Featherweight Firefox

Size: px

Start display at page:

Download "Featherweight Firefox"

Buck Waters
5 years ago
Views:

1 Featherweight Firefox Formalizing the Core of a Web Browser Aaron Bohannon Benjamin Pierce University of Pennsylvania June 24, / 27

2 Pop Quiz! 2 / 27

3 Question 1 Assume d is a Document object. var e = d.createelement("div"); 3 / 27

4 Question 1 Assume d is a Document object. var e = d.createelement("div"); Assume d and e remain unchanged. 3 / 27

5 Question 1 Assume d is a Document object. var e = d.createelement("div"); Assume d and e remain unchanged. Is it guaranteed that e.ownerdocument == d is always true? a) Yes b) No 3 / 27

6 Question 1 Assume d is a Document object. var e = d.createelement("div"); Assume d and e remain unchanged. Is it guaranteed that e.ownerdocument == d is always true? b) No 3 / 27

7 Question 2 Which of the following can a script do to cause the browser to run (or re-run) some other script? 4 / 27

8 Question 2 Which of the following can a script do to cause the browser to run (or re-run) some other script? a) Remove a script node from a document and insert it somewhere else. 4 / 27

9 Question 2 Which of the following can a script do to cause the browser to run (or re-run) some other script? a) Remove a script node from a document and insert it somewhere else. b) Replace a child text node of a script node. 4 / 27

10 Question 2 Which of the following can a script do to cause the browser to run (or re-run) some other script? a) Remove a script node from a document and insert it somewhere else. b) Replace a child text node of a script node. c) Assign a new value to an already-present src attribute of a script node. 4 / 27

11 Question 2 Which of the following can a script do to cause the browser to run (or re-run) some other script? a) Remove a script node from a document and insert it somewhere else. b) Replace a child text node of a script node. c) Assign a new value to an already-present src attribute of a script node. d) All of the above. 4 / 27

12 Question 2 Which of the following can a script do to cause the browser to run (or re-run) some other script? a) Remove a script node from a document and insert it somewhere else. b) Replace a child text node of a script node. c) Assign a new value to an already-present src attribute of a script node. d) All of the above. e) None of the above. 4 / 27

13 Question 2 Which of the following can a script do to cause the browser to run (or re-run) some other script? e) None of the above. 4 / 27

14 Question 3 A handler for a button click can always get a reference to the window in which the user clicked. a) True b) False 5 / 27

15 Question 3 A handler for a button click can always get a reference to the window in which the user clicked. a) True True. The handler can just use the expression self (or window). 5 / 27

16 Question 3 A handler for a button click can always get a reference to the window in which the user clicked. b) False No, false. self is statically scoped to refer to the window where the code is defined. 5 / 27

17 Question 3 A handler for a button click can always get a reference to the window in which the user clicked. a) True No, true. Button handlers can always check the ownerdocument property of the button node. 5 / 27

18 Question 3 A handler for a button click can always get a reference to the window in which the user clicked. b) False No, false. If a different handler runs first, it may move the button node to a different window! 5 / 27

19 Web Script Semantics Web script semantics are a bit peculiar. 6 / 27

20 Web Script Semantics Web script semantics are a bit peculiar. Web scripts manipulate interconnected browser structures. 6 / 27

21 Web Script Semantics Web script semantics are a bit peculiar. Web scripts manipulate interconnected browser structures. Web scripts are event-driven (user input, network responses, timer events, etc.). 6 / 27

22 Web Script Semantics Web script semantics are a bit peculiar. Web scripts manipulate interconnected browser structures. Web scripts are event-driven (user input, network responses, timer events, etc.). Web scripts have interesting language constructs (first-class functions, dynamic evaluation, self, etc.). 6 / 27

23 Why Formalize This Stuff? We want to perform a rigorous study of browser information security policies. 7 / 27

24 Why Formalize This Stuff? We want to perform a rigorous study of browser information security policies. This demands a rigorous definition of browser behavior. 7 / 27

25 Simplifying Assumptions Abstract away from some lower-level details (parsing, rendering, DNS). 8 / 27

26 Simplifying Assumptions Abstract away from some lower-level details (parsing, rendering, DNS). Make the semantics deterministic, modulo the order of input events. 8 / 27

27 Simplifying Assumptions Abstract away from some lower-level details (parsing, rendering, DNS). Make the semantics deterministic, modulo the order of input events. Model the BOM operations semantics but not the details of the JavaScript langauge. 8 / 27

28 Simplifying Assumptions Abstract away from some lower-level details (parsing, rendering, DNS). Make the semantics deterministic, modulo the order of input events. Model the BOM operations semantics but not the details of the JavaScript langauge. Omit all security mechanisms. 8 / 27

29 Formalization Overview We ve designed a formal web browser semantics that... includes many key browser features. 9 / 27

30 Formalization Overview We ve designed a formal web browser semantics that... includes many key browser features. operates in a small-step style. 9 / 27

31 Formalization Overview We ve designed a formal web browser semantics that... includes many key browser features. operates in a small-step style. is declarative (in the style of logical inference rules). 9 / 27

32 Formalization Overview We ve designed a formal web browser semantics that... includes many key browser features. operates in a small-step style. is declarative (in the style of logical inference rules). is written down in a strongly-typed programming language (OCaml). 9 / 27

33 Included Features Multiple windows and pages Mutable document node trees Buttons and text boxes with handlers Network requests and responses with cookies Scripts with first-class functions, eval, and AJAX requests 10 / 27

34 Omitted Features Browsing history HTTP error codes and redirects timeout events in scripts javascript: URLs file: URLs 11 / 27

35 Related Work 12 / 27

36 Whole Browser Formalizations HTML5 13 / 27

37 Whole Browser Formalizations HTML5 Yu, Chander, Islam, and Serikov: JavaScript Instrumentation for Browser Security (POPL 2007). 13 / 27

38 Whole Browser Formalizations HTML5 Yu, Chander, Islam, and Serikov: JavaScript Instrumentation for Browser Security (POPL 2007). Yoshihama, Tateishi, Tabuchi, and Matsumoto: Information-Flow Based Access Control for Web Browsers (IEICE Transactions, May 2009). 13 / 27

39 Other Formalizations Maffeis, Mitchell, and Taly: An Operational Semantics for JavaScript (ASPLAS 2008). Gardner, Smith, Wheelhouse, and Zarfaty: Local Hoare Reasoning About DOM (PODS 2008). Akhawe, Barth, Lam, Mitchell, and Song: Towards a Formal Foundation of Web Security (CSF 2010). 14 / 27

40 Formalization Details 15 / 27

41 Reactive Systems Consumer States Producer States 16 / 27

42 Reactive Systems Consumer States i Producer States 16 / 27

43 Reactive Systems Consumer States i Producer States o 16 / 27

44 Reactive Systems Consumer States i Producer States o o 16 / 27

45 Web Browser Consumer State Window store Page store Node store Activation record store Cookie store List of open network connections 17 / 27

46 Web Browser Producer State Window store Page store Node store Activation record store Cookie store List of open network connections Task list 18 / 27

47 Window Store Window store Page store Node store Activation record store Cookie store List of open network connections Task list window: name string (optional) opener reference to a window (optional) current page reference to a page 19 / 27

48 Page Store Window store Page store Node store Activation record store Cookie store List of open network connections Task list page: address URL root node reference to a node environment reference to an activation record script queue list of scripts or placeholders 20 / 27

49 Network Connection List Window store Page store Node store Activation record store Cookie store List of open network connections Task list network connection: connection for document request: URL, reference to a window connection for script request: URL, reference to a node connection for AJAX request: URL, reference to a page, expression 21 / 27

50 Selected Inputs From the user: load in new window(url) click button(win, n) From the network: receive(d, n, resp) 22 / 27

51 Selected Outputs To the user: win closed(win) page updated(win, doc) To the network: send(d, req uri, cookies, msg) 23 / 27

52 What s Next? 24 / 27

53 Using Our Browser Semantics Primarily, our formalization should be viewed as a human-readable template. 25 / 27

54 Using Our Browser Semantics Primarily, our formalization should be viewed as a human-readable template. Others may be interested in slightly different features. 25 / 27

55 Using Our Browser Semantics Primarily, our formalization should be viewed as a human-readable template. Others may be interested in slightly different features. The semantics may need to be translated to a different machine-consumable form. 25 / 27

56 Work in Progress Translate browser formaliztion into Coq. 26 / 27

57 Work in Progress Translate browser formaliztion into Coq. Define security policies for the browser in terms of reactive noninterference (Bohannon, et al., CCS 2009). 26 / 27

58 Work in Progress Translate browser formaliztion into Coq. Define security policies for the browser in terms of reactive noninterference (Bohannon, et al., CCS 2009). Prove the soundness of some enforcement mechanisms for these policies. 26 / 27

59 Work in Progress Translate browser formaliztion into Coq. Define security policies for the browser in terms of reactive noninterference (Bohannon, et al., CCS 2009). Prove the soundness of some enforcement mechanisms for these policies. Gain a better understanding of end-to-end web browser security. 26 / 27

60 Thank You 27 / 27

Featherweight Firefox

Featherweight Firefox Formalizing the Core of a Web Browser Aaron Bohannon University of Pennsylvania Benjamin C. Pierce University of Pennsylvania Abstract We offer a formal specification of the core