Presentation is loading. Please wait.

Presentation is loading. Please wait.

TS*: Taming the Un-typed Adversary in JavaScript

Published byLeo Holt Modified over 6 years ago

Similar presentations

Presentation on theme: "TS*: Taming the Un-typed Adversary in JavaScript"— Presentation transcript:

1 TS*: Taming the Un-typed Adversary in JavaScript
Aseem Rastogi (University of Maryland, College Park) Joint work with: Nikhil Swamy, Cedric Fournet, Juan Chen, Karthik Bhargavan, Pierre-Yves Strub, and Gavin Bierman

2 Writing Security Critical JavaScript Code is Hard !
11/29/2018

3 Example – Html5 localStorage
-- No schema -- No authorization localStorage.setItem(string, string), localStorage.getItem(string), … Client Storage 11/29/2018

4 Example – Html5 localStorage
-- Enforce Schema -- Authorization -- Efficient High Integrity, Secure, Efficient Interface localStorage.setItem(string, string), localStorage.getItem(string), … Client Storage 11/29/2018

5 Let’s write Storage library in JavaScript !
JS Demo ! Let’s write Storage library in JavaScript ! 11/29/2018

6 That didn’t turn out well, huh ?
JS Demo ! (Demo elided: The basic idea is that despite writing clean idiomatic code in JavaScript providing a localStorage API, when interacting with a malicious third-party script in the same page, the clean code can easily be subverted by the third-party. Attacks include prototype poisoning, global namespace corruption, stack walks, etc. ) That didn’t turn out well, huh ? 11/29/2018

7 Migration from JavaScript to TS*
Security Critical Code in JS No Heap Separation No Heap Separation Low Effort Migration Other App Code in JS (e.g. UI) Third-party Code in JS (e.g. Ads) Complete Heap Separation Complete Heap Separation Security Critical Code in TS* Gradually-typed, Idiomatic JS 11/29/2018

8 Let’s try writing Storage library in TS*
TS* Demo ! See: Let’s try writing Storage library in TS* 11/29/2018

9 TS* Demo ! Pretty Cool, isn’t it ! 11/29/2018

10 Gradual Security 11/29/2018

11 TS* Tour with Example type Point : { x : number; y : number };
function bar (t) { t.x = true; } function foo ( s : Point ) : number { bar ( s ); return s.x + s.y; } var r = { x = true }; r.x = 2; r.y = 3; foo ( r ); 11/29/2018

12 TS* Tour with Example type Point : { x : number; y : number };
function bar (t) { t.x = true; } function foo ( s : Point ) : number { bar ( s ); return s.x + s.y; } var r = { x = true }; r.x = 2; r.y = 3; foo ( r ); 11/29/2018

13 TS*: Gradually Typed Gradual type system, compiles to JavaScript
type Point : { x : number; y : number }; function bar (t) { t.x = true; } function foo ( s : Point ) : number { bar ( s ); return s.x + s.y; } var r = { x = true }; r.x = 2; r.y = 3; foo ( r ); Gradual type system, compiles to JavaScript Supports idiomatic JavaScript 11/29/2018

14 TS*: RTTI based Gradual Typing
type Point : { x : number; y : number }; function bar (t) { t.x = true; } function foo ( s : Point ) : number { bar ( s ); return s.x + s.y; } var r = { x = true }; r.x = 2; r.y = 3; foo ( r ); Every value carries a type tag at run-time 11/29/2018

15 TS*: RTTI based Gradual Typing
type Point : { x : number; y : number }; function bar (t) { t.x = true; } function foo ( s : Point ) : number { bar ( s ); return s.x + s.y; } var r = { x = true }; ◄ r.x = 2; r.y = 3; foo ( r ); any { x = true } r: 11/29/2018

16 TS*: Type Safety in Any-typed Code
type Point : { x : number; y : number }; function bar (t) { t.x = true; } function foo ( s : Point ) : number { bar ( s ); return s.x + s.y; } var r = { x = true }; r.x = 2; ◄ r.y = 3; foo ( r ); Instrumented with run time type checks Must respect RTTI tags 11/29/2018

