Dr. SES Distributed Resilient Secure EcmaScript
![Page 1: Dr. SES Distributed Resilient Secure EcmaScript](https://reader035.fdocuments.us/reader035/viewer/2022062323/56815ff6550346895dcef4d7/html5/thumbnails/1.jpg)
Dr. SES: Distributed Resilient Secure EcmaScript
Mark S. Miller and the Cajadores, Google
![Page 2: Dr. SES Distributed Resilient Secure EcmaScript](https://reader035.fdocuments.us/reader035/viewer/2022062323/56815ff6550346895dcef4d7/html5/thumbnails/2.jpg)
Overview
A Brief History of the Web
Distributed Resilient
Secure EcmaScript
![Page 3: Dr. SES Distributed Resilient Secure EcmaScript](https://reader035.fdocuments.us/reader035/viewer/2022062323/56815ff6550346895dcef4d7/html5/thumbnails/3.jpg)
Original Web
(Diagram: two browser frames, each talking to its own server. A link or form sends a GET/POST and the server answers with a whole new page.)
![Page 4: Dr. SES Distributed Resilient Secure EcmaScript](https://reader035.fdocuments.us/reader035/viewer/2022062323/56815ff6550346895dcef4d7/html5/thumbnails/4.jpg)
Ajax = Mobile code + async msgs
(Diagram: the same frames and servers, now exchanging XHR GET/POST requests and XHR responses; servers are also reached as web services.)
![Page 5: Dr. SES Distributed Resilient Secure EcmaScript](https://reader035.fdocuments.us/reader035/viewer/2022062323/56815ff6550346895dcef4d7/html5/thumbnails/5.jpg)
Kludging Towards Distributed Objects
(Diagram: XHR GET/POST with XHR responses and Comet; web services, JSONP and fragment tricks patch over the gaps between frames and origins.)
![Page 6: Dr. SES Distributed Resilient Secure EcmaScript](https://reader035.fdocuments.us/reader035/viewer/2022062323/56815ff6550346895dcef4d7/html5/thumbnails/6.jpg)
A Web of Distributed Objects
(Diagram: ServerJS on the servers; XHR GET/POST with XHR responses and SSE; web services reached by cross-origin XHR (CORS, UMP); postMessage between frames.)
![Page 9: Dr. SES Distributed Resilient Secure EcmaScript](https://reader035.fdocuments.us/reader035/viewer/2022062323/56815ff6550346895dcef4d7/html5/thumbnails/9.jpg)
- “Safe” mobile code as protocol. Like x86: massive adoption despite design mistakes.
- Beautiful simple core (Scheme, Self): objects as records, functions as lexical closures. Records of lexical closures => objects with methods.

```js
function makeCounter(count) {
  return {
    incr: function() { return ++count; }
  };
}
```
![Page 10: Dr. SES Distributed Resilient Secure EcmaScript](https://reader035.fdocuments.us/reader035/viewer/2022062323/56815ff6550346895dcef4d7/html5/thumbnails/10.jpg)
- EcmaScript 5 Strict: tamper-proof (frozen) objects, encapsulated closures. Frozen records of protected closures => high integrity.

```js
'use strict';
const makeCounter = Object.freeze(function(count) {
  return Object.freeze({
    incr: Object.freeze(function() { return ++count; })
  });
});
```
![Page 11: Dr. SES Distributed Resilient Secure EcmaScript](https://reader035.fdocuments.us/reader035/viewer/2022062323/56815ff6550346895dcef4d7/html5/thumbnails/11.jpg)
- EcmaScript Harmony: makes high integrity convenient. Faithful virtualization by interposition. Modular modules with lexical scoping.

The slide writes the counter in proposed Harmony syntax (`const` function declarations, a proposal that never shipped):

```js
const makeCounter(count) {
  return Object.freeze({
    incr: const() { return ++count; }
  });
}
```
![Page 12: Dr. SES Distributed Resilient Secure EcmaScript](https://reader035.fdocuments.us/reader035/viewer/2022062323/56815ff6550346895dcef4d7/html5/thumbnails/12.jpg)
![Page 14: Dr. SES Distributed Resilient Secure EcmaScript](https://reader035.fdocuments.us/reader035/viewer/2022062323/56815ff6550346895dcef4d7/html5/thumbnails/14.jpg)
- When Alice asks `bob.foo(carol)`, Alice grants Bob access to Carol, as needed for foo.
- Memory-safe encapsulated objects: protect objects from their outside world.
- OCaps: causality only by references. No powerful references by default: protect the world from objects.
- Reference graph === access graph. Deny authority by withholding connectivity.
![Page 15: Dr. SES Distributed Resilient Secure EcmaScript](https://reader035.fdocuments.us/reader035/viewer/2022062323/56815ff6550346895dcef4d7/html5/thumbnails/15.jpg)
- Java : Joe-E :: EcmaScript : SES. Defensive consistency & natural POLA.
- SES ⊂ (ES5 Strict + a bit of ES-Harmony):
  - Deny access to global variables and the global object
  - Delete non-whitelisted properties
  - Freeze accessible primordials (Object, Array, Array.prototype, …)
  - Restrict eval() and Function() to SES
![Page 17: Dr. SES Distributed Resilient Secure EcmaScript](https://reader035.fdocuments.us/reader035/viewer/2022062323/56815ff6550346895dcef4d7/html5/thumbnails/17.jpg)
Easy Secure JavaScript Mashups Impossible?

The counter example:

```js
const bobEndowments = Object.freeze({counter: makeCounter(0)});
const bobMakerCode = //... fetch potentially malicious code ...
const bob = eval(bobMakerCode).make(bobEndowments);
```

Bob can only count.
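The two makeCounter() shapes from the earlier slides, run through the endowment pattern above, as an added example that is not code from the talk. `bobMakerCode` is a constructed string standing in for fetched code, and it is run with `new Function()` in plain JavaScript, which (unlike SES) does not cut off the globals; what the example shows is the integrity of the counter endowment itself.

```javascript
'use strict';
// Added example, not the talk's code: the two makeCounter() shapes from the
// slides side by side, driven through the endowment pattern of the mashup slide.
// bobMakerCode is a constructed string standing in for fetched code; it is run
// with new Function() in plain JavaScript, which (unlike SES) does not cut off
// the globals, so what this shows is the integrity of the counter itself.

// Slide 9 shape: a record of closures. `count` is encapsulated, but the record
// is mutable, so whoever holds it can replace incr with its own function.
function makeCounterES3(count) {
  return { incr: function () { return ++count; } };
}

// Slide 10 shape: a frozen record of frozen closures. The only path to `count`
// is incr(), and incr() itself cannot be swapped out.
const makeCounter = Object.freeze(function (count) {
  return Object.freeze({ incr: Object.freeze(function () { return ++count; }) });
});

// Constructed stand-in for "potentially malicious code": it tries to overwrite
// the counter's incr so that every call reports 1000, then counts with it.
const bobMakerCode = `
  return { make(endowments) {
    try { endowments.counter.incr = () => 1000; } catch (e) {}
    return { tick() { return endowments.counter.incr(); } };
  } };`;

// Give Bob only a frozen record holding the counter (the slide's bobEndowments).
function runBob(counter) {
  const bobEndowments = Object.freeze({ counter });
  const bob = new Function(bobMakerCode)().make(bobEndowments);
  return [bob.tick(), bob.tick()];
}

// Same Bob, two counters: the mutable one is hijacked, the frozen one just counts.
function compare() {
  return { mutable: runBob(makeCounterES3(0)), frozen: runBob(makeCounter(0)) };
}
// compare() -> { mutable: [1000, 1000], frozen: [1, 2] }
```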
![Page 18: Dr. SES Distributed Resilient Secure EcmaScript](https://reader035.fdocuments.us/reader035/viewer/2022062323/56815ff6550346895dcef4d7/html5/thumbnails/18.jpg)
The “factorial” of secure programming, in the slide's proposed Harmony syntax:

```js
const makeMint() {
  const decr = EphemeronTable();
  const makePurse(balance :Nat) {
    const purse = Object.freeze({
      getBalance: const() { return balance; },
      makePurse: const() { return makePurse(0); },
      deposit: const(amount :Nat, src) {
        const newBal :Nat = balance + amount;
        decr.get(src)(amount);
        balance = newBal;
      }
    });
    decr.set(purse, const(amount) { balance = balance - amount; });
    return purse;
  }
  return makePurse;
}
```
![Page 20: Dr. SES Distributed Resilient Secure EcmaScript](https://reader035.fdocuments.us/reader035/viewer/2022062323/56815ff6550346895dcef4d7/html5/thumbnails/20.jpg)
```
p1 = farBob ! foo(carol); // queue request for Bob
```

- No conventional deadlocks or memory races
- Supports defensive programming

| | Shared State | Message Passing |
|---|---|---|
| Blocking | C++/pthreads, Java, C#, Mozart/Oz, JoCAML, Polyphonic C# | Blocking receive: CSP, Occam, CCS, Erlang, Scala, Go |
| Non-blocking | Soft transactional memory: Argus, Fortress, Clojure, X10 | Communicating event loops: Actors, AmbientTalk, E, Waterken, Ajax, Dr. SES |
![Page 22: Dr. SES Distributed Resilient Secure EcmaScript](https://reader035.fdocuments.us/reader035/viewer/2022062323/56815ff6550346895dcef4d7/html5/thumbnails/22.jpg)
Between machines… there is no do, there is only try.
--with apologies to Yoda

```
p1 = farBob ! foo(carol);   // Bob throws, breaking p1
p3 = p1 ! bar(p2);          // broken promise contagion
p4 = try when (r3 = p3) {   // delayed error handling
  => “ok: ” + r3
} catch (ex) {
  => “bad: ” + ex
};
```
![Page 36: Dr. SES Distributed Resilient Secure EcmaScript](https://reader035.fdocuments.us/reader035/viewer/2022062323/56815ff6550346895dcef4d7/html5/thumbnails/36.jpg)
(Diagram, following the build: my purse at $100 and Bob's purse at $200; a fresh payment purse at $0; after the deposit, $90 / $10 / $200; after Bob deposits the payment into his own purse, $90 / $210.)

The buyer's side:

```
const payment = myPurse ! makePurse();
payment ! deposit(10, myPurse);
const good = bob ! buy(desc, payment);
```

Bob's side (the body of buy):

```
return try when (p = payment) {
  => try when (ok = myPurse ! deposit(10, p)) {
    => good
  } …
```
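The makeMint() slide and the purchase sequence above, carried into today's JavaScript as an added example that is not code from the talk: WeakMap stands in for EphemeronTable, a Nat() check for the `:Nat` guard, and Promises for the E-style `!` send and `try when`; `bobPurse`, `price`, `good` and `desc` are assumed names.

```javascript
'use strict';
// Added example, not the talk's code: the makeMint() slide in today's JavaScript
// (WeakMap for EphemeronTable, Nat() for the :Nat guard) plus Bob's buy() from the
// payment slides, with Promises for the E-style "!" send and "try when".
// bobPurse, price, good and desc are assumed names.
function Nat(n) {
  if (!Number.isSafeInteger(n) || n < 0) throw new RangeError('not a Nat: ' + n);
  return n;
}
function makeMint() {
  const decr = new WeakMap(); // purse -> its private decrement closure
  function makePurse(balance) {
    Nat(balance);
    const purse = Object.freeze({
      getBalance() { return balance; },
      makePurse() { return makePurse(0); },
      deposit(amount, src) {
        const take = decr.get(src); // only purses of this mint are in the table
        if (take === undefined) throw new TypeError('src is not a purse of this mint');
        take(Nat(amount));          // RangeError if src is short; nothing has changed yet
        balance += amount;          // debit before credit: deposit(n, purse) on itself is a no-op
      },
    });
    decr.set(purse, amount => { balance = Nat(balance - amount); });
    return purse;
  }
  return makePurse;
}

// Bob's side: credit his purse from the payment, hand over the good only if that
// deposit succeeds; a throwing deposit rejects the promise (broken-promise contagion).
function makeBob(bobPurse, good, price) {
  return Object.freeze({
    buy(desc, payment) {
      return Promise.resolve(payment).then(p => { bobPurse.deposit(price, p); return good; });
    },
  });
}

// The buyer's side, following the slides: $100/$200 -> $90/$10/$200 -> $90/$210.
async function purchase() {
  const makePurse = makeMint();
  const myPurse = makePurse(100), bobPurse = makePurse(200);
  const bob = makeBob(bobPurse, 'the good', 10);
  const payment = myPurse.makePurse();
  payment.deposit(10, myPurse);
  const good = await bob.buy('desc', payment);
  const fake = Object.freeze({ getBalance: () => 1e9 }); // not made by this mint
  const bad = await bob.buy('desc', fake).then(() => 'ok', e => 'bad: ' + e.name);
  return { good, mine: myPurse.getBalance(), bobs: bobPurse.getBalance(), bad };
}
```

A purse that did not come from the mint has no entry in `decr`, so Bob's deposit throws before any balance changes and the buyer's `good` promise is rejected rather than resolved.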
![Page 37: Dr. SES Distributed Resilient Secure EcmaScript](https://reader035.fdocuments.us/reader035/viewer/2022062323/56815ff6550346895dcef4d7/html5/thumbnails/37.jpg)
```
p1 = farBob ! foo(carol);                               // queue request for Bob
p3 = p1 ! bar(p2);                                      // left dataflow chaining
p5 = try when (i = p3, j = p4) { => i + j };            // gather results
b5 = try whenever (i = b3, j = b4) { => i + j };        // perpetual
p6 = try (f = farF, x = farX) in (farEval) { => f(x) }; // mobile
```
![Page 38: Dr. SES Distributed Resilient Secure EcmaScript](https://reader035.fdocuments.us/reader035/viewer/2022062323/56815ff6550346895dcef4d7/html5/thumbnails/38.jpg)
Remaining Open Resilience Problems
- Persistence: how orthogonal? (Waterken, KeyKOS, E, Workers)
- Disconnected operation: how to reconcile? (Dominant partition, Wave OT, Una, Ambient references)
- Upgrade: when instances outlive their class
- Co-existence: when versions collide

Each presents new security challenges.
![Page 39: Dr. SES Distributed Resilient Secure EcmaScript](https://reader035.fdocuments.us/reader035/viewer/2022062323/56815ff6550346895dcef4d7/html5/thumbnails/39.jpg)
Questions?