Abstract
Many tools allow programmers to develop applications in high-level languages and deploy them in web browsers via compilation to JavaScript. While practical and widely used, these compilers are ad hoc: no guarantee is provided on their correctness for whole programs, nor their security for programs executed within arbitrary JavaScript contexts. This paper presents a compiler with such guarantees. We compile an ML-like language with higher-order functions and references to JavaScript, while preserving all source program properties. Relying on type-based invariants and applicative bisimilarity, we show full abstraction: two programs are equivalent in all source contexts if and only if their wrapped translations are equivalent in all JavaScript contexts. We evaluate our compiler on sample programs, including a series of secure libraries.
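The following JavaScript is an added illustration of the failure the abstract describes, not code from the paper or its compiler. It assumes a hypothetical naive translation of two ML functions of type int -> int and a hand-written, type-directed boundary wrapper (names `naiveA`, `naiveB`, `wrapIntToInt`, `distinguishes` are invented here). In the source language the two functions are equivalent, since on integers `x + 0` equals `x`; an arbitrary JavaScript context, which is not bound by the source types, separates their naive translations by passing a string. Checking the source type at the boundary makes every ill-typed call fail identically, so the context can no longer tell the two apart.

```javascript
// Added example (hypothetical naive compilation scheme, not the paper's).
// Two source programs equivalent in every ML context, as int -> int:
//   fun x -> x + 0      and      fun x -> x
const naiveA = (x) => x + 0; // naive translation of  fun x -> x + 0
const naiveB = (x) => x;     // naive translation of  fun x -> x

// Run a translated function on a value chosen by the JavaScript context and
// record either its result or the kind of exception it raised.
function run(f, arg) {
  try {
    return { ok: true, value: f(arg) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// True when some JavaScript context (here: a single call with `arg`) observes
// different behaviour from f and g, i.e. the pair is not contextually equivalent.
function distinguishes(f, g, arg) {
  return JSON.stringify(run(f, arg)) !== JSON.stringify(run(g, arg));
}

// Type-directed wrapper for a source function of type int -> int. Arguments
// that do not inhabit the source type are rejected uniformly, and the result is
// checked as well, so the context only ever observes well-typed behaviour.
function wrapIntToInt(f) {
  return function (x) {
    if (!Number.isInteger(x)) throw new TypeError('expected int');
    const r = f(x);
    if (!Number.isInteger(r)) throw new TypeError('result is not an int');
    return r;
  };
}

const wrappedA = wrapIntToInt(naiveA);
const wrappedB = wrapIntToInt(naiveB);

// Exported for the reader; see the usage note below for the behaviour.
module.exports = { naiveA, naiveB, wrappedA, wrappedB, run, distinguishes, wrapIntToInt };
```

On the integer 3 both pairs agree, but `distinguishes(naiveA, naiveB, "a")` is true because JavaScript's overloaded `+` yields `"a0"` for the first and `"a"` for the second, whereas `distinguishes(wrappedA, wrappedB, "a")` is false, since both wrapped functions raise the same `TypeError`. The wrapper also means both exported functions share one `Function.prototype.toString` text, closing another channel a JavaScript context could use to inspect the translation; the paper's full-abstraction result is the general statement that no such channel remains for its wrapped translations.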
Fully abstract compilation to JavaScript. POPL '13: Proceedings of the 40th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages.