Fission: Secure Dynamic Code-Splitting for JavaScript

Authors Arjun Guha, Jean-Baptiste Jeannin, Rachit Nigam, Jane Tangen, Rian Shambaugh



PDF
Thumbnail PDF

File

LIPIcs.SNAPL.2017.5.pdf
  • Filesize: 409 kB
  • 13 pages

Document Identifiers

Author Details

Arjun Guha
Jean-Baptiste Jeannin
Rachit Nigam
Jane Tangen
Rian Shambaugh

Cite AsGet BibTex

Arjun Guha, Jean-Baptiste Jeannin, Rachit Nigam, Jane Tangen, and Rian Shambaugh. Fission: Secure Dynamic Code-Splitting for JavaScript. In 2nd Summit on Advances in Programming Languages (SNAPL 2017). Leibniz International Proceedings in Informatics (LIPIcs), Volume 71, pp. 5:1-5:13, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2017)
https://doi.org/10.4230/LIPIcs.SNAPL.2017.5

Abstract

Traditional web programming involves the creation of two distinct programs: a client-side front-end, a server-side back-end, and a lot of communications boilerplate. An alternative approach is to use a tierless programming model, where a single program describes the behavior of both the client and the server, and the runtime system takes care of communication. Unfortunately, this usually entails adopting a new language and thus abandoning well-worn libraries and web programming tools. In this paper, we present our ongoing work on Fission, a platform that uses dynamic tier-splitting and dynamic information flow control to transparently run a single JavaScript program across the client and server. Although static tier-splitting has been studied before, our focus on dynamic approaches presents several new challenges and opportunities. For example, Fission supports characteristic JavaScript features such as eval and sophisticated JavaScript libraries like React. Therefore, programmers can reason about the integrity and confidentiality of information while continuing to use common libraries and programming patterns. Moreover, by unifying the client and server into a single program, Fission allows language-based tools, like type systems and IDEs, to manipulate complete web applications. To illustrate, we use TypeScript to ensure that client-server communication does not go wrong.
Keywords
  • JavaScript
  • information flow control

