A Structural Operational Semantics for JavaScript

Similar documents
A Structural Operational Semantics for JavaScript

Language Based isolation of Untrusted JavaScript

Language Based isolation of Untrusted JavaScript

Object Capabilities and Isolation of Untrusted Web Application

Foundations. Yu Zhang. Acknowledgement: modified from Stanford CS242

Analysis of Security Critical APIs

Isolating JavaScript with Filters, Rewriting, and Wrappers

Language-Based Isolation of Untrusted JavaScript

Language-Based Isolation of Untrusted JavaScript

Language-Based Isolation of Untrusted JavaScript

ADsafety. Type-based Verification of JavaScript Sandboxing. Joe Gibbs Politz Spiridon Aristides Eliopoulos Arjun Guha Shriram Krishnamurthi

CS 242. Fundamentals. Reading: See last slide

SANDBOXING UNTRUSTED JAVASCRIPT

Formal Systems and their Applications

CS312: Programming Languages. Lecture 21: JavaScript

Why Discuss JavaScript? CS312: Programming Languages. Lecture 21: JavaScript. JavaScript Target. What s a Scripting Language?

Programming Languages Third Edition

JavaScript. Training Offer for JavaScript Introduction JavaScript. JavaScript Objects

Client-Side Web Technologies. JavaScript Part I

CONVENTIONAL EXECUTABLE SEMANTICS. Grigore Rosu CS522 Programming Language Semantics

CS558 Programming Languages

Semantic Analysis. Outline. The role of semantic analysis in a compiler. Scope. Types. Where we are. The Compiler Front-End

CONVENTIONAL EXECUTABLE SEMANTICS. Grigore Rosu CS422 Programming Language Semantics

1 Introduction. 3 Syntax

The role of semantic analysis in a compiler

Outline. Introduction Concepts and terminology The case for static typing. Implementing a static type system Basic typing relations Adding context

3.4 Deduction and Evaluation: Tools Conditional-Equational Logic

JavaScript: Features, Trends, and Static Analysis

Pierce Ch. 3, 8, 11, 15. Type Systems

Formal Syntax and Semantics of Programming Languages

Formal Syntax and Semantics of Programming Languages

Object Capabilities and Isolation of Untrusted Web Applications

INF5750. Introduction to JavaScript and Node.js

JAVASCRIPT AND JQUERY: AN INTRODUCTION (WEB PROGRAMMING, X452.1)

Semantic Analysis. Outline. The role of semantic analysis in a compiler. Scope. Types. Where we are. The Compiler so far

Qualifying Exam in Programming Languages and Compilers

Lecture 2: SML Basics

Understanding and Verifying JavaScript Programs

Static Analysis of JavaScript. Ben Hardekopf

A Small Interpreted Language

The Web of Confusion. Douglas Crockford Yahoo! Inc.

JavaScript for PHP Developers

Softwaretechnik. Lecture 03: Types and Type Soundness. Peter Thiemann. University of Freiburg, Germany SS 2008

Denotational Semantics. Domain Theory

Static Program Analysis Part 1 the TIP language

CS 6110 S11 Lecture 25 Typed λ-calculus 6 April 2011

The Rule of Constancy(Derived Frame Rule)

Spring JavaScript. John Mitchell Adapted by Mooly Sagiv. Reading: links on last slide Homework 1: 18/3 17/4

CSCC24 Functional Programming Scheme Part 2

Lecture 7: Type Systems and Symbol Tables. CS 540 George Mason University

Operational Semantics 1 / 13

Lectures 20, 21: Axiomatic Semantics

ECMAScript 2015 and beyond The Future of JavaScript is Now!

Application: Programming Language Semantics

Lambda Calculus: Implementation Techniques and a Proof. COS 441 Slides 15

An Annotated Language

Main Goal. Language-independent program verification framework. Derive program properties from operational semantics

Compilers. Type checking. Yannis Smaragdakis, U. Athens (original slides by Sam

CONVENTIONAL EXECUTABLE SEMANTICS. Grigore Rosu CS422 Programming Language Design

Computing Fundamentals 2 Introduction to CafeOBJ

3.7 Denotational Semantics

Hoare Logic and Model Checking

More on Operational Semantics

Types for References, Exceptions and Continuations. Review of Subtyping. Γ e:τ τ <:σ Γ e:σ. Annoucements. How s the midterm going?

From Hoare Logic to Matching Logic Reachability. Grigore Rosu and Andrei Stefanescu University of Illinois, USA

An Extensible Programming Language for Verified Systems Software. Adam Chlipala MIT CSAIL WG 2.16 meeting, 2012

Hoare logic. WHILE p, a language with pointers. Introduction. Syntax of WHILE p. Lecture 5: Introduction to separation logic

Theorem proving. PVS theorem prover. Hoare style verification PVS. More on embeddings. What if. Abhik Roychoudhury CS 6214

Semantic Analysis. Lecture 9. February 7, 2018

JavaScript: Sort of a Big Deal,

Proving Properties on Programs From the Coq Tutorial at ITP 2015

Compilers. 8. Run-time Support. Laszlo Böszörmenyi Compilers Run-time - 1

Hoare logic. Lecture 5: Introduction to separation logic. Jean Pichon-Pharabod University of Cambridge. CST Part II 2017/18

Introduction to Axiomatic Semantics (1/2)

Mutable References. Chapter 1

JavaScript CS 4640 Programming Languages for Web Applications

CSC 501 Semantics of Programming Languages

Reasoning About Imperative Programs. COS 441 Slides 10

Node.js Training JavaScript. Richard richardrodger.com

SCHOOL: a Small Chorded Object-Oriented Language

Towards a Program Logic for JavaScript

Type Checking in COOL (II) Lecture 10

Introduction to Axiomatic Semantics (1/2)

From IMP to Java. Andreas Lochbihler. parts based on work by Gerwin Klein and Tobias Nipkow ETH Zurich

G Programming Languages - Fall 2012

Handout 9: Imperative Programs and State

Propositional Logic Formal Syntax and Semantics. Computability and Logic

Certified Memory Usage Analysis

JAVASCRIPT AND JQUERY: AN INTRODUCTION (WEB PROGRAMMING, X452.1)

CS558 Programming Languages. Winter 2013 Lecture 3

An Introduction to ProofPower

HOL DEFINING HIGHER ORDER LOGIC LAST TIME ON HOL CONTENT. Slide 3. Slide 1. Slide 4. Slide 2 WHAT IS HIGHER ORDER LOGIC? 2 LAST TIME ON HOL 1

The Eval that Men Do

1. true / false By a compiler we mean a program that translates to code that will run natively on some machine.

Control in Sequential Languages

Static Semantics. Winter /3/ Hal Perkins & UW CSE I-1

Programming Languages Third Edition. Chapter 7 Basic Semantics

Comp 411 Principles of Programming Languages Lecture 7 Meta-interpreters. Corky Cartwright January 26, 2018

ECMAScript 2015 The Future of JavaScript is Now!

JavaScript Doesn't Have to Hurt: Techniques, Tools and Frameworks to Ease JavaScript Development

Transcription:

Dept. of Computer Science, Stanford University Joint work with Sergio Maffeis and John C. Mitchell

Outline 1 Motivation Web Security problem Informal and Formal Semantics Related work 2 Formal Semantics for JavaScript (ECMA262-3) Syntax Main features Semantic rules 3 Formal Properties 4 Conclusions and Future work

JavaScript Widely used web programming language. History : Developed by Brendan Eich at Netscape. Standardized for Browser Compatability : ECMAScript 262-edition 3 Interesting and unusual features First class functions Prototype based language Powerful modification capabilities : can convert string to code (eval), can redefine object methods! Very important to fully understand the Semantics so as to reason about the security properties of programs written in it.

Big Picture Figure: Trusted and Untrusted code Many websites include untrusted JavaScript content: Third party advertisements Social Networking sites : User written applications Web Mashups Isolation Goal Allow untrusted code to perform valuable interactions at the same time prevent intrusion and malicious damage.

Real World Example Figure: Web Mashup

Formulating the Problem Static Analysis Problem Given an untrusted JavaScript program P and a Heap H (corresponding to the trusted page), determine if P accesses any security critical portions of the Heap. Very hard problem to solve for whole of JavaScript as all code that gets executed may not appear textually! Example : var m = tostring=func ; var n = tion(){return undefined}; ; eval(m + n); Simplification : Solve the above problem for subsets of JavaScript that are more amenable to static analysis. First step Define a Formal semantics for complete JavaScript

Formulating the Problem Static Analysis Problem Given an untrusted JavaScript program P and a Heap H (corresponding to the trusted page), determine if P accesses any security critical portions of the Heap. Very hard problem to solve for whole of JavaScript as all code that gets executed may not appear textually! Example : var m = tostring=func ; var n = tion(){return undefined}; ; eval(m + n); Simplification : Solve the above problem for subsets of JavaScript that are more amenable to static analysis. First step Define a Formal semantics for complete JavaScript

Informal Semantics ECMA262-3 specification manual - currently in its third edition. Sufficient for understanding the language but insufficient for rigorously proving properties about the language. Prove or Disprove : For all terms t, the execution of t only depends on the values of the variables appearing in t. Example : Meaning[x = x + 10] only depend on value of x? in C? Yes in JavaScript?

