Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Type-based Dependency Analysis
1. Type-based Dependency Analysis
RS3 Topic Workshop on Concurrent Noninterference
University of Freiburg
Matthias Keil
Institute for Computer Science
Faculty of Engineering
University of Freiburg
June 2012
2. Outline
University of Freiburg
1 Dependencies
2 Formalization
Dependency Type
3 Abstract Analysis
4 Soundness
Noninterference
Correctness
Termination
5 Dependency-based Access Permission Contracts
Matthias Keil Type-based Dependency Analysis June 2012 2 / 60
3. Outline
University of Freiburg
1 Dependencies
2 Formalization
Dependency Type
3 Abstract Analysis
4 Soundness
Noninterference
Correctness
Termination
5 Dependency-based Access Permission Contracts
Matthias Keil Type-based Dependency Analysis June 2012 3 / 60
8. Outline
University of Freiburg
1 Dependencies
2 Formalization
Dependency Type
3 Abstract Analysis
4 Soundness
Noninterference
Correctness
Termination
5 Dependency-based Access Permission Contracts
Matthias Keil Type-based Dependency Analysis June 2012 7 / 60
9. Syntax of λJS [Int99]
University of Freiburg
Constant ∋ c ::= bool | num | str | undefined | null
Variable ∋ x ::= x0 . . .
Value ∋ v ::= c | ξℓ
Expression ∋ e ::= v | x
| let (x = e) in e
| op(e . . . )
| e.e
| e.e = e
| e(e)
| newℓ
| if (e) e, e
| λℓx.e
| e; e
| traceι(e)
Matthias Keil Type-based Dependency Analysis June 2012 8 / 60
10. Semantic domains
University of Freiburg
Location ∋ ξℓ
Function ∋ λℓx.e
Closure ∋ f ::= Environment × Function
Properties ∋ P ::= str → Value
Object ∋ o ::= Properties × Closure
Environment ∋ ρ ::= Variable → Value
Heap ∋ H ::= Location → Object
Definition (Judgement λJS)
H, ρ ⊢ e ⇓ H′
| v (2.1)
Matthias Keil Type-based Dependency Analysis June 2012 9 / 60
11. Dependency Type
University of Freiburg
Basic Value ∋ v ::= c
| ξℓ
Value ∋ ω ::= v : κ
Dependency Type ∋ κ ::= ∅
| ι
| κ • κ
Definition (Judgement λD
JS)
H, ρ, κ ⊢ e ⇓ H′
| ω (2.2)
Matthias Keil Type-based Dependency Analysis June 2012 10 / 60
12. Evaluation of λD
JS
Semantics
University of Freiburg
(DT-Constant)
H, ρ, κ ⊢ c ⇓ H | c : κ
(DT-Variable)
H, ρ, κ ⊢ x ⇓ H | ρ(x) • κ
(DT-Operation)
H, ρ, κ ⊢ e0 ⇓ H′
| v0 : κ0
...
Hn−1
, ρ, κ ⊢ en ⇓ Hn
| vn : κn
vop = ⇓v
op (v0 . . . vn)
H, ρ, κ ⊢ op(e0 . . . en) ⇓ Hn
| vop : κ0 • . . . • κn
Matthias Keil Type-based Dependency Analysis June 2012 11 / 60
35. Outline
University of Freiburg
1 Dependencies
2 Formalization
Dependency Type
3 Abstract Analysis
4 Soundness
Noninterference
Correctness
Termination
5 Dependency-based Access Permission Contracts
Matthias Keil Type-based Dependency Analysis June 2012 34 / 60
36. Soundness
University of Freiburg
1 Noninterference on λD
JS
2 Correctness (C-Consistency)
3 Termination
Matthias Keil Type-based Dependency Analysis June 2012 35 / 60
37. Noninterference
University of Freiburg
H, ρ, κ ⊢ e ⇓ H′
| v : κv (4.1)
ι /∈ κv : H, ρ, κ ⊢ ¯e ⇓ ˜H′
| v : κv (4.2)
¯e = e[ι → ˜e] (4.3)
Matthias Keil Type-based Dependency Analysis June 2012 36 / 60
38. Substitution of ι
University of Freiburg
Definition (Substitution of ι)
The substitution e[ι → ˜e] of ι in e is defined as:
∀e′
∈ SubExp(e) : e′
[ι → ˜e] (4.4)
traceι
(eι)[ι → ˜e] ≡ traceι
(˜e) (4.5)
Termination-Insensitive Noninterference
Matthias Keil Type-based Dependency Analysis June 2012 37 / 60
39. Bijection of ξℓ
University of Freiburg
Definition (Bijection of ξℓ
)
The bijection ♭ : Location → Location from location ξℓ to location
ξℓ′ maps permutations on heap entries.
