Modern Type Systems for Dynamic Languages Ravi Chugh.

Modern Type Systems for Dynamic Languages Ravi Chugh

2 Web Platform

3 Goal: Rigorous Foundations

4 1995 Username Login Password Web Page = Static HTML Web Page + Links Web Page + Client-Side Code loginButton.onclick = function () { if (passwordBox.value == “”) { alert(“Enter password!”); } else {... }

5 1995 … an easy-to-use “scripting language” as a companion to Java No Static Types “Dynamic” Features Make it Easy to Experiment… Brendan Eich, JavaScript creator

Asked whether Gmail would ever open up an API for developers to code add-ons and plug-ins with more official support and stability, Kowitz suggested it was unlikely. Gmail is based on “hundreds of thousands” of lines of JavaScript, Kowitz said, and it's a code base that “changes so quickly.” That said, Jackson said the Gmail team "loves" to see third-party functionality being developed, and the team tries to make developers aware of changes they know will affect those products. Article on LifeHacker

2014 Asked whether Gmail would ever open up an API for developers to code add-ons and plug-ins with more official support and stability, Kowitz suggested it was unlikely. Gmail is based on “hundreds of thousands” of lines of JavaScript, Kowitz said, and it's a code base that “changes so quickly.” That said, Jackson said the Gmail team "loves" to see third-party functionality being developed, and the team tries to make developers aware of changes they know will affect those products. Article on LifeHacker “Scripting” ?!?

9 http://stackoverflow.com/tags 02-26-14 CountTag 599,605C# 583,322Java 555,164JavaScript 532,851PHP 273,086Python 268,725C++ 129,483C 97,154Ruby 15,044Haskell 2,175OCaml 2014 JavaScript is Pervasive

10 http://stackoverflow.com/tags 02-26-14 Other Dynamic Languages Are, Too 2014 CountTag 599,605C# 583,322Java 555,164JavaScript 532,851PHP 273,086Python 268,725C++ 129,483C 97,154Ruby 15,044Haskell 2,175OCaml JavaScript is Pervasive

11 News ShoppingBanking 2014 JavaScript is Pervasive

12 News ShoppingBanking Third-Party Ads 2014 JavaScript is Pervasive

13 News ShoppingBanking Third-Party Ads Third-Party Apps 2014 JavaScript is Pervasive

14 2014 JavaScript is Pervasive Third-Party

No longer just “scripting” 15 2014 … an easy-to-use “scripting language” as a companion to Java

16 1. Development Tools 2. Reliability / Security 3. Performance But JS is hard to reason about! Significant Interest For:

17 Static Types My Ph.D. JavaScript, Python, Ruby, PHP Share Common Challenges New Techniques Apply Broadly, Even to Statically Typed Languages for Dynamic Languages

18 Describe sets of run-time values “integers” “booleans” “objects with foo field” “non- null pointers” “urls that are safe to visit” Static Types

19 Prevent classes of run-time errors “integers” “booleans” “objects with foo field” “non- null pointers” “urls that are safe to visit” “multiply int and bool” “navigating to evil.com ” “redirect to evil.com ” “ foo field not found” “ null pointer exception” Static Types

20 f(x)f(x) “expected args”“actual args” Type 1 Type 2  “function call produces no error” ✓

21 f(x)f(x) “expected args”“actual args” Type 1 Type 2  “function call may produce error” ✗

22 For all programs p in If p has a type T in Then p does not fail with any error e in P ROGRAMS T YPES E RRORS

23 For all programs p in If p has a type T in Then p does not fail with any error e in P ROGRAMS T YPES E RRORS GOAL: Reason About More Programs

24 For all programs p in If p has a type T in Then p does not fail with any error e in P ROGRAMS T YPES E RRORS GOAL: Reason About More Programs GOAL: Eliminate More Errors

25 T YPES

26 T YPES Types + Logic Refinement Types

Type 1 Type 2  “expected args”“actual args” 27 {x|p}{x|p} {x|q}{x|q}  {x|p}{x|p}{x|q}{x|q} Types + Logic Refinement Types

Types 28 Refinement Types Nested Refinements [POPL ’12] Key to Encode Dynamic Features Logic {x|p}{x|p}f :: {  y  |  q  }

Expressiveness Usability Types Verification Hoare Logics Model Checking Abstract Interpretation Theorem Proving … + Logic Dependent JavaScript (DJS) [POPL ’12, OOPSLA ’12]

Why is JavaScript Important? Why is JavaScript Hard? Static Types via Logic Security via Logic Looking Ahead 30 Outline Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges T YPES P ROGRAMS E RRORS

Why is JavaScript Important? Why is JavaScript Hard? Static Types via Logic Security via Logic Looking Ahead 31 Outline Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges T YPES P ROGRAMS E RRORS

Why is JavaScript Hard? 32 Outline Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges Lightweight Reflection Dictionary Objects Additional Challenges P ROGRAMS

function negate(x) { if (typeof x == “number”) { } 33 Why JavaScript?Security via LogicLooking AheadChallengesTypes via Logic Q: What is my “type”?

All JavaScript Values 34 Why JavaScript?Security via LogicLooking AheadChallengesTypes via Logic {  x  |  tag(x)  =  “number”  }{  x  |  tag(x)  =  “boolean”  } truefalse {  x  |  tag(x)  =  “object”  } {}{}{  “f”:17  } {  “f”:42,  “g”:true  }... Q: What is my “type”? x 1742 3.14...

function negate(x) { if (typeof x == “number”) { } 35 Why JavaScript?Security via LogicLooking AheadChallengesTypes via Logic Q: What is my “type”? A: Described by “tag”

36 Why JavaScript?Security via LogicLooking AheadChallengesTypes via Logic function negate(x) { if (typeof x == “number”) { return 0 - x; } else { return !x; } } “expected args” values with tag “number” OR “boolean”

38 Why JavaScript?Security via LogicLooking AheadChallengesTypes via Logic obj.f means obj[“f”] a.k.a. “maps” “hash tables” “associative arrays” Objects are “Dictionaries” that map string keys to values

method to invoke method table 39 Why JavaScript?Security via LogicLooking AheadChallengesTypes via Logic function dispatch(table, op, i, j) { }

40 Why JavaScript?Security via LogicLooking AheadChallengesTypes via Logic var integerOps = { “+” : function (n, m) { … }, “-” : function (n, m) { … } }; function dispatch(table, op, i, j) { var fn = table[op]; return fn(i, j); } dispatch (integerOps, “*”, 17, 42); “ foo field not found” “*” key not found

41 Why JavaScript?Security via LogicLooking AheadChallengesTypes via Logic function dispatch(table, op, i, j) { var fn = table[op]; return fn(i, j); } “expected args” table object with an op key that stores a function on numbers Dependency between types of arguments

Why is JavaScript Hard? 43 Outline Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges Lightweight Reflection Dictionary Objects Extensible Objects Prototype Inheritance JavaScript Peculiarities P ROGRAMS

Unsupported in Prior Work Why is JavaScript Hard? 44 Outline Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges Lightweight Reflection Dictionary Objects Extensible Objects Prototype Inheritance JavaScript Peculiarities P ROGRAMS

Why is JavaScript Important? Why is JavaScript Hard? Static Types via Logic Security via Logic Looking Ahead 45 Outline Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges Types via Logic P ROGRAMS T YPES E RRORS

All JavaScript Values 46 {  x  |  tag(x)  =  “number”  } truefalse {}{}{  “f”:17  } {  “f”:42,  “g”:true  }... 1742 3.14... Why JavaScript?Security via LogicLooking AheadChallengesTypes via Logic

All JavaScript Values 47 {  x  |  tag(x)  =  “number”  } 1742 3.14... Why JavaScript?Security via LogicLooking AheadChallengesTypes via Logic {  x  |  tag(x)  =  “boolean”  }{  x  |  tag(x)  =  “object”  } truefalse {}{}{  “f”:17  } {  “f”:42,  “g”:true  }...

All JavaScript Values 48 Why JavaScript?Security via LogicLooking AheadChallengesTypes via Logic {}{}{  “f”:17  } {  “f”:42,  “g”:true  }... truefalse {  x  |  integer(x)  }{x|x>0}{x|x>0} 1742 3.14...

All JavaScript Values 49 Why JavaScript?Security via LogicLooking AheadChallengesTypes via Logic “set of values x s.t. formula p is true” {x|p}{x|p} Refinement Types

50 f(x)f(x) “expected args”“actual args” Type 1 Type 2  Why JavaScript?Security via LogicLooking AheadChallengesTypes via Logic

51 f(x)f(x) “expected args”“actual args”  Why JavaScript?Security via LogicLooking AheadChallengesTypes via Logic {x|p}{x|p}{x|q}{x|q}  {x|p}{x|p}{x|q}{x|q}

52 Subtyping is Implication Source of Expressive Power Type 1 Type 2  Why JavaScript?Security via LogicLooking AheadChallengesTypes via Logic {x|p}{x|p}{x|q}{x|q}  {x|p}{x|p}{x|q}{x|q}

Static Types via Logic 53 Outline Why JavaScript?Security via LogicLooking AheadChallengesTypes via Logic Lightweight Reflection Dictionary Objects Key Technical Innovations Evaluation T YPES

