Abstract
The ideal software contract fully specifies the behavior of an operation. Often, in particular in the context of scripting languages, a full specification may be cumbersome to state and may not even be desired. In such cases, a partial specification, which describes selected aspects of the behavior, may be used to raise the confidence in an implementation of the operation to a reasonable level.
We propose a novel kind of contract for object-based languages that specifies the side effects of an operation with access permissions. An access permission contract uses sets of access paths to express read and write permissions for the properties of the objects accessible from the operation.
We specify a monitoring semantics for access permission contracts and implement this semantics in a contract system for JavaScript. We prove soundness and stability of violation under increasing aliasing for our semantics.
Applications of access permission contracts include enforcing modularity, test-driven development, program understanding, and regression testing. With respect to testing and understanding, we find that adding access permissions to contracts increases the effectiveness of error detection through contract monitoring by 6-13%.
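The following JavaScript is an added illustration of the monitoring idea described in the abstract; it is not code from the paper or from its contract system. A contract lists read and write access paths rooted at a parameter name, and a `Proxy` records every property access made through that parameter as a path and checks it against the permitted set, collecting violations instead of silently allowing the side effect. The pattern syntax (`*` for one property name, `**` for any remaining suffix), the rule that a read is permitted along the prefix of any permitted read or write path, and the `deposit` / `leakyDeposit` sample operations are assumptions of this example.

```javascript
// Added example: a small monitor for access permission contracts.
// Paths are arrays of property names, e.g. ["acc", "owner", "name"];
// patterns are dotted strings, e.g. "acc.owner.*" or "acc.**".

// Does the full path match the pattern? "*" matches exactly one name,
// "**" (assumed to be the last element) matches any remaining suffix.
function matchesPattern(path, pattern) {
  const pat = pattern.split(".");
  for (let i = 0; i < pat.length; i++) {
    if (pat[i] === "**") return i <= path.length;
    if (i >= path.length) return false;
    if (pat[i] !== "*" && pat[i] !== path[i]) return false;
  }
  return path.length === pat.length;
}

// Is the path a prefix of (or equal to) something the pattern permits?
// Assumption of this example: reading the objects on the way to a
// permitted property is itself permitted, otherwise no path could be used.
function leadsToPattern(path, pattern) {
  const pat = pattern.split(".");
  for (let i = 0; i < path.length; i++) {
    if (i >= pat.length) return false;
    if (pat[i] === "**") return true;
    if (pat[i] !== "*" && pat[i] !== path[i]) return false;
  }
  return true;
}

// Record a violation unless the access is covered by the contract.
function checkAccess(contract, kind, path, violations) {
  let ok;
  if (kind === "write") {
    ok = contract.write.some((pat) => matchesPattern(path, pat));
  } else {
    const all = contract.read.concat(contract.write);
    ok = all.some((pat) => leadsToPattern(path, pat));
  }
  if (!ok) violations.push(kind + " " + path.join("."));
}

// Wrap an argument so that every property read or write through it is
// checked. Nested objects are wrapped lazily with their extended path;
// primitives and functions are returned unchanged.
function monitored(obj, name, contract, violations) {
  const wrap = (target, path) => {
    if (target === null || typeof target !== "object") return target;
    return new Proxy(target, {
      get(t, prop, receiver) {
        if (typeof prop === "symbol") return Reflect.get(t, prop, receiver);
        const p = path.concat(String(prop));
        checkAccess(contract, "read", p, violations);
        return wrap(Reflect.get(t, prop, receiver), p);
      },
      set(t, prop, value) {
        const p = path.concat(String(prop));
        checkAccess(contract, "write", p, violations);
        return Reflect.set(t, prop, value);
      },
    });
  };
  return wrap(obj, [name]);
}

// Run an operation with its arguments monitored; return the result together
// with the list of access permission violations observed during the call.
function runWithContract(fn, paramNames, contract, args) {
  const violations = [];
  const wrapped = args.map((a, i) => monitored(a, paramNames[i], contract, violations));
  const result = fn(...wrapped);
  return { result, violations };
}

// Constructed sample: a deposit operation may read the owner's name and
// may write (and therefore read) the balance, nothing else.
const depositContract = { read: ["acc.owner.name"], write: ["acc.balance"] };

function deposit(acc, amount) {
  acc.balance = acc.balance + amount;
  return acc.owner.name + " now has " + acc.balance;
}

// Constructed sample of an operation that does more than its contract says.
function leakyDeposit(acc, amount) {
  acc.balance += amount;
  acc.owner.lastDeposit = amount; // write outside the permitted paths
  acc.audit = true;               // write outside the permitted paths
  return acc.owner.id;            // read outside the permitted paths
}

function makeAccount() {
  return { balance: 100, owner: { name: "Alice", id: 7 } };
}

function demo() {
  const ok = runWithContract(deposit, ["acc"], depositContract, [makeAccount(), 50]);
  const bad = runWithContract(leakyDeposit, ["acc"], depositContract, [makeAccount(), 50]);
  return { ok, bad };
}
```

Because the monitor only sees accesses that go through the wrapped parameter, an alias to the same object obtained some other way (a global, a closure variable) is not checked by this sketch; that is exactly the aliasing question the abstract's stability result is about, and a real monitor has to account for it.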
Access permission contracts for scripting languages. POPL '12: Proceedings of the 39th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages.