxes, and Proxies for JavaScript

October 5, 2015, 18. Kolloquium Programmiersprachen und Grundlagen der Programmierung, KPS 2015 P ̈ortschach am W ̈orthersee, O ̈sterreich

  • Login to see the comments

  • Be the first to like this

On Contracts, Sandboxes, and Proxies for JavaScript

  1. 1. On Contracts, Sandboxes, and Proxies for JavaScript Matthias Keil, Peter Thiemann University of Freiburg, Germany October 5, 2015, 18. Kolloquium Programmiersprachen und Grundlagen der Programmierung, KPS 2015 P¨ortschach am W¨orthersee, ¨Osterreich
  2. 2. TreatJS Language embedded contract system for JavaScript Enforced by run-time monitoring Standard abstractions for higher-order-contracts (base, function, and dependent contracts) [Findler,Felleisen’02] Systematic blame calculation Contract constructors generalize dependent contracts Internal noninterference Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 2 / 14
  3. 3. Base Contract [Findler,Felleisen’02] Base Contracts are built from predicates Specified by a plain JavaScript function Base Contract function isNumber (arg) { return (typeof arg) === ’number’; }; var Number = Contract.Base(isNumber); assert(1, Number ); assert(’a’, Number ); blame the subject Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 3 / 14
  4. 4. Function Contract [Findler,Felleisen’02] // Number × Number → Number function plus (x, y) { return (x + y); } Function Contract var Plus = Contract.Function([ Number , Number ], Number ); var plusNumber = assert(plus, Plus ); plusNumber(1, 1); plusNumber(’a’, ’a’); blame the context Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 4 / 14
  5. 5. JavaScript Proxies Handler Proxy Target Shadow Meta-Level Base-Level Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14
  6. 6. JavaScript Proxies Handler Proxy Target Shadow proxy.x; Meta-Level Base-Level Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14
  7. 7. JavaScript Proxies Handler Proxy Target Shadow proxy.x; handler.get(target, ’x’, proxy); Meta-Level Base-Level Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14
  8. 8. JavaScript Proxies Handler Proxy Target Shadow proxy.x; handler.get(target, ’x’, proxy); target[’x’]; Meta-Level Base-Level Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14
  9. 9. JavaScript Proxies Handler Proxy Target Shadow proxy.x; proxy.y=1; ... handler.get(target, ’x’, proxy); handler.set(target, ’y’, 1, proxy); ... target[’x’]; target[’y’]=1; ... Meta-Level Base-Level Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14
  10. 10. Noninterference Noninterference The contract system should not interfere with the execution of application code. External Noninterference arises from the interaction of the contract system with the host program 1 Exceptions 2 Object equality Internal Noninterference arises from executing unrestricted code in predicates Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 6 / 14
  11. 11. Internal Noninterference No syntactic restrictions on predicates Predicates may try to write to data that is visible to the application Solution: Predicate evaluation takes place in a sandbox Faulty Predicate function isNumber (arg) { type = (typeof arg); return type === ’number’; }; Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 7 / 14
  12. 12. Internal Noninterference No syntactic restrictions on predicates Predicates may try to write to data that is visible to the application Solution: Predicate evaluation takes place in a sandbox Faulty Predicate function isNumber (arg) { type = (typeof arg); access forbidden return type === ’number’; }; Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 7 / 14
  13. 13. TreatJS Sandbox All contracts guarantee noninterference Read-only access is safe Predicate with Read-Access function isArray (arg) { return (arg instanceof Array); } Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 8 / 14
  14. 14. TreatJS Sandbox Predicate execution may violate contracts Solution: Sandbox redefines the responsibility Predicate with Read-Access function addOne (arg) { return plusNumber(arg, ’1’); blame the ? } Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 9 / 14
  15. 15. TreatJS Sandbox Predicate execution may violate contracts Solution: Sandbox redefines the responsibility Predicate with Read-Access function addOne (arg) { return plusNumber(arg, ’1’); blame the contract } Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 9 / 14
  16. 16. Sandbox Encapsulation Faulty Predicate function isNumber (arg) { type = (typeof arg); return type === ’number’; }; 1 Place a write protection on objects (e.g. this, arg) 2 Remove external bindings of functions (e.g. type) Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 10 / 14
  17. 17. Identity Preserving Membrane ProxyA ?ProxyB ProxyC TargetA TargetB TargetC Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14
  18. 18. Identity Preserving Membrane ProxyA ?ProxyB ProxyC TargetA TargetB TargetC x Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14
  19. 19. Identity Preserving Membrane ProxyA ?ProxyB ProxyC TargetA TargetB TargetC x x Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14
  20. 20. Identity Preserving Membrane ProxyA ?ProxyB ProxyC TargetA TargetB TargetC x x Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14
  21. 21. Identity Preserving Membrane ProxyA ?ProxyB ProxyC TargetA TargetB TargetC x y x y Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14
  22. 22. Identity Preserving Membrane ProxyA ?ProxyB ProxyC TargetA TargetB TargetC x z y x z y Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14
  23. 23. Shadow Objects Handler Proxy Target Shadow proxy.x; proxy.y=1; handler.get(target, ’x’, proxy); handler.set(target, ’y’, 1, proxy); target[’x’]; target[’y’]=1; Meta-Level Base-Level Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14
  24. 24. Shadow Objects Handler Proxy Target Shadow Meta-Level Base-Level Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14
  25. 25. Shadow Objects Handler Proxy Target Shadow proxy.x; handler.get(target, ’x’, proxy); target[’x’]; Meta-Level Base-Level Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14
  26. 26. Shadow Objects Handler Proxy Target Shadow proxy.x; proxy.y=1; handler.get(target, ’x’, proxy); handler.set(target, ’y’, 1, proxy); target[’x’]; shadow[’y’]=1; Meta-Level Base-Level Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14
  27. 27. Shadow Objects Handler Proxy Target Shadow proxy.x; proxy.y=1; proxy.y; handler.get(target, ’x’, proxy); handler.set(target, ’y’, 1, proxy); handler.get(target, ’y’, proxy); target[’x’]; shadow[’y’]=1; shadow[’y’]; Meta-Level Base-Level Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14
  28. 28. Function Recompilation var x = 1; function f (){ function g (y) { var z = 1; return x+y+z; } } Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 13 / 14
  29. 29. Function Recompilation var x = 1; function f (){ ”function g (y) { var z = 1; return x+y+z; }” } Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 13 / 14
  30. 30. Function Recompilation var x = 1; with(sbxglobal){ eval( ”function g (y) { var z = 1; return x+y+z; }”); } Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 13 / 14
  31. 31. Function Recompilation var x = 1; with(sbxglobal){ function g (y) { var z = 1; return x+y+z; } } Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 13 / 14
  32. 32. Conclusion TreatJS: Language embedded, dynamic, higher-order contract system for full JavaScript Guarantees noninterference Sandbox: Language embedded sandbox for full JavaScript Runs JavaScript code in isolation isolation Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 14 / 14

×