54 Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges function negate(x) { if (typeof x == “number”) { return 0 - x; } else { return !x; } Type Annotation in Comments //: negate :: (x:NumOrBool)  NumOrBool {  v  |  tag(v)  =  “number”  tag(v)  =  “boolean”  } NumOrBool  Syntactic Sugar for Common Types

55 Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges function negate(x) { if (typeof x == “number”) { return 0 - x; } else { return !x; } //: negate :: (x:NumOrBool)  NumOrBool {  x  |  tag(x)  =  “number”  } “expected args”  {  x  |  tag(x)  =  “number”  }  ✓

56 Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges function negate(x) { if (typeof x == “number”) { return 0 - x; } else { return !x; } //: negate :: (x:NumOrBool)  NumOrBool “expected args”  {  x  |  tag(x)  =  “boolean”  } ✓ {  x  |  not(tag(x)  =  “number”) {  x  |  ∧ (tag(x)  =  “number” ∨ {  x  |  tag(x)  =  “boolean”)  }

57 Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges function negate(x) { if (typeof x == “number”) { return 0 - x; } else { return !x; } //: negate :: (x:NumOrBool)  NumOrBool Logic Enables Path-Sensitive Reasoning on Branches ✓

58 Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges function negate(x) { if (typeof x == “number”) { return 0 - x; } else { return !x; } Logic Enables Types to Depend on Values //: negate :: (x:NumOrBool)  {  y|tag(y)  =  tag(x)  } ✓

Static Types via Logic 59 Outline Why JavaScript?Security via LogicLooking AheadChallenges Lightweight Reflection Dictionary Objects Key Technical Innovations Evaluation Types via Logic T YPES

60 Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges All JavaScript Values {  x  |  tag(x)  =  “object”  }... {}{} {  “f”:true  } {  “f”:17  } {  “f”:42,  “g”:null  }

61 Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges All JavaScript Values {  x  |  tag(x)  =  “object”  has(x,“f”)  }... {}{} {  “f”:true  } {  “f”:17  } {  “f”:42,  “g”:null  }

62 Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges All JavaScript Values {  x  |  tag(x)  =  “object”  {  x  |  has(x,“f”)  {  x  |  tag(sel(x,“f”))  =  “number”  }... {}{} {  “f”:true  } {  “f”:17  } {  “f”:42,  “g”:null  }

63 Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges //: dispatch :: //: ({  table  |  tag(table)  =  “object”  }, //: {  op  |  tag(op)  =  “string” //: {  op  |  ∧ has(table,op) //: {  op  |  ∧ sel(table,op)  ::  (Num,Num)  Num  }, //: {  i  |  tag(i)  =  “number”  }, //: {  j  |  tag(j)  =  “number”  }) //:  Num function dispatch(table, op, i, j) { var fn = table[op]; return fn(i, j); }

64 Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges //: dispatch :: //: (table  :  {  sel(table,op)  ::  (Num,Num)  Num  }, //: op  :  Str, //: i  :  Num, //: j  :  Num) //: //:  Num function dispatch(table, op, i, j) { var fn = table[op]; return fn(i, j); }

65 Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges var integerOps = { “+” : …, “-” : … }; dispatch (integerOps, “*”, 17, 42); {  op  |  op  =  “*”  } “actual args” {  op  |  has(integerOps,op)  }  Type Checking Prevents Run-Time Error {  op  |  op  =  “*”  }{  op  |  has(integerOps,op)  }  ✗

Static Types via Logic 66 Outline Why JavaScript?Security via LogicLooking AheadChallenges Lightweight Reflection Dictionary Objects Key Technical Innovations Evaluation Types via Logic

67 Prior Refinement Types ✓ ✗ lightweight reflection dictionary objects Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges extensible objects prototype inheritance JavaScript peculiarities ✗ ✗ ✗ Dependent JavaScript (DJS) [POPL ’12, OOPSLA ’12] ✓ ✓ ✓ ✓ ✓

Key Challenge: Function Subtyping as Logical Implication 68 Prior Refinement Types ✗ dictionary objects Dependent JavaScript (DJS) [POPL ’12, OOPSLA ’12] ✓ Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges

69 Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges 42 + negate  (17)  {  f  |  f  ::  } (x:Num)  Num “expected function” {  f  |  f  ::   } (x:NumOrBool)  {  y|tag(y)  =  tag(x)  }

{  f  |  f  ::   } 70 Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges (x:NumOrBool)  {  y|tag(y)  =  tag(x)  } {  f  |  f  ::  } (x:Num)  Num  How to Prove ? How to Encode Type System Inside Logic? Prior Refinement Systems Disallow Function Types Inside Logic!

71 Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges T ::= {  x  |  p  } | T 1  T 2 TypesRefinement Logic Satisfiability Modulo Theories (SMT) SAT + Decidable Theories p  q ✓ ✗ SMT Solver (e.g. Z3) [Prior State-of-the-Art]

72 Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges T ::= {  x  |  p  } | T 1  T 2 p ::= p  ∧  q | p  ∨  q |  p | x  =  y | x  >  y | … | tag(x)  =  “number” | … | sel(x,k)  =  17 | … TypesRefinement Logic Boolean Connectives Equality Linear Arithmetic Uninterpreted Functions McCarthy Arrays

73 Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges T ::= {  x  |  p  } | T 1  T 2 p ::= p  ∧  q | p  ∨  q |  p | x  =  y | x  >  y | … | tag(x)  =  “number” | … | sel(x,k)  =  17 | … TypesRefinement Logic {  v  |  tag(v)  =  “number”  tag(v)  =  “boolean”  } NumOrBool  Enables Union Types and Lightweight Reflection

74 Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges T ::= {  x  |  p  } | T 1  T 2 p ::= p  ∧  q | p  ∨  q |  p | x  =  y | x  >  y | … | tag(x)  =  “number” | … | sel(x,k)  =  17 | … TypesRefinement Logic Enables Dictionary Types with Dynamic Keys … {  d  |  tag(sel(d,k))  =  “boolean” ∧ {  d  |  tag(sel(d,“f”))  =  “function” ∧ {  d  |  sel(d,“f”) ???  } But Disallows Functions in Dictionaries!

75 Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges p ::= p  ∧  q | p  ∨  q |  p | x  =  y | x  >  y | … | tag(x)  =  “number” | … | sel(x,k)  =  17 | … | sel(x,k)  ::  T 1  T 2 | … TypesRefinement Logic Goal: Refer to Type System Inside Logic Goal: Without Giving up Decidability T ::= {  x  |  p  } | T 1  T 2 Solution: Nested Refinements!

76 Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges T ::= {  x  |  p  } p ::= p  ∧  q | p  ∨  q |  p | x  =  y | x  >  y | … | tag(x)  =  “number” | … | sel(x,k)  =  17 | … | sel(x,k)  ::  T 1  T 2 | … Nested Refinements [POPL ’12] 1. Decidable Encoding 2. Precise Subtyping 3. Type Soundness Proof TypesRefinement Logic

77 Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges {  f  |  f  ::   } (x:NumOrBool)  {  y|tag(y)  =  tag(x)  } {  f  |  f  ::  } (x:Num)  Num  Decidable Encoding Uninterpreted Predicate in Logic Distinct Uninterpreted Constants in Logic…

{  f  |  f  ::   } 78 Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges (x:NumOrBool)  {  y|tag(y)  =  tag(x)  } {  f  |  f  ::  } (x:Num)  Num  Decidable Encoding Uninterpreted Predicate in Logic w/ Types Nested Inside Distinct Uninterpreted Constants in Logic…

79 Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges Decidable Encoding {  f  |  f  ::   } (x:NumOrBool)  {  y|tag(y)  =  tag(x)  } {  f  |  f  ::  } (x:Num)  Num  ✗ SMT Solver Trivially Decidable, but Imprecise

p  f  ::(x:S 1 )  S 2 80 Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges  {  f  |  f  ::  } (x:T 1 )  T 2 {f|p}{f|p} Precise Subtyping Step 1: Step 2: Find such that (x:S 1 )  S 2 SMT Solver ✓ T1T1 S1S1  ✓ ✓ S2S2 T2T2  x:T 1  Compare and (x:S 1 )  S 2 (x:T 1 )  T 2 ✓ “contra-variance” “co-variance”

81 Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges  {  f  |  f  ::  } (x:Num)  Num {  f  |  f  =  negate  } Precise Subtyping Step 1: Step 2: f  =  negate  f  :: (x:NumOrBool)  {  y|tag(y)  =  tag(x)  } SMT Solver ✓

82 Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges  {  f  |  f  ::  } (x:Num)  Num {  f  |  f  =  negate  } Precise Subtyping Step 1: Step 2: f  =  negate  f  :: (x:NumOrBool)  {  y|tag(y)  =  tag(x)  } NumNumOrBool  ✓ ✓ {  y  |  tag(y)  =  tag(x)  } Num  x:Num  ✓ SMT Solver ✓

83 Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges Precise Subtyping Step 1: Step 2: Decidable Reasoning via SMT Precise Function Subtyping via Syntactic Techniques +  {  f  |  f  ::  }{  f  |  f  =  negate  } ✓ (x:Num)  Num

84 Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges Type Soundness Proof Logic 0 Conventional Proofs Require Logic to be an Oracle … … but Nesting Introduces Circularity That Prevents Typical Inductive Proofs Type System 0

Type System ∞ 85 Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges Type Soundness Proof Logic 0 Logic 1 Logic 2 Type System 1 Type System 2 Type System 0 …… Proof Technique: Stratify into Infinite Hierarchy

86 Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges T ::= {  x  |  p  } p ::= p  ∧  q | p  ∨  q |  p | x  =  y | x  >  y | … | tag(x)  =  “number” | … | sel(x,k)  =  17 | … | sel(x,k)  ::  T 1  T 2 | … Nested Refinements [POPL ’12] TypesRefinement Logic Key to Encode Dictionary Objects (Even in Statically Typed Languages!)

87 lightweight reflection dictionary objects extensible objects prototype inheritance JavaScript peculiarities Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges Dependent JavaScript (DJS) [POPL ’12, OOPSLA ’12] ✓ ✓ ✓ ✓ ✓ Prior Refinement Types ✓ ✗ ✗ ✗ ✗ path-sensitivity nested refinements flow-sensitivity logical encoding

JavaScript JavaScript, Python, Ruby 88 lightweight reflection dictionary objects extensible objects prototype inheritance JavaScript peculiarities Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges Dependent JavaScript (DJS) [POPL ’12, OOPSLA ’12] ✓ ✓ ✓ ✓ ✓ path-sensitivity nested refinements flow-sensitivity logical encoding

Statically Typed Languages (Java, C++, OCaml, Haskell, …) 89 lightweight reflection dictionary objects extensible objects prototype inheritance JavaScript peculiarities Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges Dependent JavaScript (DJS) [POPL ’12, OOPSLA ’12] ✓ ✓ ✓ ✓ ✓ path-sensitivity nested refinements flow-sensitivity logical encoding ✗

Statically Typed Languages (Java, C++, OCaml, Haskell, …) 90 Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges Dependent JavaScript (DJS) [POPL ’12, OOPSLA ’12] ✓ ✓ ✓ path-sensitivity nested refinements flow-sensitivity General Techniques Can Be Used to Eliminate More E RRORS

92 306 a 408 (+33%) LOC before/after 13 Excerpts from: JavaScript, Good Parts SunSpider Benchmark Suite Google Closure Library Benchmarks Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges Chosen to Stretch Expressiveness Limits of DJS

93 306 a 408 (+33%) LOC before/after 13 Excerpts from: JavaScript, Good Parts SunSpider Benchmark Suite Google Closure Library Benchmarks Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges 9 Browser Extensions from: [Guha et al. Oakland ’11] 321 a 383 (+19%) 1,003 a 1,027 (+2%) 2 Examples from: Google Gadgets 1,630 1,818 (+12%) TOTALS

94 Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges 1,630 1,818 (+12%) TOTALS Relatively Simple Syntactic Sugar and Type Inference Have Helped Significantly Opportunities for Improved Type Inference: Iterative Predicate Abstraction Bootstrap by Running Test Cases [STOP ’11] Translating Programs from TypeScript 1,818 (+12%) Type Annotations

95 LOC before/after 13 Excerpts from: JavaScript, Good Parts SunSpider Benchmark Suite Google Closure Library 306 a 408 (+33%) Benchmarks 9 Browser Extensions from: [Guha et al. Oakland ’11] 321 a 383 (+19%) 2 Examples from: Google Gadgets 1,003 a 1,027 (+2%) 1,630 1,818 (+12%) 10 sec Running Time 3 sec 19 sec 32 sec Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges TOTALS

96 1,818 (+12%) 32 sec Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallenges 1,630 TOTALS 32 sec Relatively Simple Optimizations So Far: Avoid SMT Solver When Possible Reduce Precision for Common Patterns Rely on Nested Refinements When Needed Performance

Types via Logic Why is JavaScript Important? Why is JavaScript Hard? Static Types via Logic Security via Logic Looking Ahead 98 Outline Why JavaScript?Security via LogicLooking AheadChallenges Types via LogicSecurity via Logic T YPES E RRORS P ROGRAMS

99 Outline Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges Security via Logic Browser Extensions Types for Fine-Grained Policies E RRORS

100 … New Yorker article, “The Itch,” …

102 PRINT

“?printable=true” 103 “I want every article in print mode”

Browser Extensions Third-Party Developers Customize Browser 104

Browser Extensions PRINT NEW YORKER 105

Browser Extensions for (var elt in doc.getEltsByTagName(“a”)) { var url = elt.getAttr(“href”); if (url.match(/^newyorker.com/)) { elt.setAttr(“href”, url + “?printable=true”); } 106

Browser Extensions PRINT NEW YORKER Document (DOM) host-site.com 107 ?printable=true newyorker.com

Browser Extensions PRINT NEW YORKER Document (DOM) host-site.com 108 ?printable=true newyorker.com evil.com EVIL Passwords Bank Accts History Network Manager Other Sensitive APIs JavaScript Engine BUGGY

109 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges Policy Expressiveness Access All Resources

110 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges Access Some Resources cannot access DOM cannot access History Policy Expressiveness

111 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges Policy Expressiveness coarse-grained and uninformative! cannot access DOM cannot access History

112 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges Policy Expressiveness coarse-grained and uninformative! similar situation for other app platforms

113 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges Policy Expressiveness Fine-Grained Policies GOAL

114 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges can write “a” elements but only “href” attribute when original “href” value starts with “newyorker.com” and is prefix of new value Fine-Grained Policies GOAL

115 Language-Based Security If Language Could Enforce Some Security-Related Policies … Then Reduce Dependence On: Testing Code Reviews Dynamic Checking Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges

116 For all programs p in If p has a type T in Then p does not fail with any error e in P ROGRAMS T YPES E RRORS

117 For all programs p in If p has a type T in Then p does not fail with any error e in P ROGRAMS T YPES E RRORS GOAL: Eliminate Some Security-Related Errors

118 P ROGRAMS T YPES E RRORS GOAL: Eliminate Some Security-Related Errors But How?

119 Subtyping is Implication Source of Expressive Power Type 1 Type 2  {x|p}{x|p}{x|q}{x|q}  {x|p}{x|p}{x|q}{x|q} Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges

121 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges Static Verification (DJS) Security Expert User reviews only policy reads informative policy Developer writes policy in logic!

122 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges Network Manager request, … JS Engine eval, … DOM getAttr, setAttr, … request ::  url:Str  Str

123 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges Network Manager request, … JS Engine eval, … DOM getAttr, setAttr, … request ::  {url:Str|WhiteListed(url)}  Str

124 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges Network Manager request, … JS Engine eval, … DOM getAttr, setAttr, … eval ::  s:Str  Void

125 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges Network Manager request, … JS Engine eval, … DOM getAttr, setAttr, … eval ::  {s:Str|not(Tainted(s))}  Void

126 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges Network Manager request, … JS Engine eval, … DOM getAttr, setAttr, … getAttr ::  elt:Element  attr:Str  Str

127 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges Network Manager request, … JS Engine eval, … DOM getAttr, setAttr, … getAttr ::  elt:Element  {attr:Str|CanRead(elt,attr)}  Str

128 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges Network Manager request, … JS Engine eval, … DOM getAttr, setAttr, … setAttr ::  elt:Element  attr:Str  y:Str  Void

129 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges Network Manager request, … JS Engine eval, … DOM getAttr, setAttr, … setAttr ::  elt:Element  attr:Str  {y:Str|CanWrite(elt,attr,y)}  Void

130 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges Network Manager request, … JS Engine eval, … DOM getAttr, setAttr, … Refined APIs Mediate Access Typecheck Extension with Policy

131 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges forall url.  not (url = “evil.com”)  WhiteListed (url) var s = request(“evil.com”); ✗ finite blacklist

132 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges //: url:Str var s = request(url); ✗ might be blacklisted! forall url.  not (url = “evil.com”)  WhiteListed (url)

forall url.  not (url = “evil.com”)  WhiteListed (url) 133 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges if (url != “evil.com”) { var s = request(url); } ✓

134 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges if (url != “evil.com”) { var s = request(url); eval(s); } s:Str might be tainted! ✗ forall url.  not (url = “evil.com”)  WhiteListed (url)

135 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges if (url != “evil.com”) { var s = request(url); s = sanitize(s); eval(s); } ✓ STATICALLY VERIFIED! s:Str{s:Str|not(Tainted(s))} forall url.  not (url = “evil.com”)  WhiteListed (url)

136 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges WhiteListed (“ny.com”) WhiteListed (“golf.com”) forall url.  WhiteListed (url)  not (Tainted (request (url))) trust that whitelisted servers return untainted strings

137 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges var s = request(“ny.com”); eval(s); ✓ no need to sanitize WhiteListed (“ny.com”) WhiteListed (“golf.com”) forall url.  WhiteListed (url)  not (Tainted (request (url))) STATICALLY VERIFIED!

138 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges forall e, oldUrl, newUrl. ValueOf (e, “href”, oldUrl) ∧ StrPrefix (“newyorker.com”, oldUrl) ∧ StrPrefix (oldUrl, newUrl)  CanWrite (e, “href”, newUrl) for (var elt in doc.getEltsByTagName(“a”)) { var url = elt.getAttr(“href”); if (url.match(/^newyorker.com/)) { elt.setAttr(“href”, url + “?printable=true”); }

139 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges ValueOf (elt, “href”, url) ∧ StrPrefix (“newyorker.com”, url) ∧ StrPrefix (url, url + “?printable=true”)  CanWrite (e, “href”, url+“?printable=true”) for (var elt in doc.getEltsByTagName(“a”)) { var url = elt.getAttr(“href”); if (url.match(/^newyorker.com/)) { elt.setAttr(“href”, url + “?printable=true”); } ✓

140 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges ValueOf (elt, “href”, url) ∧ StrPrefix (“newyorker.com”, url) ∧ StrPrefix (url, url + “?printable=true”)  CanWrite (e, “href”, url+“?printable=true”) for (var elt in doc.getEltsByTagName(“a”)) { var url = elt.getAttr(“href”); if (url.match(/^newyorker.com/)) { elt.setAttr(“href”, url + “?printable=true”); } ✓ ✓

141 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges ValueOf (elt, “href”, url) ∧ StrPrefix (“newyorker.com”, url) ∧ StrPrefix (url, url + “?printable=true”)  CanWrite (e, “href”, url+“?printable=true”) for (var elt in doc.getEltsByTagName(“a”)) { var url = elt.getAttr(“href”); if (url.match(/^newyorker.com/)) { elt.setAttr(“href”, url + “?printable=true”); } ✓ ✓ ✓

142 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges ValueOf (elt, “href”, url) ∧ StrPrefix (“newyorker.com”, url) ∧ StrPrefix (url, url + “?printable=true”)  CanWrite (e, “href”, url+“?printable=true”) for (var elt in doc.getEltsByTagName(“a”)) { var url = elt.getAttr(“href”); if (url.match(/^newyorker.com/)) { elt.setAttr(“href”, url + “?printable=true”); } ✓ ✓ ✓ ✓ STATICALLY VERIFIED!

143 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges ValueOf (elt, “href”, url) ∧ StrPrefix (“newyorker.com”, url) ∧ StrPrefix (url, url + “?printable=true”)  CanWrite (e, “href”, url+“?printable=true”) for (var elt in doc.getEltsByTagName(“a”)) { var url = elt.getAttr(“href”); if (url.match(/^newyorker.com/)) { elt.setAttr(“href”, “evil.com”); }

144 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges ValueOf (elt, “href”, url) ∧ StrPrefix (“newyorker.com”, url) ∧ StrPrefix (url, “evil.com”)  CanWrite (e, “href”, “evil.com”) for (var elt in doc.getEltsByTagName(“a”)) { var url = elt.getAttr(“href”); if (url.match(/^newyorker.com/)) { elt.setAttr(“href”, “evil.com”); }

145 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges ValueOf (elt, “href”, url) ∧ StrPrefix (“newyorker.com”, url) ∧ StrPrefix (url, “evil.com”)  CanWrite (e, “href”, “evil.com”) for (var elt in doc.getEltsByTagName(“a”)) { var url = elt.getAttr(“href”); if (url.match(/^newyorker.com/)) { elt.setAttr(“href”, “evil.com”); } ✓ ✓ ✗ ✗

146 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges Types for Security + JavaScript Verification = Fine-Grained Web Security [ESOP ’10, Guha et al. ’11] [POPL ’12, OOPSLA ’12] [current] Secure Extensions Written in OCaml Preliminary Benchmarks

147 Why JavaScript?Security via LogicTypes via LogicLooking AheadChallenges Guha et al. ’11] Secure Extensions Written in OCaml Preliminary Benchmarks Ported to DJS (~400 LOC so far) Well-typed programs don’t have run-time errors and conform to security policies

Why is JavaScript Important? Why is JavaScript Hard? Static Types via Logic Security via Logic Looking Ahead 149 Outline Why JavaScript?Types via LogicSecurity via LogicLooking AheadChallengesSecurity via LogicLooking Ahead T YPES E RRORS P ROGRAMS

150 Why JavaScript?Types via LogicSecurity via LogicChallengesLooking Ahead Dependent JavaScript Web Platform >>>

151 Why JavaScript?Types via LogicSecurity via LogicChallengesLooking Ahead Dependent JavaScript Policy Specification Web Platform >>>

152 Static Verification (DJS) Security Expert User Developer must write policy must read policy and Why JavaScript?Types via LogicSecurity via LogicChallengesLooking Ahead

153 Developer must write policy Infer from traces Incentives from platform must read policy User Traces to demonstrate behavior Community review-and-recommend services must read policy Security Expert Modeling tools to analyze policies Why JavaScript?Types via LogicSecurity via LogicChallengesLooking Ahead

154 Why JavaScript?Types via LogicSecurity via LogicChallengesLooking Ahead Dependent JavaScript Policy Specification Dynamic Enforcement Web Platform >>>

155 Why JavaScript?Types via LogicSecurity via LogicChallengesLooking Ahead Static Verification (DJS) Security Expert User Developer

156 Why JavaScript?Types via LogicSecurity via LogicChallengesLooking Ahead … eval(“…”); … Dynamic Code Loading Impossible to statically analyze code you don’t have!

157 Why JavaScript?Types via LogicSecurity via LogicChallengesLooking Ahead Static Verification (DJS) Security Expert User Developer Dynamic Enforcement

158 Why JavaScript?Types via LogicSecurity via LogicChallengesLooking Ahead Dynamic Enforcement … eval(“…”); //: #assume … New Types Old TypesNew Types

159 Why JavaScript?Types via LogicSecurity via LogicChallengesLooking Ahead Limits of Static Reasoning “expected”“actual” p   q ✓ Definitely Safe Maybe Unsafe ✗ p   q (But Maybe Safe…)

160 Why JavaScript?Types via LogicSecurity via LogicChallengesLooking Ahead Limits of Static Reasoning p   q Definitely Safe Maybe Unsafe ✗ p   q Definitely Unsafe p   q ✓ “expected”“actual” ✓

Dynamic Enforcement 161 Why JavaScript?Types via LogicSecurity via LogicChallengesLooking Ahead Limits of Static Reasoning Accept Program, Rather than Reject Rely on Programmer-Trusted or Dynamically-Checked Assumption ✗ Maybe Unsafe p   q

162 Why JavaScript?Types via LogicSecurity via LogicChallengesLooking Ahead Dependent JavaScript Policy Specification Dynamic Enforcement Trus t Base Web Platform >>>

163 Why JavaScript?Types via LogicSecurity via LogicChallengesLooking Ahead Static Verification (DJS) Security Expert User reviews only policy Developer Dynamic Enforcement

164 Why JavaScript?Types via LogicSecurity via LogicChallengesLooking Ahead Static Verification (DJS) Security Expert reviews only policy trust SMT Solver

Eliminate from TCB à la Proof-Carrying Code [PLDI ’10] Eliminate from TCB via Formal Verification 165 Why JavaScript?Types via LogicSecurity via LogicChallengesLooking Ahead Static Verification (DJS) Security Expert trust SMT Solver trust

Policy Specification Dynamic Enforcement Trus t Base 166 Why JavaScript?Types via LogicSecurity via LogicChallengesLooking Ahead Dependent JavaScript Web Platform Tool Support >>>

167 Why JavaScript?Types via LogicSecurity via LogicChallengesLooking Ahead Generate Tests and Find Bugs for Unannotated Programs Support Refactoring and Code Completion for Annotated Programs Provide Analysis and Documentation Tools for Large, Popular Libraries like jQuery Web-Based Interfaces to Collect Statistics about Programming Patterns, Errors Tools for Web Development

168 Why JavaScript?Types via LogicSecurity via LogicChallengesLooking Ahead Inferred Annotations are in Comments Flow-Sensitive Type Information by Hovering over Program Point

169 Why JavaScript?Types via LogicSecurity via LogicChallengesLooking Ahead Inferred Annotations are in Comments Flow-Sensitive Type Information by Hovering over Program Point Many Software Engineering Challenges!

170 Learning Complex Languages is Difficult Static Error Messages can be Mysterious Generate Concrete Run-Time Traces? Execution may be easier to understand Help motivate compile-time guarantees Why JavaScript?Types via LogicSecurity via LogicChallengesLooking Ahead Tools for Education

171 Learning in Large Classes is Difficult Clickers and Peer Instruction Can Help Analyze Live In-Class Performance? To guide subsequent topics during class To provide personalized feedback after class To suggest well-balanced study groups Why JavaScript?Types via LogicSecurity via LogicChallengesLooking Ahead Tools for Education

172 Why JavaScript?Types via LogicSecurity via LogicChallengesLooking Ahead Dependent JavaScript Tool Support Policy Specification Dynamic Enforcement Trus t Base Web Platform

173 [STOP ’11] [POPL ’12] [OOPSLA ’12] [ML ’13] [ESOP ’10] [PLDI ’10] [PLDI ’09] Program Analysis for Security Dataflow Analysis for Race Detection [PLDI ’08] PL Techniques

Dynamic Languages are Pervasive DJS: Precise Static Types via Logic Towards Fine-Grained Web Security ravichugh.com 174 Thanks!

Modern Type Systems for Dynamic Languages Ravi Chugh.

Similar presentations

Presentation on theme: "Modern Type Systems for Dynamic Languages Ravi Chugh."— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

Modern Type Systems for Dynamic Languages Ravi Chugh.

Similar presentations

Presentation on theme: "Modern Type Systems for Dynamic Languages Ravi Chugh."— Presentation transcript:

Similar presentations

About project

Feedback