32
On Contracts, Sandboxes, and Proxies for JavaScript Matthias Keil, Peter Thiemann University of Freiburg, Germany October 5, 2015, 18. Kolloquium Programmiersprachen und Grundlagen der Programmierung, KPS 2015 P¨ortschachamW¨orthersee, ¨ Osterreich

On Contracts, Sandboxes, and Proxies for JavaScript

Embed Size (px)

Citation preview

Page 1: On Contracts, Sandboxes, and Proxies for JavaScript

On Contracts, Sandboxes,and Proxies for JavaScript

Matthias Keil, Peter ThiemannUniversity of Freiburg, Germany

October 5, 2015, 18. Kolloquium Programmiersprachen und Grundlagen der Programmierung, KPS 2015Portschach am Worthersee, Osterreich

Page 2: On Contracts, Sandboxes, and Proxies for JavaScript

TreatJS

Language embedded contract system for JavaScript

Enforced by run-time monitoring

Standard abstractions for higher-order-contracts (base,function, and dependent contracts) [Findler,Felleisen’02]

Systematic blame calculation

Contract constructors generalize dependent contracts

Internal noninterference

Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 2 / 14

Page 3: On Contracts, Sandboxes, and Proxies for JavaScript

Base Contract [Findler,Felleisen’02]

Base Contracts are built from predicates

Specified by a plain JavaScript function

Base Contract

function isNumber (arg) {return (typeof arg) === ’number’;};var Number = Contract.Base(isNumber);

assert(1, Number ); 3

assert(’a’, Number ); 7 blame the subject

Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 3 / 14

Page 4: On Contracts, Sandboxes, and Proxies for JavaScript

Function Contract [Findler,Felleisen’02]

// Number × Number → Numberfunction plus (x, y) {return (x + y);}

Function Contract

var Plus = Contract.Function([ Number , Number ],Number );

var plusNumber = assert(plus, Plus );

plusNumber(1, 1); 3

plusNumber(’a’, ’a’); 7 blame the context

Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 4 / 14

Page 5: On Contracts, Sandboxes, and Proxies for JavaScript

JavaScript Proxies

Handler

Proxy Target Shadow

proxy.x;proxy.y=1;...

handler.get(target, ’x’, proxy);handler.set(target, ’y’, 1, proxy);...

target[’x’];target[’y’]=1;...

Meta-Level

Base-Level

Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14

Page 6: On Contracts, Sandboxes, and Proxies for JavaScript

JavaScript Proxies

Handler

Proxy Target Shadow

proxy.x;

proxy.y=1;...

handler.get(target, ’x’, proxy);handler.set(target, ’y’, 1, proxy);...

target[’x’];target[’y’]=1;...

Meta-Level

Base-Level

Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14

Page 7: On Contracts, Sandboxes, and Proxies for JavaScript

JavaScript Proxies

Handler

Proxy Target Shadow

proxy.x;

proxy.y=1;...

handler.get(target, ’x’, proxy);

handler.set(target, ’y’, 1, proxy);...

target[’x’];target[’y’]=1;...

Meta-Level

Base-Level

Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14

Page 8: On Contracts, Sandboxes, and Proxies for JavaScript

JavaScript Proxies

Handler

Proxy Target Shadow

proxy.x;

proxy.y=1;...

handler.get(target, ’x’, proxy);

handler.set(target, ’y’, 1, proxy);...

target[’x’];

target[’y’]=1;...

Meta-Level

Base-Level

Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14

Page 9: On Contracts, Sandboxes, and Proxies for JavaScript

JavaScript Proxies

Handler

Proxy Target Shadow

proxy.x;proxy.y=1;...

handler.get(target, ’x’, proxy);handler.set(target, ’y’, 1, proxy);...

target[’x’];target[’y’]=1;...

Meta-Level

Base-Level

Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14

Page 10: On Contracts, Sandboxes, and Proxies for JavaScript

Noninterference

Noninterference

The contract system should not interfere with the execution ofapplication code.

External Noninterference arises from the interaction of thecontract system with the host program

1 Exceptions2 Object equality

Internal Noninterference arises from executing unrestrictedcode in predicates

Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 6 / 14

Page 11: On Contracts, Sandboxes, and Proxies for JavaScript

Internal Noninterference

No syntactic restrictions on predicates

Predicates may try to write to data that is visible to theapplication

Solution: Predicate evaluation takes place in a sandbox

Faulty Predicate

function isNumber (arg) {type = (typeof arg);return type === ’number’;};

Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 7 / 14

Page 12: On Contracts, Sandboxes, and Proxies for JavaScript

Internal Noninterference

No syntactic restrictions on predicates

Predicates may try to write to data that is visible to theapplication

Solution: Predicate evaluation takes place in a sandbox

Faulty Predicate

function isNumber (arg) {type = (typeof arg); 7 access forbiddenreturn type === ’number’;};

Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 7 / 14

Page 13: On Contracts, Sandboxes, and Proxies for JavaScript

TreatJS Sandbox

All contracts guarantee noninterference

Read-only access is safe

Predicate with Read-Access

function isArray (arg) {return (arg instanceof Array); 3

}

Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 8 / 14

Page 14: On Contracts, Sandboxes, and Proxies for JavaScript

TreatJS Sandbox

Predicate execution may violate contracts

Solution: Sandbox redefines the responsibility

Predicate with Read-Access

function addOne (arg) {return plusNumber(arg, ’1’); 7 blame the ?}

Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 9 / 14

Page 15: On Contracts, Sandboxes, and Proxies for JavaScript

TreatJS Sandbox

Predicate execution may violate contracts

Solution: Sandbox redefines the responsibility

Predicate with Read-Access

function addOne (arg) {return plusNumber(arg, ’1’); 7 blame the contract}

Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 9 / 14

Page 16: On Contracts, Sandboxes, and Proxies for JavaScript

Sandbox Encapsulation

Faulty Predicate

function isNumber (arg) {type = (typeof arg);return type === ’number’;};

1 Place a write protection on objects (e.g. this, arg)

2 Remove external bindings of functions (e.g. type)

Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 10 / 14

Page 17: On Contracts, Sandboxes, and Proxies for JavaScript

Identity Preserving Membrane

ProxyA

?ProxyB

ProxyC

TargetA

TargetB

TargetC

Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14

Page 18: On Contracts, Sandboxes, and Proxies for JavaScript

Identity Preserving Membrane

ProxyA

?ProxyB

ProxyC

TargetA

TargetB

TargetC

x

Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14

Page 19: On Contracts, Sandboxes, and Proxies for JavaScript

Identity Preserving Membrane

ProxyA

?ProxyB

ProxyC

TargetA

TargetB

TargetC

x x

Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14

Page 20: On Contracts, Sandboxes, and Proxies for JavaScript

Identity Preserving Membrane

ProxyA

?ProxyB

ProxyC

TargetA

TargetB

TargetC

x x

Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14

Page 21: On Contracts, Sandboxes, and Proxies for JavaScript

Identity Preserving Membrane

ProxyA

?ProxyB

ProxyC

TargetA

TargetB

TargetC

x

y

x

y

Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14

Page 22: On Contracts, Sandboxes, and Proxies for JavaScript

Identity Preserving Membrane

ProxyA

?ProxyB

ProxyC

TargetA

TargetB

TargetC

x

z

y

x

z

y

Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14

Page 23: On Contracts, Sandboxes, and Proxies for JavaScript

Shadow Objects

Handler

Proxy Target Shadow

proxy.x;proxy.y=1;

handler.get(target, ’x’, proxy);handler.set(target, ’y’, 1, proxy);

target[’x’];target[’y’]=1;

Meta-Level

Base-Level

Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14

Page 24: On Contracts, Sandboxes, and Proxies for JavaScript

Shadow Objects

Handler

Proxy Target Shadow

proxy.x;proxy.y=1;proxy.y;

handler.get(target, ’x’, proxy);handler.set(target, ’y’, 1, proxy);handler.get(target, ’y’, proxy);

target[’x’]; shadow[’y’]=1;shadow[’y’];

Meta-Level

Base-Level

Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14

Page 25: On Contracts, Sandboxes, and Proxies for JavaScript

Shadow Objects

Handler

Proxy Target Shadow

proxy.x;

proxy.y=1;proxy.y;

handler.get(target, ’x’, proxy);

handler.set(target, ’y’, 1, proxy);handler.get(target, ’y’, proxy);

target[’x’];

shadow[’y’]=1;shadow[’y’];

Meta-Level

Base-Level

Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14

Page 26: On Contracts, Sandboxes, and Proxies for JavaScript

Shadow Objects

Handler

Proxy Target Shadow

proxy.x;proxy.y=1;

proxy.y;

handler.get(target, ’x’, proxy);handler.set(target, ’y’, 1, proxy);

handler.get(target, ’y’, proxy);

target[’x’]; shadow[’y’]=1;

shadow[’y’];

Meta-Level

Base-Level

Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14

Page 27: On Contracts, Sandboxes, and Proxies for JavaScript

Shadow Objects

Handler

Proxy Target Shadow

proxy.x;proxy.y=1;proxy.y;

handler.get(target, ’x’, proxy);handler.set(target, ’y’, 1, proxy);handler.get(target, ’y’, proxy);

target[’x’]; shadow[’y’]=1;shadow[’y’];

Meta-Level

Base-Level

Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14

Page 28: On Contracts, Sandboxes, and Proxies for JavaScript

Function Recompilation

var x = 1;

function f (){

function g (y) {var z = 1;return x+y+z;}

}

Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 13 / 14

Page 29: On Contracts, Sandboxes, and Proxies for JavaScript

Function Recompilation

var x = 1;

function f (){

”function g (y) {var z = 1;return x+y+z;}”

}

Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 13 / 14

Page 30: On Contracts, Sandboxes, and Proxies for JavaScript

Function Recompilation

var x = 1;

with(sbxglobal){

eval( ”function g (y) {var z = 1;return x+y+z;}”);

}

Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 13 / 14

Page 31: On Contracts, Sandboxes, and Proxies for JavaScript

Function Recompilation

var x = 1;

with(sbxglobal){

function g (y) {var z = 1;return x+y+z;}

}

Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 13 / 14

Page 32: On Contracts, Sandboxes, and Proxies for JavaScript

Conclusion

TreatJS:

Language embedded, dynamic, higher-order contract systemfor full JavaScript

Guarantees noninterference

Sandbox:

Language embedded sandbox for full JavaScript

Runs JavaScript code in isolation isolation

Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 14 / 14


Regulatory Sandboxes for Innovation in Financial Products

Regulatory Sandboxes for Innovation in Financial Products

Documents
Derbycon Bromium Labs: Sandboxes

Derbycon Bromium Labs: Sandboxes

Technology
Oracle Fusion CRM_Using Sandboxes

Oracle Fusion CRM_Using Sandboxes

Documents
Web Proxies

Web Proxies

Documents
What Are The Best Liquidity Proxies For Global … Liquidity Proxies 2011-07-01.pdfWhat Are The Best Liquidity Proxies For Global Research? Abstract We compare liquidity proxies constructed

What Are The Best Liquidity Proxies For Global … Liquidity Proxies 2011-07-01.pdfWhat Are The Best Liquidity Proxies For Global Research? Abstract We compare liquidity proxies constructed

Documents
From Paths to Sandboxes

From Paths to Sandboxes

Technology
ONTARIO’S INNOVATION SANDBOXES

ONTARIO’S INNOVATION SANDBOXES

Documents
ABAP Proxies

ABAP Proxies

Documents
DIGGING DEEP INTO THE FLASH SANDBOXES - Black Hat

DIGGING DEEP INTO THE FLASH SANDBOXES - Black Hat

Documents
ES6 JavaScript, Metaprogramming, & Object Proxies

ES6 JavaScript, Metaprogramming, & Object Proxies

Documents
The Perceptual Proxies of Visual Comparisonusers.umiacs.umd.edu/~elm/projects/perceptual-proxies/perceptual... · proxies for visual comparison, (3) implementations of these proxies

The Perceptual Proxies of Visual Comparisonusers.umiacs.umd.edu/~elm/projects/perceptual-proxies/perceptual... · proxies for visual comparison, (3) implementations of these proxies

Documents
Values & Vision - Cloud Sandboxes for BIG Earth Sciences

Values & Vision - Cloud Sandboxes for BIG Earth Sciences

Investor Relations
Black Hat EU 2011 - Assessing Practical Sandboxes

Black Hat EU 2011 - Assessing Practical Sandboxes

Technology
Scaling DFS With Regulatory Sandboxes (Segoie)sustainabledfs.lbs.edu.ng/FI-Resources/Scaling_DFS_With_Regulator… · with regulatory sandboxes scaling dfs white paper olayinka david-west

Scaling DFS With Regulatory Sandboxes (Segoie)sustainabledfs.lbs.edu.ng/FI-Resources/Scaling_DFS_With_Regulator… · with regulatory sandboxes scaling dfs white paper olayinka david-west

Documents
Transparent Object Proxies for JavaScript

Transparent Object Proxies for JavaScript

Technology
Climate Proxies

Climate Proxies

Documents
TxBox : Building Secure, Efficient Sandboxes with System Transactions

TxBox : Building Secure, Efficient Sandboxes with System Transactions

Documents
Shared proxies

Shared proxies

Documents
XSS Horror Show scary XSS vectors About me Researcher for Portswigger (makers of Burp suite) JavaScript XSS hacker I love JavaScript sandboxes Built

XSS Horror Show scary XSS vectors About me Researcher for Portswigger (makers of Burp suite) JavaScript XSS hacker I love JavaScript sandboxes Built

Documents
The role of sandboxes in promoting flexibility and

The role of sandboxes in promoting flexibility and

Documents
Global Experiences from Regulatory Sandboxes

Global Experiences from Regulatory Sandboxes

Documents
Evaluating Open Source Malware Sandboxes with Linux malware

Evaluating Open Source Malware Sandboxes with Linux malware

Documents
Ditch Sandboxes for Docker

Ditch Sandboxes for Docker

Technology
Metaprogramming & JavaScript Object Proxies · Object-oriented Intercession APIs Abstract: Proxies are a powerful approach to implement meta-objects in object-oriented languages without

Metaprogramming & JavaScript Object Proxies · Object-oriented Intercession APIs Abstract: Proxies are a powerful approach to implement meta-objects in object-oriented languages without

Documents
Regulating a Revolution: From Regulatory Sandboxes to

Regulating a Revolution: From Regulatory Sandboxes to

Documents
Poster: Dynamic Analysis Using JavaScript Proxies

Poster: Dynamic Analysis Using JavaScript Proxies

Documents
BUILDING FINTECH ECOSYSTEMS: REGULATORY SANDBOXES

BUILDING FINTECH ECOSYSTEMS: REGULATORY SANDBOXES

Documents
Hack In Paris 2011 - Assessing Practical Sandboxes

Hack In Paris 2011 - Assessing Practical Sandboxes

Technology
Efficient Dynamic Access Analysis Using JavaScript Proxies

Efficient Dynamic Access Analysis Using JavaScript Proxies

Technology
Malicious Proxies

Malicious Proxies

Documents