♭ ::= ∅ | ♭[ξℓ
→ ξℓ′
] (4.6)
Definition (Bijection of v)
The bijection ♭ for values is defined as:
♭(v) ::=
♭(ξℓ) v = ξℓ
v v = ξℓ
(4.7)
Matthias Keil Type-based Dependency Analysis June 2012 38 / 60
40. κ-equivalence of H
University of Freiburg
Definition (κ-equivalence)
Two heaps H0,H1 are κ-equivalent H0 ≡♭,κ H1 iff
∀ξℓ
∈ dom(♭) : H0(ξℓ
) ≡♭,κ H1(♭(ξℓ
)) (4.8)
The heaps H0,H1 only differ in values v : κv with any intersection
with κ or in one-sided locations.
Matthias Keil Type-based Dependency Analysis June 2012 39 / 60
41. κ-equivalence of o
University of Freiburg
Definition (κ-equivalence)
Two objects o0,o1 are κ-equivalent
P0, ρ0, λℓx.e0 ≡♭,κ P1, ρ1, λℓx.e1 iff
∀str ∈ dom(P0) :
str ∈ dom(P1) ∧ P0(str) = P1(str) ∨
P0(str) = v : κv ∧ κ ∩ κv = ∅
(4.9)
∀str ∈ dom(P1) :
str ∈ dom(P) ∧ P0(str) = P1(str) ∨
P1(str) = v : κv ∧ κ ∩ κv = ∅
(4.10)
ρ0 ≡♭,κ ρ1 ∧ λℓ
x.e0 ≡♭,κ λℓ
x.e1 (4.11)
The objects o0,o1 only differ in values v : κv with any intersection
with κ.
Matthias Keil Type-based Dependency Analysis June 2012 40 / 60
42. κ-equivalence of ρ
University of Freiburg
Definition (κ-equivalence)
Two environments ρ0,ρ1 are κ-equivalent ρ0 ≡♭,κ ρ1 iff
∀x ∈ dom(ρ0) :
x ∈ dom(ρ1) ∧ ρ0(x) = ρ1(x) ∨
ρ0(x) = v : κv ∧ κ ∩ κv = ∅
(4.12)
∀x ∈ dom(ρ1) :
x ∈ dom(ρ0) ∧ ρ0(x) = ρ1(x) ∨
ρ1(x) = v : κv ∧ κ ∩ κv = ∅
(4.13)
The environments ρ0,ρ1 only differ in values v : κv with any
intersection with κ.
Matthias Keil Type-based Dependency Analysis June 2012 41 / 60
43. κ-equivalence of ω
University of Freiburg
Definition (κ-equivalence)
Two value ω0,ω1 are κ-equivalent v0 : κ0 ≡♭,κ v1 : κ1 iff
κ ∩ κ0 = ∅ ∧ κ ∩ κ1 = ∅ → ♭(v0) = v1 (4.14)
The values ω0,ω1 only differ in the case of any intersection with κ.
Matthias Keil Type-based Dependency Analysis June 2012 42 / 60
44. κ-equivalence of e
University of Freiburg
Definition (κ-equivalence)
Two expressions e0,e1 are κ-equivalent e0 ≡♭,κ e1 iff
κ = {ι0, ..., ιn} → ∃e′
0 . . . ∃e′
n : e0 = e1[ι0 → e′
0] . . . [ιn → e′
n]
(4.15)
The expressions e0,e1 only differ below traceι(eι) subexpressions
with ι ∈ κ.
Matthias Keil Type-based Dependency Analysis June 2012 43 / 60
45. Context Dependency
Theorem
University of Freiburg
Theorem (Context Dependency)
We assume that ∀H, ρ, κ, e : H, ρ, κ ⊢ e ⇓ H′ | v : κv implies
that κ ⊆ κv .
Matthias Keil Type-based Dependency Analysis June 2012 44 / 60
46. Noninterference
Theorem
University of Freiburg
Theorem (Noninterference)
We assume ∀¯κ, ∀♭ that
∀H, ˜H, ρ, ˜ρ, κ, e : H, ρ, κ ⊢ e ⇓ H′ | v : κv .