Metrics

  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    0
    PDF Downloads

References

  1. Amal Ahmed. Verified compilers for a multi-language world. In Summit oN Advances in Programming Languages (SNAPL), 2015. Google Scholar
  2. Devdatta Akhawe, Adam Barth, Peifung E. Lam, John C. Mitchell, and Dawn Song. Towards a formal foundation of Web security. In IEEE Computer Security Foundations Symposium (CSF), 2010. Google Scholar
  3. Cristiana Amza, Alan L. Cox, Sandhya Dwarkadas, Pete Keleher, Honghui Lu, Ramakrishnan Rajamony, Weimin Yu, and Willy Zwaenepoel. TreadMarks: Shared memory computing on networks of workstations. Computer, 29(2):18-28, February 1996. Google Scholar
  4. Jong-hoon David An, Avik Chaudhuri, and Jeffrey S. Foster. Static typing for Ruby on Rails. In IEEE International Symposium on Automated Software Engineering, 2009. Google Scholar
  5. Christopher Anderson, Paola Giannini, and Sophia Drossopoulou. Towards type inference for JavaScript. In European Conference on Object-Oriented Programming (ECOOP), 2005. Google Scholar
  6. Esben Andreasen and Anders Møller. Determinacy in static analysis for jQuery. In ACM SIGPLAN Conference on Object Oriented Programming, Systems, Languages and Applications (OOPSLA), 2014. Google Scholar
  7. Thomas H. Austin and Cormac Flanagan. Multiple facets for dynamic information flow control. In ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL), 2012. Google Scholar
  8. Andrew D. Birrell and Bruce Jay Nelson. Implementing remote procedure calls. ACM Transactions on Computer Systems (TOCS), 2(1):39-59, February 1984. Google Scholar
  9. Martin Bodin, Arthur Chargueraud, Daniele Filaretti, Philippa Gardner, Sergio Maffeis, Daiva Naudziuniene, Alan Schmitt, and Gareth Smith. A trusted mechanised JavaScript specification. In ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL), 2014. Google Scholar
  10. Bounty hunters: The honor roll. https://technet.microsoft.com/en-us/security/dn469163.aspx. Accessed Mar 24 2017.
  11. Satish Chandra, Colin S. Gordon, Jean-Baptiste Jeannin, Cole Schlesinger, Manu Sridharan, Frank Tip, and Young-Il Choi. Type inference for static compilation of JavaScript. In ACM SIGPLAN Conference on Object Oriented Programming, Systems, Languages and Applications (OOPSLA), 2016. Google Scholar
  12. Adam Chlipala. Ur/Web: A simple model for programming the web. In ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL), 2015. Google Scholar
  13. Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian Zheng, and Xin Zheng. Secure web applications via automatic partitioning. In ACM Symposium on Operating Systems Principles (SOSP), 2007. Google Scholar
  14. Ravi Chugh, David Herman, and Ranjit Jhala. Dependent types for JavaScript. In ACM SIGPLAN Conference on Object Oriented Programming, Systems, Languages and Applications (OOPSLA), 2012. Google Scholar
  15. Ravi Chugh, Jeffrey A. Meister, Ranjit Jhala, and Sorin Lerner. Staged information flow for JavaScript. In ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), 2009. Google Scholar
  16. Ravi Chugh, Patrick M. Rondon, and Ranjit Jhala. Nested refinements for dynamic languages. In ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL), 2012. Google Scholar
  17. William R. Cook and Ben Wiedermann. Remote batch invocation for SQL databases. In International Symposium on Database Programming Languages (DBPL), 2011. Google Scholar
  18. Ezra Cooper, Sam Lindley, Philip Wadler, and Jeremy Yallop. Links: Web programming without tiers. In Formal Methods of Components and Objects, 2006. Google Scholar
  19. Brian J. Corcoran, Nikhil Swamy, and Michael Hicks. Cross-tier, label-based security enforcement for web applications. In ACM SIGMOD International Conference on Management of Data (SIGMOD), 2009. Google Scholar
  20. CVE-2016-6316: XSS vulnerability in Action View in Ruby on Rails. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6316. Accessed Mar 24 2017.
  21. Evan Czaplicki and Stephen Chong. Asynchronous functional reactive programming for GUIs. In ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), 2013. Google Scholar
  22. Facebook bug bounty: $5 million paid in 5 years. https://www.facebook.com/notes/facebook-bug-bounty/facebook-bug-bounty-5-million-paid-in-5-years/1419385021409053/. Accessed Mar 24 2017.
  23. Cedric Fournet, Nikhil Swamy, Juan Chen, Pierre-Evariste Dagand, Pierre-Yves Strub, and Benjamin Livshits. Fully abstract compilation to JavaScript. In ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL), 2013. Google Scholar
  24. Michael Furr, Jong-hoon David An, and Jeffrey S. Foster. Profile-guilding static typing for dynamic scripting languages. In ACM SIGPLAN Conference on Object Oriented Programming, Systems, Languages and Applications (OOPSLA), 2009. Google Scholar
  25. Google security rewards-2015 year in review. https://security.googleblog.com/2016/01/google-security-rewards-2015-year-in.html. Accessed Mar 24 2017.
  26. Salvatore Guarnieri and Benjamin Livshits. GateKeeper: Mostly static enforcement of security and reliability policies for JavaScript code. In USENIX Security Symposium, 2009. Google Scholar
  27. Arjun Guha, Shriram Krishnamurthi, and Trevor Jim. Using static analysis for Ajax intrusion detection. In World Wide Web Conference (WWW), 2009. Google Scholar
  28. Arjun Guha, Claudiu Saftoiu, and Shriram Krishnamurthi. The essence of JavaScript. In European Conference on Object-Oriented Programming (ECOOP), 2010. Google Scholar
  29. Arjun Guha, Claudiu Saftoiu, and Shriram Krishnamurthi. Typing local control and state using flow analysis. In European Symposium on Programming (ESOP), 2011. Google Scholar