Example var y = a ; var x = {tostring : function(){ return y;}} x = x + 10; js> a10 Implicit type conversion of an object to a string in JavaScript involves calling the tostring function. Informal semantics fail to emphasize such examples.

Formal Semantics Specify meaning in a Mathematically rigorous way. Provides a framework for proving properties of the kind mentioned on the previous slide. Our Goal Convert Informal semantics(ecma262-3) into a Formal semantics. (Done! This talk) Analyze existing safe subsets of JavaScript and formally prove the security properties that they entail. (Ongoing work) The very act of formalization revealed subtle aspects of the language.

Related work Giannini et al (ECOOP 05), Thiemann (ESOP 05) Formalized a small (but non-trivial) subset of JavaScript Provided a static type system but substantially simplified the semantics. We found examples of programs that are well-typed according to these simplified semantics but ill-typed according to the complete semantics and vice versa. Our Contribution : A Structural Operational semantics for complete ECMA standard language. Advantages: Ability to analyze semantics of arbitrary JavaScript code. Gives us a more systematic way of designing the subsets, parametric on the desired security properties.

Related work Giannini et al (ECOOP 05), Thiemann (ESOP 05) Formalized a small (but non-trivial) subset of JavaScript Provided a static type system but substantially simplified the semantics. We found examples of programs that are well-typed according to these simplified semantics but ill-typed according to the complete semantics and vice versa. Our Contribution : A Structural Operational semantics for complete ECMA standard language. Advantages: Ability to analyze semantics of arbitrary JavaScript code. Gives us a more systematic way of designing the subsets, parametric on the desired security properties.

Outline 1 Motivation Web Security problem Informal and Formal Semantics Related work 2 Formal Semantics for JavaScript (ECMA262-3) Syntax Main features Semantic rules 3 Formal Properties 4 Conclusions and Future work

Structural Operational Semantics (Gordon Plotkin) Meaning of a program sequence of actions that are taken during its execution. Specify sequence of actions as transitions of an Abstract State machine States corresponds to Term being evaluated Abstract description of memory and other data structures involved in computation. A state transition denotes a partial evaluation of the term. Specify the transitions in a syntax oriented manner using the inductive nature of the abstract syntax.

Basic JavaScript Syntax Syntax According to ECMA 2.62 : Expressions (e) :: this x e OP e e(e ) new e(e )... Statement (s) :: "s*" if (e) s else s while (e) s with (e) s... Programs (P) :: s P fd P Function Decl (fd) :: function x (x ){ P } Observation Observe that according to the spec, declaring a function inside an if block is a syntax error! However this allowed in all browsers

Basic JavaScript Syntax Syntax According to ECMA 2.62 : Expressions (e) :: this x e OP e e(e ) new e(e )... Statement (s) :: "s*" if (e) s else s while (e) s with (e) s... Programs (P) :: s P fd P Function Decl (fd) :: function x (x ){ P } Observation Observe that according to the spec, declaring a function inside an if block is a syntax error! However this allowed in all browsers

JavaScript : Key Features Everything (including functions) is either an object or a primitive value. Activation records are normal JavaScript objects and the variable declarations are properties of this object. All computation happens inside a global object which is also the initial activation object. Instead of a stack of activation records, there is a chain of activation records, which is called the scope chain. Arbitrary objects can be placed over the scope chain - with(e) s construct.

JavaScript : Subtle Features Example 2 var f = function(){if (true) {function g() { return 1;}; } else {function g() { return 2;};} var g = function() { return 3;} return g(); function g(){ return 4;}} var result = f(); What is the final value of result?

JavaScript : Subtle Features Example 2 var f = function(){if (true) {function g() { return 1;}; } else {function g() { return 2;};} var g = function() { return 3;} return g(); function g(){ return 4;}} var result = f(); What is the final value of result? result = 2 (according to ECMA262-3) Function body is parsed to process all variable declarations before the function call is executed! Different implementations chose different declarations : Mozilla Spidermonkey : 4, Safari : 1!

Formal Semantics : Program state State All objects are passed by reference The store must have information about Heap locations. Variables have different values in different scopes State must include info about current scope. Program state is represented as a triple H, l, t. H : Denotes the Heap, mapping from the set of locations(l) to objects. l : Location of the current scope object (or current activation record). t : Term being evaluated.

Semantic Rules e Three semantic functions,, for expressions, statements and programs. Small step transitions : A semantic function transforms one state to another if certain conditions (premise) are true. General form : Premise S t S Atomic Transitions : Rules which do have another transition in their premise Context rules : Rules to apply atomic transitions in presence of certain specific contexts. s P

Heap and Heap Reachability Graph Figure: Heap and its reachability graph Heap Reachability Graph : Heap addresses are the nodes. An edge from l i to l j, if the object at address l i has property p pointing to l j.

Scope and Prototype lookup Figure: Scope and Prototype lookup Every scope chain has the global object at its base. Every prototype chain has Object.prototype at the top, which is a native object containing predefined functions such as tostring, hasownproperty etc.

Scope lookup : Rules ECMA 2.62 (essence): 1 Get the next object (l) in the scope chain. If there isn t one, goto 4. 2 If l HasProperty x, return a reference type l* x. 3 Else, goto 1 4 Return null*x. Scope(H, l, x ) = ln H, l, x e H, l, ln x HasProperty(H, l, m) Scope(H, l, m) = l (HasProperty(H, l, m)) H(l).@Scope = ln Scope(H, l, m) = Scope(H, ln, m) Scope(H, null, m) = null

Prototype lookup : Rules ECMA 2.62 : 1 If base type is null, throw a ReferenceError exception. 2 Else, Call the Get method, passing prop name(x) and base type l as arguments. 3 Return result(2). H 2, l excp = alloc(h, o) o = newnativeerr(, #RefErrProt) H, l, (null m) e H 2, l, l excp Get(H, l, m) = va H, l, ln m e H, l, va HasOwnProperty(H, l, m) Dot(H, l, m) = va Get(H, l, m) = va (HasOwnProperty(H, l, m)) H(l).@prototype = lp Get(H, l, m) = Get(H, lp, m)

Exceptions When an intermediate step gives an exception, stop further evaluation and throw the exception to the top level. Example : Stop evaluation of a 2. H, l, a 0 H, l, l excp H, l, a 0 + a 1 H, l, l excp + a 1 Use context based reduction rules (Felleisen) Context Rule for Exceptions H, l, ec[ l excp ] H, l, l excp where ec ::= ec OP e va OP ec ec[e]...

Exceptions When an intermediate step gives an exception, stop further evaluation and throw the exception to the top level. Example : Stop evaluation of a 2. H, l, a 0 H, l, l excp H, l, a 0 + a 1 H, l, l excp + a 1 Use context based reduction rules (Felleisen) Context Rule for Exceptions H, l, ec[ l excp ] H, l, l excp where ec ::= ec OP e va OP ec ec[e]...

With statement With statement allows arbitrary objects to be placed on top of the scope chain. Example : var a = 5; var o = {a:10} with(o){ a; } > 10 A simple rule for with is : H, l, with(l new )s s H, l new, s Is the above rule correct? Observe that once with completes, we need to restore the old scope back!

Continuation as contexts We create a new context $with(l, ). The new rule is H, l, with(l new )s s H, l new, $with(l, s) Then we have separate context rules. H, l, s s H, l, s H, l, $with(l old, s) s [With s] H, l, $with(l old, s ) H, l, s s H, l, val H, l, $with(l old, s) s [With end] H, l old, val

Summary We developed an operational semantics for the entire ECMA 2.62 language. Complete set of rules (in ASCII) span 70 pages. Semantics does not cover features beyond ECMA 2.62, like setters/getters etc, which are present in various browsers. We do not model interaction with the Document Object Model (DOM) of web browsers. The entire exercise also led to the discovery of several inconsistencies in the various browsers.

Outline 1 Motivation Web Security problem Informal and Formal Semantics Related work 2 Formal Semantics for JavaScript (ECMA262-3) Syntax Main features Semantic rules 3 Formal Properties 4 Conclusions and Future work

Formal Analysis Contributions : Progress/Preservation Theorem Evaluation of a state is never stuck, and always progresses to a next state or a value or an exception. Essential for any subsequent formal analysis to make sense Heap Reachability Theorem Characterizing the reachable portion of the Heap Showing that evaluation of a state does not depend on anything outside the reachable portion. First step towards solving the static analysis problem of determining if a program can potentially access any security-critical portions.

