research-article

Fully abstract compilation to JavaScript

Authors:

Cedric Fournet,

Pierre-Evariste Dagand,

Pierre-Yves Strub,

Benjamin LivshitsAuthors Info & Claims

ACM SIGPLAN Notices, Volume 48, Issue 1

Pages 371 - 384

https://doi.org/10.1145/2480359.2429114

Published: 23 January 2013 Publication History

Abstract

Many tools allow programmers to develop applications in high-level languages and deploy them in web browsers via compilation to JavaScript. While practical and widely used, these compilers are ad hoc: no guarantee is provided on their correctness for whole programs, nor their security for programs executed within arbitrary JavaScript contexts. This paper presents a compiler with such guarantees. We compile an ML-like language with higher-order functions and references to JavaScript, while preserving all source program properties. Relying on type-based invariants and applicative bisimilarity, we show full abstraction: two programs are equivalent in all source contexts if and only if their wrapped translations are equivalent in all JavaScript contexts. We evaluate our compiler on sample programs, including a series of secure libraries.

Supplementary Material

JPG File (r2d2_talk5.jpg)

Download
10.70 KB

MP4 File (r2d2_talk5.mp4)

Download
213.37 MB

References

[1]

M. Abadi. Protection in programming-language translations. In ICALP, volume 1443, pages 868--83, 1998.

Digital Library

[2]

M. Abadi and G. D. Plotkin. On protection by layout randomization. In IEEE CSF, pages 337--351, 2010.

Digital Library

[3]

M. Abadi, C. Fournet, and G. Gonthier. Secure implementation of channel abstractions. Information and Computation, 174(1):37--83, Apr. 2002.

Digital Library

[4]

P. Agten, R. Strackx, B. Jacobs, and F. Piessens. Secure compilation to modern processors. In IEEE CSF, pages 171--185, 2012.

Digital Library

[5]

A. Ahmed and M. Blume. Typed closure conversion preserves observational equivalence. In ICFP, 2008.

Digital Library

[6]

Caja. Attack vectors for privilege escalation, 2012. URL http://code.google.com/p/google-caja/wiki/AttackVectors.

[7]

E. Cooper, S. Lindley, P. Wadler, and J. Yallop. Links: Web programming without tiers. In FMCO, 2006.

Digital Library

[8]

L. de Moura and N. Bjørner. Z3: An efficient SMT solver. In TACAS, 2008.

Digital Library

[9]

A. Guha, C. Saftoiu, and S. Krishnamurthi. The essence of JavaScript. In ECOOP, 2010.

Digital Library

[10]

A. Kennedy. Securing the .NET programming model. TCS, 364(3), 2006.

Digital Library

[11]

S. Lassen. Eager normal form bisimulation. LICS, 2005.

Digital Library

[12]

S. Maffeis, J. C. Mitchell, and A. Taly. An operational semantics for JavaScript. In APLAS, 2008.

Digital Library

[13]

J. McCarthy. Towards a mathematical science of computation. In IFIP Congress, pages 21--28, 1962.

[14]

L. A. Meyerovich and V. B. Livshits. Conscript: Specifying and enforcing fine-grained security policies for JavaScript in the browser. In IEEE S&P, 2010.

Digital Library

[15]

J. C. Mitchell. On abstraction and the expressive power of programming languages. Science of Computer Programming, 21(2):141--163, 1993.

Digital Library

[16]

J. H. Morris. Protection in programming languages. In CACM (16), 1973.

Digital Library

[17]

J. Politz, M. Carroll, B. Lerner, J. Pombrio, and S. Krishnamurthi. A tested semantics for getters, setters, and eval in JavaScript. In DLS, 2012.

Digital Library

[18]

C. Schlesinger and N. Swamy. Verification condition generation with the Dijkstra state monad. Technical Report MSR-TR-2012-45, Mar. 2012.

[19]

M. Serrano, E. Gallesio, and F. Loitsch. Hop: a language for programming the web 2.0. In OOPSLA Companion, pages 975--985, 2006.

Digital Library

[20]

E. Sumii and B. C. Pierce. A bisimulation for type abstraction and recursion. In POPL, 2005.

Digital Library

[21]

N. Swamy, J. Chen, C. Fournet, P.-Y. Strub, K. Bhargavan, and J. Yang. Secure distributed programming with value-dependent types. In ICFP, 2011.

Digital Library

[22]

N. Swamy, J.Weinberger, C. Schlesinger, J. Chen, and B. Livshits. Towards JavaScript verification with the Dijkstra state monad. Technical Report MSR-TR-2012-37, Mar 2012.

[23]

A. Taly, U. Erlingsson, J. C. Mitchell, M. S. Miller, and J. Nagra. Automated analysis of security-critical JavaScript APIs. In IEEE S&P, 2011.

Digital Library

Cited By

Protzenko JBeurdouche BMerigoux DBhargavan K(2019)Formally Verified Cryptographic Web Applications in WebAssembly2019 IEEE Symposium on Security and Privacy (SP)10.1109/SP.2019.00064(1256-1274)Online publication date: May-2019
https://doi.org/10.1109/SP.2019.00064
Patrignani MGarg D(2019)Robustly Safe CompilationProgramming Languages and Systems10.1007/978-3-030-17184-1_17(469-498)Online publication date: 6-Apr-2019
https://doi.org/10.1007/978-3-030-17184-1_17
Bowman WCong YRioux NAhmed A(2017)Type-preserving CPS translation of Σ and Π types is not not possibleProceedings of the ACM on Programming Languages10.1145/31581102:POPL(1-33)Online publication date: 27-Dec-2017
https://dl.acm.org/doi/10.1145/3158110
Show More Cited By

Index Terms

Fully abstract compilation to JavaScript
1. General and reference
  1. Cross-computing tools and techniques
    1. Validation
2. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Empirical software validation
      2. Process validation

Recommendations

Fully abstract compilation to JavaScript
POPL '13: Proceedings of the 40th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages

Many tools allow programmers to develop applications in high-level languages and deploy them in web browsers via compilation to JavaScript. While practical and widely used, these compilers are ad hoc: no guarantee is provided on their correctness for ...
JavaScript: Moving to ES2015
Drupal 6 JavaScript and jQuery

Comments

Information & Contributors

Information

Published In

cover image ACM SIGPLAN Notices

ACM SIGPLAN Notices Volume 48, Issue 1

POPL '13

January 2013

561 pages

ISSN:0362-1340

EISSN:1558-1160

DOI:10.1145/2480359

Issue’s Table of Contents

POPL '13: Proceedings of the 40th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
January 2013
586 pages
ISBN:9781450318327
DOI:10.1145/2429069
General Chair:
Roberto Giacobazzi
Università di Verona, Italy
,
Program Chair:
Radhia Cousot
École normale supérieure CNRS & INRIA, France

Copyright © 2013 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 23 January 2013

Published in SIGPLAN Volume 48, Issue 1

Check for updates

Author Tags

Qualifiers

Research-article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

68
Total Citations
View Citations
713
Total Downloads

Downloads (Last 12 months)22
Downloads (Last 6 weeks)0

Reflects downloads up to 02 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Protzenko JBeurdouche BMerigoux DBhargavan K(2019)Formally Verified Cryptographic Web Applications in WebAssembly2019 IEEE Symposium on Security and Privacy (SP)10.1109/SP.2019.00064(1256-1274)Online publication date: May-2019
https://doi.org/10.1109/SP.2019.00064
Patrignani MGarg D(2019)Robustly Safe CompilationProgramming Languages and Systems10.1007/978-3-030-17184-1_17(469-498)Online publication date: 6-Apr-2019
https://doi.org/10.1007/978-3-030-17184-1_17
Bowman WCong YRioux NAhmed A(2017)Type-preserving CPS translation of Σ and Π types is not not possibleProceedings of the ACM on Programming Languages10.1145/31581102:POPL(1-33)Online publication date: 27-Dec-2017
https://dl.acm.org/doi/10.1145/3158110
Kobeissi NBhargavan KBlanchet B(2017)Automated Verification for Secure Messaging Protocols and Their Implementations: A Symbolic and Computational Approach2017 IEEE European Symposium on Security and Privacy (EuroS&P)10.1109/EuroSP.2017.38(435-450)Online publication date: Apr-2017
https://doi.org/10.1109/EuroSP.2017.38
Amy MRoetteler MSvore K(2017)Verified Compilation of Space-Efficient Reversible CircuitsComputer Aided Verification10.1007/978-3-319-63390-9_1(3-21)Online publication date: 13-Jul-2017
https://doi.org/10.1007/978-3-319-63390-9_1
New MBowman WAhmed A(2016)Fully abstract compilation via universal embeddingACM SIGPLAN Notices10.1145/3022670.295194151:9(103-116)Online publication date: 4-Sep-2016
https://dl.acm.org/doi/10.1145/3022670.2951941
Devriese DPatrignani MPiessens F(2016)Fully-abstract compilation by approximate back-translationACM SIGPLAN Notices10.1145/2914770.283761851:1(164-177)Online publication date: 11-Jan-2016
https://dl.acm.org/doi/10.1145/2914770.2837618
Devriese DPatrignani MPiessens FBodik RMajumdar R(2016)Fully-abstract compilation by approximate back-translationProceedings of the 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages10.1145/2837614.2837618(164-177)Online publication date: 11-Jan-2016
https://dl.acm.org/doi/10.1145/2837614.2837618
Patrignani MAgten PStrackx RJacobs BClarke DPiessens F(2015)Secure Compilation to Protected Module ArchitecturesACM Transactions on Programming Languages and Systems10.1145/269950337:2(1-50)Online publication date: 16-Apr-2015
https://dl.acm.org/doi/10.1145/2699503
Giannini PShaqiri A(2014)Compiling Functional to Scripting LanguagesSoftware Technologies10.1007/978-3-662-45943-0_8(114-130)Online publication date: 1-Oct-2014
https://doi.org/10.1007/978-3-662-45943-0_8
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Issue’s Table of Contents