Mashic compiler: Mashup sandboxing based on inter-frame communication

Abstract

Mashups are a prevailing kind of web applications integrating external gadget APIs often written in the JavaScript programming language. Writing secure mashups is a challenging task due to the heterogeneity of existing gadget APIs, the privileges granted to gadgets during mashup executions, and JavaScript’s highly dynamic environment. We propose a new compiler, called Mashic, for the automatic generation of secure JavaScript-based mashups from existing mashup code. The Mashic compiler can effortlessly be applied to existing mashups based on a wide-range of gadget APIs. It offers security and correctness guarantees. Security is achieved via the Same Origin Policy. Correctness is ensured in the presence of benign gadgets, that satisfy confidentiality and integrity constraints with regard to the integrator code. The compiler has been successfully applied to real world mashups based on Google maps, Bing maps, YouTube, and Zwibbler APIs.

Keywords

Mashup security sandbox compilation same origin policy formal semantics correctness

1. Introduction

Mixing existing online libraries and data into new online applications in a rapid, inexpensive manner, often referred to as mashups, has captured the way of designing web applications. ProgrammableWeb mashup graphs currently report that over 6,000 mashup-based web applications and over 11,000 gadget APIs currently exist (http://www.programmableweb.com/). Since the release of the first major example, HousingMaps.com in early 2005, mashups are the de-facto applications in the web today.

In a mashup, the integrator code integrates gadgets from external code providers. Typically, code is written in JavaScript (JS) and executes on the browser as embedded script nodes in the Document Object Model (DOM) [24]. External gadget code in a mashup can be included in two ways:

either by using the script tag and granting access to all the resources of the integrator;

or by using the iframe tag, in which case the Same Origin Policy (SOP) applies. The SOP isolates untrusted JavaScript external code, limiting the interaction of gadget and integrator to message sending [3].

Static analysis to confine JavaScript programs is feasible for large-scale code consumers such as Facebook.com or Google.com, since they can restrict the JavaScript subset in which developers can write gadget code. Furthermore the size of those gadgets are relatively small. However, when it comes to small code consumers and large gadget providers, such as Google Maps API, full-fledged static analysis is usually infeasible since code providers do not confine them to a certain subset of JavaScript, and the gadget code size is usually large and difficult to be analyzed. Moreover, gadget code is subject to change from time to time by the provider. Mashup programmers are challenged to provide flexible functionality even if the code consumer is not willing to trust the gadgets that mashups utilize. Unfortunately, programmers often choose to include gadgets using the script tag and resign to security in the name of functionality.

Fig. 1.

Target architecture automatically generated by Mashic.

Recently, Smash [11], AdJail [26], and PostMash [2] proposed to use inter-frame communication between integrator and gadgets. Smash proposes a secure component model for mashups that generalizes the security policies imposed by the SOP. The model is implemented via inter-frame communication and offered as JavaScript libraries. However, integrators and gadgets code have to be adapted to this specific way of communication. AdJail focuses on advertisement scripts by delegating limited DOM interfaces from the integrator. PostMash targets interfaces to operate on gadgets and proposes an architecture for mashups depicted in Fig. 1. In the PostMash design there are stub libraries on both the integrator and the gadget. On the integrator side, the stub library must provide an interface similar to the original gadget’s interface. The stubbed interface sends corresponding messages by means of the PostMessage API in HTML5. On the gadget side, there is another stub library, listening and decoding incoming messages. Barth et al. [2] evaluate the feasibility of the PostMash design via a case study using a version of a Google Maps gadget by creating a stub library that mimicked GMap2 API. Regarding the libraries, the authors argue that the stub library can either be provided by the integrator (one for each untrusted gadget), or by the gadget in which case the library must be audited for security by the integrator.

In this work, we address the following questions about the PostMash design:

Can the stub libraries be made general (the same libraries for every gadget and integrator)?

Can PostMash mashups be automatically generated starting from potentially insecure mashups and preserving only the good behavior of the original mashup?

Is it possible to precisely define the security guarantees offered by the architecture?

We have positively answered these questions.

We address questions (1) and (2) with a novel compiler called Mashic which inputs existing mashup code, JavaScript code integrated to HTML, to generate reliable mashups using gadget isolation as shown in Fig. 1. In addition, for question (2), we formalize the notion of “benign gadget” that is useful to prove precisely in which cases the generated mashup behaves as the original one. Notably, the answer to question (3) corresponds to the first formalization as an observational semantics equivalence of the security guarantees offered by the Same Origin Policy in a browser, that, we conjecture, coincides with a form of declassification policy known as delimited release [34]. The Mashic compiler [35] offers the following features:

Automation and generality: Inter-frame communication and sandboxing code is fully generated by the compiler and can be used with any untrusted gadget without rewriting the gadget’s code. After sandboxing, gadget objects are not directly reached by the integrator when the SOP applies. Instead the integrator uses opaque handles [36] to interact with the gadget. Due to the asynchronous nature of the PostMessage API, integrator’s code is transformed into Continuation Passing Style (CPS).

Correctness guarantees: We prove a correctness theorem that states that the behavior of the Mashic compiled code is equivalent to the original mashup behavior under the hypotheses that the gadget is benign and correctness of marshaling/unmarshaling for objects that are sent via PostMessage.

The correctness notion of marshaling/unmarshaling allows us to identify, for example, that the implementation of a secure mashup is not correct as soon as the integrator sends an object with a cyclic structure to the gadget (if the implementation uses the JSON stringify for marshaling).

Precisely defining a benign gadget turned out to be a technical challenge in itself. For that, we instrument the JavaScript semantics extended with HTML constructs by a generalization of colored brackets [18] and resort to equivalences used in information flow security [33].

Security guarantees: We prove a security theorem that guarantees a delimited form of integrity and confidentiality for the compiled mashup. Information sent from the integrator to the gadget, corresponds to a declassification. We prove that the gadget cannot learn more than what the integrator sends. Analogously, the influence that the gadget can have on the integrator is delimited to the actions that the integrator performs with the messages that the gadget sends to the integrator. These guarantees are essential for the success of the compiler since the programmer can rely on this precise notion of security for compiled mashups using untrusted gadgets without further hypotheses. Indeed, if the gadget is not benign in the original mashup, malicious behavior is neutralized in the compiled mashup. This proof relies on the browsers’ SOP, that we formalize by means of iframe DOM elements.

The proposed compiler is directly applicable to real world and widespread mashups. We present evidence that our compiler is effective. We have compiled several mashups based on Google and Bing maps, YouTube, and Zwibbler APIs.

In summary our contributions are:

The Mashic compiler, its design and implementation, that can effortlessly be applied to existing mashups. The Mashic prototype and proofs are available online [35].

Security and correctness guarantees for Mashic compiled code and hence direct guarantees for the mashup end consumer. To our knowledge, this is the first work to formalize and prove guarantees of correctness and security for real world mashups.

A formalization of the SOP in browsers, related to frames and script tags, in a standard small-step semantics style.

A decorated semantics for JS extended with HTML constructs. This semantics provides clarity, in a highly dynamic language as JS, regarding ownership of properties in the heap and we prove it useful by specifying confidentiality and integrity policies in our theorems.

Case studies based on existing widespread mashups that demonstrate the effectiveness of the compiler.

An optimization for reducing the cost of cross-domain operations between gadgets and integrator in which an automatic batching mechanism groups together cross-domain operations in straight-line code, supporting loops and branching instructions.

Limitations. The current implementation of the Mashic compiler suffers from the following limitations:

Unsupported constructs: Our integrator transformer currently supports the full JavaScript language [12] except for a few programming constructs. Specifically, the for-in construct and exception construct are not supported. Some JavaScript features considered “dangerous” such as eval are not supported either.

Multiple gadgets inter-communication: The compiler is completely independent of gadget code, and does not support inter-gadget communication (communication is always done via the integrator), since this would imply transforming gadgets that want to use others’ interfaces. For simplicity, the formal presentation of the Mashic compiler applies to one gadget but its implementation supports multiple gadgets by generating unique ids for each iframe and using them in the proxy interface. Authentication is ensured by the PostMessage mechanism [3].

Symmetric interface: The current Mashic architecture is restricted to mashups that employ only one-way communication, i.e. only the integrator will invoke interfaces provided by the gadget. (Although the gadget is not allowed to send requests to the integrator, it can certainly reply to those that it receives as Mashic supports callbacks.) Certain types of mashups do not fall into this category, notably mashups containing advertisement scripts. Louw et al. [26] addresses two-way communication in AdJail where a subset of the DOM interface from the integrator is also provided to the gadget by dynamically modifying the DOM interface in the sandboxed gadget. In Mashic, in order to enable general interfaces to be exposed to gadgets, the gadget has to be CPS-transformed. At the cost of losing gadget-code independence, it is straightforward to use the Mashic compiler (transformations applied to integrator) for gadgets code, without loosing any of the correctness guarantees.

Remarks. This paper extends an earlier conference version [27]. We extend the conference version by adding explanations, examples, and studying the performance of the Mashic compiler. We propose and implement an optimization based on future batches by Bogle and Liskov [5] and on batching remote procedure calls by Ibrahim et al. [21].

Related work. The closest works to Mashic are AdJail [26], Smash [11], and PostMash [2], and are described above. We focus now in other related work. Nikiforakis et al. [31] crawl more than three million pages over the top 10,000 Alexa sites and show that many sites trust gadgets that could be successfully compromised by determined attackers. Moreover, a study over 6,805 unique websites [38] reveals that insecure JavaScript practices are common, showing that at least 66.4% of mashups include gadgets into the top-level documents of their webpages. Jang et al. [23] study on top of 50,000 websites privacy violating information flows in JavaScript-based web applications. Their survey shows that top-100 sites present vulnerabilities related to cookie stealing, location hijacking, history sniffing and behavior tracking. Browser implementation vulnerabilities have also been shown to leak JavaScript capabilities between different origins [4]. Many mechanisms to prevent JavaScript-based attacks have been deployed. For example the Facebook JavaScript subset (FBJS) [14] was intended to prevent user-written gadgets to attack trusted code but it did not really succeed in its goals [30]. Google Caja [17] is similar to FBJS, transforming JavaScript programs to insert run-time checks to prevent malicious access. Yahoo ADsafe [10] statically validates JavaScript programs. In contrast to the Mashic compiler, all of these mechanisms are gadget-code dependent. Maffeis et al. [29] resort to language-based techniques to find out a subset of JavaScript that can be used to prove an isolation property for JavaScript code. For that, they identify a capability-safe subset of JavaScript. They do not formalize the SOP and they focus on pure isolation of gadgets in contrast to our confidentiality and integrity properties.

Static analysis is usually not applicable or not sound for large web applications due to the highly dynamic nature of JavaScript programs and because gadgets in general cannot be restricted to subsets of JavaScript. Static analysis for JavaScript subsets has been proposed by [32], providing a formal guarantee of isolation for ADsafe subset. Relying on type-based invariants and applicative bisimilarity Fournet et al. [15] show full abstraction of a compiler from ML programs to JavaScript programs. Their result is similar to ours in that compiled JavaScript programs will execute in isolation, but it requires integrator code to be written in ML, which Mashic does not require.

As a response to the increasing need to get flexible functionality without resigning to security guarantees, the research community has proposed several communication abstractions [9,11,22,37]. Specifically, Wang et al. [37] create an analogy between operating systems security [13,39] and mashups security to develop communication abstractions. OMash [8] proposes a refined SOP to enable mashup communication. These abstractions usually require browser modifications and so far have not been adopted in HTML standards [20]. There are other works [1,6] pursuing the direction of formalizing web applications, but none of them formally model the SOP as a security property using observational semantics equivalences.

2. Running example

In order to provide some background, we illustrate with a mashup different kinds of gadget inclusions and inter-frame communication. We reuse this example throughout the rest of the sections. There are two major types of gadgets in web mashups. The first type requires an interface from the integrator to accomplish some tasks. For instance advertisement scripts, which necessarily need to gather information of the integrator page through DOM APIs to implement the advertisement strategy. Another example of the first type of gadgets are user-supplied gadgets in social network platforms such as facebook.com. The second type provides a set of interfaces to the integrator. For instance the Google maps API, that provides various interfaces to operate a map gadget, is of this kind. We focus on the second type, that is gadget scripts that provide a set of interfaces to enable the integrator to manipulate the gadget.

In the example an integrator at i.com wants to include a gadget gadget.js provided by untrusted.com. The integrator creates an empty div element to delegate part of the DOM tree. The integrator includes the gadget by using a script tag:

Listing 1.

Code snippet of http://i.com/integrator.html.

We focus on gadget scripts that provide a set of interfaces to enable the integrator to manipulate the gadget. The integrator calls methods or functions as interfaces to change the state of the gadget. For example, the following is a code snippet (in the integrator) to manipulate the untrusted gadget via interfaces:

Listing 2.

Code snippet of http://i.com/integrator.html.

The gadget defines a global variable gadget to provide interfaces to the integrator.

The gadget.newInstance is used to create a new gadget instance that binds to the div; and instance.setLevel is a method used to change state at the gadget instance. Let us assume that the integrator stores a secret in global variable secret and a global variable price holding certain information with an important integrity requirement:

Listing 3.

Code snippet of http://i.com/integrator.html.

The secret flows to an untrusted source, and the price is modified at the gadget’s will if the gadget contains the following code:

Listing 4.

Non-benign gadget.

If the gadget is isolated using the iframe tag with a different origin, variables secret and price cannot be directly accessed by the gadget. We can modify the example in the following way:

Listing 5.

Code snippet of http://i.com/integrator-msg.html.

Listing 6.

Code snippet of http://u-i.com/gadget.html.

Instead of directly including the script, the integrator invents a new origin u-i.com to be used as an untrusted gadget container, and puts the gadget code in a frame belonging to this origin. By doing this, the JavaScript execution environment between integrator and gadget is isolated, as guaranteed by the browser’s SOP. Limited communication between frames and integrator is possible through the PostMessage API in the browser1

Inter-frame communication is also possible via e.g. navigation policies [3] but this kind of communication is now obsolete.

if there is an event listener for the ‘message’ event. To register a listener one provides a callback function as parameter and treats messages in a waiting queue, asynchronously. Only strings can be sent as messages with PostMessage. However, it is possible to marshal objects without cyclical references (as e.g. the global object) via a marshaling method, such as the standard JSON stringify. Code in gadget-msg.js and integrator-msg.html needs to adapt to the asynchronous behavior. Instead of calling methods or functions, the integrator must send messages to manipulate the untrusted gadget as shown in the following example:

Listing 7.

PostMessage example.

Compilation with Mashic will not preserve the malicious behavior of Listing 4 but will only preserve behavior that does not represent a confidentiality or integrity violation to the integrator.

The compiler relieves the programmer from rewriting code. Instead of rewriting gadget’s code, our compiler inserts a proxy and a listener library that implement a communication protocol for manipulating gadgets independently of untrusted gadgets sandboxed in frames. Instead of rewriting integrator code, our compiler implements a CPS transformation to overcome the asynchronous nature of PostMessage. After compilation of code in Listings 1 and 2 the gadget is modified in the following way:

Listing 8.

Compiled gadget at http://u-i.com/gadget.html.

The integrator is modified in the following way:

Listing 9.

Compiled integrator.

Notice that the gadget code used in the compiled gadget is not modified from the original one. The proxy library and the listener library provide general ways to encode gadget operations, and the programmer does not need to manually write the stub library to operate on confined gadgets. The integrator code, as we mentioned above, is transformed to CPS code integrator_cps.js to perform the same task as in the code shown in Listing 2.

3. Decorated semantics

We propose a decorated semantics to partition a JavaScript heap at the granularity of object properties. In order to prove security policies in a mashup, it is essential to distinguish at each execution step properties corresponding to different principals. Note that static decorations assigned to variables, traditionally used in information flow security policies [33], are not enough to specify security in JS programs due to two reasons: the dynamic nature of JS does not always allow us to syntactically determine the set of properties modified by a program (cf. [30]), and existing native properties in the heap may either be changed by programs or its decoration may depend on the context due to the SOP.

The following example shows some dynamic features of JavaScript.

Listing 10.

Dynamic features of JS.

First, the minimal container in JavaScript is property rather than object (or variable in other languages), so two properties of the same object could belong to different principals. Second, properties can be created dynamically, so static decoration is not possible.

Hence, we have resorted to ideas from colored brackets [18] and adapt them to a semantics modeling the SOP in the browsers. When decorations are erased, our JavaScript decorated rules are compliant with JavaScript semantics (Maffeis et al. [28]). For the sake of simplicity in the presentation, we limit this section to the inclusion of only one gadget as a frame, although the JavaScript semantics (and the Mashic compiler) is not limited in the number of gadgets included in a mashup. Thus, in this presentation, we need to distinguish three different colors. The ♠ color for the Integrator Principal, the ♣ color for the Gadget Principal, and the ♦ color to denote a neutral principal. We use □ or △ to denote any of them. For the sake of brevity, we do not include an origin parameter in the primitive PostMessage since there are only two possibilities: either the integrator communicates with the frame or vice-versa. We also simplify AddListener for the formal presentation: we assume that the only events it listens to is the event “message”.

3.1. Decorated objects

An object o is a tuple ${{i_{1}}_{{□}} : v_{1}, \dots, {i_{n}}_{{△}} : v_{n}}$ associating decorated properties $i_{{□}}$ (internal identifiers or strings) to values. We use i instead of $i_{{□}}$ whenever the decoration is not important. We distinguish internal properties that cannot be changed by programs with the symbol “@” in front of an identifier. We do not model attributes of properties that may indicate access controls as for example “do-not-delete” attributes [28]. We present a series of auxiliary definitions used in the operational semantics. For an object o and a property i, we use $i_{{□}} \in o$ to denote that o has property i with decoration □, and use $i \notin o$ to denote that o does not have property i.

3.2. Heaps

Objects are stored in heaps. A heap h is a partial mapping from locations in a set $L$ to objects. We use the notation $h (ℓ) = o$ , to retrieve the object o stored in location ℓ; and the notation $o . i_{{□}} = v$ to retrieve the value stored in property $i_{{□}}$ . We also use a shortcut $h (ℓ) . i_{{□}}$ whenever possible. To update (or create) a property $i_{{□}}$ of an object at location ℓ in the heap, we use the notation $h (ℓ . i_{{□}} = v) = h^{'}$ , where $h^{'}$ is the updated heap. We also use $Alloc (h, o) = h^{'}, ℓ^{'}$ , where $ℓ^{'} \notin dom (h)$ , for allocating a fresh location for an object in the heap. After adding the location, the new heap is $h^{'}$ . JavaScript heaps contain two important chains of objects. The scope chain keeps track of the dynamic chains of function calls via the $@ scope$ property. To resolve a scope of a variable name, one starts from the bottom of the chain, until reaching a scope object which contains the searched variable name. The scope look-up process is modeled by the $Scope (h, ℓ, m)$ function. It takes 3 parameters: a current heap, a heap location for a scope object (as the bottom of the scope chain), and a variable name as string to look up. $\begin{matrix} \begin{matrix} \begin{matrix} S COPE - NULL \\ Scope (h, null, m) = null \end{matrix} \begin{matrix} S COPE - REF \\ m \in h (ℓ) \\ Scope (h, ℓ, m) = ℓ \end{matrix} \\ \begin{matrix} S COPE - LOOKUP \\ m \notin h (ℓ) Scope (h, h (ℓ) . @ scope, m) = ℓ_{n} \\ Scope (h, ℓ, m) = ℓ_{n} \end{matrix} \end{matrix} \end{matrix}$

Example 1.
To lookup for name x from scope object ℓ in h, we use $Scope (h, ℓ, “ x ”)$ .

Similarly, the prototype chain represents the hierarchy between objects. A property that is not present in the current object, will be searched in the prototype chain, via the $@ prototype$ property. The helper function $Prototype (h, ℓ, m)$ looks for the m property of the object $h (ℓ)$ via the prototype chain. $\begin{matrix} \begin{matrix} \begin{matrix} P ROTOTYPE - NULL \\ Prototype (h, null, m) = null \end{matrix} \begin{matrix} P ROTOTYPE - REF \\ m \in h (ℓ) \\ Prototype (h, ℓ, m) = ℓ \end{matrix} \\ \begin{matrix} P ROTOTYPE - LOOKUP \\ m \notin h (ℓ) Prototype (h, h (ℓ) . @ prototype, m) = ℓ_{n} \\ Prototype (h, ℓ, m) = ℓ_{n} \end{matrix} \end{matrix} \end{matrix}$ On top of a scope chain, there is a distinguished object, namely the global object.

Integrator and gadgets global objects. We define a (simplified) initial integrator global object below (we use the form $# addr$ to represent an unique heap location): $\begin{matrix} {global}_{i} = \{\begin{matrix} @ {this}_{{♦}} : & # {global}_{i} \\ @ {scope}_{{♦}} : & null \\ “ Stringify ”_{{♦}} : & # {stringify}_{i} \\ “ Parse ”_{{♦}} : & # {parse}_{i} \\ “ PostMessage ”_{{♦}} : & # {postmessage}_{i} \\ “ Addlistener ”_{{♦}} : & # {addlistener}_{i} \\ “ window ”_{{♦}} : & # {global}_{i} \end{matrix}\} . \end{matrix}$ Global variables are defined as properties in the global object. For example $window$ is a global variable holding the location $# {global}_{i}$ of the initial global object. Notice that properties in the initial global object are decorated with ♦, which are not considered as heap locations created neither by the integrator nor the gadget.

Since by SOP the integrator and the frame do not share objects in the heap, we define similarly an initial global object ${global}_{f}$ for the frame, in which the properties hold locations $# {global}_{f}$ , $# {stringify}_{f}$ , …, and $# {addlistener}_{f}$ . $\begin{matrix} {global}_{f} = \{\begin{matrix} @ {this}_{{♦}} : & # {global}_{f} \\ @ {scope}_{{♦}} : & null \\ “ Stringify ”_{{♦}} : & # {stringify}_{f} \\ “ Parse ”_{{♦}} : & # {parse}_{f} \\ “ PostMessage ”_{{♦}} : & # {postmessage}_{f} \\ “ Addlistener ”_{{♦}} : & # {addlistener}_{f} \\ “ window ”_{{♦}} : & # {global}_{f} \end{matrix}\} . \end{matrix}$ Heap locations of the form $# {addr}_{f}$ with a subscript f, as in $# {global}_{f}$ , denote native objects that reside in the frame reserved part of the heap, as described by the semantics rules shown later.

Native functions in a heap are represented by locations (e.g. $# {postmessage}_{i}$ ) as abstract function objects. We use $NativeFuns$ to denote the set of locations of native functions. We give definition for pre-defined native objects existing in an initial heap when initializing an integrator or a frame. These native objects are defined below: $\begin{matrix} \begin{matrix} \begin{matrix} O BJECT P ROTOTYPE \\ objprot = {@ prototype : null} \end{matrix} & \begin{matrix} F UNCTION P ROTOTYPE \\ funprot = {@ prototype : null} \end{matrix} \\ \begin{matrix} S TRINGIFY F UNCTION \\ stringify = \{\begin{matrix} @ prototype : & # funprot \\ @ call : & true \end{matrix}\} \end{matrix} & \begin{matrix} P ARSE F UNCTION \\ parse = \{\begin{matrix} @ prototype : & # funprot \\ @ call : & true \end{matrix}\} \end{matrix} \\ \begin{matrix} P OST M ESSAGE F UNCTION \\ postmessage = \{\begin{matrix} @ prototype : & # funprot \\ @ call : & true \end{matrix}\} \end{matrix} & \begin{matrix} A DD L ISTENER F UNCTION \\ addlistener = \{\begin{matrix} @ prototype : & # funprot \\ @ call : & true \end{matrix}\} \end{matrix} \end{matrix} \end{matrix}$ The prototype objects of object and function are used as default prototypes. We model four native functions defined for marshaling/unmarshaling objects to strings, posting messages, and setting event listeners. We assume that $Alloc (h, o)$ never allocates those pre-defined heap locations mentioned above. We also use ⊕ to denote the union of two disjoint heaps (with non-overlapping addresses).

It is useful to define an initial heap. An initial heap for the integrator (resp. for the frame), denoted by $h_{in}$ (resp. $h_{in}^{f}$ ), is one that contains an element in its domain such that $h_{in} (# {global}_{i}) = {global}_{i}$ (for the case of frame $h_{in}^{f} (# {global}_{f}) = # {global}_{f}$ ). We give the definition of the initial heaps below: $\begin{matrix} h_{in} = \{\begin{matrix} # global & \mapsto global, \\ # objprot & \mapsto objprot, \\ # funprot & \mapsto funprot, \\ # stringify & \mapsto stringify, \\ # parse & \mapsto parse, \\ # postmessage & \mapsto postmessage, \\ # addlistener & \mapsto addlistener \end{matrix}\}, h_{in}^{f} = \{\begin{matrix} # {global}_{f} & \mapsto global, \\ # {objprot}_{f} & \mapsto objprot, \\ # {funprot}_{f} & \mapsto funprot, \\ # {stringify}_{f} & \mapsto stringify, \\ # {parse}_{f} & \mapsto parse, \\ # {postmessage}_{f} & \mapsto postmessage, \\ # {addlistener}_{f} & \mapsto addlistener \end{matrix}\} . \end{matrix}$

Fig. 2.
Example: Uniformly colored heap.

We say that a decorated object o is single-colored if and only if all properties of o are decorated with the same color. We say that a decorated heap h is uniformly colored if and only if for all $ℓ \in dom (h)$ such that $h (ℓ)$ is not a global object, then $h (ℓ)$ is a single-colored object (see Fig. 2, where solid black dots are ♠-colored objects, hollow red dots are ♣-colored objects). We say that a decorated object o is single-colored if and only if all properties of o are decorated with the same color. The projection $o ⇂_{□}$ for a decorated object o is defined by eliminating non-□ colored properties of o. If there is no property in o with color □ then the projection is undefined and denoted by ⊥. We define heap projections in order to reason about the portion of the heap owned by a given principal.

Projection $h ⇂_{□}$ is either undefined if there is no property of color □ in h or it is a heap $h^{'}$ such that: $\forall ℓ \in dom (h)$ , $h (ℓ) ⇂_{□} \neq ⊥ \Leftrightarrow ℓ \in dom (h^{'}) & h^{'} (ℓ) = h (ℓ) ⇂_{□}$ .
Remark 1.
If h is a uniformly colored heap, and $h^{'} = h ⇂_{□}$ , then for all $ℓ \in dom (h)$ such that $ℓ \neq # global$ or $ℓ \neq # {global}_{f}$ , $h^{'} (ℓ) = h (ℓ)$ .

We define $h = h^{'}$ as equality on heaps. We denote $h^{'} =_{□} h$ for $h^{'} ⇂_{□} = h ⇂_{□}$ . We also denote $h^{'} \subseteq_{□} h$ for $h^{'} ⇂_{□} \subseteq h ⇂_{□}$ .

Fig. 3.
JavaScript syntax with decorations.
3.3. Syntax

We present in Fig. 3 a simplified syntax of the extension of JavaScript with HTML constructs. We assume that $u \in U rl$ where $U rl$ is a set of URLs or origins. A program in the language is an HTML page M with embedded scripts and frames. Frames are important to reason about the SOP and untrusted code. For simplicity, we choose to restrict the language with at most one frame in HTML pages. Inclusion of many frames adds confusion and does not add any insights to the technical results. (This restriction does not apply to the Mashic compiler.) We assume that there is an implicit environment $Web : U rl \mapsto J$ that maps URLs to gadgets code. In the frame rule, we model with $Web (u)$ a gadget from a different origin $u \in U rl$ . In the syntax, scripts are decorated with a color to denote the principal owner of the script. Statements and expressions ranged over by P, s, and e are standard (see e.g. [28]).

Before a JavaScript program in a script node is executed, or before a body of a function is evaluated, all variable declarations are added to the current scope object in the heap. To that end, we use a function VD that returns a heap and takes as parameters a heap h, a location ℓ of the current scope object, a statement s, and a color □ to bind variables declared by $var x$ with proper decorations to the scope object ℓ. Function VD is presented in Fig. 4.

Fig. 4.

Variable declaration function.

Finally we define a helper function $GetType (h, v)$ , to return a string as the type of a primitive value, $\begin{matrix} GetType (h, v) = \{\begin{matrix} “ number ” & if v = n, \\ “ string ” & if v = m, \\ “ boolean ” & if v = b, \\ “ undefined ” & if v = null or v = undefined, \\ “ object ” & if v = l and @ call \notin h (ℓ), \\ “ function ” & if v = l and @ call \in h (ℓ) . \end{matrix} \end{matrix}$

3.4. Configurations

Instrumented global configurations feature a decoration component that denotes the owner principal of the program being executed. Decorations are propagated via semantics rules and, importantly, do not affect the normal semantics of JavaScript programs (they can be erased without further changes in the state). A global configuration is a 5-tuple ${⟨ □, h, ℓ, R, Q ⟩}_{x}$ that features:

A subscript x identifying the execution context of current code, I denotes that the current context is the integrator, and F denotes that the current context is the frame. We use the subscript x to denote a wildcard symbol for both I or F.

A decoration □ that denotes the principal of the current program in the configuration.

A heap h.

A location $ℓ \in L$ pointing to the current scope object (or $null$ only for the initial configuration).

A run-time program R currently being executed (see Section 3.6).

A waiting queue Q in order to give semantics to the PostMessage mechanism.

A waiting queue is of the form

⟨ ℓ_{i}, {mq}_{i} ⟩ ∥ ⟨ ℓ_{f}, {mq}_{f} ⟩

, where

ℓ_{i}

and

ℓ_{f}

are locations for event listeners and

{mq}_{i}

and

{mq}_{f}

are message queues for both, the integrator and the frame, respectively. The syntax for defining a message queue is:

\begin{matrix} mq : : = m mq ∣ ε, \end{matrix}

where m is a string. We use

{mq}_{1} + {mq}_{2}

to denote the concatenation of two message queues.

An initial configuration is of the form ${⟨ □, ε, null, M, Q_{init} ⟩}_{I}$ where $Q_{init} = ⟨ null, ε ⟩ ∥ ⟨ null, ε ⟩$ .

We also define a configuration for the core JavaScript semantics $\begin{matrix} (□, h, ℓ, s) \end{matrix}$ to be a 4-tuple featuring:

A decoration □ that denotes the principal of the current program in the configuration;

A heap h;

A location ℓ of the current scope object;

A current statement s being evaluated.

Transitions between core JavaScript configurations are featured with a label

ℓ mq

(h, ℓ, s) \overset{ℓ mq}{\to} (h^{'}, ℓ, s^{'})

. The label

ℓ mq

carries the side-effect of PostMessage and event listeners added by the native function addlistener, and is defined by the following syntax:

\begin{matrix} ℓ mq : : = mq ∣ ℓ + mq, \end{matrix}

where

mq

is a message queue and ℓ is a mark that denotes that an event listener is added and holds in location ℓ of the heap. Let

{\overset{ℓ mq}{\to}}^{*}

be the transitive closure of the transition relation, where

ℓ mq

denotes the accumulated side-effect. A trace of transitions is valid only if there is at most one side-effect for addlistener.

3.5. Semantics rules

We use a transition system to define the semantics of our language, via the $\overset{}{\to}$ relation between global configurations. We denote by ${\overset{}{\to}}^{*}$ the reflexive and transitive closure of $\overset{}{\to}$ . Figure 5 presents rules on the HTML extensions and the SOP property (see frame rules and DScript). The semantics rules of core JavaScript are defined in a context-redex style in Figs 6, 7, and 8.

3.6. DOM semantics rules

We extend the syntax with run-time expressions: $\begin{matrix} \begin{matrix} R & : : = & M ∣ F J ∣ F_{RT} J ∣ J ∣ s J & run-time programs \\ F_{RT} & : : = & <iframe> J </iframe> & run-time frames \\ ∣ & <iframe> s J </iframe> \\ e & : : = & \dots ∣ @ FunExe (ℓ, s, □) ∣ @ NewExe (ℓ_{o}, ℓ, s, □) & run-time expressions \\ v & : : = & pv ∣ ℓ ∣ undefined & run-time values \\ i & : : = & @ x ∣ m & properties of objects \end{matrix} \end{matrix}$

In the run-time syntax, R denotes run-time programs being executed, extended by run-time frame $F_{RT}$ . Run-time expressions e are extended with two types of functions $@ FunExe (ℓ, s, □)$ and $@ NewExe (ℓ_{o}, ℓ, s, □)$ , v denotes run-time values which consist of primitive values $pv$ , heap locations ℓ, and undefined value $undefined$ .

Fig. 5.

Decorated semantics rules (DOM).

Fig. 6.

Decorated semantics rules (Core JavaScript).

Fig. 7.

Decorated semantics rules (Core JavaScript, continued).

Fig. 8.

Decorated semantics rules (Core JavaScript, continued).

We define semantics rules for the DOM, i.e. the global transitions, in Fig. 5. Now we comment on the semantics rules.

DInit

A mashup execution initializes the heap of the configuration to the initial heap of the integrator $h_{in}$ . The scope object is set to the global object $# global$ .

DScript

A △-decorated script starts by $VD (h, ℓ, s, △)$ to initialize variables defined in s to the current scope object ℓ in h. The new configuration has color △.

DScriptFini

When an execution of a statement terminates, we continue with the rest of the computation.

DScript-I-1

This is a contextual rule: if the core JavaScript configuration can advance by 1 step with label $mq$ as the integrator, then the global configuration will accordingly update the message queue ${mq}_{f}$ for the frame. If the listener for the frame $ℓ_{f}$ is not $null$ , then we append $mq$ to ${mq}_{f}$ , otherwise we do nothing since no listener will respond to incoming messages.

DScript-I-2

This rule is similar to DScriptFini except that it sets the listener of the integrator to $ℓ^{'}$ (see the label of core JavaScript transition).

DScript-F-1, DScript-F-2

Similar to rule DScript-I-1 and DScript-I-2.

DFrameInit, DFrameExec, DFrameFini

These rules are for execution of a frame. A frame fetches the content $Web (u)$ and joins the initial frame heap $h_{in}^{f}$ to the current heap. Addresses in h do not overlap with addresses in $h_{in}^{f}$ by the SOP. Notice that the current scope object is set to the frame’s global object.

DCallback-I

When no program is executing, we can apply the event listeners to pending messages in the queues (this rule and rule DCallback-F). For example, if the integrator’s event listener $ℓ_{i}$ is not $null$ and the message queue ${mq}_{i}$ is not empty, then we can apply the listener to the first message in the queue. Note that the only non-determinism comes from these two rules for event listeners.

DCallback-F

See explanation above.

3.7. Core semantics rules

The semantics rules of core JavaScript are defined in a context-redex style in Figs 6, 7, and 8. The evaluation contexts of the core JavaScript are defined below, where $op \in {<,>,+,-,===}$ : $\begin{matrix} \begin{matrix} C & : : = & _∣ C_{i} [C] ∣ C = e \\ C_{i} & : : = & C_{v} ∣_(e) \\ C_{v} & : : = & _[e] ∣ l [_] ∣ new_(e) ∣ new l (_) \\ ∣ & l (_) ∣ l [m] (_) ∣_op e ∣ v op_ \\ ∣ & typeof_∣ x =_∣ l [m] =_ \end{matrix} \end{matrix}$ We need to define a special evaluation context $C_{i}$ to evaluate redexes that contain an identifier x. For example, in the expression $x = 3$ , x should not be evaluated to a value. Therefore $_= e$ is not a $C_{i}$ context. Evaluation context $C_{v}$ is special for a redex in the form of $ℓ [m]$ (a property accessor) to be evaluated to a value. For example, in the expression $ℓ [m] (e)$ , $ℓ [m]$ should not be evaluated into a value since it is a method invocation. Therefore $_(e)$ is not a $C_{v}$ context.

Now we explain the transition rules in detail. DThis

To resolve the this keyword, we return the $@ this$ property of the current scope object ℓ in h.

DObj-Literal

We first allocate a new empty object in h, represented by $ℓ_{o}$ . Then we evaluate each $e_{i}$ separately, adding the results $v_{i}$ as properties $m_{i}$ of the object in $ℓ_{o}$ .2

²
We do not explicitly mention the heap h when there is no ambiguity.

The result is the location

ℓ_{o}

of created object. The properties of the created object is all decorated with □.

DCallFunc

To invoke a function, we create a new scope object $ℓ_{s}$ as current scope object in which the $@ scope$ property is set to the function’s closure scope $h_{1} (ℓ_{1}) . @ fscope$ . Furthermore, the $@ this$ property of $ℓ_{s}$ is set to $ℓ_{g}$ , the global scope object of the current scope chain. $VD (h_{1}, ℓ_{s}, s, △)$ initializes local variables defined in the body of the function in $ℓ_{1}$ with the decoration of the function object rather than the current decoration in the configuration. The resulting expression $@ FunExe (ℓ, s, □)$ keeps record of the scope object ℓ to return, and the decoration □ to recover when the function execution finishes. For simplicity, we present functions with one parameter only. Function GetGlobal look up in the scope chain to get the address of the global object via the window property.

DCallMethod

This rule is similar to DCallFunc, the different is that we look up thought the prototype chain to obtain the function object $ℓ_{3}$ from $ℓ_{1} [m]$ , and we set the $@ this$ property of $ℓ_{s}$ is set to $ℓ_{1}$ , since it is a method call rather than a function call.

DCallContext

This is a contextual rule for evaluating a body of a function.

DCallFini

When a function invocation is finished and no value is returned, we restore the scope to ℓ and return $undefined$ as result.

DCallRet

When a function invocation is finished and value v is returned, we restore the scope to ℓ and return v as result.

DNew

The new construct uses a function as a constructor to initialize an object. It behaves method invocation. We first creates an empty object $ℓ_{o}$ in which the internal $@ prototype$ property is set to the $“ prototype ”$ property of the function $h ℓ_{1}$ . Then we proceed as in method invocation. The result expression $@ NewExe (ℓ_{o}, ℓ, s, □)$ keep records of both $ℓ_{o}$ and ℓ.

DNewContext

This is a contextual rule for evaluating a body of a function as object initialization.

DNewFini

When an execution of $@ NewExe (ℓ_{o}, ℓ, v)$ finished, we restore the scope object to ℓ and return $ℓ_{o}$ as the result of creating an object.

DFun

To create a new function, we first create an empty prototype object $ℓ_{p}$ , then we create $ℓ^{'}$ as the function object, where the $“ prototype ”$ property is set to $ℓ_{p}$ . We keep the current scope object ℓ in the $@ fscope$ property of $ℓ^{'}$ as the closure captured by the function definition. We finally return $ℓ^{'}$ as result. The function object is decorated with □, keeping track the owner of the function.

DTypeof

We use the $GetType (h, v)$ to obtain a string representing the type of v.

DOP

We use a conventional interpretation of $op$ .

DAsgnIdent

We first look up through the scope chain to check if x is defined in the chain. If it exist in scope object $ℓ_{n}$ , then we update the property of $“ x ”$ in $ℓ_{n}$ , otherwise we create a property $“ x ”$ in the global object $ℓ_{g}$ .

DAsgn-New-Property

To create a property m of $ℓ_{1}$ , we directly update $ℓ_{1}$ in h without following the prototype chain. A decoration is created only when a new property is created and cannot be changed afterward.

Example 2 (Decoration of a new property).

Suppose a location ℓ stored in variable x represents the object o in the heap. A program, with decoration ♣, $x [“ b ”] = 3$ results in the decorated object on the right side: $\begin{matrix} o = \{\begin{matrix} a_{{♣}} : & 2 \\ c_{{♠}} : & 4 \end{matrix}\} ⟹ \{\begin{matrix} a_{{♣}} : & 2 \\ b_{{♣}} : & 3 \\ c_{{♠}} : & 4 \end{matrix}\} . \end{matrix}$

DModify-Property

It is similar to DAsgn-New-Property. The color of the property in the heap is not changed.

DGetVProp

To access a property of an object, we look up through the prototype chain. The value v could possibly be an location. When the property m does not exist we return $undefined$ .

DGetVIdent

To resolve a variable name, we look up through the scope chain.

DParse

To de-marshal an object we use $parse (m)$ to reconstruct an object o. Note that it is a special rule for a native function.

DStringify

To marshal an object we use $stringify (o)$ to return the string (in JSON format) representation of the object.

DPostMsg

To post a message m, we use a label m to indicate the side-effect.

DAddListener

To set a event listener $ℓ_{i}$ , we use a label $ℓ_{i}$ to indicate the side-effect.

DVar

Since $var x$ has already been treated by VD before statement execution, we just skip this statement.

DBlockNext

When a statement evaluates to a value, we continue with the next one.

DBlockContext

It is a contextual rule for evaluating sequential composition of statements (block).

DIfTrue

If the condition expression e evaluates to $true$ then we execute the $“ then ”$ branch.

DIfFalse

If the condition expression e evaluates to $false$ then we execute the $“ else ”$ branch.

DWhileTrue

If the condition expression e evaluates to $true$ then we unfold the while body s once.

DWhileFalse

If the condition expression e evaluates to $true$ then we skip the while body.

DReturn

For $return$ statement, we skip all the rest of the statement s.

Example 3 (Decorated global object).

Recall variables secret and steal in Listings 4 and 3 of Section 2. Assuming that the secret input is “yes”, by semantics (after execution of the non-benign gadget) the shared global object has the following form: $\begin{matrix} h (# {global}_{i}) = \{\begin{matrix} ⋮ \\ “ price ”_{{♠}} : & 0 \\ “ secret ”_{{♠}} : & “ yes ” \\ “ steal ”_{{♣}} : & “ yes ” \end{matrix}\} . \end{matrix}$ If the gadget is sandboxed as in Listing 5, the gadget code gets stuck by the semantics when trying to read “secret” since the variable has not been defined. (In practice, however, the program raises an exception that we do not model in the semantics.)

4. Compilation overview

In this section we describe in detail how proxy and listener libraries work. For that, we need to define opaque object handles.

4.1. Opaque object handle

According to the SOP policy, the integrator and the framed gadget cannot exchange JavaScript references to objects. Our libraries provide a way for the integrator to refer to objects that are defined inside the gadget, called opaque object handles [2].

An opaque object handle is essentially an abstract representation of a JavaScript object. In our libraries it is a unique number associated with an object in the frame.

The following code excerpt demonstrates the data type for an opaque object handle:

In practice, an opaque object handle is an object with a field _is_ohandle being true and a field _id being the corresponding id. The handle_id_gen function generates a unique id. Since the data structure for handles only contains primitive values, they can be exchanged via PostMessage and standard marshaling methods.

On the listener library side, we keep a list for associating handles and objects:

Since an object could possibly be an opaque object handle, it is necessary to dynamically check whether the object being operated is an opaque object handle or a local object existing in the integrator. If it is an opaque object handle, we need to proxy the operation to the sandbox; if it is a local object, we can directly operate on this object. We define an isOpaque function to do the dynamic check:

Listing 11.

isOpaque function.

Bootstrapping. We model the interface provided by a given gadget as a set $V$ of global variables in the gadget.

Example 4.

For instance in our running example, $V = {gadget}$ , since gadget is the only global variable defined by the gadget. Another example is the interface provided by Google Maps API, that contains only the global variable google.

The Mashic compiler inserts bootstrapping scripts on both sides, integrator and gadget. The bootstrapping script for the integrator takes a set of variables $V = {x_{1}, \dots, x_{n}}$ and generates opaque object handles for each of them:

Listing 12.

Integrator bootstrapping.

The bootstrapping script for the gadget also generates opaque object handles and adds them to a list.

Listing 13.

Gadget bootstrapping.

In the rest of the paper we let ${Bootstrap}_{i}^{V}$ and ${Bootstrap}_{g}^{V}$ be the bootstrapping scripts for variable set $V$ for the integrator and the gadget respectively.

Proxy and listener interface. In the rest of the paper we let $P_{p}$ denote the proxy library, and $P_{l}$ the listener library. On the proxy library side, we provide a series of interfaces to obtain an opaque object handle, or operate on it.

To obtain an opaque object handle from a global variable in the gadget, we use the GET_GLOBAL_REF interface.

Listing 14.

Code snippet of the proxy library.

The GET_GLOBAL_REF interface takes two parameters, the global_name, and a function cont to be used as continuation.

The GET_GLOBAL_REF function, upon invocation on the proxy side, composes a message with a fresh message id and sends it to the gadget in iframe. Because of the asynchronous nature of the PostMessage communication, the listener library on the gadget side cannot respond to this message immediately. Hence, we register a continuation cont with the message id m_id.

There are other interfaces that are supported for operating on opaque objects handles:

GET_PROPERTY: to obtain an opaque object handle or the primitive value of a property of a given object (opaque object handle);

OBJ_PROP_ASSIGN: to assign a primitive value or an object or an opaque object handle to a property of a given object;

CALL_FUNCTION: to call a function (opaque object handle) with all parameters being primitive values, objects or opaque object handles;

CALL_METHOD: to call a method of an object (opaque object handle) with all parameters being primitive values or objects or opaque object handles;

NEW_OBJECT: to instantiate a function object (that is, an opaque object handle) with all parameters being primitive values or objects or opaque object handles.

Example 5.

Recall the mashup from Section 2. The interface to obtain an opaque object handle in the integrator is:

where “gadget” is the interface provided by the gadget and the second parameter is a callback function. Once the integrator obtains an opaque object handle, it can use other interfaces from the integrator to operate on the opaque object handle. If opq_inst corresponds to an instance object inside the gadget, to mimic the code of line 4 in Listing 2 we use:

The interface CALL_METHOD sends a message via PostMessage, and waits for a response from the gadget. Once the response arrives, the callback function(val){...} is invoked on the returned result. Note that the result might be an opaque object handle as well.

In the listener library, there are interfaces to generate a response as the following function:

The function GET_GLOBAL_REF_L gets the real object by the global name, and generates an opaque object handle if the object is not a primitive value. Then the opaque object handle is sent back to the integrator via PostMessage as a response for the previous sent message. Finally, the associated continuation cont will be applied on the response (possibly an opaque object handle).

Here we give details on how interface CALL_METHOD works.

The integrator invokes CALL_METHOD(opq_obj,method,cont,args), where opq_obj stands for the object inside the iframe on which we want to invoke the method; cont is the continuation; the args is possibly a list of arguments.

The proxy sends the following message to the listener in iframe:

The proxy library associates m_id with the continuation cont.

When the listener receives the message, it first obtains the real object corresponding to the handle obj; and then it converts the opaque object handles in arguments to corresponding objects; and finally it invokes object[method_name] on the arguments.

Once the invocation is finished, it sends back a message: where val is either a primitive value or an opaque object handle.

Upon receiving the response, the proxy library applies the continuation cont with the received result val.

4.2. Integrator code transformation

JavaScript does not support Scheme-style call/cc (Call-with-Current-Continuation) for suspending and resuming an execution. Demanding the programmer to write in CPS would render the proposal impractical.

Example 6.
Recall the example in Section 2. In order to obtain the property gadget.Type.SIMPLE, the programmer should write the following code (using the proxy interface):

This style is similar to CPS, where one needs to explicitly specify continuations for the rest of a computation. In order to reuse the legacy code that operates on a gadget, we propose an automated transformation of legacy code in such a way that programmers do not need to rewrite their code. Legacy code in the integrator will be CPS-transformed, and inserted with dynamic checks for opaque object handles when necessary.

Fig. 9.
Transformation of statements.

We formally define the CPS transformation of an integrator code s, denoted $C ⟨ s ⟩$ . The function $C : s \mapsto s$ transforms JavaScript code into CPS. CPS-transformed programs are functions that take as parameter another function as an explicit continuation of the computation. The transformation rules for statements are shown in Fig. 9. The CPS transformation rules shown in Fig. 10 are standard with respect to the call-by-value lambda calculus. The transformation rules defined in Fig. 11 represent interesting and non-standard cases where the proxy library and dynamic checks are inserted into the CPS transformed code. We give explanations for important cases while other rules are similar. For each operation, the compilation inserts dynamic checks to verify whether the object is an opaque object handle or not.

We transform $e_{0} [e_{1}]$ to a function taking a parameter $_k$ as continuation. In the body of this function, we apply the transformed code of $e_{0}$ to a continuation where the transformed code of $e_{1}$ is applied to an inner-most continuation. In the inner-most continuation $_x_{0}$ and $_x_{1}$ bind to the results of evaluating $e_{0}$ and $e_{1}$ respectively. We dynamically check if $_x_{0}$ is an opaque object handle to decide whether to use the proxy interface or to apply $_k$ to $_x_{0} [_x_{1}]$ directly. Notice that $_x_{1}$ can only hold a string, otherwise the execution blocks since in our simplified JavaScript semantics we do not consider type-casting. The transformation of the expression $new e_{0} (e_{1})$ is trickier. This is due to the semantics of $new$ and its return value. Its semantics is similar to calling a function except that the return value is not the result of evaluating the function but the newly created object. Directly supplying the continuation $_k$ to evaluation $_x_{0}$ of $e_{0}$ , as in the case for $e_{0} [e_{1}]$ will not work since the returned value must be a reference and not the result of the function. In the inner-most continuation, we first create a dummy function $_x_{3}$ with the same prototype as the object obtained from $e_{0}$ in order to simulate the return value of an object reference. Then we create an empty object $_x_{2}$ with this dummy function. Next we create a continuation $_x_{4}$ with parameter $_v$ where $_k$ is always applied to $_x_{2}$ , no matter what is the parameter $_v$ . Finally, we apply $_x_{0}$ to $_x_{1}$ , to simulate function $e_{0}$ execution, using $_x_{4}$ as continuation and binding $_x_{2}$ to $this$ keyword (to initialize properties in $_x_{2}$ ) via $_x_{4}$ . Notice that the continuation will be always applied to $_x_{2}$ , and as in $new e_{0} (e_{1})$ , will return the created object rather than the result of the function invocation.

Fig. 10.
Transformation of expressions, Non-Message-Passing part.

Fig. 11.
Transformation of expressions, Message-Passing part.
4.3. Overall picture

In order to state the theorem, we define decorations for original and compiled mashups. In the original mashup we decorate the integrator as ♠ and the gadget as ♣.

Definition 1 (Decorated original mashup).

Let $P_{i}$ be an integrator script and $P_{g}$ be a gadget script. We define the original mashup $\tilde{M} (P_{i}, P_{g})$ to be: $\begin{matrix} \begin{matrix} <html> \\ <script ♣ > P_{g} </script> \\ <script ♠ > P_{i} </script> \\ </html> \end{matrix} \end{matrix}$

In the compiled mashup we decorate the run-time libraries as ♦. The run-time libraries are marked as neutral color ♦ since we show with the correctness theorem that changes to the integrator’s heaps by the original and the compiled versions are indistinguishable. The runtime libraries do not appear in the original heap.

Definition 2 (Mashic compilation).

Let $P_{i}$ be an integrator script, $P_{g}$ be a gadget script, and $V$ be a set of variables denoting global names exported by the gadget script. We define the Mashic compilation ${\tilde{M}}_{c} (P_{i}, P_{g}, V)$ to be: $\begin{matrix} \begin{matrix} <html> \\ <iframe src= u > </iframe> \\ <script ♦ > P_{p}; {Bootstrap}_{i}^{V} </script> \\ <script ♠ > C ⟨ P_{i} ⟩ (function (_x) {_x}) </script> \\ </html> \end{matrix} \end{matrix}$ where $\begin{matrix} Web (u) = \begin{matrix} <script ♦ > P_{l} </script> \\ <script ♣ > P_{g} </script> \\ <script ♦ > {Bootstrap}_{g}^{V} </script> \end{matrix} \end{matrix}$

We formally define the bootstrapping script that appears in Section 2.

Definition 3 (Bootstrapping script).

Given a set of variables $V = {x_{0}, \dots, x_{n}}$ , the Mashic bootstrapping script for an integrator ${Bootstrap}_{i}^{V}$ is defined, for $j \in {0, \dots, n}$ , as $\begin{matrix} var x_{j}; x_{j} = new OHandle (j); \end{matrix}$ and the bootstrapping script for a gadget ${Bootstrap}_{g}^{V}$ is: $\begin{matrix} add_handle_obj (new OHandle (j), x_{j}); \end{matrix}$

5. Correctness theorem

In this section we formally present the correctness theorem and its assumptions.

5.1. Preliminary definitions

Correct marshaling. We define the notion of correct marshal and unmarshal functions w.r.t. to a set of objects S. Intuitively this definition states that the process of marshaling and then unmarshaling an object preserves the structure of the object in the heap and preserves values that are not locations.

Definition 4 (Correct marshal/unmarshal for S).

Let ∼ be defined as $v \sim v^{'}$ in h iff there exists a bijection β such that $v, v^{'} \notin L$ and $v = v^{'}$ or $v, v^{'} \in L$ and $β (v) = v^{'}$ and for every property p in $h (v)$ , $h (v) . p \sim h (v^{'}) . p$ . Given two functions f and $f^{- 1}$ , we say that they are correct for a set of objects S if for all $o \in S$ , heap h, and $f^{- 1} (f (o)) = o^{'}$ we have $o^{'}$ satisfies: for every property p in o, $o . p \sim o^{'} . p$ in h.

