October 5, 2015, 18. Kolloquium Programmiersprachen und Grundlagen der Programmierung, KPS 2015 P ̈ortschach am W ̈orthersee, O ̈sterreich

1. On Contracts, Sandboxes,
and Proxies for JavaScript
Matthias Keil, Peter Thiemann
University of Freiburg, Germany
October 5, 2015, 18. Kolloquium Programmiersprachen und Grundlagen der Programmierung, KPS 2015
P¨ortschach am W¨orthersee, ¨Osterreich

2. TreatJS
Language embedded contract system for JavaScript
Enforced by run-time monitoring
Standard abstractions for higher-order-contracts (base,
function, and dependent contracts) [Findler,Felleisen’02]
Systematic blame calculation
Contract constructors generalize dependent contracts
Internal noninterference
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 2 / 14

3. Base Contract [Findler,Felleisen’02]
Base Contracts are built from predicates
Specified by a plain JavaScript function
Base Contract
function isNumber (arg) {
return (typeof arg) === ’number’;
};
var Number = Contract.Base(isNumber);
assert(1, Number );
assert(’a’, Number ); blame the subject
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 3 / 14

4. Function Contract [Findler,Felleisen’02]
// Number × Number → Number
function plus (x, y) {
return (x + y);
}
Function Contract
var Plus = Contract.Function([ Number , Number ],
Number );
var plusNumber = assert(plus, Plus );
plusNumber(1, 1);
plusNumber(’a’, ’a’); blame the context
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 4 / 14

5. JavaScript Proxies
Handler
Proxy Target Shadow
Meta-Level
Base-Level
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14

6. JavaScript Proxies
Handler
Proxy Target Shadow
proxy.x;
Meta-Level
Base-Level
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14

7. JavaScript Proxies
Handler
Proxy Target Shadow
proxy.x;
handler.get(target, ’x’, proxy);
Meta-Level
Base-Level
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14

8. JavaScript Proxies
Handler
Proxy Target Shadow
proxy.x;
handler.get(target, ’x’, proxy);
target[’x’];
Meta-Level
Base-Level
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14

9. JavaScript Proxies
Handler
Proxy Target Shadow
proxy.x;
proxy.y=1;
...
handler.get(target, ’x’, proxy);
handler.set(target, ’y’, 1, proxy);
...
target[’x’];
target[’y’]=1;
...
Meta-Level
Base-Level
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 5 / 14

10. Noninterference
Noninterference
The contract system should not interfere with the execution of
application code.
External Noninterference arises from the interaction of the
contract system with the host program
1 Exceptions
2 Object equality
Internal Noninterference arises from executing unrestricted
code in predicates
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 6 / 14

11. Internal Noninterference
No syntactic restrictions on predicates
Predicates may try to write to data that is visible to the
application
Solution: Predicate evaluation takes place in a sandbox
Faulty Predicate
function isNumber (arg) {
type = (typeof arg);
return type === ’number’;
};
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 7 / 14

12. Internal Noninterference
No syntactic restrictions on predicates
Predicates may try to write to data that is visible to the
application
Solution: Predicate evaluation takes place in a sandbox
Faulty Predicate
function isNumber (arg) {
type = (typeof arg); access forbidden
return type === ’number’;
};
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 7 / 14

13. TreatJS Sandbox
All contracts guarantee noninterference
Read-only access is safe
Predicate with Read-Access
function isArray (arg) {
return (arg instanceof Array);
}
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 8 / 14

14. TreatJS Sandbox
Predicate execution may violate contracts
Solution: Sandbox redefines the responsibility
Predicate with Read-Access
function addOne (arg) {
return plusNumber(arg, ’1’); blame the ?
}
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 9 / 14

15. TreatJS Sandbox
Predicate execution may violate contracts
Solution: Sandbox redefines the responsibility
Predicate with Read-Access
function addOne (arg) {
return plusNumber(arg, ’1’); blame the contract
}
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 9 / 14

16. Sandbox Encapsulation
Faulty Predicate
function isNumber (arg) {
type = (typeof arg);
return type === ’number’;
};
1 Place a write protection on objects (e.g. this, arg)
2 Remove external bindings of functions (e.g. type)
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 10 / 14

17. Identity Preserving Membrane
ProxyA
?ProxyB
ProxyC
TargetA
TargetB
TargetC
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14

18. Identity Preserving Membrane
ProxyA
?ProxyB
ProxyC
TargetA
TargetB
TargetC
x
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14

19. Identity Preserving Membrane
ProxyA
?ProxyB
ProxyC
TargetA
TargetB
TargetC
x x
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14

20. Identity Preserving Membrane
ProxyA
?ProxyB
ProxyC
TargetA
TargetB
TargetC
x x
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14

21. Identity Preserving Membrane
ProxyA
?ProxyB
ProxyC
TargetA
TargetB
TargetC
x
y
x
y
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14

22. Identity Preserving Membrane
ProxyA
?ProxyB
ProxyC
TargetA
TargetB
TargetC
x
z
y
x
z
y
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 11 / 14

23. Shadow Objects
Handler
Proxy Target Shadow
proxy.x;
proxy.y=1;
handler.get(target, ’x’, proxy);
handler.set(target, ’y’, 1, proxy);
target[’x’];
target[’y’]=1;
Meta-Level
Base-Level
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14

24. Shadow Objects
Handler
Proxy Target Shadow
Meta-Level
Base-Level
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14

25. Shadow Objects
Handler
Proxy Target Shadow
proxy.x;
handler.get(target, ’x’, proxy);
target[’x’];
Meta-Level
Base-Level
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14

26. Shadow Objects
Handler
Proxy Target Shadow
proxy.x;
proxy.y=1;
handler.get(target, ’x’, proxy);
handler.set(target, ’y’, 1, proxy);
target[’x’]; shadow[’y’]=1;
Meta-Level
Base-Level
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14

27. Shadow Objects
Handler
Proxy Target Shadow
proxy.x;
proxy.y=1;
proxy.y;
handler.get(target, ’x’, proxy);
handler.set(target, ’y’, 1, proxy);
handler.get(target, ’y’, proxy);
target[’x’]; shadow[’y’]=1;
shadow[’y’];
Meta-Level
Base-Level
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 12 / 14

28. Function Recompilation
var x = 1;
function f (){
function g (y) {
var z = 1;
return x+y+z;
}
}
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 13 / 14

29. Function Recompilation
var x = 1;
function f (){
”function g (y) {
var z = 1;
return x+y+z;
}”
}
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 13 / 14

30. Function Recompilation
var x = 1;
with(sbxglobal){
eval( ”function g (y) {
var z = 1;
return x+y+z;
}”);
}
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 13 / 14

31. Function Recompilation
var x = 1;
with(sbxglobal){
function g (y) {
var z = 1;
return x+y+z;
}
}
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 13 / 14

32. Conclusion
TreatJS:
Language embedded, dynamic, higher-order contract system
for full JavaScript
Guarantees noninterference
Sandbox:
Language embedded sandbox for full JavaScript
Runs JavaScript code in isolation isolation
Matthias Keil, Peter Thiemann On Contracts, Sandboxes, and Proxies October 5, 2015 14 / 14