1 / 19

Secure JavaScript Programming Practices: Ephemeron Tables & Membranes

Explore ECMA Script Harmony with secure programming examples using Ephemeron tables and soft fields for robust coding practices. Learn about unique labelling and identity preserving membranes. Follow guidelines for cycle-tolerant graph walking and object encapsulation. Discover how to use OCaps for memory-safe encapsulated objects in JavaScript programming.

sutton
Download Presentation

Secure JavaScript Programming Practices: Ephemeron Tables & Membranes

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Ephemeron Tablesfor EcmaScript Harmonyand Secure EcmaScript Mark S. Miller and the Cajadores Google, Inc.

  2. Shorthand: Const functions     {         ... constfoo(a) { ...; }         ...     } shorthand for     { constfoo = function(a) { ...; };    // unitialized foo unobservable         Object.freeze(foo);                    // mutable foo unobservable         Object.freeze(foo.prototype);    // mutable foo.prototype unobservable         ...         ...     }

  3. // The "factorial" of secure programming constmakeCurrency() { constdecr = makeEphemeronTable();   return constmakePurse(balance :Nat) { constpurse = Object.freeze({       getBalance: const() { return balance; },       makePurse: const() { return makePurse(0); },       depositFrom: const(amount :Nat, src) { constnewBal :Nat = balance + amount; decr.get(src)(amount);         balance = newBal;     }}); decr.set(purse, const(withdrawal) { balance -= withdrawal; }); return purse; };} Soft Fields, Rights Amplification

  4. Soft Fields with Inheritance constmakeSoftField() { constet = makeEphemeronTable(); return Object.freeze({    get: const(key) {while (key !== null) { constresult = et.get(key); if (result !== undefined) { return result; }         key = Object.getPrototypeOf(key);       } return undefined;     },     set: et.set;   }); }

  5. Unique Labeller constmakeLabeler() { constet = makeEphemeronTable();  letcount = 0;  return Object.freeze({     label: const(obj) { constresult = et.get(obj);  if (result) { return result; }  et.set(obj, ++count);        return count;     }    }); }

  6. Cycle Tolerant Graph Walking constallPropNames(root) { constprops = Object.create(null); constseen = makeEphemeronTable(); constrecur(node) {  if (node !== Object(node)) { return; }  if (seen.get(node)) { return; }  seen.set(node, true);      recur(Object.getPrototypeOf(node));     Object.getOwnPropertyNames(node).forEach(const(key) {        props[key] = true;        recur(node[key]); });}    recur(root);  return Object.keys(props);  }

  7. Identity Preserving Membranes

  8. Better Membrane (Overview) constmakeMembrane(wetTarget) { letwet2dry = makeEphemeronTable(true); letdry2wet = makeEphemeronTable(true); constasDry(wet) {/*...*/} constasWet(dry) {/*...*/} constgate = Object.freeze({ revoke: const() {       dry2wet = wet2dry = Object.freeze({ get: const(key) { throw new Error("revoked"); },         set: const(key, val) {}       });     }   }); return Object.freeze({ wrapper: asDry(wetTarget),                                       gate: gate }); }

  9. Better Membrane (Detail) constmakeMembrane(wetTarget) { letwet2dry = makeEphemeronTable(true); letdry2wet = makeEphemeronTable(true); constasDry(wet) { if (wet !== Object(wet)) { return wet; } letdryResult = wet2dry.get(wet); if (dryResult) { return dryResult; } constwetHandler = makeHandler(wet); constdryRevokeHandler = Proxy.create(Object.freeze({       get: const(rcvr, name) {  return const(...dryArgs) { constwetHandler2 = dry2wet.get(dryRevokeHandler); return asDry(wetHandler2[name](...dryArgs.map(asWet)));       };}})); dry2wet.set(dryRevokeHandler, wetHandler);     dryResult = Proxy.create(dryRevokeHandler,                                            asDry(Object.getPrototypeOf(wet))); wet2dry.set(wet, dryResult);     dry2wet.set(dryResult, wet); return dryResult; } ....

  10. Secure EcmaScript When Alice asks: bob.foo(carol) Alice grants Bob access to Carol, as needed for foo Memory-safe encapsulated objects Protect objects from their outside world OCaps: Causality only by references No powerful references by default Protect world from objects Reference graph === Access graph Deny authority by witholding connectivity

  11. Secure EcmaScript SES ⊂ (ES5 Strict + a bit of ES-Harmony) Deny access to global variables, global object Delete non-whitelisted properties Freeze accessible primordials (Object, Array, Array.prototype,…) Restrict eval() and Function() to SES

  12. Secure EcmaScript SES ⊂ (ES5 Strict + a bit of ES-Harmony) Deny access to global variables, global object Delete non-whitelisted properties Freeze accessible primordials (Object, Array, Array.prototype,…) Restrict eval() and Function() to SES SES5 trivial to implement on friendly ES5, given freeVars(programSrc :string) :string[] Small init wraps eval & Function with verifier, this binder Uses getOwnPropertyNames() to delete all unknowns Freezes all whitelisted paths

  13. Safe JavaScript Mashups Impossible? The counter example: const bobPowers = Object.freeze({counter: makeCounter(0)}); const bobMakerCode = //…get potentially bad code… const bob = eval(bobMakerCode).make(bobPowers); Bob can only count.

  14. Mashup Compartments constc1 = makeMembrane(eval); const {wrapper: ev1, gate: g1} = c1; constbadCode = //...get bad code... constresult = ev1(badCode); //...use result...

  15. Mashup Compartments constc1 = makeMembrane(eval); const {wrapper: ev1, gate: g1} = c1; constbadCode = //...get bad code... constresult = ev1(badCode); //...use result... g1.revoke();

  16. Mashup Compartments constc1 = makeMembrane(eval); const {wrapper: ev1, gate: g1} = c1; constbadCode = //...get bad code... constresult = ev1(badCode); //...use result... g1.revoke(); //...compartment gone... • Bob no longer counts.

  17. Mashup Compartments constc1 = makeMembrane(eval); const {wrapper: ev1, gate: g1} = c1; constbadCode = //...get bad code... constresult = ev1(badCode); //...use result... g1.revoke(); //...compartment gone... • SES = SES5 + Proxy + makeEphemeronTable

  18. Mashup Compartments constc1 = makeMembrane(eval); const {wrapper: ev1, gate: g1} = c1; constbadCode = //...get bad code... constresult = ev1(badCode); //...use result... g1.revoke(); //...compartment gone... • Hopefully even smoother using modules!

  19. Questions?

More Related