17 TS*: Type Safety in Any-typed Code
type Point : { x : number; y : number }; function bar (t) { t.x = true; } function foo ( s : Point ) : number { bar ( s ); return s.x + s.y; } var r = { x = true }; r.x = 2; ◄ r.y = 3; foo ( r ); Is r a record ? Does ( r.x = 2 ) respect r’s RTTI ? any { x = true } r: any { x = 2 } r: 11/29/2018

18 TS*: Type Safety in Any-typed Code
type Point : { x : number; y : number }; function bar (t) { t.x = true; } function foo ( s : Point ) : number { bar ( s ); return s.x + s.y; } var r = { x = true }; r.x = 2; r.y = 3; ◄ foo ( r ); Is r a record ? Does ( r.y = 3 ) respect r’s RTTI ? any { x = true } r: any { x = 2 } r: any { x = 2; y = 3 } r: 11/29/2018

19 TS*: RTTI Evolution Check that value has expected type …
type Point : { x : number; y : number }; function bar (t) { t.x = true; } function foo ( s : Point ) : number { bar ( s ); return s.x + s.y; } var r = { x = true }; r.x = 2; r.y = 3; foo ( r ); ◄ Check that value has expected type … And tag it -- RTTI tags evolve Ensures type safety in the presence of mutable records 11/29/2018

20 TS*: RTTI Evolution ✔ Is r a Point ?
type Point : { x : number; y : number }; function bar (t) { t.x = true; } function foo ( s : Point ) : number { bar ( s ); return s.x + s.y; } var r = { x = true }; r.x = 2; r.y = 3; foo ( r ); ◄ Is r a Point ? any { x = 2; y = 3 } r: Point { x = 2; y = 3 } r, s: 11/29/2018

21 TS*: Any-subtyping Seamless via Subtyping
type Point : { x : number; y : number }; function bar (t) { t.x = true; } function foo ( s : Point ) : number { bar ( s ); ◄ return s.x + s.y; } var r = { x = true }; r.x = 2; r.y = 3; foo ( r ); Seamless via Subtyping 11/29/2018

22 TS*: Type Safety in Any-typed Code
type Point : { x : number; y : number }; function bar (t) { t.x = true; ◄ } function foo ( s : Point ) : number { bar ( s ); return s.x + s.y; } var r = { x = true }; r.x = 2; r.y = 3; foo ( r ); Is t a record ? Does ( t.x = true ) respect t’s RTTI ? Point { x = 2; y = 3 } r, s, t: ( t.x = true ) fails s remains as is 11/29/2018

23 TS*: Statically-typed Code
type Point : { x : number; y : number }; function bar (t) { t.x = true; } function foo ( s : Point ) : number { bar ( s ); return s.x + s.y; ◄ } var r = { x = true }; r.x = 2; r.y = 3; foo ( r ); Executes as is No runtime checks in statically-typed code 11/29/2018

24 TS*: Un – The Other Dynamic Type
type Point : { x : number; y : number }; show : Un function foo ( s : Point ) : number { show ( s ); return s.x + s.y; } Interaction with Un-typed code mediated by wrappers Enforce heap separation from Un code 11/29/2018

25 TS*: Defensive Wrapper for Un
type Point : { x : number; y : number }; show : Un function foo ( s : Point ) : number { show ( s ); ◄ return s.x + s.y; } wrap ( Un, Point unit ) ( show ) ( s ) var t1 = wrap ( Point, Un ) ( s ); /* makes a deep copy of s */ var t2 = show ( t1 ); wrap ( Un, unit) ( t2 ) 11/29/2018

26 TS* Summary Statically-typed code: Any-typed code: Un-typed code:
No run-time type checks No run-time failures No performance penalty (except adding RTTI tags) Any-typed code: Instrumented with run-time type checks Respects RTTI tags set by the statically-typed code Un-typed code: Complete heap separation from TS* code 11/29/2018

27 You still don’t know all we did this summer !
Support for Arrays in TS* Performance Tweaking Formalization of TS* compilation in JSVerify† Type soundness proof Submitted TS* work to POPL’14 Spent couple of weeks reading Mental Poker ! †Swamy et. al. POPL’ 13 11/29/2018

28 TS* Summary TypeScript like surface language
Gradual type system, compiles to JavaScript Not one, but two dynamic types Any and Un Type safe (unlike TypeScript) Even when interacting with malicious context 11/29/2018

Download ppt "TS*: Taming the Un-typed Adversary in JavaScript"

Similar presentations

SYDJS July 2011. What is HaXe? Multi-platform language Open source (www.haxe.org) Community driven Version 2.07 (around since 2005) Single syntax for.

