TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
On Contracts, Sandboxes, and Proxies for JavaScript
1. On Contracts, Sandboxes,
and Proxies for JavaScript
Matthias Keil, Peter Thiemann
University of Freiburg, Germany
October 5, 2015, 18. Kolloquium Programmiersprachen und Grundlagen der Programmierung, KPS 2015
P¨ortschach am W¨orthersee, ¨Osterreich
2. TreatJS
Language embedded contract system for JavaScript
Enforced by run-time monitoring
Standard abstractions for higher-order-contracts (base,
function, and dependent contracts) [Findler,Felleisen’02]
Systematic blame calculation
Contract constructors generalize dependent contracts
Internal noninterference
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 2 / 14
3. Base Contract [Findler,Felleisen’02]
Base Contracts are built from predicates
Specified by a plain JavaScript function
Base Contract
function isNumber (arg) {
return (typeof arg) === ’number’;
};
var Number = Contract.Base(isNumber);
assert(1, Number );
assert(’a’, Number ); blame the subject
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 3 / 14
4. Function Contract [Findler,Felleisen’02]
// Number × Number → Number
function plus (x, y) {
return (x + y);
}
Function Contract
var Plus = Contract.Function([ Number , Number ],
Number );
var plusNumber = assert(plus, Plus );
plusNumber(1, 1);
plusNumber(’a’, ’a’); blame the context
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 4 / 14
5. JavaScript Proxies
Handler
Proxy Target Shadow
Meta-Level
Base-Level
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14
6. JavaScript Proxies
Handler
Proxy Target Shadow
proxy.x;
Meta-Level
Base-Level
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14
7. JavaScript Proxies
Handler
Proxy Target Shadow
proxy.x;
handler.get(target, ’x’, proxy);
Meta-Level
Base-Level
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14
8. JavaScript Proxies
Handler
Proxy Target Shadow
proxy.x;
handler.get(target, ’x’, proxy);
target[’x’];
Meta-Level
Base-Level
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14
9. JavaScript Proxies
Handler
Proxy Target Shadow
proxy.x;
proxy.y=1;
...
handler.get(target, ’x’, proxy);
handler.set(target, ’y’, 1, proxy);
...
target[’x’];
target[’y’]=1;
...
Meta-Level
Base-Level
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14
10. Noninterference
Noninterference
The contract system should not interfere with the execution of
application code.
External Noninterference arises from the interaction of the
contract system with the host program
1 Exceptions
2 Object equality
Internal Noninterference arises from executing unrestricted
code in predicates
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 6 / 14
11. Internal Noninterference
No syntactic restrictions on predicates
Predicates may try to write to data that is visible to the
application
Solution: Predicate evaluation takes place in a sandbox
Faulty Predicate
function isNumber (arg) {
type = (typeof arg);
return type === ’number’;
};
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 7 / 14
12. Internal Noninterference
No syntactic restrictions on predicates
Predicates may try to write to data that is visible to the
application
Solution: Predicate evaluation takes place in a sandbox
Faulty Predicate
function isNumber (arg) {
type = (typeof arg); access forbidden
return type === ’number’;
};
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 7 / 14
13. TreatJS Sandbox
All contracts guarantee noninterference
Read-only access is safe
Predicate with Read-Access
function isArray (arg) {
return (arg instanceof Array);
}
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 8 / 14
14. TreatJS Sandbox
Predicate execution may violate contracts
Solution: Sandbox redefines the responsibility
Predicate with Read-Access
function addOne (arg) {
return plusNumber(arg, ’1’); blame the ?
}
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 9 / 14
15. TreatJS Sandbox
Predicate execution may violate contracts
Solution: Sandbox redefines the responsibility
Predicate with Read-Access
function addOne (arg) {
return plusNumber(arg, ’1’); blame the contract
}
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 9 / 14
16. Sandbox Encapsulation
Faulty Predicate
function isNumber (arg) {
type = (typeof arg);
return type === ’number’;
};
1 Place a write protection on objects (e.g. this, arg)
2 Remove external bindings of functions (e.g. type)
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 10 / 14
23. Shadow Objects
Handler
Proxy Target Shadow
proxy.x;
proxy.y=1;
handler.get(target, ’x’, proxy);
handler.set(target, ’y’, 1, proxy);
target[’x’];
target[’y’]=1;
Meta-Level
Base-Level
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14
24. Shadow Objects
Handler
Proxy Target Shadow
Meta-Level
Base-Level
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14
25. Shadow Objects
Handler
Proxy Target Shadow
proxy.x;
handler.get(target, ’x’, proxy);
target[’x’];
Meta-Level
Base-Level
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14
26. Shadow Objects
Handler
Proxy Target Shadow
proxy.x;
proxy.y=1;
handler.get(target, ’x’, proxy);
handler.set(target, ’y’, 1, proxy);
target[’x’]; shadow[’y’]=1;
Meta-Level
Base-Level
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14
27. Shadow Objects
Handler
Proxy Target Shadow
proxy.x;
proxy.y=1;
proxy.y;
handler.get(target, ’x’, proxy);
handler.set(target, ’y’, 1, proxy);
handler.get(target, ’y’, proxy);
target[’x’]; shadow[’y’]=1;
shadow[’y’];
Meta-Level
Base-Level
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14
28. Function Recompilation
var x = 1;
function f (){
function g (y) {
var z = 1;
return x+y+z;
}
}
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 13 / 14
29. Function Recompilation
var x = 1;
function f (){
”function g (y) {
var z = 1;
return x+y+z;
}”
}
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 13 / 14
30. Function Recompilation
var x = 1;
with(sbxglobal){
eval( ”function g (y) {
var z = 1;
return x+y+z;
}”);
}
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 13 / 14
31. Function Recompilation
var x = 1;
with(sbxglobal){
function g (y) {
var z = 1;
return x+y+z;
}
}
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 13 / 14
32. Conclusion
TreatJS:
Language embedded, dynamic, higher-order contract system
for full JavaScript
Guarantees noninterference
Sandbox:
Language embedded sandbox for full JavaScript
Runs JavaScript code in isolation isolation
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 14 / 14