TxBox : Building Secure, Efficient Sandboxes with System Transactions
On Contracts, Sandboxes, and Proxies for JavaScript
-
Upload
matthias-keil -
Category
Technology
-
view
1.695 -
download
0
Transcript of On Contracts, Sandboxes, and Proxies for JavaScript
![Page 1: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/1.jpg)
On Contracts, Sandboxes,and Proxies for JavaScript
Matthias Keil, Peter ThiemannUniversity of Freiburg, Germany
October 5, 2015, 18. Kolloquium Programmiersprachen und Grundlagen der Programmierung, KPS 2015Portschach am Worthersee, Osterreich
![Page 2: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/2.jpg)
TreatJS
Language embedded contract system for JavaScript
Enforced by run-time monitoring
Standard abstractions for higher-order-contracts (base,function, and dependent contracts) [Findler,Felleisen’02]
Systematic blame calculation
Contract constructors generalize dependent contracts
Internal noninterference
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 2 / 14
![Page 3: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/3.jpg)
Base Contract [Findler,Felleisen’02]
Base Contracts are built from predicates
Specified by a plain JavaScript function
Base Contract
function isNumber (arg) {return (typeof arg) === ’number’;};var Number = Contract.Base(isNumber);
assert(1, Number ); 3
assert(’a’, Number ); 7 blame the subject
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 3 / 14
![Page 4: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/4.jpg)
Function Contract [Findler,Felleisen’02]
// Number × Number → Numberfunction plus (x, y) {return (x + y);}
Function Contract
var Plus = Contract.Function([ Number , Number ],Number );
var plusNumber = assert(plus, Plus );
plusNumber(1, 1); 3
plusNumber(’a’, ’a’); 7 blame the context
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 4 / 14
![Page 5: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/5.jpg)
JavaScript Proxies
Handler
Proxy Target Shadow
proxy.x;proxy.y=1;...
handler.get(target, ’x’, proxy);handler.set(target, ’y’, 1, proxy);...
target[’x’];target[’y’]=1;...
Meta-Level
Base-Level
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14
![Page 6: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/6.jpg)
JavaScript Proxies
Handler
Proxy Target Shadow
proxy.x;
proxy.y=1;...
handler.get(target, ’x’, proxy);handler.set(target, ’y’, 1, proxy);...
target[’x’];target[’y’]=1;...
Meta-Level
Base-Level
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14
![Page 7: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/7.jpg)
JavaScript Proxies
Handler
Proxy Target Shadow
proxy.x;
proxy.y=1;...
handler.get(target, ’x’, proxy);
handler.set(target, ’y’, 1, proxy);...
target[’x’];target[’y’]=1;...
Meta-Level
Base-Level
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14
![Page 8: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/8.jpg)
JavaScript Proxies
Handler
Proxy Target Shadow
proxy.x;
proxy.y=1;...
handler.get(target, ’x’, proxy);
handler.set(target, ’y’, 1, proxy);...
target[’x’];
target[’y’]=1;...
Meta-Level
Base-Level
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14
![Page 9: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/9.jpg)
JavaScript Proxies
Handler
Proxy Target Shadow
proxy.x;proxy.y=1;...
handler.get(target, ’x’, proxy);handler.set(target, ’y’, 1, proxy);...
target[’x’];target[’y’]=1;...
Meta-Level
Base-Level
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14
![Page 10: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/10.jpg)
Noninterference
Noninterference
The contract system should not interfere with the execution ofapplication code.