SYDJS July What is HaXe? Multi-platform language Open source ( Community driven Version 2.07 (around since 2005) Single syntax for.
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
Safe TypeScript Aseem Rastogi University of Maryland, College Park

Safe TypeScript Aseem Rastogi University of Maryland, College Park
Taming JavaScript with F* Nikhil Swamy Microsoft Research.

Taming JavaScript with F* Nikhil Swamy Microsoft Research.
Wysteria: A Programming Language for Generic, Mixed-Mode Multiparty Computations Aseem Rastogi Matthew Hammer, Michael Hicks (University of Maryland, College.

Wysteria: A Programming Language for Generic, Mixed-Mode Multiparty Computations Aseem Rastogi Matthew Hammer, Michael Hicks (University of Maryland, College.
1 CSC 551: Web Programming Spring 2004 client-side programming with JavaScript  scripts vs. programs  JavaScript vs. JScript vs. VBScript  common tasks.

1 CSC 551: Web Programming Spring 2004 client-side programming with JavaScript  scripts vs. programs  JavaScript vs. JScript vs. VBScript  common tasks.
WEAVING CODE EXTENSIONS INTO JAVASCRIPT Benjamin Lerner, Herman Venter, and Dan Grossman University of Washington, Microsoft Research.

WEAVING CODE EXTENSIONS INTO JAVASCRIPT Benjamin Lerner, Herman Venter, and Dan Grossman University of Washington, Microsoft Research.
GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.

GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.

Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.
Mashup Security by Compilation Tamara Rezk These slides discuss joint work with Zhengqin Luo and Jose Santos February 22 nd, 2013.

Mashup Security by Compilation Tamara Rezk These slides discuss joint work with Zhengqin Luo and Jose Santos February 22 nd, 2013.
North Shore.NET User Group Our Sponsors. North Shore.NET User Group Check out our new web site Next Meeting

North Shore.NET User Group Our Sponsors. North Shore.NET User Group Check out our new web site Next Meeting
Safe & Efficient Gradual Typing for TypeScript Aseem Rastogi University of Maryland, College Park Nikhil Swamy Cédric Fournet Gavin Bierman Panagiotis.

Safe & Efficient Gradual Typing for TypeScript Aseem Rastogi University of Maryland, College Park Nikhil Swamy Cédric Fournet Gavin Bierman Panagiotis.
Session 6 Server-side programming - ASP. An ASP page is an HTML page interspersed with server-side code. The.ASP extension instead of.HTM denotes server-side.

Session 6 Server-side programming - ASP. An ASP page is an HTML page interspersed with server-side code. The.ASP extension instead of.HTM denotes server-side.
Extensibility, Safety and Performance in the SPIN Operating System Bershad et al Presentation by norm Slides shamelessly “borrowed” from Stefan Savage’s.

Extensibility, Safety and Performance in the SPIN Operating System Bershad et al Presentation by norm Slides shamelessly “borrowed” from Stefan Savage’s.
Run-Time Storage Organization

Run-Time Storage Organization
Web Page Behavior IS 373—Web Standards Todd Will.

Web Page Behavior IS 373—Web Standards Todd Will.
A Type System for Expressive Security Policies David Walker Cornell University.

A Type System for Expressive Security Policies David Walker Cornell University.
Automatic Implementation of provable cryptography for confidentiality and integrity Presented by Tamara Rezk – INDES project - INRIA Joint work with: Cédric.

Automatic Implementation of provable cryptography for confidentiality and integrity Presented by Tamara Rezk – INDES project - INRIA Joint work with: Cédric.
Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)

Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)

Similar presentations

Ads by Google