  30. Phillip Heidegger and Peter Thiemann. Recency types for dynamically-typed, object-based languages: Strong updates for JavaScript. In Workshop on Foundations of Object-Oriented Languages (FOOL), 2009. Google Scholar
  31. Ali Ibrahim, Yang Jiao an d Eli Tilevich, and William R. Cook. Remote batch invocation for compositional object services. In European Conference on Object-Oriented Programming (ECOOP), 2009. Google Scholar
  32. JIF 3.5.0: Java information flow. https://www.cs.cornell.edu/jif. June 2016.
  33. Vineeth Kashyap, Kyle Dewey, Ethan A. Kuefner, John Wagner, Kevin Gibbons, John Sarracino, Ben Wiedermann, and Ben Hardekopf. JSAI: A static analysis platform for JavaScript. In ACM SIGSOFT Symposium on the Foundations of Software Engineering (FSE), 2014. Google Scholar
  34. Jukka Lehtosalo. mypy. URL: http://mypy-lang.org.
  35. Benjamin S. Lerner, Liam Elberty, Jincheng Li, and Shriram Krishnamurthi. Combining form and function: Static types for JQuery programs. In European Conference on Object-Oriented Programming (ECOOP), 2013. Google Scholar
  36. Benjamin S. Lerner, Joe Gibbs Politz, Arjun Guha, and Shriram Krishnamurthi. TeJaS: Retrofitting type systems for JavaScript. In Dynamic Languages Symposium (DLS), 2013. Google Scholar
  37. Magnus Madsen, Frank Tip, and Ondrej Lhoták. Static analysis of event-driven Node.js JavaScript applications. In ACM SIGPLAN Conference on Object Oriented Programming, Systems, Languages and Applications (OOPSLA), 2015. Google Scholar
  38. Sergio Maffeis, John C. Mitchell, and Ankur Taly. An operational semantics for JavaScript. In Asian Symposium on Programming Languages and Systems, 2008. Google Scholar
  39. Sergio Maffeis, John C. Mitchell, and Ankur Taly. Isolating JavaScript with filters, rewriting, and wrappers. In European Symposium on Research in Computer Security, 2009. Google Scholar
  40. Jacob Matthews and Robert Bruce Findler. Operational semantics for multi-language programs. In ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL), 2007. Google Scholar
  41. Erik Meijer, Brian Beckman, and Gavin Bierman. LINQ: Reconciling object, relations and XML in the .NET Framework. In ACM SIGMOD International Conference on Management of Data (SIGMOD), 2006. Google Scholar
  42. Joseph Menn. U.S. election agency breached by hackers after November vote. http://www.reuters.com/article/us-election-hack-commission-idUSKBN1442VC. Accessed Jan 2 2017.
  43. Peter-Michael Osera, Vilhelm Sjöberg, and Steve Zdancewic. Dependent interoperability. In Programming Languages meets Program Verification Workshop (PLPV), 2012. Google Scholar
  44. Daejun Park, Andrei Stefănescu, and Grigore Roşu. KJS: A complete formal semantics of JavaScript. In ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), 2015. Google Scholar
  45. Joe Gibbs Politz, Matthew J. Carroll, Benjamin S. Lerner, and Shriram Krishnamurthi. A tested semantics for getters, setters, and eval in JavaScript. In Dynamic Languages Symposium (DLS), 2012. Google Scholar
  46. Joe Gibbs Politz, Spiridon Aristides Eliopoulos, Arjun Guha, and Shriram Krishnamurthi. Adsafety: Type-based verification of javascript sandboxing. In USENIX Security Symposium, 2011. Google Scholar
  47. Joe Gibbs Politz, Arjun Guha, and Shriram Krishnamurthi. Semantics and types for objects with first-class member names. In Workshop on Foundations of Object-Oriented Languages (FOOL), 2012. Google Scholar
  48. Donald E. Porter, Michael D. Bond, Indrajit Roy, Kathryn S. McKinley, and Emmett Witchel. Practical fine-grained information flow control using Laminar. ACM Transactions on Programming Languages and Systems (TOPLAS), 37(1):4:1-4:51, 2014. Google Scholar
  49. Gregor Richards, Sylvain Lebresne, Brian Burg, and Jan Vitek. An analysis of the dynamic behavior of JavaScript programs. In ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), 2010. Google Scholar
  50. Gregor Richards, Francesco Zappa Nardelli, and Jan Vitek. Concrete types for TypeScript. In European Conference on Object-Oriented Programming (ECOOP), 2015. Google Scholar
  51. Daniel Schoepe, Musard Balliu, Frank Piessens, and Andrei Sabelfeld. Let’s face it: Faceted values for taint tracking. In European Symposium on Research in Computer Security, 2016. Google Scholar
  52. Manuel Serrano, Erick Gallesio, and Florian Loitsch. Hop, a language for programming the Web 2.0. In Dynamic Languages Symposium (DLS), 2006. Google Scholar
  53. Manuel Serrano and Vincent Prunet. A glimpse of Hopjs. In ACM International Conference on Functional Programming (ICFP), 2016. Google Scholar
  54. Ankur Taly, Úlfar Erlingsson, Mark S. Miller, John C. Mitchell, and Jasvir Nagra. Automated analysis of security-critical JavaScript APIs. In IEEE Security and Privacy (Oakland), 2011. Google Scholar
  55. Peter Thiemann. Towards a type system for analyzing JavaScript programs. In European Symposium on Programming (ESOP), 2005. Google Scholar
  56. Peter Thiemann. A type safe DOM API. In International Workshop on Database Programming Languages, 2005. Google Scholar
  57. Panagiotis Vekris, Benjamin Cosman, and Ranjit Jhala. Trust, but verify: Two-phase typing for dynamic languages. In European Conference on Object-Oriented Programming (ECOOP), 2015. Google Scholar
  58. WordPress 4.6.1 security and maintenance release. https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/. Accessed Mar 24 2017.
Questions / Remarks / Feedback
X

Feedback for Dagstuhl Publishing


Thanks for your feedback!

Feedback submitted

Could not send message

Please try again later or send an E-mail