skip to main content
research-article

Fully abstract compilation to JavaScript

Published:23 January 2013Publication History
Skip Abstract Section

Abstract

Many tools allow programmers to develop applications in high-level languages and deploy them in web browsers via compilation to JavaScript. While practical and widely used, these compilers are ad hoc: no guarantee is provided on their correctness for whole programs, nor their security for programs executed within arbitrary JavaScript contexts. This paper presents a compiler with such guarantees. We compile an ML-like language with higher-order functions and references to JavaScript, while preserving all source program properties. Relying on type-based invariants and applicative bisimilarity, we show full abstraction: two programs are equivalent in all source contexts if and only if their wrapped translations are equivalent in all JavaScript contexts. We evaluate our compiler on sample programs, including a series of secure libraries.

Skip Supplemental Material Section

Supplemental Material

r2d2_talk5.mp4

References

  1. M. Abadi. Protection in programming-language translations. In ICALP, volume 1443, pages 868--83, 1998. Google ScholarGoogle ScholarDigital LibraryDigital Library
  2. M. Abadi and G. D. Plotkin. On protection by layout randomization. In IEEE CSF, pages 337--351, 2010. Google ScholarGoogle ScholarDigital LibraryDigital Library
  3. M. Abadi, C. Fournet, and G. Gonthier. Secure implementation of channel abstractions. Information and Computation, 174(1):37--83, Apr. 2002. Google ScholarGoogle ScholarDigital LibraryDigital Library
  4. P. Agten, R. Strackx, B. Jacobs, and F. Piessens. Secure compilation to modern processors. In IEEE CSF, pages 171--185, 2012. Google ScholarGoogle ScholarDigital LibraryDigital Library
  5. A. Ahmed and M. Blume. Typed closure conversion preserves observational equivalence. In ICFP, 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. Caja. Attack vectors for privilege escalation, 2012. URL http://code.google.com/p/google-caja/wiki/AttackVectors.Google ScholarGoogle Scholar
  7. E. Cooper, S. Lindley, P. Wadler, and J. Yallop. Links: Web programming without tiers. In FMCO, 2006. Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. L. de Moura and N. Bjørner. Z3: An efficient SMT solver. In TACAS, 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. A. Guha, C. Saftoiu, and S. Krishnamurthi. The essence of JavaScript. In ECOOP, 2010. Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. A. Kennedy. Securing the .NET programming model. TCS, 364(3), 2006. Google ScholarGoogle ScholarDigital LibraryDigital Library
  11. S. Lassen. Eager normal form bisimulation. LICS, 2005. Google ScholarGoogle ScholarDigital LibraryDigital Library
  12. S. Maffeis, J. C. Mitchell, and A. Taly. An operational semantics for JavaScript. In APLAS, 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. J. McCarthy. Towards a mathematical science of computation. In IFIP Congress, pages 21--28, 1962.Google ScholarGoogle Scholar
  14. L. A. Meyerovich and V. B. Livshits. Conscript: Specifying and enforcing fine-grained security policies for JavaScript in the browser. In IEEE S&P, 2010. Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. J. C. Mitchell. On abstraction and the expressive power of programming languages. Science of Computer Programming, 21(2):141--163, 1993. Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. J. H. Morris. Protection in programming languages. In CACM (16), 1973. Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. J. Politz, M. Carroll, B. Lerner, J. Pombrio, and S. Krishnamurthi. A tested semantics for getters, setters, and eval in JavaScript. In DLS, 2012. Google ScholarGoogle ScholarDigital LibraryDigital Library
  18. C. Schlesinger and N. Swamy. Verification condition generation with the Dijkstra state monad. Technical Report MSR-TR-2012-45, Mar. 2012.Google ScholarGoogle Scholar
  19. M. Serrano, E. Gallesio, and F. Loitsch. Hop: a language for programming the web 2.0. In OOPSLA Companion, pages 975--985, 2006.Google ScholarGoogle ScholarDigital LibraryDigital Library
  20. E. Sumii and B. C. Pierce. A bisimulation for type abstraction and recursion. In POPL, 2005. Google ScholarGoogle ScholarDigital LibraryDigital Library
  21. N. Swamy, J. Chen, C. Fournet, P.-Y. Strub, K. Bhargavan, and J. Yang. Secure distributed programming with value-dependent types. In ICFP, 2011. Google ScholarGoogle ScholarDigital LibraryDigital Library
  22. N. Swamy, J.Weinberger, C. Schlesinger, J. Chen, and B. Livshits. Towards JavaScript verification with the Dijkstra state monad. Technical Report MSR-TR-2012-37, Mar 2012.Google ScholarGoogle Scholar
  23. A. Taly, U. Erlingsson, J. C. Mitchell, M. S. Miller, and J. Nagra. Automated analysis of security-critical JavaScript APIs. In IEEE S&P, 2011. Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. Fully abstract compilation to JavaScript

        Recommendations

        Comments

        Login options

        Check if you have access through your login credentials or your institution to get full access on this article.

        Sign in

        Full Access

        • Published in

          cover image ACM SIGPLAN Notices
          ACM SIGPLAN Notices  Volume 48, Issue 1
          POPL '13
          January 2013
          561 pages
          ISSN:0362-1340
          EISSN:1558-1160
          DOI:10.1145/2480359
          Issue’s Table of Contents
          • cover image ACM Conferences
            POPL '13: Proceedings of the 40th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
            January 2013
            586 pages
            ISBN:9781450318327
            DOI:10.1145/2429069

          Copyright © 2013 ACM

          Publisher

          Association for Computing Machinery

          New York, NY, United States

          Publication History

          • Published: 23 January 2013

          Check for updates

          Qualifiers

          • research-article

        PDF Format

        View or Download as a PDF file.

        PDF

        eReader

        View online with eReader.

        eReader
        About Cookies On This Site

        We use cookies to ensure that we give you the best experience on our website.

        Learn more

        Got it!