If ι /∈ ¯κ and H ≡♭,{ι|ι/∈¯κ}
˜H and ρ ≡♭,{ι|ι/∈¯κ} ˜ρ then
˜H, ˜ρ, κ ⊢ ¯e ⇓ ˜H′ | ˜v : ˜κv with ¯e = e[ι → ˜e] and e ≡♭,{ι|ι/∈¯κ} ¯e
and H′ ≡♭,{ι|ι/∈¯κ}
˜H′ and v : κv ≡♭,{ι|ι/∈¯κ} ˜v : ˜κv .
Matthias Keil Type-based Dependency Analysis June 2012 45 / 60
47. Correctness
University of Freiburg
∀e :
H, ρ, κ ⊢ e ⇓ H′
| ω (4.16)
Γ, σ ⊢ e ⇓ Γ′
| ϑ (4.17)
H ≺C Γ ∧ ρ ≺C σ ∧ κ ≺C DΓ →
H′
≺C Γ′
∧ ω ≺C ϑ
(4.18)
Matthias Keil Type-based Dependency Analysis June 2012 46 / 60
48. C-Consistency
University of Freiburg
Definition (C-Consistency on dependencies κ ≺C D)
∀ι ∈ κ : τι ∈ D (4.19)
Definition (C-Consistency on constants c ≺C L)
c ∈ L (4.20)
Matthias Keil Type-based Dependency Analysis June 2012 47 / 60
49. C-Consistency
University of Freiburg
Definition (C-Consistency on location ξℓ
≺C Ξ)
ℓ ∈ Ξ (4.21)
Definition (C-Consistency on values ω ≺C ϑ)
κ ≺C D (4.22)
v ∈ V(ϑ) ::=
ℓ ∈ Ξ, v = ξℓ
c ∈ L, v = c
(4.23)
Matthias Keil Type-based Dependency Analysis June 2012 48 / 60
50. C-Consistency
University of Freiburg
Definition (C-Consistency on properties P ≺C ∆)
∀str ∈ dom(P) : ∃L ∈ dom(∆) : str ∈ L ∧ P(str) ≺C ∆(L)
(4.24)
∀str /∈ dom(P) : undefined ≺C ∆(str) (4.25)
Definition (C-Consistency on objects o ≺C θ)
P ≺C ∆ (4.26)
ρ ≺C σ (4.27)
Matthias Keil Type-based Dependency Analysis June 2012 49 / 60
51. C-Consistency
University of Freiburg
Definition (C-Consistency on scopes ρ ≺C σ)
∀x ∈ dom(ρ) : x ∈ dom(σ) ∧ ρ(x) ≺C σ(x) (4.28)
Definition (C-Consistency on heaps H ≺C Γ)
∀ξℓ
∈ dom(H) : ℓ ∈ Σ ∧ H(ξℓ
) ≺C Σ(ℓ) (4.29)
Matthias Keil Type-based Dependency Analysis June 2012 50 / 60
52. C-Consistency
University of Freiburg
Lemma (Subset C-Consistency)
H ≺C Γ0 ∧ Γ0 ⊑ Γ1 → H ≺C Γ1 (4.30)
v : κ ≺C ϑ0 ∧ ϑ0 ⊑ ϑ1 → v : κ ≺C ϑ1 (4.31)
Lemma (C-Consistency on Property Update)
∀o, θ, L, ϑ | o ≺C θ : o ≺C θ[L → θ(L) ⊔ ϑ] (4.32)
Matthias Keil Type-based Dependency Analysis June 2012 51 / 60
53. Correctness
Theorem
University of Freiburg
Theorem (Correctness Relation)
For all expressions e within the syntax of λD
JS the following
condition holds: ∀H, H′, ρ, v, κ : If H, ρ, κ ⊢ e ⇓ H′ | v than
∀Γ, σ with H ≺C Γ, ρ ≺C σ and κ ≺C DΓ: Γ, σ ⊢ e ⇓ Γ′ | ϑ
with H′ ≺C Γ′ and v ≺C ϑ.
Matthias Keil Type-based Dependency Analysis June 2012 52 / 60
54. Termination
Theorem
University of Freiburg
Theorem (Termination)
Γ, σ ⊢ e ⇓ Γ′ | ϑ with arbitrary e.
1 Monotony
2 Ascending chain condition
Matthias Keil Type-based Dependency Analysis June 2012 53 / 60
55. Outline
University of Freiburg
1 Dependencies
2 Formalization
Dependency Type
3 Abstract Analysis
4 Soundness
Noninterference
Correctness
Termination
5 Dependency-based Access Permission Contracts
Matthias Keil Type-based Dependency Analysis June 2012 54 / 60
56. Access Permission Contracts [HBT12]
Recap
University of Freiburg
1 function fun () {
2 " Contract : a . b , a . b . c , a . ? , a . b ∗. c"
3 var x = a . b ;
4 a = {b : 5 } ;
5 }
Matthias Keil Type-based Dependency Analysis June 2012 55 / 60
57. Dependency-based Access Permission Contracts
University of Freiburg
Dependency-based
TAJS, static dependency analysis
Contracts instead of traceι(e)
C: Contract: a.b [r,w];
Evaluation
1 trace values ϑ / state Γ
2 create proof constraints L
3 validate constraints L
Matthias Keil Type-based Dependency Analysis June 2012 56 / 60
58. Dependency-based Access Permission Contracts
Principles
University of Freiburg
Constraint Based Proof constraints L at the end
Lazy Enforcement No direct enforcement of contracts C
Dynamic Extent Nested contracts C
Pre-State Snapshot Γ, σ, ϑ at C
Read-Write Protection Γ, σ, ϑ at C
Matthias Keil Type-based Dependency Analysis June 2012 57 / 60
59. Dependency-based Access Permission Contracts
Syntax
University of Freiburg
Contract ∋ C ::= ∅ | Q; C
Permissions ∋ Q ::= A, Π
AccessPath ∋ A ::= v.P
Properties ∋ P ::= ǫ | p.P | p ∗ .P
Variable ∋ v ::= {x . . .}
Property ∋ p ::= {x . . .}
PathPermission ∋ Π ::= πr ,πw
Readable ∋ πr ::= ǫ | r
Writeable ∋ πw ::= ǫ | w
Matthias Keil Type-based Dependency Analysis June 2012 58 / 60
60. Dependency-based Access Permission Contracts
Constraints
University of Freiburg
ReadConstraint ∋ R
WriteConstraint ∋ W
(DT-Permit)
H, ρ, κ ⊢C
Apply C, ιR, ιW ⇓ H′
| ρ′
| κ′
| L
H′
, ρ′
, κ′
⊢ e ⇓ H′′
| v : κv
H′′
, ρ′
, κv ⊢C
Check L
H, ρ, κ ⊢ permitιR,ιW
C in e ⇓ H′′
| v : κv
Matthias Keil Type-based Dependency Analysis June 2012 59 / 60
62. T. Amtoft and A. Banerjee.
Information flow analysis in logical form.
Static Analysis, pages 33–36, 2004.
Torben Amtoft and Anindya Banerjee.
A logic for information flow analysis with an application to
forward slicing of simple imperative programs.
Sci. Comput. Program., 64:3–28, January 2007.
Martín Abadi.
Access control in a core calculus of dependency.
Electron. Notes Theor. Comput. Sci., 172:5–31, April 2007.
Torben Amtoft, Sruthi Bandhakavi, and Anindya Banerjee.
A logic for information flow in object-oriented programs.
In Conference record of the 33rd ACM SIGPLAN-SIGACT
symposium on Principles of programming languages, POPL
’06, pages 91–102, New York, NY, USA, 2006. ACM.
Martín Abadi, Anindya Banerjee, Nevin Heintze, and Jon G.
Riecke.
A core calculus of dependency.
Matthias Keil Type-based Dependency Analysis June 2012 60 / 60
63. In Proceedings of the 26th ACM SIGPLAN-SIGACT
symposium on Principles of programming languages, POPL
’99, pages 147–160, New York, NY, USA, 1999. ACM.
G. Balakrishnan and T. Reps.
Recency-abstraction for heap-allocated storage.
Static Analysis, pages 221–239, 2006.
P. Cousot and R. Cousot.
Abstract interpretation: a unified lattice model for static
analysis of programs by construction or approximation of
fixpoints.
In Proceedings of the 4th ACM SIGACT-SIGPLAN
symposium on Principles of programming languages, pages
238–252. ACM, 1977.
Dorothy E. Denning and Peter J. Denning.
Certification of programs for secure information flow.
Commun. ACM, 20:504–513, July 1977.
Dorothy E. Denning.
A lattice model of secure information flow.
Commun. ACM, 19:236–243, May 1976.
Matthias Keil Type-based Dependency Analysis June 2012 60 / 60
64. Jeanne Ferrante, Karl J. Ottenstein, and Joe D. Warren.
The program dependence graph and its use in optimization.
ACM Trans. Program. Lang. Syst., 9:319–349, July 1987.
Arjun Guha, Claudiu Saftoiu, and Shriram Krishnamurthi.
The essence of javascript.
In Proceedings of the 24th European conference on
Object-oriented programming, ECOOP’10, pages 126–150,
Berlin, Heidelberg, 2010. Springer-Verlag.