External Noninterference arises from the interaction of thecontract system with the host program
1 Exceptions2 Object equality
Internal Noninterference arises from executing unrestrictedcode in predicates
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 6 / 14
![Page 11: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/11.jpg)
Internal Noninterference
No syntactic restrictions on predicates
Predicates may try to write to data that is visible to theapplication
Solution: Predicate evaluation takes place in a sandbox
Faulty Predicate
function isNumber (arg) {type = (typeof arg);return type === ’number’;};
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 7 / 14
![Page 12: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/12.jpg)
Internal Noninterference
No syntactic restrictions on predicates
Predicates may try to write to data that is visible to theapplication
Solution: Predicate evaluation takes place in a sandbox
Faulty Predicate
function isNumber (arg) {type = (typeof arg); 7 access forbiddenreturn type === ’number’;};
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 7 / 14
![Page 13: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/13.jpg)
TreatJS Sandbox
All contracts guarantee noninterference
Read-only access is safe
Predicate with Read-Access
function isArray (arg) {return (arg instanceof Array); 3
}
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 8 / 14
![Page 14: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/14.jpg)
TreatJS Sandbox
Predicate execution may violate contracts
Solution: Sandbox redefines the responsibility
Predicate with Read-Access
function addOne (arg) {return plusNumber(arg, ’1’); 7 blame the ?}
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 9 / 14
![Page 15: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/15.jpg)
TreatJS Sandbox
Predicate execution may violate contracts
Solution: Sandbox redefines the responsibility
Predicate with Read-Access
function addOne (arg) {return plusNumber(arg, ’1’); 7 blame the contract}
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 9 / 14
![Page 16: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/16.jpg)
Sandbox Encapsulation
Faulty Predicate
function isNumber (arg) {type = (typeof arg);return type === ’number’;};
1 Place a write protection on objects (e.g. this, arg)
2 Remove external bindings of functions (e.g. type)
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 10 / 14
![Page 17: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/17.jpg)
Identity Preserving Membrane
ProxyA
?ProxyB
ProxyC
TargetA
TargetB
TargetC
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14
![Page 18: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/18.jpg)
Identity Preserving Membrane
ProxyA
?ProxyB
ProxyC
TargetA
TargetB
TargetC
x
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14
![Page 19: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/19.jpg)
Identity Preserving Membrane
ProxyA
?ProxyB
ProxyC
TargetA
TargetB
TargetC
x x
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14
![Page 20: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/20.jpg)
Identity Preserving Membrane
ProxyA
?ProxyB
ProxyC
TargetA
TargetB
TargetC
x x
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14
![Page 21: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/21.jpg)
Identity Preserving Membrane
ProxyA
?ProxyB
ProxyC
TargetA
TargetB
TargetC
x
y
x
y
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14
![Page 22: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/22.jpg)
Identity Preserving Membrane
ProxyA
?ProxyB
ProxyC
TargetA
TargetB
TargetC
x
z
y
x
z
y
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14
![Page 23: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/23.jpg)
Shadow Objects
Handler
Proxy Target Shadow
proxy.x;proxy.y=1;
handler.get(target, ’x’, proxy);handler.set(target, ’y’, 1, proxy);
target[’x’];target[’y’]=1;
Meta-Level
Base-Level
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14
![Page 24: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/24.jpg)
Shadow Objects
Handler
Proxy Target Shadow
proxy.x;proxy.y=1;proxy.y;
handler.get(target, ’x’, proxy);handler.set(target, ’y’, 1, proxy);handler.get(target, ’y’, proxy);
target[’x’]; shadow[’y’]=1;shadow[’y’];
Meta-Level
Base-Level
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14
![Page 25: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/25.jpg)
Shadow Objects
Handler
Proxy Target Shadow
proxy.x;
proxy.y=1;proxy.y;
handler.get(target, ’x’, proxy);
handler.set(target, ’y’, 1, proxy);handler.get(target, ’y’, proxy);
target[’x’];
shadow[’y’]=1;shadow[’y’];
Meta-Level
Base-Level
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14
![Page 26: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/26.jpg)
Shadow Objects
Handler
Proxy Target Shadow
proxy.x;proxy.y=1;
proxy.y;
handler.get(target, ’x’, proxy);handler.set(target, ’y’, 1, proxy);
handler.get(target, ’y’, proxy);
target[’x’]; shadow[’y’]=1;
shadow[’y’];
Meta-Level
Base-Level
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14
![Page 27: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/27.jpg)
Shadow Objects
Handler
Proxy Target Shadow
proxy.x;proxy.y=1;proxy.y;
handler.get(target, ’x’, proxy);handler.set(target, ’y’, 1, proxy);handler.get(target, ’y’, proxy);
target[’x’]; shadow[’y’]=1;shadow[’y’];
Meta-Level
Base-Level
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14
![Page 28: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/28.jpg)
Function Recompilation
var x = 1;
function f (){
function g (y) {var z = 1;return x+y+z;}
}
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 13 / 14
![Page 29: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/29.jpg)
Function Recompilation
var x = 1;
function f (){
”function g (y) {var z = 1;return x+y+z;}”
}
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 13 / 14
![Page 30: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/30.jpg)
Function Recompilation
var x = 1;
with(sbxglobal){
eval( ”function g (y) {var z = 1;return x+y+z;}”);
}
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 13 / 14
![Page 31: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/31.jpg)
Function Recompilation
var x = 1;
with(sbxglobal){
function g (y) {var z = 1;return x+y+z;}
}
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 13 / 14
![Page 32: On Contracts, Sandboxes, and Proxies for JavaScript](https://reader034.fdocuments.in/reader034/viewer/2022052117/58d032281a28ab04288b5d6d/html5/thumbnails/32.jpg)
Conclusion
TreatJS:
Language embedded, dynamic, higher-order contract systemfor full JavaScript
Guarantees noninterference
Sandbox:
Language embedded sandbox for full JavaScript
Runs JavaScript code in isolation isolation
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 14 / 14