Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dr. SES Distributed Resilient Secure EcmaScript Mark S. Miller and the Cajadores Google.

Similar presentations


Presentation on theme: "Dr. SES Distributed Resilient Secure EcmaScript Mark S. Miller and the Cajadores Google."— Presentation transcript:

1 Dr. SES Distributed Resilient Secure EcmaScript Mark S. Miller and the Cajadores Google

2 Overview A Brief History of the Web Distributed Resilient Secure EcmaScript

3 Original Web Server Frame Browser Link/Form GET/POST New Page Link/Form GET/POST New Page

4 Ajax = Mobile code + async msgs Server Frame Browser XHR GET/POST XHR Response XHR GET/POST XHR Response Web services

5 Kludging Towards Distributed Objects Server Frame Browser XHR GET/POST XHR Response, Comet XHR GET/POST XHR Response, Comet Web servicesJSONP Fragment tricks

6 A Web of Distributed Objects ServerJS Frame Browser XHR GET/POST XHR Response, SSE XHR GET/POST XHR Response, SSE Web services Cross-Origin XHR (CORS, UMP) postMessage

7 Distributed Resilient Secure EcmaScript “Safe” mobile code as protocol Like x86 Massive adoption despite design mistakes

8 Distributed Resilient Secure EcmaScript “Safe” mobile code as protocol Like x86 Massive adoption despite design mistakes Beautiful Simple Core: Scheme, Self Objects as records. Functions as lexical closures. Records of lexical closures => objects with methods

9 Distributed Resilient Secure EcmaScript Beautiful Simple Core: Scheme, Self Objects as records. Functions as lexical closures. Records of lexical closures => objects with methods function makeCounter ( count ) { return { incr: function() { return ++count; } }; }

10 Distributed Resilient Secure EcmaScript EcmaScript 5 Strict Tamper-proof (frozen) objects. Encapsulated closures. Frozen records of protected closures => High integrity ‘use strict’; const makeCounter = Object.freeze(function( count ) { return Object.freeze({ incr: Object.freeze(function() { return ++count; }); });

11 Distributed Resilient Secure EcmaScript EcmaScript Harmony Makes high integrity convenient Faithful virtualization by interposition Modular modules with lexical scoping const makeCounter ( count ) { return Object.freeze({ incr: const() { return ++count; }; }); };

12 Distributed Resilient Secure EcmaScript

13 When Alice asks: bob.foo(carol) Alice grants Bob access to Carol, as needed for foo Memory-safe encapsulated objects Protect objects from their outside world

14 Distributed Resilient Secure EcmaScript When Alice asks: bob.foo(carol) Alice grants Bob access to Carol, as needed for foo Memory-safe encapsulated objects Protect objects from their outside world OCaps: Causality only by references No powerful references by default Protect world from objects Reference graph === Access graph Deny authority by witholding connectivity

15 Distributed Resilient Secure EcmaScript Java : Joe-E :: EcmaScript : SES Defensive Consistency & Natural POLA SES ⊂ (ES5 Strict + a bit of ES-Harmony) Deny access to global variables, global object Delete non-whitelisted properties Freeze accessible primordials ( Object, Array, Array.prototype,…) Restrict eval() and Function() to SES

16 Distributed Resilient Secure EcmaScript Easy Secure JavaScript Mashups Impossible?

17 Distributed Resilient Secure EcmaScript Easy Secure JavaScript Mashups Impossible? The counter example: const bobEndowments = Object.freeze({counter: makeCounter(0)}); const bobMakerCode = //... fetch potentially malicious code... const bob = eval(bobMakerCode).make(bobEndowments); Bob can only count.

18 Distributed Resilient Secure EcmaScript const makeMint () { const decr = EphemeronTable(); const makePurse ( balance :Nat) { const purse = Object.freeze({ getBalance: const() { return balance; }, makePurse : const() { return makePurse(0); }, deposit : const( amount :Nat, src ) { const newBal :Nat = balance + amount; decr.get(src)(amount); balance = newBal; }}); decr.set(purse, const( amount ) { balance = balance – amount; }); return purse; } return makePurse; } // The “factorial” of secure programming

19 Distributed Resilient Secure EcmaScript Shared StateMessage Passing BlockingC++/pthreads Java, C#, Mozart/Oz JoCAML, Polyphonic C# Blocking receive CSP, Occam, CCS Erlang, Scala, Go Non-blockingSoft Transactional Mem Argus, Fortress Clojure, X10 Comm Event Loops Actors, AmbientTalk E, Waterken Ajax

20 Distributed Resilient Secure EcmaScript p1 = farBob ! foo(carol); // queue request for Bob No conventional deadlocks or memory races Supports Defensive Programming Shared StateMessage Passing BlockingC++/pthreads Java, C#, Mozart/Oz JoCAML, Polyphonic C# Blocking receive CSP, Occam, CCS Erlang, Scala, Go Non-blockingSoft Transactional Mem Argus, Fortress Clojure, X10 Comm Event Loops Actors, AmbientTalk E, Waterken Ajax, Dr. SES

21 Distributed Resilient Secure EcmaScript Between machines… There is no do, there is only try. --with apologies to Yoda p1 = farBob ! foo(carol); // Bob throws, breaking p1 p3 = p1 ! bar(p2); // broken promise contagion

22 Distributed Resilient Secure EcmaScript Between machines… There is no do, there is only try. --with apologies to Yoda p1 = farBob ! foo(carol); // Bob throws, breaking p1 p3 = p1 ! bar(p2); // broken promise contagion p4 = try when ( r3 = p3) { // delayed error handling => “ok: ” + r3 } catch ( ex ) { => “bad: ” + ex };

23 Distributed Resilient Secure EcmaScript $100$200

24 Distributed Resilient Secure EcmaScript $100$200 const payment = myPurse ! makePurse();

25 Distributed Resilient Secure EcmaScript $100$200 const payment = myPurse ! makePurse(); makePurse

26 Distributed Resilient Secure EcmaScript $100 $0 $200 const payment = myPurse ! makePurse();

27 Distributed Resilient Secure EcmaScript $100 $0 $200 const payment = myPurse ! makePurse(); payment ! deposit(10, myPurse);

28 Distributed Resilient Secure EcmaScript $100 $0 $200 const payment = myPurse ! makePurse(); payment ! deposit(10, myPurse); deposit

29 Distributed Resilient Secure EcmaScript $100 $0 $200 const payment = myPurse ! makePurse(); payment ! deposit(10, myPurse); $90 $10

30 Distributed Resilient Secure EcmaScript $100 $0 $200 const payment = myPurse ! makePurse(); payment ! deposit(10, myPurse); const good = bob ! buy(desc, payment); $90 $10

31 Distributed Resilient Secure EcmaScript $100 $0 $200 const payment = myPurse ! makePurse(); payment ! deposit(10, myPurse); const good = bob ! buy(desc, payment); buy $90 $10

32 Distributed Resilient Secure EcmaScript $100 $0 $200 const payment = myPurse ! makePurse(); payment ! deposit(10, myPurse); const good = bob ! buy(desc, payment); return try when ( p = payment) { $90 $10

33 Distributed Resilient Secure EcmaScript $100 $0 $200 const payment = myPurse ! makePurse(); payment ! deposit(10, myPurse); const good = bob ! buy(desc, payment); return try when ( p = payment) { => try when ( ok = myPurse ! deposit(10, p)) { $90 $10

34 Distributed Resilient Secure EcmaScript $100 $0 $200 const payment = myPurse ! makePurse(); payment ! deposit(10, myPurse); const good = bob ! buy(desc, payment); return try when ( p = payment) { => try when ( ok = myPurse ! deposit(10, p)) { $90 $10 deposit

35 Distributed Resilient Secure EcmaScript $100 $0 $200 const payment = myPurse ! makePurse(); payment ! deposit(10, myPurse); const good = bob ! buy(desc, payment); return try when ( p = payment) { => try when ( ok = myPurse ! deposit(10, p)) { $90 $210

36 Distributed Resilient Secure EcmaScript $100 $0 $200 const payment = myPurse ! makePurse(); payment ! deposit(10, myPurse); const good = bob ! buy(desc, payment); return try when ( p = payment) { => try when ( ok = myPurse ! deposit(10, p)) { => good } … $90 $210

37 Distributed Resilient Secure EcmaScript p1 = farBob ! foo(carol); // queue request for Bob p3 = p1 ! bar(p2); // left dataflow chaining p5 = try when ( i = p3, j = p4) { => i + j }; // gather results b5 = try whenever ( i = b3, j = b4) { => i + j }; // perpetual p6 = try ( f = farF, x = farX) in (farEval) { => f(x) }; // mobile

38 Distributed Resilient Secure EcmaScript Remaining Open Resilience Problems Persistence: How orthogonal? Waterken, KeyKOS, E, Workers Disconnected Operation: How to reconcile? Dominant partition, Wave OT, Una, Ambient references Upgrade: When instances outlive their class Co-existence: When versions collide Each presents new security challenges

39 Questions?


Download ppt "Dr. SES Distributed Resilient Secure EcmaScript Mark S. Miller and the Cajadores Google."

Similar presentations


Ads by Google