Phillip Heidegger, Annette Bieniusa, and Peter Thiemann.
Access permission contracts for scripting languages.
In Proceedings of the 39th annual ACM SIGPLAN-SIGACT
symposium on Principles of programming languages, POPL
’12, pages 111–122, New York, NY, USA, 2012. ACM.
Nevin Heintze and Jon G. Riecke.
The slam calculus: programming with secrecy and integrity.
In Proceedings of the 25th ACM SIGPLAN-SIGACT
symposium on Principles of programming languages, POPL
’98, pages 365–377, New York, NY, USA, 1998. ACM.
ECMA International.
Matthias Keil Type-based Dependency Analysis June 2012 60 / 60
65. Standard ECMA-262, volume 3.
1999.
ECMA International.
Standard ECMA-262, volume 5.
2009.
Neil D. Jones and Steven S. Muchnick.
A flexible approach to interprocedural data flow analysis and
programs with recursive data structures.
In Proceedings of the 9th ACM SIGPLAN-SIGACT
symposium on Principles of programming languages, POPL
’82, pages 66–74, New York, NY, USA, 1982. ACM.
Simon Holm Jensen, Magnus Madsen, and Anders Moller.
Modeling the HTML DOM and browser API in static analysis
of JavaScript web applications.
In Proc. 8th joint meeting of the European Software
Engineering Conference and the ACM SIGSOFT Symposium
on the Foundations of Software Engineering (ESEC/FSE),
September 2011.
Simon Holm Jensen, Anders Moller, and Peter Thiemann.
Matthias Keil Type-based Dependency Analysis June 2012 60 / 60
66. Type analysis for JavaScript.
In Proc. 16th International Static Analysis Symposium,
SAS ’09, volume 5673 of LNCS. Springer-Verlag, August
2009.
Simon Holm Jensen, Anders Moller, and Peter Thiemann.
Interprocedural analysis with lazy propagation.
In Proc. 17th International Static Analysis Symposium (SAS),
volume 6337 of LNCS. Springer-Verlag, September 2010.
J.B. Kam and J.D. Ullman.
Monotone data flow analysis frameworks.
Acta Informatica, 7(3):305–317, 1977.
Leo Meyerovich and Benjamin Livshits.
ConScript: Specifying and enforcing fine-grained security
policies for Javascript in the browser.
In IEEE Symposium on Security and Privacy, May 2010.
Sergio Maffeis, John C. Mitchell, and Ankur Taly.
Isolating javascript with filters, rewriting, and wrappers.
Matthias Keil Type-based Dependency Analysis June 2012 60 / 60
67. In Proceedings of the 14th European conference on Research
in computer security, ESORICS’09, pages 505–522, Berlin,
Heidelberg, 2009. Springer-Verlag.
Andrew C. Myers.
Jflow: practical mostly-static information flow control.
In Proceedings of the 26th ACM SIGPLAN-SIGACT
symposium on Principles of programming languages, POPL
’99, pages 228–241, New York, NY, USA, 1999. ACM.
Isabella Mastroeni and Damiano Zanardini.
Data dependencies and program slicing: from syntax to
abstract semantics.
In Proceedings of the 2008 ACM SIGPLAN symposium on
Partial evaluation and semantics-based program manipulation,
PEPM ’08, pages 125–134, New York, NY, USA, 2008. ACM.
F. Nielson, H.R. Nielson, and C. Hankin.
Principles of program analysis.
Springer-Verlag New York Inc, 1999.
Franccois Pottier and Vincent Simonet.
Information flow inference for ml.
Matthias Keil Type-based Dependency Analysis June 2012 60 / 60
68. In Proceedings of the 29th ACM SIGPLAN-SIGACT
symposium on Principles of programming languages, POPL
’02, pages 319–330, New York, NY, USA, 2002. ACM.
Andrei Sabelfeld and Andrew C. Myers.
Language-based information-flow security.
IEEE Journal on Selected Areas in Communications, 21:2003,
2003.
M. Sharir and A. Pnueli.
Two approaches to interprocedural data flow analysis.
Program Flow Analysis: Theory and Applications, pages
189–234, 1981.
Peter Thiemann.
A prototype dependency calculus.
In Proceedings of the 11th European Symposium on
Programming Languages and Systems, ESOP ’02, pages
228–242, London, UK, UK, 2002. Springer-Verlag.
Dennis Volpano, Cynthia Irvine, and Geoffrey Smith.
A sound type system for secure flow analysis.
J. Comput. Secur., 4:167–187, January 1996.
Matthias Keil Type-based Dependency Analysis June 2012 60 / 60