1 / 39

Dr. SES Distributed Resilient Secure EcmaScript

Dr. SES Distributed Resilient Secure EcmaScript. Mark S. Miller and the Cajadores Google. Overview. A Brief History of the Web Distributed Resilient Secure EcmaScript. Original Web. Link/Form GET/POST. Frame. Server. New Page. Browser. Link/Form GET/POST. Frame. Server. New Page.

ninon
Télécharger la présentation

Dr. SES Distributed Resilient Secure EcmaScript

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Dr. SESDistributed Resilient Secure EcmaScript Mark S. Miller and the Cajadores Google

  2. Overview A Brief History of the Web Distributed Resilient Secure EcmaScript

  3. Original Web Link/Form GET/POST Frame Server New Page Browser Link/Form GET/POST Frame Server New Page

  4. Ajax = Mobile code + async msgs XHR GET/POST Frame Server XHR Response Browser Web services XHR GET/POST Frame Server XHR Response

  5. Kludging Towards Distributed Objects XHR GET/POST Frame Server XHR Response, Comet Fragment tricks Browser JSONP Web services XHR GET/POST Frame Server XHR Response, Comet

  6. A Web of Distributed Objects XHR GET/POST Frame ServerJS XHR Response, SSE postMessage Cross-Origin XHR (CORS, UMP) Browser Web services XHR GET/POST Frame ServerJS XHR Response, SSE

  7. Distributed Resilient Secure EcmaScript “Safe” mobile code as protocol Like x86 Massive adoption despite design mistakes

  8. Distributed Resilient Secure EcmaScript “Safe” mobile code as protocol Like x86 Massive adoption despite design mistakes Beautiful Simple Core: Scheme, Self Objects as records. Functions as lexical closures. Records of lexical closures => objects with methods

  9. Distributed Resilient Secure EcmaScript Beautiful Simple Core: Scheme, Self Objects as records. Functions as lexical closures. Records of lexical closures => objects with methods function makeCounter(count) { return { incr: function() { return ++count; } }; }

  10. Distributed Resilient Secure EcmaScript EcmaScript 5 Strict Tamper-proof (frozen) objects. Encapsulated closures. Frozen records of protected closures => High integrity ‘use strict’; const makeCounter = Object.freeze(function(count) { return Object.freeze({ incr: Object.freeze(function() { return ++count; }); }); });

  11. Distributed Resilient Secure EcmaScript EcmaScript Harmony Makes high integrity convenient Faithful virtualization by interposition Modular modules with lexical scoping const makeCounter(count) { return Object.freeze({ incr: const() { return ++count; }; }); };

  12. Distributed Resilient Secure EcmaScript

  13. Distributed Resilient Secure EcmaScript When Alice asks: bob.foo(carol) Alice grants Bob access to Carol, as needed for foo Memory-safe encapsulated objects Protect objects from their outside world

  14. Distributed Resilient Secure EcmaScript When Alice asks: bob.foo(carol) Alice grants Bob access to Carol, as needed for foo Memory-safe encapsulated objects Protect objects from their outside world OCaps: Causality only by references No powerful references by default Protect world from objects Reference graph === Access graph Deny authority by witholding connectivity

  15. Distributed Resilient Secure EcmaScript Java : Joe-E :: EcmaScript : SES Defensive Consistency & Natural POLA SES ⊂ (ES5 Strict + a bit of ES-Harmony) Deny access to global variables, global object Delete non-whitelisted properties Freeze accessible primordials (Object, Array, Array.prototype,…) Restrict eval() and Function() to SES

  16. Distributed Resilient Secure EcmaScript Easy Secure JavaScript Mashups Impossible?

  17. Distributed Resilient Secure EcmaScript Easy Secure JavaScript Mashups Impossible? The counter example: const bobEndowments = Object.freeze({counter: makeCounter(0)}); const bobMakerCode = //... fetch potentially malicious code ... const bob = eval(bobMakerCode).make(bobEndowments); Bob can only count.

  18. Distributed Resilient Secure EcmaScript // The “factorial” of secure programming const makeMint() { const decr = EphemeronTable(); const makePurse(balance :Nat) { const purse = Object.freeze({ getBalance: const() { return balance; }, makePurse: const() { return makePurse(0); }, deposit: const(amount :Nat, src) { const newBal :Nat = balance + amount; decr.get(src)(amount); balance = newBal; }}); decr.set(purse, const(amount) { balance = balance – amount; }); return purse; } return makePurse; }

  19. Distributed Resilient Secure EcmaScript

  20. Distributed Resilient Secure EcmaScript p1 = farBob ! foo(carol); // queue request for Bob No conventional deadlocks or memory races Supports Defensive Programming

  21. Distributed Resilient Secure EcmaScript Between machines… There is no do, there is only try. --with apologies to Yoda p1 = farBob ! foo(carol); // Bob throws, breaking p1 p3 = p1 ! bar(p2); // broken promise contagion

  22. Distributed Resilient Secure EcmaScript Between machines… There is no do, there is only try. --with apologies to Yoda p1 = farBob ! foo(carol); // Bob throws, breaking p1 p3 = p1 ! bar(p2); // broken promise contagion p4 = try when (r3 = p3) { // delayed error handling => “ok: ” + r3 } catch (ex) { => “bad: ” + ex };

  23. Distributed Resilient Secure EcmaScript $100 $200

  24. Distributed Resilient Secure EcmaScript const payment = myPurse ! makePurse(); $100 $200

  25. Distributed Resilient Secure EcmaScript const payment = myPurse ! makePurse(); makePurse $100 $200

  26. $0 Distributed Resilient Secure EcmaScript const payment = myPurse ! makePurse(); $100 $200

  27. $0 Distributed Resilient Secure EcmaScript const payment = myPurse ! makePurse(); payment ! deposit(10, myPurse); $100 $200

  28. deposit $0 Distributed Resilient Secure EcmaScript const payment = myPurse ! makePurse(); payment ! deposit(10, myPurse); $100 $200

  29. $0 Distributed Resilient Secure EcmaScript const payment = myPurse ! makePurse(); payment ! deposit(10, myPurse); $10 $100 $200 $90

  30. $0 Distributed Resilient Secure EcmaScript const payment = myPurse ! makePurse(); payment ! deposit(10, myPurse); const good = bob ! buy(desc, payment); $10 $100 $200 $90

  31. $0 Distributed Resilient Secure EcmaScript const payment = myPurse ! makePurse(); payment ! deposit(10, myPurse); const good = bob ! buy(desc, payment); buy $10 $100 $200 $90

  32. $0 Distributed Resilient Secure EcmaScript const payment = myPurse ! makePurse(); payment ! deposit(10, myPurse); const good = bob ! buy(desc, payment); return try when (p = payment) { $10 $100 $200 $90

  33. $0 Distributed Resilient Secure EcmaScript const payment = myPurse ! makePurse(); payment ! deposit(10, myPurse); const good = bob ! buy(desc, payment); return try when (p = payment) { => try when (ok = myPurse ! deposit(10, p)) { $10 $100 $200 $90

  34. $0 deposit Distributed Resilient Secure EcmaScript const payment = myPurse ! makePurse(); payment ! deposit(10, myPurse); const good = bob ! buy(desc, payment); return try when (p = payment) { => try when (ok = myPurse ! deposit(10, p)) { $10 $100 $200 $90

  35. $0 Distributed Resilient Secure EcmaScript const payment = myPurse ! makePurse(); payment ! deposit(10, myPurse); const good = bob ! buy(desc, payment); return try when (p = payment) { => try when (ok = myPurse ! deposit(10, p)) { $100 $200 $90 $210

  36. $0 Distributed Resilient Secure EcmaScript const payment = myPurse ! makePurse(); payment ! deposit(10, myPurse); const good = bob ! buy(desc, payment); return try when (p = payment) { => try when (ok = myPurse ! deposit(10, p)) { => good } … $100 $200 $90 $210

  37. Distributed Resilient Secure EcmaScript p1 = farBob ! foo(carol); // queue request for Bob p3 = p1 ! bar(p2); // left dataflow chaining p5 = try when (i = p3, j = p4) { => i + j }; // gather results b5 = try whenever (i = b3, j = b4) { => i + j }; // perpetual p6 = try (f = farF, x = farX) in (farEval) { => f(x) }; // mobile

  38. Distributed Resilient Secure EcmaScript Remaining Open Resilience Problems Persistence: How orthogonal? Waterken, KeyKOS, E, Workers Disconnected Operation: How to reconcile? Dominant partition, Wave OT, Una, Ambient references Upgrade: When instances outlive their class Co-existence: When versions collide Each presents new security challenges

  39. Questions?

More Related