Soundness Notations and Definitions : Wf ( H, l, t ) : Predicate denoting well-formedness of state ( H, l, t ) G(H) : Heap reachability graph of H. Theorem Progress : Wf (S) S is not a terminal state ( S : S S ) Proof Idea : Induction over the structure of terms. Preservation : Wf (S) S S Wf (S ). Proof Idea : Induction over the rules.

Heap Reachability Set of root addresses : ( H 0, l 0, t 0 ) = {l l t 0 } {l 0 } item view H (l) : Subgraph of the Heap reachability graph consisting only of nodes reachable from l. Theorem Evaluation of a state S = H, l, t only depends on the Heap addresses corresponding to nodes reachable from the set of root nodes in the Heap reachability graph..

Proof Idea Consider any two states S 1 and S 2. Define S 1 S 2 iff There exists a heap address renaming function f : dom(h) L. Theorem (S 1 ) = f ( (S 2 )). For all l (S 1 ), view H1 (l) = view f (H2 )(l) S 1 S 2 S 1 S 1 S 2. S 2 S 2 S 1 S 2. Proof Idea: Induction over the set of rules.

Garbage Collector for JavaScript Immediate Consequence of Reachability theorem. Mark and sweep garbage collector : For a particular state S, Garbage collect all heap addresses not reachable from (S) in the heap reachability graph. By Reachability theorem, the semantics of S is preserved during garbage collection.

A glimpse of Ongoing work Central Problem : Design safe subset of JavaScript more amenable to static analysis. Main Idea Filtering Syntactic subset. Example : Forbid use of evil constructs like eval, Function, e[e] etc Rewriting Semantic subset. Example : Rename all identifiers appearing in the program to separate out the namespace of untrusted code.

A glimpse of Ongoing work Breakdown central problem into designing subsets with certain language properties Design a subset of JavaScript such that for all programs in that subset, every property name that is accessed appears textually in the code. Design a subset of JavaScript such that the semantics of any program in that subset does not change under renaming of identifiers.... Starting point for systematically designing and proving the desired language property for each of these subsets is the formal semantics for entire JavaScript.

ADSafe (Douglas Crockford) ADSafe is a solution proposed by Yahoo for controlling the interaction between the trusted and untrusted code. Basic Idea : 1 Represents a safe subset of JavaScript. 2 Wraps untrusted code inside a safe object called ADSafe object. 3 All interaction with the trusted code happens only using the methods in the ADSafe object. 4 Untrusted code can be statically checked to ensure that it only calls methods of the ADSafe object (Tool : JSLint). More information on http:www.adsafe.org

Challenges and Issues Consider the following property : All interaction with the trusted code happens only using the methods in the ADSafe object. Is this achievable? Consider the following code : var o = {a:10}; var arr = [10,11]; arr[o]; This function implicitly calls Object.prototype.toString, which is a function defined in the trusted space. What if tostring in turn leaks out pointer to global object? Conclusion Besides the untrusted code, ADSafe has to impose restrictions on the native functions and objects present in the trusted space.

Challenges and Issues Consider the following property : All interaction with the trusted code happens only using the methods in the ADSafe object. Is this achievable? Consider the following code : var o = {a:10}; var arr = [10,11]; arr[o]; This function implicitly calls Object.prototype.toString, which is a function defined in the trusted space. What if tostring in turn leaks out pointer to global object? Conclusion Besides the untrusted code, ADSafe has to impose restrictions on the native functions and objects present in the trusted space.

Conclusions and Future work Conclusions : First step towards formal analysis of whole of JavaScript. We have formalized the entire ECMA 2.62 language. Complete set of rules (in ASCII) span 70 pages. Prove basic soundness properties like progress and preservation for the semantics and the fact that JavaScriptis garbage collectible. Future Work : Add features like setters/getters (not present in ECMA 2.62) and formalize interaction with DOM. Encode the semantics in a machine readable format. Apply the semantics for security analysis of safe fragments of JavaScript such as AdSafe (Yahoo!), FBJS (FaceBook).

Conclusions and Future work Conclusions : First step towards formal analysis of whole of JavaScript. We have formalized the entire ECMA 2.62 language. Complete set of rules (in ASCII) span 70 pages. Prove basic soundness properties like progress and preservation for the semantics and the fact that JavaScriptis garbage collectible. Future Work : Add features like setters/getters (not present in ECMA 2.62) and formalize interaction with DOM. Encode the semantics in a machine readable format. Apply the semantics for security analysis of safe fragments of JavaScript such as AdSafe (Yahoo!), FBJS (FaceBook).

Thank You!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback