EOI Talk – Summer 2013
TS*
TS*: Taming the Un-typed Adversary
in JavaScript
Aseem Rastogi
(University of Maryland, College Park)
Joint work with:
Nikhil Swamy, Cedric Fournet, Juan Chen, Karthik Bhargavan, Pierre-Yves Strub, and Gavin Bierman
EOI Talk – Summer 2013
TS*
Writing Security Critical JavaScript Code is Hard !
6/27/2016
2
EOI Talk – Summer 2013
TS*
Example – Html5 localStorage
-- No schema
-- No authorization
localStorage.setItem(string, string), localStorage.getItem(string), …
Client Storage
6/27/2016
3
EOI Talk – Summer 2013
TS*
Example – Html5 localStorage
-- Enforce Schema
-- Authorization
-- Efficient
High Integrity, Secure, Efficient Interface
localStorage.setItem(string, string), localStorage.getItem(string), …
Client Storage
6/27/2016
4
EOI Talk – Summer 2013
TS*
JS Demo !
Let’s write Storage library in JavaScript !
6/27/2016
5
EOI Talk – Summer 2013
TS*
JS Demo !
• (Demo elided:
– The basic idea is that despite writing clean
idiomatic code in JavaScript providing a
localStorage API, when interacting with a
malicious third-party script in the same page, the
clean code can easily be subverted by the thirdparty. Attacks include prototype poisoning, global
namespace corruption, stack walks, etc. )
That didn’t turn out well, huh ?
6/27/2016
6
EOI Talk – Summer 2013
TS*
Migration from JavaScript to TS*
Security Critical
Code in JS
Other App Code
in JS (e.g. UI)
Low
Effort
Migration
Third-party Code
in JS (e.g. Ads)
Security Critical
Code in TS*
6/27/2016
Gradually-typed, Idiomatic JS
7
EOI Talk – Summer 2013
TS*
TS* Demo !
• See: http://rise4fun.com/FStar/tutorial/tsStar
Let’s try writing Storage library in TS*
6/27/2016
8
EOI Talk – Summer 2013
TS*
TS* Demo !
Pretty Cool, isn’t it !
6/27/2016
9
EOI Talk – Summer 2013
TS*
Gradual Security
Code
Statically Typed
Any-typed
Code
Un-typed
Statically Typed
Any-typed
Un-typed
Code
6/27/2016
Statically Typed
Any-typed
Un-typed
10
EOI Talk – Summer 2013
TS*
TS* Tour with Example
type Point : { x : number; y : number };
function bar (t) { t.x = true; }
function foo ( s : Point ) : number
{
bar ( s );
return s.x + s.y;
}
var r = { x = true };
r.x = 2;
r.y = 3;
foo ( r );
6/27/2016
11
EOI Talk – Summer 2013
TS*
TS* Tour with Example
type Point : { x : number; y : number };
function bar (t) { t.x = true; }
var r = { x = true };
r.x = 2;
r.y = 3;
foo ( r );
6/27/2016
function foo ( s : Point ) : number
{
bar ( s );
return s.x + s.y;
}
12
EOI Talk – Summer 2013
TS*
TS*: Gradually Typed
type Point : { x : number; y : number };
function bar (t) { t.x = true; }
var r = { x = true };
r.x = 2;
r.y = 3;
foo ( r );
function foo ( s : Point ) : number
{
bar ( s );
return s.x + s.y;
}
• Gradual type system, compiles to JavaScript
• Supports idiomatic JavaScript
6/27/2016
13
EOI Talk – Summer 2013
TS*
TS*: RTTI based Gradual Typing
type Point : { x : number; y : number };
function bar (t) { t.x = true; }
var r = { x = true };
r.x = 2;
r.y = 3;
foo ( r );
function foo ( s : Point ) : number
{
bar ( s );
return s.x + s.y;
}
• Every value carries a type tag at run-time
6/27/2016
14
EOI Talk – Summer 2013
TS*
TS*: RTTI based Gradual Typing
type Point : { x : number; y : number };
function bar (t) { t.x = true; }
var r = { x = true }; ◄
r.x = 2;
r.y = 3;
foo ( r );
function foo ( s : Point ) : numb
{
bar ( s );
return s.x + s.y;
}
r:
any
{ x = true }
6/27/2016
15
EOI Talk – Summer 2013
TS*
TS*: Type Safety in Any-typed Code
type Point : { x : number; y : number };
function bar (t) { t.x = true; }
var r = { x = true };
r.x = 2; ◄ r.y = 3;
foo ( r );
function foo ( s : Point ) : numb
{
bar ( s );
return s.x + s.y;
}
• Instrumented with run time type checks
• Must respect RTTI tags
6/27/2016
16
EOI Talk – Summer 2013
TS*
TS*: Type Safety in Any-typed Code
type Point : { x : number; y : number };
function bar (t) { t.x = true; }
function foo ( s : Point ) : numb
{
bar ( s );
return s.x + s.y;
}
var r = { x = true };
r.x = 2; ◄ r.y = 3;
foo ( r );
Is r a record ? Does ( r.x = 2 ) respect r’s RTTI ?
✔
r:
r:
any
any
{ x = true }
{ x =2 }
6/27/2016
17
EOI Talk – Summer 2013
TS*
TS*: Type Safety in Any-typed Code
type Point : { x : number; y : number };
function bar (t) { t.x = true; }
function foo ( s : Point ) : numb
{
bar ( s );
return s.x + s.y;
}
var r = { x = true };
r.x = 2;
r.y = 3; ◄
foo ( r );
Is r a record ? Does ( r.y = 3 ) respect r’s RTTI ?
r:
r:
✔
r:
any
any
any
{ x = true }
{ x =2 }
{ x = 2; y = 3 }
6/27/2016
18
EOI Talk – Summer 2013
TS*
TS*: RTTI Evolution
type Point : { x : number; y : number };
function bar (t) { t.x = true; }
var r = { x = true };
r.x = 2;
r.y = 3;
foo ( r ); ◄
function foo ( s : Point ) : numb
{
bar ( s );
return s.x + s.y;
}
• Check that value has expected type …
• And tag it -- RTTI tags evolve
• Ensures type safety in the presence of mutable records
6/27/2016
19
EOI Talk – Summer 2013
TS*
TS*: RTTI Evolution
type Point : { x : number; y : number };
function bar (t) { t.x = true; }
var r = { x = true };
r.x = 2;
r.y = 3;
foo ( r ); ◄
Is r a Point ?
function foo ( s : Point ) : numb
{
bar ( s );
return s.x + s.y;
}
✔
r, s:
r:
any
Point
{ x = 2; y = 3 }
{ x = 2; y = 3 }
6/27/2016
20
EOI Talk – Summer 2013
TS*
TS*: Any-subtyping
type Point : { x : number; y : number };
function bar (t) { t.x = true; }
var r = { x = true };
r.x = 2;
r.y = 3;
foo ( r );
function foo ( s : Point ) : numb
{
bar ( s ); ◄
return s.x + s.y;
}
Seamless via Subtyping
6/27/2016
21
EOI Talk – Summer 2013
TS*
TS*: Type Safety in Any-typed Code
type Point : { x : number; y : number };
function bar (t) { t.x = true; ◄ }
var r = { x = true };
r.x = 2;
r.y = 3;
foo ( r );
function foo ( s : Point ) : numb
{
bar ( s );
return s.x + s.y;
}
Is t a record ? Does ( t.x = true ) respect t’s RTTI ?
✗
r, s, t:
Point
{ x = 2; y = 3 }
6/27/2016
• ( t.x = true ) fails
• s remains as is
22
EOI Talk – Summer 2013
TS*
TS*: Statically-typed Code
type Point : { x : number; y : number };
function bar (t) { t.x = true; }
var r = { x = true };
r.x = 2;
r.y = 3;
foo ( r );
function foo ( s : Point ) : numb
{
bar ( s );
return s.x + s.y; ◄
}
• Executes as is
• No runtime checks in statically-typed code
6/27/2016
23
EOI Talk – Summer 2013
TS*
TS*: Un – The Other Dynamic Type
type Point : { x : number; y : number };
show : Un
function foo ( s : Point ) :
number
{
show ( s );
return s.x + s.y;
}
• Interaction with Un-typed code mediated by
wrappers
• Enforce heap separation from Un code
6/27/2016
24
EOI Talk – Summer 2013
TS*
TS*: Defensive Wrapper for Un
type Point : { x : number; y : number };
show : Un
function foo ( s : Point ) :
number
{
show ( s ); ◄
return s.x + s.y;
}
wrap ( Un, Point
unit ) ( show ) ( s )
var t1 = wrap ( Point, Un ) ( s );
var t2 = show ( t1 );
wrap ( Un, unit) ( t2 )
6/27/2016
/* makes a deep copy of s */
25
EOI Talk – Summer 2013
TS*
TS* Summary
• Statically-typed code:
– No run-time type checks
– No run-time failures
– No performance penalty (except adding RTTI tags)
• Any-typed code:
– Instrumented with run-time type checks
– Respects RTTI tags set by the statically-typed code
• Un-typed code:
– Complete heap separation from TS* code
6/27/2016
26
EOI Talk – Summer 2013
TS*
You still don’t know all we did this summer !
•
•
•
•
•
•
Support for Arrays in TS*
Performance Tweaking
Formalization of TS* compilation in JSVerify†
Type soundness proof
Submitted TS* work to POPL’14
Spent couple of weeks reading Mental Poker !
†Swamy
6/27/2016
et. al. POPL’ 13
27
EOI Talk – Summer 2013
TS*
TS* Summary
TypeScript like surface language
• Gradual type system, compiles to JavaScript
Not one, but two dynamic types
• Any and Un
Type safe (unlike TypeScript)
• Even when interacting with malicious context
6/27/2016
28