On Contracts, Sandboxes, and Proxies for JavaScript
•
1 gostou•1,802 visualizações
October 5, 2015, 18. Kolloquium Programmiersprachen und Grundlagen der Programmierung, KPS 2015 P ̈ortschach am W ̈orthersee, O ̈sterreich
![TreatJS
Language embedded contract system for JavaScript
Enforced by run-time monitoring
Standard abstractions for higher-order-contracts (base,
function, and dependent contracts) [Findler,Felleisen’02]
Systematic blame calculation
Contract constructors generalize dependent contracts
Internal noninterference
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 2 / 14](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Recomendados
Mais conteúdo relacionado
Destaque
Semelhante a On Contracts, Sandboxes, and Proxies for JavaScript
Semelhante a On Contracts, Sandboxes, and Proxies for JavaScript (6)
Mais de Matthias Keil
Mais de Matthias Keil (6)
Último
Último (20)
On Contracts, Sandboxes, and Proxies for JavaScript
- 1. On Contracts, Sandboxes, and Proxies for JavaScript Matthias Keil, Peter Thiemann University of Freiburg, Germany October 5, 2015, 18. Kolloquium Programmiersprachen und Grundlagen der Programmierung, KPS 2015 P¨ortschach am W¨orthersee, ¨Osterreich
- 2. TreatJS Language embedded contract system for JavaScript Enforced by run-time monitoring Standard abstractions for higher-order-contracts (base, function, and dependent contracts) [Findler,Felleisen’02] Systematic blame calculation Contract constructors generalize dependent contracts Internal noninterference Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 2 / 14
- 3. Base Contract [Findler,Felleisen’02] Base Contracts are built from predicates Specified by a plain JavaScript function Base Contract function isNumber (arg) { return (typeof arg) === ’number’; }; var Number = Contract.Base(isNumber); assert(1, Number ); assert(’a’, Number ); blame the subject Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 3 / 14
- 4. Function Contract [Findler,Felleisen’02] // Number × Number → Number function plus (x, y) { return (x + y); } Function Contract var Plus = Contract.Function([ Number , Number ], Number ); var plusNumber = assert(plus, Plus ); plusNumber(1, 1); plusNumber(’a’, ’a’); blame the context Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 4 / 14
- 5. JavaScript Proxies Handler Proxy Target Shadow Meta-Level Base-Level Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14
- 6. JavaScript Proxies Handler Proxy Target Shadow proxy.x; Meta-Level Base-Level Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14
- 7. JavaScript Proxies Handler Proxy Target Shadow proxy.x; handler.get(target, ’x’, proxy); Meta-Level Base-Level Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14
- 8. JavaScript Proxies Handler Proxy Target Shadow proxy.x; handler.get(target, ’x’, proxy); target[’x’]; Meta-Level Base-Level Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14
- 9. JavaScript Proxies Handler Proxy Target Shadow proxy.x; proxy.y=1; ... handler.get(target, ’x’, proxy); handler.set(target, ’y’, 1, proxy); ... target[’x’]; target[’y’]=1; ... Meta-Level Base-Level Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14
- 10. Noninterference Noninterference The contract system should not interfere with the execution of application code. External Noninterference arises from the interaction of the contract system with the host program 1 Exceptions 2 Object equality Internal Noninterference arises from executing unrestricted code in predicates Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 6 / 14
- 11. Internal Noninterference No syntactic restrictions on predicates Predicates may try to write to data that is visible to the application Solution: Predicate evaluation takes place in a sandbox Faulty Predicate function isNumber (arg) { type = (typeof arg); return type === ’number’; }; Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 7 / 14
- 12. Internal Noninterference No syntactic restrictions on predicates Predicates may try to write to data that is visible to the application Solution: Predicate evaluation takes place in a sandbox Faulty Predicate function isNumber (arg) { type = (typeof arg); access forbidden return type === ’number’; }; Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 7 / 14
- 13. TreatJS Sandbox All contracts guarantee noninterference Read-only access is safe Predicate with Read-Access function isArray (arg) { return (arg instanceof Array); } Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 8 / 14
- 14. TreatJS Sandbox Predicate execution may violate contracts Solution: Sandbox redefines the responsibility Predicate with Read-Access function addOne (arg) { return plusNumber(arg, ’1’); blame the ? } Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 9 / 14
- 15. TreatJS Sandbox Predicate execution may violate contracts Solution: Sandbox redefines the responsibility Predicate with Read-Access function addOne (arg) { return plusNumber(arg, ’1’); blame the contract } Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 9 / 14
- 16. Sandbox Encapsulation Faulty Predicate function isNumber (arg) { type = (typeof arg); return type === ’number’; }; 1 Place a write protection on objects (e.g. this, arg) 2 Remove external bindings of functions (e.g. type) Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 10 / 14
- 17. Identity Preserving Membrane ProxyA ?ProxyB ProxyC TargetA TargetB TargetC Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14
- 18. Identity Preserving Membrane ProxyA ?ProxyB ProxyC TargetA TargetB TargetC x Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14
- 19. Identity Preserving Membrane ProxyA ?ProxyB ProxyC TargetA TargetB TargetC x x Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14
- 20. Identity Preserving Membrane ProxyA ?ProxyB ProxyC TargetA TargetB TargetC x x Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14
- 21. Identity Preserving Membrane ProxyA ?ProxyB ProxyC TargetA TargetB TargetC x y x y Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14
- 22. Identity Preserving Membrane ProxyA ?ProxyB ProxyC TargetA TargetB TargetC x z y x z y Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14
- 23. Shadow Objects Handler Proxy Target Shadow proxy.x; proxy.y=1; handler.get(target, ’x’, proxy); handler.set(target, ’y’, 1, proxy); target[’x’]; target[’y’]=1; Meta-Level Base-Level Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14
- 24. Shadow Objects Handler Proxy Target Shadow Meta-Level Base-Level Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14
- 25. Shadow Objects Handler Proxy Target Shadow proxy.x; handler.get(target, ’x’, proxy); target[’x’]; Meta-Level Base-Level Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14
- 26. Shadow Objects Handler Proxy Target Shadow proxy.x; proxy.y=1; handler.get(target, ’x’, proxy); handler.set(target, ’y’, 1, proxy); target[’x’]; shadow[’y’]=1; Meta-Level Base-Level Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14
- 27. Shadow Objects Handler Proxy Target Shadow proxy.x; proxy.y=1; proxy.y; handler.get(target, ’x’, proxy); handler.set(target, ’y’, 1, proxy); handler.get(target, ’y’, proxy); target[’x’]; shadow[’y’]=1; shadow[’y’]; Meta-Level Base-Level Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14
- 28. Function Recompilation var x = 1; function f (){ function g (y) { var z = 1; return x+y+z; } } Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 13 / 14
- 29. Function Recompilation var x = 1; function f (){ ”function g (y) { var z = 1; return x+y+z; }” } Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 13 / 14
- 30. Function Recompilation var x = 1; with(sbxglobal){ eval( ”function g (y) { var z = 1; return x+y+z; }”); } Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 13 / 14
- 31. Function Recompilation var x = 1; with(sbxglobal){ function g (y) { var z = 1; return x+y+z; } } Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 13 / 14
- 32. Conclusion TreatJS: Language embedded, dynamic, higher-order contract system for full JavaScript Guarantees noninterference Sandbox: Language embedded sandbox for full JavaScript Runs JavaScript code in isolation isolation Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 14 / 14