ADsafety. Type-based Verification of JavaScript Sandboxing. Joe Gibbs Politz Spiridon Aristides Eliopoulos Arjun Guha Shriram Krishnamurthi
|
|
- Edwin Jacobs
- 5 years ago
- Views:
Transcription
1 ADsafety Type-based Verification of JavaScript Sandboxing Joe Gibbs Politz Spiridon Aristides Eliopoulos Arjun Guha Shriram Krishnamurthi 1
2 2
3 3
4 third-party ad third-party ad 4
5 Who is running code in your browser? 5
6 Who is running code in your browser? 5
7 Who is running code in your browser? 5
8 the host you visit 6
9 the host you visit 6
10 the host you visit the ad server 6
11 the host you visit the ad server same JavaScript context 6
12 the host you visit the ad server <iframe> 6
13 the host you visit the ad server <iframe> top.location.href 6
14 Microsoft Web Sandbox Facebook JavaScript (FBJS) Google Caja Yahoo! ADsafe All are defining safe sub-languages 7
15 8
16 eval 8
17 eval 8
18 eval e 8
19 eval e wrap(e) 8
20 eval e wrap wrap(e) 8
21 filters wrappers eval rewriters e wrap wrap(e) Maffeis, Mitchell, and Taly, ESORICS
22 9
23 eval 9
24 eval ADSAFE.get(obj, x) untrusted widget 9
25 eval ADSAFE.get ADSAFE.get(obj, x) untrusted widget 9
26 1, 800 LOC adsafe.js library 50 calls to three kinds of assertions 40 type-tests 5 regular-expression based checks 60 privileged DOM method calls 10
27 ? 1, 800 LOC adsafe.js library 50 calls to three kinds of assertions 40 type-tests 5 regular-expression based checks 60 privileged DOM method calls 10
28 Type-based Verification of 11
29 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 12
30 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.s cannot load new code at runtime, or cause ADsafe to load new code on their behalf; eval() document.write() document.createelement("script")... 12
31 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.s cannot load new code at runtime, or cause ADsafe to load new code on their behalf; eval() document.write() document.createelement("script")... 12
32 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.s cannot load new code at runtime, or cause ADsafe to load new code on their behalf; 2.s cannot obtain direct references to DOM nodes; <div> <p> <div> ADsafe Untrusted <b> 12
33 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.s cannot load new code at runtime, or cause ADsafe to load new code on their behalf; 2.s cannot obtain direct references to DOM nodes; <div> <p> <div> ADsafe Untrusted <b> 12
34 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.s cannot load new code at runtime, or cause ADsafe to load new code on their behalf; 2.s cannot obtain direct references to DOM nodes; <div> 3.s cannot affect the DOM outside of their subtree; and <div id="widget"> <p> <div> ADsafe Untrusted <b> 12
35 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.s cannot load new code at runtime, or cause ADsafe to load new code on their behalf; 2.s cannot obtain direct references to DOM nodes; <div> 3.s cannot affect the DOM outside of their subtree; and <div id="widget"> <p> <div> ADsafe Untrusted <b> 12
36 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.s cannot load new code at runtime, or cause ADsafe to load new code on their behalf; 2.s cannot obtain direct references to DOM nodes; 3.s cannot affect the DOM outside of their subtree; and 4.Multiple widgets on the same page cannot communicate. A ADsafe B 12
37 eval Goal: Verify ADsafe ADSAFE.get ADSAFE.get(obj, x) 13
38 eval Goal: Verify ADsafe ADSAFE.get ADSAFE.get(obj, x) untrusted, but passes JSLint 13
39 eval Goal: Verify ADsafe Goal: model JSLint ADSAFE.get ADSAFE.get(obj, x) untrusted, but passes JSLint 13
40 JSLint ensures: no DOM references node <div> <p> <div> ADsafe Untrusted <b> s cannot obtain direct references to DOM nodes. 14
41 JSLint ensures: no DOM references node ADsafe ensures: only safe methods on bunches bunch = { nodes : array of nodes, append: function..., gettext: function..., functions } <div> <p> <div> ADsafe Untrusted <b> s cannot obtain direct references to DOM nodes. 14
42 JSLint ensures: no DOM references node ADsafe ensures: only safe methods on bunches bunch = { nodes : array of nodes, append: function..., gettext: function..., functions } bunch. nodes No private fields in JavaScript! <div> <p> <div> ADsafe Untrusted <b> s cannot obtain direct references to DOM nodes. 14
43 JSLint ensures: no DOM references node ADsafe ensures: only safe methods on bunches bunch = { nodes : array of nodes, append: function..., gettext: function..., functions } <div> JSLint ensures: nodes is private bunch. nodes <p> <div> ADsafe Untrusted <b> s cannot obtain direct references to DOM nodes. 14
44 JSLint ensures: no DOM references node ADsafe ensures: only safe methods on bunches bunch = { nodes : array of nodes, append: function..., gettext: function..., functions } <div> JSLint ensures: nodes is private bunch. nodes <p> <div> ADsafe Untrusted <b> bunch.append(...) Exploit append to return nodes? s cannot obtain direct references to DOM nodes. 14
45 JSLint ensures: no DOM references node ADsafe ensures: only safe methods on bunches bunch = { nodes : array of nodes, append: function..., gettext: function..., functions } <div> JSLint ensures: nodes is private bunch. nodes <p> <div> ADsafe Untrusted ADsafe ensures: DOM nodes are not returned bunch.append(...) <b> s cannot obtain direct references to DOM nodes. 14
46 eval Goal 2: Verify ADsafe Goal 1: model JSLint ADSAFE.get ADSAFE.get(obj, x) untrusted, but passes JSLint 15
47 var n = 6 var s = "a string" var b = true 16
48 var n = 6 var s = "a string" var b = true := Number + String + Boolean + Undefined + Null + 16
49 := Number + String + Boolean + Undefined + Null + 17
50 { x: 6, b: "car" } := Number + String + Boolean + Undefined + Null + 17
51 { x: 6, b: "car" } { nested: { y: 10, b: false } } := Number + String + Boolean + Undefined + Null + : nodes : Array<Node> caller: prototype:... code :... proto : Object + Function + Array
52 { x: 6, b: "car" } { nested: { y: 10, b: false } } { nodes : 90 } myobj.prototype = { }; := Number + String + Boolean + Undefined + Null + : nodes : Array<Node> caller: prototype:... code :... proto : Object + Function + Array
53 { x: 6, b: "car" } { nested: { y: 10, b: false } } { nodes : 90 } myobj.prototype = { }; function foo(x) { return x + 1; } foo(900) foo.w = "functions are objects" ["array", "of", "strings"] /regular[ \t]*expressions/ := Number + String + Boolean + Undefined + Null + : nodes : Array<Node> caller: prototype:... code :... proto : Object + Function + Array
54 JSLint type-checker typable widgets widgets that pass JSLint 18
55 JSLint type-checker typable widgets Claim: widgets that pass JSLint evidence: 1,100 LOC of tests or, passing JSLint -typable 18
56 JSLint type-checker typable widgets type-based arguments about widgets Claim: widgets that pass JSLint evidence: 1,100 LOC of tests or, passing JSLint -typable 18
57 eval Goal 2: Verify ADsafe Goal 1: model JSLint ADSAFE.get ADSAFE.get(obj, x) untrusted, but passes JSLint 19
58 window.settimeout(callback, delay); eval String window.settimeout 20
59 Object String Number eval String /*: */ ADSAFE.later = function(callback, delay) { if (typeof callback!== "function") { throw "expected function"; } } window.settimeout(callback, delay); window.settimeout 20
60 Object String Number window : { eval:, settimeout : (... ) Undefined,... } eval String /*: */ ADSAFE.later = function(callback, delay) { if (typeof callback!== "function") { throw "expected function"; } } window.settimeout(callback, delay); window.settimeout 20
61 Object String Number window : { eval:, settimeout : (... ) Undefined,... } eval String /*: */ ADSAFE.later = function(callback, delay) { if (typeof callback!== "function") { throw "expected function"; } } window.settimeout(callback, delay); window.settimeout 20
62 Object String Number window : { eval:, settimeout : (... ) Undefined,... } /*: */ ADSAFE.later = function(callback, delay) { if (typeof callback!== "function") { throw "expected function"; } window.settimeout(callback, delay); eval String }... window.settimeout 20
63 Object String Number window : { eval:, settimeout : (... ) Undefined,... } /*: */ ADSAFE.later = function(callback, delay) { if (typeof callback!== "function") { throw "expected function"; } window.settimeout(callback, delay); eval String }... window.settimeout This is just one kind of if-split we handle. Politz et al. USENIX Security 2011 and Guha, Saftoiu, Krishnamurthi. ESOP
64 JSLinted adsafe.js widget 21
65 JSLinted adsafe.js widget 21
66 JSLinted adsafe.js widget 21
67 JSLinted adsafe.js widget 21
68 JSLinted adsafe.js widget 21
69 JSLinted adsafe.js widget 21
70 Array<Node> Node JSLinted adsafe.js widget 21
71 Node Node Array<Node> Node JSLinted adsafe.js widget 21
72 typable widgets widgets that pass JSLint + = Array<Node> Node adsafe.js JSLinted widget JSLint model Type-checked ADsafe 22
73 typable widgets widgets that pass JSLint var fakenode = { tagname: "div", appendchild: function(elt) { var win = elt.ownerdocument.defaultview; win.eval("alert('hacked')"); } }; 23
74 typable widgets widgets that pass JSLint var fakenode = { tagname: "div", appendchild: function(elt) { var win = elt.ownerdocument.defaultview; win.eval("alert('hacked')"); } }; var fakebunch = { nodes : [fakenode] }; Rejected by JSLint 23
75 typable widgets widgets that pass JSLint var fakenode = { tagname: "div", appendchild: function(elt) { var win = elt.ownerdocument.defaultview; win.eval("alert('hacked')"); } }; var fakebunch = { nodes : [fakenode] }; var fakebunch = { ' nodes ': [fakenode] }; Rejected by JSLint Accepted by JSLint type error: expected Array<HTML>, received Array<> 23
76 /*: */ WrappedElt.prototype.style = function(name, val) { var regexp = new Regexp("url"); if (regexp.test(val)) { return error(); }... this. node.style[name] = val... } 24
77 /*: */ WrappedElt.prototype.style = function(name, val) { var regexp = new Regexp("url"); } if (regexp.test(val)) { return error(); }... this. node.style[name] = val... expected String, received 24
78 /*: */ WrappedElt.prototype.style = function(name, val) { var regexp = new Regexp("url"); } if (regexp.test(val)) { return error(); }... this. node.style[name] = val... expected String, received var firstcall = true; var badname = { tostring: function() { if (firstcall) { firstcall = false; return "font"; } else { return "url('/evil.xml')"; } } }; passes safety check returns bad value 24
79 Fix: check_string assertion inserted here, and in 16 other places /*: */ WrappedElt.prototype.style = function(name, val) { var regexp = new Regexp("url"); } if (regexp.test(val)) { return error(); }... this. node.style[name] = val... expected String, received var firstcall = true; var badname = { tostring: function() { if (firstcall) { firstcall = false; return "font"; } else { return "url('/evil.xml')"; } } }; passes safety check returns bad value 24
80 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.s cannot load new code at runtime, or cause ADsafe to load new code on their behalf; eval() document.write() document.createelement("script")... <div> 2.s cannot obtain direct <p> <div> ADsafe Untrusted references to DOM nodes; <b> <div> 3.s cannot affect the DOM outside of their subtree; <div id="widget"> and <p> <div> ADsafe Untrusted <b> 4.Multiple widgets on the same page cannot communicate. A ADsafe B 25
81 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.s cannot load new code at runtime, or cause ADsafe to load new code on their behalf; eval() document.write() document.createelement("script")... <div> 2.s cannot obtain direct <p> <div> ADsafe Untrusted references to DOM nodes; <b> <div> 3.s cannot affect the DOM outside of their subtree; <div id="widget"> and <p> <div> ADsafe Untrusted <b> 4.Multiple widgets on the same page cannot communicate. A ADsafe B 25
82 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.s cannot load new code at runtime, or cause ADsafe to load new code on their behalf; eval() document.write() document.createelement("script")... <div> 2.s cannot obtain direct <p> <div> ADsafe Untrusted references to DOM nodes; <b> <div> 3.s cannot affect the DOM outside of their subtree; <div id="widget"> and <p> <div> ADsafe Untrusted <b> 4.Multiple widgets on the same page cannot communicate. A ADsafe B 25
83 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.s cannot load new code at runtime, or cause ADsafe to load new code on their behalf; eval() document.write() document.createelement("script")... <div> 2.s cannot obtain direct <p> <div> ADsafe Untrusted references to DOM nodes; <b> <div> 3.s cannot affect the DOM outside of their subtree; <div id="widget"> and <p> <div> ADsafe Untrusted <b> 4.Multiple widgets on the same page cannot communicate. A ADsafe B 25
84 Definition 1 (ADsafety): If all embedded widgets pass JSLint, then: 1.s cannot load new code at runtime, or cause ADsafe to load new code on their behalf; eval() document.write() document.createelement("script")... <div> 2.s cannot obtain direct references to DOM nodes; <p> <b> <div> ADsafe Untrusted <div> 3.s cannot affect the DOM outside of their subtree; and <div id="widget"> <p> <div> ADsafe Untrusted 4.Multiple widgets on the same Retracted page cannot communicate. A <b> ADsafe B 25
85 ! Caveats: 11 LOC unverified subtree property unverified 26
86 JavaScript program Proofs for JavaScript? 27
87 JavaScript program desugar λ JS program Proofs for JavaScript? Proofs for λjs. 27
88 JavaScript program desugar λ JS program Proofs for JavaScript? SpiderMonkey, V8, Rhino 100 LOC interpreter Proofs for λjs. their answer identical for Mozilla JS test suite* our answer Guha, Saftoiu, Krishnamurthi. ECOOP
89 banned = { 'arguments' : true, callee : true, caller : true, constructor : true, 'eval' : true, prototype : true, stack : true, unwatch : true, valueof : true, watch : true } + function reject_global(that) { if (that.window) { error(); } } + if (/url/i.test(string_check(value[i]))) { error('adsafe error.'); } and other patterns... 28
90 banned = { 'arguments' : true, callee : true, caller : true, constructor : true, 'eval' : true, prototype : true, stack : true, unwatch : true, valueof : true, watch : true } + function reject_global(that) { if (that.window) { error(); } } + if (/url/i.test(string_check(value[i]))) { error('adsafe error.'); } and other patterns can be succinctly expressed with types := Number + String + Boolean + Undefined + Null + : nodes : Array<Node> caller: prototype:... code :... proto : Object + Function + Array
91 Conclusion untypable 1.Model sandbox as a type eval e system typable wrap wrap(e) typable 2.Object types for JavaScript ( and ) := Number + String + Boolean + Undefined + Null + : proto : Object + Function + Array +... code :... arguments: caller:... JavaScript program desugar λ JS program 3.Proofs over tractable SpiderMonkey, V8, Rhino 100 LOC interpreter JavaScript semantics their answer identical for Mozilla JS test suite* our answer 29
92 Spiridon Aristides Eliopoulos Extra Slides 30
93 Unverified Code function F() {}; ADSAFE.create = typeof Object.create === 'function'? Object.create : function (o) { F.prototype = typeof o === 'object' && o? o : Object.prototype; return new F(); }; /*: (banned True) & (not_banned False) */ function reject_name(name) { return banned[name] ((typeof name!== 'number' name < 0) && (typeof name!== 'string' name.charat(0) === '_' name.slice(-1) === '_' name.charat(0) === '-')); } 31
94 Theorems 32
95 Full Type 33
A Structural Operational Semantics for JavaScript
Dept. of Computer Science, Stanford University Joint work with Sergio Maffeis and John C. Mitchell Outline 1 Motivation Web Security problem Informal and Formal Semantics Related work 2 Formal Semantics
More informationAnalysis of Security Critical APIs
Automated Encapsulation Analysis of Security Critical APIs Ankur Taly Stanford University it Joint work with John C. Mitchell, Ulfar Eli Erlingsson, Mark ks. Miller and Jasvir Nagra 5/5/2011 Stanford Security
More informationLanguage Based isolation of Untrusted JavaScript
Dept. of Computer Science, Stanford University Joint work with Sergio Maffeis (Imperial College London) and John C. Mitchell (Stanford University) Outline 1 Motivation 2 Case Study : FBJS Design Attacks
More informationFunctional JavaScript. Douglas Crockford Yahoo! Inc.
Functional JavaScript Douglas Crockford Yahoo! Inc. The World's Most Misunderstood Programming Language A language of many contrasts. The broadest range of programmer skills of any programming language.
More informationPROGRAMMING LANGUAGE SEMANTICS AS NATURAL SCIENCE
PROGRAMMING LANGUAGE SEMANTICS AS NATURAL SCIENCE THE PECULIAR, EVOLVING, AND BARELY CONSUMMATED RELATIONSHIP BETWEEN SEMANTICS AND SCRIPTING LANGUAGES Arjun Guha Joe Gibbs Politz Ben Lerner Justin Pombrio
More informationJavaScript: The Good Parts. Douglas Crockford Yahoo! Inc.
JavaScript: The Good Parts Douglas Crockford Yahoo! Inc. http://www.crockford.com/codecamp/ The World's Most Popular Programming Language The World's Most Popular Programming Language The World's Most
More informationObject Capabilities and Isolation of Untrusted Web Application
Object Capabilities and Isolation of Untrusted Web Applications Dept. of Computer Science, Stanford University Joint work with Sergio Maffeis (Imperial College London) and John C. Mitchell (Stanford University)
More informationLanguage Based isolation of Untrusted JavaScript
Dept. of Computer Science, Stanford University Joint work with Sergio Maffeis and John C. Mitchell 1 Introduction 2 Existing subsets of JavaScript: FBJS and ADsafe FBJS 08 : Attacks and Challenges ADsafe
More informationJavaScript: The Good Parts
JavaScript: The Good Parts The World's Most Misunderstood Programming Language Douglas Crockford Yahoo! Inc. A language of many contrasts. The broadest range of programmer skills of any programming language.
More informationIsolating JavaScript with Filters, Rewriting, and Wrappers
Isolating JavaScript with Filters, Rewriting, and Wrappers Sergio Maffeis 1, John C. Mitchell 2, and Ankur Taly 2 1 Imperial College London 2 Stanford University Abstract. We study methods that allow web
More informationThe Web of Confusion. Douglas Crockford Yahoo! Inc.
The Web of Confusion Douglas Crockford Yahoo! Inc. http://crockford.com/codecamp/confusion.ppt Web 2.0 Security and Privacy The problems started in 1995. We have made no progress on the fundamental problems
More informationNode.js Training JavaScript. Richard richardrodger.com
Node.js Training JavaScript Richard Rodger @rjrodger richardrodger.com richard.rodger@nearform.com A New Look at JavaScript Embracing JavaScript JavaScript Data Structures JavaScript Functions Functional
More informationA Structural Operational Semantics for JavaScript
Dept. of Computer Science, Stanford University 1 Need for a Formal Semantics? 2 Structural Operational Semantics for IMP Formalizing the program state Semantic Rules Formal properties 3 Structural Operational
More informationSTOPIFY WRESTLING CONTROL FROM WEB BROWSERS
Sam Baxter Rachit Nigam Arjun Guha Joe Politz Shriram Krishnamurthi STOPIFY WRESTLING CONTROL FROM WEB BROWSERS WEB PROGRAMMING ENVIRONMENTS 2 WEB PROGRAMMING ENVIRONMENTS 2 WEB PROGRAMMING ENVIRONMENTS
More informationINF5750. Introduction to JavaScript and Node.js
INF5750 Introduction to JavaScript and Node.js Outline Introduction to JavaScript Language basics Introduction to Node.js Tips and tools for working with JS and Node.js What is JavaScript? Built as scripting
More informationThe Essence of JavaScript
Corrected: October 3, 2015 The Essence of JavaScript Arjun Guha, Claudiu Saftoiu, and Shriram Krishnamurthi Brown University Abstract. We reduce JavaScript to a core calculus structured as a small-step
More informationThe Essence of JavaScript
The Essence of JavaScript Arjun Guha, Claudiu Saftoiu, and Shriram Krishnamurthi Brown University Abstract. We reduce JavaScript to a core calculus structured as a small-step operational semantics. We
More informationIntroduction to JavaScript p. 1 JavaScript Myths p. 2 Versions of JavaScript p. 2 Client-Side JavaScript p. 3 JavaScript in Other Contexts p.
Preface p. xiii Introduction to JavaScript p. 1 JavaScript Myths p. 2 Versions of JavaScript p. 2 Client-Side JavaScript p. 3 JavaScript in Other Contexts p. 5 Client-Side JavaScript: Executable Content
More informationJSTrace: Run-time Type Discovery for JavaScript
JSTrace: Run-time Type Discovery for JavaScript Claudiu Saftoiu May 13, 2010 Contents 1 Overview 2 2 Introduction 5 2.1 Static Type Inference.................................... 5 2.1.1 Subtyping......................................
More informationSymbols. accessor properties, attributes, creating, adding properties, 8 anonymous functions, 20, 80
Index Symbols { } (braces) for function contents, 18 and object properties, 9 == (double equals operator), 5 === (triple equals operator), 5 [ ] (square brackets) for array literals, 10 for property access,
More informationJavaScript: Sort of a Big Deal,
: Sort of a Big Deal, But Sort of Quirky... March 20, 2017 Lisp in C s Clothing (Crockford, 2001) Dynamically Typed: no static type annotations or type checks. C-Like Syntax: curly-braces, for, semicolons,
More informationSandboxing JavaScript. Lieven Desmet iminds-distrinet, KU Leuven OWASP BeNeLux Days 2012 (29/11/2012, Leuven) DistriNet
Sandboxing JavaScript Lieven Desmet iminds-distrinet, KU Leuven Lieven.Desmet@cs.kuleuven.be OWASP BeNeLux Days 2012 (29/11/2012, Leuven) DistriNet About myself Lieven Desmet @lieven_desmet Research manager
More informationLanguage-Based Isolation of Untrusted JavaScript
Language-Based Isolation of Untrusted JavaScript Sergio Maffeis 1, John C. Mitchell 2, Ankur Taly 2, 1 Department of Computing, Imperial College London 2 Department of Computer Science, Stanford University
More informationLanguage-Based Isolation of Untrusted JavaScript
Language-Based Isolation of Untrusted JavaScript Sergio Maffeis Department of Computing Imperial College London London, UK Email: maffeis@doc.ic.ac.uk Ankur Taly Department of Computer Science Stanford
More informationDOM based Angular sandbox escapes
DOM based Angular sandbox escapes About me I m a researcher at PortSwigger I love hacking JavaScript & browsers Array.from([1],alert) Follow me on twitter @garethheyes No sandbox Angular 1.0-1.1.5 didn
More informationDLint: Dynamically Checking Bad Coding Practices in JavaScript
DLint: Dynamically Checking Bad Coding Practices in JavaScript Liang Gong 1, Michael Pradel 2, Manu Sridharan 3 and Koushik Sen 1 1 UC Berkeley 2 TU Darmstadt 3 Samsung Research America Why JavaScript?
More informationClient-Side Web Technologies. JavaScript Part I
Client-Side Web Technologies JavaScript Part I JavaScript First appeared in 1996 in Netscape Navigator Main purpose was to handle input validation that was currently being done server-side Now a powerful
More informationJavaScript: the language of browser interactions. Claudia Hauff TI1506: Web and Database Technology
JavaScript: the language of browser interactions Claudia Hauff TI1506: Web and Database Technology ti1506-ewi@tudelft.nl Densest Web lecture of this course. Coding takes time. Be friendly with Codecademy
More informationJavaScript. What s wrong with JavaScript?
JavaScript 1 What s wrong with JavaScript? A very powerful language, yet Often hated Browser inconsistencies Misunderstood Developers find it painful Lagging tool support Bad name for a language! Java
More informationCS 6110 S11 Lecture 25 Typed λ-calculus 6 April 2011
CS 6110 S11 Lecture 25 Typed λ-calculus 6 April 2011 1 Introduction Type checking is a lightweight technique for proving simple properties of programs. Unlike theorem-proving techniques based on axiomatic
More information1 Introduction. 3 Syntax
CS 6110 S18 Lecture 19 Typed λ-calculus 1 Introduction Type checking is a lightweight technique for proving simple properties of programs. Unlike theorem-proving techniques based on axiomatic semantics,
More informationThe course is supplemented by numerous hands-on labs that help attendees reinforce their theoretical knowledge of the learned material.
Lincoln Land Community College Capital City Training Center 130 West Mason Springfield, IL 62702 217-782-7436 www.llcc.edu/cctc WA2442 Introduction to JavaScript Objectives This intensive training course
More informationWhy Discuss JavaScript? CS312: Programming Languages. Lecture 21: JavaScript. JavaScript Target. What s a Scripting Language?
Why Discuss JavaScript? CS312: Programming Languages Lecture 21: JavaScript Thomas Dillig JavaScript is very widely used and growing Any AJAX application heavily relies on JavaScript JavaScript also has
More informationJAVASCRIPT AND JQUERY: AN INTRODUCTION (WEB PROGRAMMING, X452.1)
Technology & Information Management Instructor: Michael Kremer, Ph.D. Class 4 Professional Program: Data Administration and Management JAVASCRIPT AND JQUERY: AN INTRODUCTION (WEB PROGRAMMING, X452.1) AGENDA
More informationCS312: Programming Languages. Lecture 21: JavaScript
CS312: Programming Languages Lecture 21: JavaScript Thomas Dillig Thomas Dillig, CS312: Programming Languages Lecture 21: JavaScript 1/25 Why Discuss JavaScript? JavaScript is very widely used and growing
More informationRun-time characteristics of JavaScript
Run-time characteristics of JavaScript http://d3s.mff.cuni.cz CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics Part I Introduction On paper An analysis of the Dynamic Behavior of the JavaScript
More informationJavaScript Introduction
JavaScript Introduction Web Technologies I. Zsolt Tóth University of Miskolc 2016 Zsolt Tóth (UM) JavaScript Introduction 2016 1 / 31 Introduction Table of Contents 1 Introduction 2 Syntax Variables Control
More informationJavascript : the language. accu2009 conference 25 th April 2009 Tony Barrett-Powell
Javascript : the language accu2009 conference 25 th April 2009 Tony Barrett-Powell Introduction Exploring aspects of the language Considering styles Procedural Object-oriented Functional Some bad parts
More informationStatic Analysis of JavaScript. Ben Hardekopf
Static Analysis of JavaScript Insights and Challenges Ben Hardekopf Department of Computer Science University of California, Santa Barbara Setting Expectations What this talk is about Brief introduction
More informationDLint: Dynamically Checking Bad Coding Practices in JavaScript
DLint: Dynamically Checking Bad Coding Practices in JavaScript Liang Gong 1, Michael Pradel 2, Manu Sridharan 3 and Koushik Sen 1 1 UC Berkeley 2 TU Darmstadt 3 Samsung Research America Why JavaScript?
More informationWeb Application Development
Web Application Development Produced by David Drohan (ddrohan@wit.ie) Department of Computing & Mathematics Waterford Institute of Technology http://www.wit.ie JavaScript JAVASCRIPT FUNDAMENTALS Agenda
More informationxbook: Redesigning Privacy Control in Social Networking Platforms
xbook: Redesigning Privacy Control in Social Networking Platforms Kapil Singh Sumeer Bhola Wenke Lee School of Computer Science Google School of Computer Science Georgia Institute of Technology sumeer@acm.org
More informationOutline. Introduction Concepts and terminology The case for static typing. Implementing a static type system Basic typing relations Adding context
Types 1 / 15 Outline Introduction Concepts and terminology The case for static typing Implementing a static type system Basic typing relations Adding context 2 / 15 Types and type errors Type: a set of
More informationJavaScript. Training Offer for JavaScript Introduction JavaScript. JavaScript Objects
JavaScript CAC Noida is an ISO 9001:2015 certified training center with professional experience that dates back to 2005. The vision is to provide professional education merging corporate culture globally
More informationSANDBOXING UNTRUSTED JAVASCRIPT
SANDBOXING UNTRUSTED JAVASCRIPT ADISSERTATION SUBMITTED TO THE DEPARTMENT OF COMPUTER SCIENCE AND THE COMMITTEE ON GRADUATE STUDIES OF STANFORD UNIVERSITY IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR
More informationJavaScript Basics. Mendel Rosenblum. CS142 Lecture Notes - JavaScript Basics
JavaScript Basics Mendel Rosenblum 1 What is JavaScript? From Wikipedia:... high-level, dynamic, untyped, and interpreted programming language... is prototype-based with first-class functions,... supporting
More informationCSC Web Programming. Introduction to JavaScript
CSC 242 - Web Programming Introduction to JavaScript JavaScript JavaScript is a client-side scripting language the code is executed by the web browser JavaScript is an embedded language it relies on its
More informationPivot: Fast, Synchronous Mashup Isolation Using Generator Chains
Pivot: Fast, Synchronous Mashup Isolation Using Generator Chains James Mickens Microsoft Research mickens@microsoft.com Abstract Pivot is a new JavaScript isolation framework for web applications. Pivot
More informationTyped Lambda Calculus. Chapter 9 Benjamin Pierce Types and Programming Languages
Typed Lambda Calculus Chapter 9 Benjamin Pierce Types and Programming Languages t ::= x x. t t t Call-by-value small step perational Semantics terms variable v ::= values abstraction x. t abstraction values
More informationJavaScript CS 4640 Programming Languages for Web Applications
JavaScript CS 4640 Programming Languages for Web Applications 1 How HTML, CSS, and JS Fit Together {css} javascript() Content layer The HTML gives the page structure and adds semantics Presentation
More informationUnderstanding and Verifying JavaScript Programs
Understanding and Verifying JavaScript Programs Philippa Gardner Imperial College London LFCS 30th Anniversary 1/31 JavaScript at Imperial Philippa Gardner José Fragoso Santos Petar Maksimović Daiva Naudˇziūnienė
More informationiwiki Documentation Release 1.0 jch
iwiki Documentation Release 1.0 jch January 31, 2014 Contents i ii Contents: Contents 1 2 Contents CHAPTER 1 Python 1.1 Python Core 1.1.1 Strings 1.1.2 Functions Argument Lists *args tuple/list **kwargs
More informationCOMP519 Web Programming Lecture 12: JavaScript (Part 3) Handouts
COMP519 Web Programming Lecture 12: JavaScript (Part 3) Handouts Ullrich Hustadt Department of Computer Science School of Electrical Engineering, Electronics, and Computer Science University of Liverpool
More informationSpring JavaScript. John Mitchell Adapted by Mooly Sagiv. Reading: links on last slide Homework 1: 18/3 17/4
Spring 2012 JavaScript John Mitchell Adapted by Mooly Sagiv Reading: links on last slide Homework 1: 18/3 17/4 Why talk about JavaScript? Very widely used, and growing Web pages, AJAX, Web 2.0 Increasing
More informationMODELING AND REASONING
MODELING AND REASONING ABOUT DOM EVENTS Benjamin Lerner, Matthew Carroll, Dan Kimmel, Hannah Quay-de la Vallee, Shriram Krishnamurthi Brown University WebApps 2012 Those pesky ads Click here and type expo!
More informationLanguage-Based Isolation of Untrusted JavaScript
Language-Based Isolation of Untrusted JavaScript Sergio Maffeis Department of Computing, Imperial College London maffeis@doc.ic.ac.uk John C. Mitchell Department of Computer Science, Stanford University
More informationFunctional Programming. Pure Functional Programming
Functional Programming Pure Functional Programming Computation is largely performed by applying functions to values. The value of an expression depends only on the values of its sub-expressions (if any).
More informationExperimental New Directions for JavaScript
Experimental New Directions for JavaScript Andreas Rossberg, V8/Google Motivation Broad need for (more) scalable JavaScript Usability, esp. maintainability Performance, esp. predictability ES6 opens up
More informationInterprocedural Type Specialization of JavaScript Programs Without Type Analysis
Interprocedural Type Specialization of JavaScript Programs Without Type Analysis Maxime Chevalier-Boisvert joint work with Marc Feeley ECOOP - July 20th, 2016 Overview Previous work: Lazy Basic Block Versioning
More informationINF 212 ANALYSIS OF PROG. LANGS FUNCTION COMPOSITION. Instructors: Crista Lopes Copyright Instructors.
INF 212 ANALYSIS OF PROG. LANGS FUNCTION COMPOSITION Instructors: Crista Lopes Copyright Instructors. Topics Recursion Higher-order functions Continuation-Passing Style Monads (take 1) Identity Monad Maybe
More informationSlimming Languages by Reducing Sugar: A Case for Semantics-Altering Transformations
Final version to appear in Onward 2015 Slimming Languages by Reducing Sugar: A Case for Semantics-Altering Transformations Junsong Li, Justin Pombrio, Joe Gibbs Politz, Shriram Krishnamurthi Brown University
More informationiframe programming with jquery jquery Summit 2011
iframe programming with jquery jquery Summit 2011 who invited this guy? name s ben strange last name work at disqus co-author, Third-party JavaScript disqus? dis cuss dĭ-skŭs' third-party commenting platform
More informationObject Capabilities and Isolation of Untrusted Web Applications
Object Capabilities and Isolation of Untrusted Web Applications Sergio Maffeis 1, John C. Mitchell 2, Ankur Taly 2, 1 Department of Computing, Imperial College London 2 Department of Computer Science,
More informationPierce Ch. 3, 8, 11, 15. Type Systems
Pierce Ch. 3, 8, 11, 15 Type Systems Goals Define the simple language of expressions A small subset of Lisp, with minor modifications Define the type system of this language Mathematical definition using
More informationjavascripts in the javascripts ffconf 2014 andy wingo
javascripts in the javascripts ffconf 2014 andy wingo the es6 circus es-discuss clownshoes C++ knife-jugglers JavaScript acrobats is coming to town building Hark, an agenda: es.next in es.now Why? How:
More informationJAVASCRIPT AND JQUERY: AN INTRODUCTION (WEB PROGRAMMING, X452.1)
Technology & Information Management Instructor: Michael Kremer, Ph.D. Class 2 Professional Program: Data Administration and Management JAVASCRIPT AND JQUERY: AN INTRODUCTION (WEB PROGRAMMING, X452.1) AGENDA
More informationPrincess Nourah bint Abdulrahman University. Computer Sciences Department
Princess Nourah bint Abdulrahman University 1 And use http://www.w3schools.com/ JavaScript Objectives Introduction to JavaScript Objects Data Variables Operators Types Functions Events 4 Why Study JavaScript?
More informationDepartment of Computer Science. Technical Report. MSc Dissertation: An investigation of JavaScript isolation mechanisms: Sandboxing implementations
Department of Computer Science Technical Report MSc Dissertation: An investigation of JavaScript isolation mechanisms: Sandboxing implementations Efthymia Viopoulou Technical Report 2014-03 October 2014
More informationMetacircular Virtual Machine Layering for Run-Time Instrumentation. Erick Lavoie, Bruno Dufour, Marc Feeley Université de Montréal ericklavoie.
Metacircular Virtual Machine Layering for Run-Time Instrumentation Erick Lavoie, Bruno Dufour, Marc Feeley Université de Montréal ericklavoie.com 1 Motivation 2 2 Context Program comprehension Benchmark
More informationLesson 4 Typed Arithmetic Typed Lambda Calculus
Lesson 4 Typed Arithmetic Typed Lambda 1/28/03 Chapters 8, 9, 10 Outline Types for Arithmetic types the typing relation safety = progress + preservation The simply typed lambda calculus Function types
More informationJavaScript. The Bad Parts. Patrick Behr
JavaScript The Bad Parts Patrick Behr History Created in 1995 by Netscape Originally called Mocha, then LiveScript, then JavaScript It s not related to Java ECMAScript is the official name Many implementations
More informationRuby: Introduction, Basics
Ruby: Introduction, Basics Computer Science and Engineering College of Engineering The Ohio State University Lecture 4 Ruby vs Java: Similarities Imperative and object-oriented Classes and instances (ie
More informationStatic Analysis for JavaScript
Static Analysis for JavaScript Adi Yoga Sidi Prabawa Supervisor: Associate Professor Chin Wei Ngan Department of Computer Science School of Computing National University of Singapore June 30, 2013 Abstract
More informationAJAX: From the Client-side with JavaScript, Back to the Server
AJAX: From the Client-side with JavaScript, Back to the Server Asynchronous server calls and related technologies CS 370 SE Practicum, Cengiz Günay (Some slides courtesy of Eugene Agichtein and the Internets)
More informationCMSC 631 Program Analysis and Understanding. Dynamic Typing, Contracts, and Gradual Typing
CMSC 631 Program Analysis and Understanding Dynamic Typing, Contracts, and Gradual Typing Static vs. Dynamic Typing Languages with Static Typing Examples: Ocaml, Java, C#, Scala, Haskell Typechecker proves
More informationINF 102 CONCEPTS OF PROG. LANGS FUNCTIONAL COMPOSITION. Instructors: James Jones Copyright Instructors.
INF 102 CONCEPTS OF PROG. LANGS FUNCTIONAL COMPOSITION Instructors: James Jones Copyright Instructors. Topics Recursion Higher-order functions Continuation-Passing Style Monads (take 1) Identity Monad
More informationRelation Overriding. Syntax and Semantics. Simple Semantic Domains. Operational Semantics
SE3E03, 2006 1.59 61 Syntax and Semantics Syntax Shape of PL constructs What are the tokens of the language? Lexical syntax, word level How are programs built from tokens? Mostly use Context-Free Grammars
More informationLambda Calculus: Implementation Techniques and a Proof. COS 441 Slides 15
Lambda Calculus: Implementation Techniques and a Proof COS 441 Slides 15 Last Time: The Lambda Calculus A language of pure functions: values e ::= x \x.e e e v ::= \x.e With a call-by-value operational
More informationCOMS W3101: SCRIPTING LANGUAGES: JAVASCRIPT (FALL 2017)
COMS W3101: SCRIPTING LANGUAGES: JAVASCRIPT (FALL 2017) RAMANA ISUKAPALLI RAMANA@CS.COLUMBIA.EDU 1 LECTURE-1 Course overview See http://www.cs.columbia.edu/~ramana Overview of HTML Formatting, headings,
More informationSample CS 142 Midterm Examination
Sample CS 142 Midterm Examination Spring Quarter 2016 You have 1.5 hours (90 minutes) for this examination; the number of points for each question indicates roughly how many minutes you should spend on
More informationLECTURE-2. Functions review HTML Forms. Arrays Exceptions Events. CS3101: Scripting Languages: Javascript Ramana Isukapalli
LECTURE-2 Functions review HTML Forms Arrays Exceptions Events 1 JAVASCRIPT FUNCTIONS, REVIEW Syntax function (params) { // code Note: Parameters do NOT have variable type. 1. Recall: Function
More informationConScript. Specifying and Enforcing Fine- Grained Security Policies for JavaScript in the Browser. Leo Meyerovich UC Berkeley
ConScript Specifying and Enforcing Fine- Grained Security Policies for JavaScript in the Browser Leo Meyerovich UC Berkeley Benjamin Livshits MicrosoD Research 2 ComplicaFons Benign but buggy: who is to
More informationExploiting unknown browsers and objects. with the Hackability inspector
Exploiting unknown browsers and objects with the Hackability inspector!1 About me U+6158 I'm a researcher at PortSwigger I hacking JavaScript 1337inalert(1) @garethheyes!2 Hackability Created to test capabilities
More informationExtending the Web Security Model with Information Flow Control
Extending the Web Security Model with Information Flow Control Deian Stefan Advised by David Herman Motivation: 3rd party libraries Password-strength checker Desired security policy: Password is not leaked
More informationDependent Types for JavaScript
Dependent Types for JavaScript Ravi Chugh Ranjit Jhala University of California, San Diego David Herman Mozilla Research Dependent Why Types for JavaScript? Pervasive Used at Massive Scale Why Add Types?
More informationJavaScript for PHP Developers
JavaScript for PHP Developers Ed Finkler @funkatron coj@funkatron.com May 18, 2010 #tekx #js4php http://joind.in/1564 What is this? 2 A practical overview of JS for the PHP developer Stop c+p'ing, start
More informationIn Praise of Metacircular Virtual Machine Layering. Erick Lavoie, Bruno Dufour, Marc Feeley Université de Montréal ericklavoie.com
In Praise of Metacircular Virtual Machine Layering Erick Lavoie, Bruno Dufour, Marc Feeley Université de Montréal ericklavoie.com Motivation 2 Context Program comprehension Benchmark generation Hybrid
More informationMutable References. Chapter 1
Chapter 1 Mutable References In the (typed or untyped) λ-calculus, or in pure functional languages, a variable is immutable in that once bound to a value as the result of a substitution, its contents never
More informationThe results for a few specific cases below are indicated. allequal ([1,1,1,1]) should return true allequal ([1,1,2,1]) should return false
Test 1 Multiple Choice. Write your answer to the LEFT of each problem. 4 points each 1. Which celebrity has not received an ACM Turing Award? A. Alan Kay B. John McCarthy C. Dennis Ritchie D. Bjarne Stroustrup
More informationAssertions, pre/postconditions
Programming as a contract Assertions, pre/postconditions Assertions: Section 4.2 in Savitch (p. 239) Specifying what each method does q Specify it in a comment before method's header Precondition q What
More informationMore Scheme CS 331. Quiz. 4. What is the length of the list (()()()())? Which element does (car (cdr (x y z))) extract from the list?
More Scheme CS 331 Quiz 1. What is (car ((2) 3 4))? (2) 2. What is (cdr ((2) (3) (4)))? ((3)(4)) 3. What is (cons 2 (2 3 4))? (2 2 3 4) 4. What is the length of the list (()()()())? 4 5. Which element
More informationComputer Science 21b (Spring Term, 2015) Structure and Interpretation of Computer Programs. Lexical addressing
Computer Science 21b (Spring Term, 2015) Structure and Interpretation of Computer Programs Lexical addressing The difference between a interpreter and a compiler is really two points on a spectrum of possible
More informationJavaScript CS 4640 Programming Languages for Web Applications
JavaScript CS 4640 Programming Languages for Web Applications 1 How HTML, CSS, and JS Fit Together {css} javascript() Content layer The HTML gives the page structure and adds semantics Presentation
More informationCOMP284 Scripting Languages Lecture 14: JavaScript (Part 1) Handouts
COMP284 Scripting Languages Lecture 14: JavaScript (Part 1) Handouts Ullrich Hustadt Department of Computer Science School of Electrical Engineering, Electronics, and Computer Science University of Liverpool
More informationCSP ODDITIES. Michele Spagnuolo Lukas Weichselbaum
ODDITIES Michele Spagnuolo Lukas Weichselbaum ABOUT US Michele Spagnuolo Lukas Weichselbaum Information Security Engineer Information Security Engineer We work in a special focus area of the Google security
More informationProgramming Languages
CSE 230: Winter 2008 Principles of Programming Languages Ocaml/HW #3 Q-A Session Push deadline = Mar 10 Session Mon 3pm? Lecture 15: Type Systems Ranjit Jhala UC San Diego Why Typed Languages? Development
More informationIdentity-based Access Control
Identity-based Access Control The kind of access control familiar from operating systems like Unix or Windows based on user identities This model originated in closed organisations ( enterprises ) like
More informationSome Facts Web 2.0/Ajax Security
/publications/notes_and_slides Some Facts Web 2.0/Ajax Security Allen I. Holub Holub Associates allen@holub.com Hackers attack bugs. The more complex the system, the more bugs it will have. The entire
More informationJavaScript Module System: Exploring the Design Space
JavaScript Module System: Exploring the Design Space Junhee Cho Sukyoung Ryu KAIST {ssaljalu, sryu.cs@kaist.ac.kr Abstract While JavaScript is one of the most widely used programming languages not only
More informationRethinking Web Platform Extensibility. Mohan Dhawan Rutgers University
Rethinking Web Platform Extensibility Mohan Dhawan Rutgers University Gateway to the World Wide Web March 13, 2013 Mohan Dhawan 2 Gateway to Web the Browser World Wide Web March 13, 2013 Mohan Dhawan 2
More information