Definition 4 is useful for the correctness theorem of the compiler. It captures the weakest hypothesis possible for the correctness theorem to hold. Following this hypothesis, implementation of marshaling/unmarshaling functions may vary. In the current prototype of the Mashic compiler we implement these functions with JSON stringify and parse, which do not preserve the structure of the objects if the structure contains a cycle. Thus, these functions are considered correct only if the set S of objects to be marshaled does not contain objects with cyclic structures. We have chosen JSON stringify/parse for efficiency reasons. However, it is straightforward to write correct marshaling/unmarshaling functions for a set of objects that also contain cycles in their structures.

Benign gadget. Intuitively, a benign gadget $P_{g}$ does not rely on the integrator’s portion (marked by ♠) and the neutral portion (marked with ♦) of the heap. Furthermore the evaluation of $P_{g}$ does not depend on any part of the heap except for the initial heap.

In order to state the definition we first define a benign gadget heap as a heap that contains gadget functions with confidentiality and integrity properties.

Definition 5 (Benign gadget heap).

A heap $h_{g}$ is benign if and only if for any heaps $h_{0}$ , $h_{1}$ such that $h_{j} ⇂_{♣} = h_{g}$ ( $j \in {0, 1}$ ), for any function located in $ℓ \in dom (h_{g})$ , for any $ℓ^{'}$ such that $h_{0} (ℓ^{'}) = h_{1} (ℓ^{'})$ is an object, and $(♠, h_{j}, ℓ_{j}, ℓ (ℓ^{'})) {\overset{}{\to}}^{*} (♠, h_{j}^{'}, ℓ_{j}^{'}, v_{j}^{'})$ , the following conditions hold:

$v_{0}^{'} = v_{1}^{'}$ ;

(integrity) $h_{j} =_{♠} h_{j}^{'}$ and $h_{j} =_{♦} h_{j}^{'}$ ;

(confidentiality) $h_{0}^{'} =_{♣} h_{1}^{'}$ ;

(preservation of benignity) $h_{1}^{'} ⇂_{♣}$ is benign.

Example 7 (Benign heap).

Recall the integrator’s code in Listing 3 in Section 2. If the gadget contains the following code, then the gadget will not produce a benign gadget heap:

Listing 15.

Non-benign gadget heap.

The gadget defines a function in the heap which tries to read from the global variable secret and tries to write into the global variable price. Calling the function from the integrator will violate the integrity and confidentiality requirement.

Definition 6 (Benign gadget).

Program $P_{g}$ is benign if and only if for any heaps $h_{i}$ ( $i \in {0, 1}$ ) such that $h_{i} ⇂_{♣} = \emptyset$ and $(♣, h_{i}, ℓ, P_{g}) {\overset{}{\to}}^{*} (♣, h_{i}^{'}, ℓ, v_{i})$ , the following conditions hold:

(integrity) $h_{i} =_{♠} h_{i}^{'}$ and $h_{i} =_{♦} h_{i}^{'}$ ;

(confidentiality) $h_{0}^{'} =_{♣} h_{1}^{'}$ ;

$h_{0}^{'} ⇂_{♣}$ is benign.

Example 8 (Benign gadget example).

Recall the example in Section 2, Listing 4. The gadget is not benign since it tries to read from the global variable secret and tries to write into the global variable price.

In the benign gadget definition we explicitly require that the initialization phase (adding functions to the heap) and execution of all functions (that are defined in the heap) always terminate.

It is possible to relax this definition by not requiring termination of benign gadgets (by using indistinguishability invariants for intermediate running expressions) but we consider more appropriate to see non-terminating behavior in gadgets as non-benign behavior since the gadget will never let the integrator execute. Hence if the gadget is non-terminating we do not offer any correctness guarantees (security guarantees still apply).

Notice that the termination requirement on gadgets does not imply termination of the mashup. The mashup might never terminate if gadget and integrator continuously run listener continuations and this is independent of termination of functions in gadgets (see e.g. fair termination [7]).

Correct integrator. For correctness, we impose some reasonable restrictions on the integrator’s code. Intuitively, a correct integrator does not modify directly a non-♦-colored property; and does not use objects defined by gadgets in the prototype chain. This restriction is not limiting in practice since an integrator usually operates on gadgets via the interfaces provided by it and not by directly modifying its properties. Given marshal/unmarshal functions, we also require that a correct integrator only sends to gadgets objects for which these functions are correct.

First, we give a notion of reachability of a location from a global variable in a given heap h.

Definition 7 (Reachability).

A location l is reachable from a variable x in h if and only if either:

$h (@ global) . x = l$ ; or

$\exists p$ such that l is reachable from $h (h (@ global) . x) . p$ .

Now we give the definition for correct integrator.

Definition 8 (Correct integrator for f, $f^{- 1}$ , $V$ ).

Program $P_{i}$ is a correct integrator for marshaling/unmarshaling functions f, $f^{- 1}$ and variable set $V$ if and only if, for any benign heap $h_{g}$ such that $(♠, h_{in} \oplus h_{g}, # global, P_{i})$ reaches a redex e and a heap h, then the following conditions hold:

If e is of the form $x = v$ and $Scope (h, ℓ, “ x ”) = ℓ_{n}$ , then either $ℓ_{n} = null$ or $“ x ”$ is a ♠-colored property of $h (ℓ_{n})$ .

If e is of the form $ℓ^{'} [m] = v$ , then $h (ℓ^{'})$ is a ♠-single-colored object.

For any ℓ such that $ℓ \in dom (h ⇂_{♠})$ and $h (ℓ) . @ prototype = ℓ_{n}$ , either $ℓ_{n} = null$ or $h (ℓ_{n})$ is a ♠-colored object.

If e is of the form $ℓ_{f} (ℓ^{'})$ and $h (ℓ_{f})$ is a ♣-colored function, then $h (ℓ^{'})$ is an object for which f and $f^{- 1}$ are correct and $ℓ_{f}$ is reachable from $V$ in h.

Example 9 (Correct integrator prototype chain).

We illustrate why a correct integrator’s object cannot have a gadget’s object as its prototype object (bullet (3)). Assume that in the heap of the original mashup, $h (ℓ_{i})$ is a ♠-colored object, and $h (ℓ_{g})$ is a ♣-colored object such that $\begin{matrix} h (ℓ_{i}) = {@ prototype : ℓ_{g}}, h (ℓ_{i}) = {a : 3} . \end{matrix}$ By reading the property $“ a ”$ of $ℓ_{i}$ in the original mashup we get 3. The heap of the compiled code will contain a pointer to a handle: $\begin{matrix} h (ℓ_{i}) = {@ prototype : ℓ_{o}}, h (ℓ_{o}) = \{\begin{matrix} “_id ” & n \\ “_is_ohandle ” & true \end{matrix}\} . \end{matrix}$

Hence, by reading the property $“ a ”$ of $ℓ_{i}$ in the compiled mashup we do not get value 3.

5.2. Indistinguishability and correctness

To define indistinguishability between the original heap and compiled heap, the structure of the scope chain in the heap must be preserved. We start by defining the notion of scope object and scope chain. We use $# global$ as the address of the original global object.

Definition 9 (Scope object).

Let h be a heap, and ℓ be a location for a scope object. We say ℓ is a scope object in h if one of the following conditions is satisfied:

$ℓ = # global$ , and $h (ℓ) . @ scope = null$ ;

$ℓ \neq # global$ , $h (ℓ) . @ scope = ℓ^{'} \neq null$ , and $ℓ^{'}$ is also a scope object in h.

Definition 10 (Scope chain).

Let h be a heap, and $ℓ_{1}$ be a scope object in h. We say that $ℓ_{1} ℓ_{2} \dots ℓ_{n}$ is the scope chain of $ℓ_{1}$ in h, if

For $i < n$ , $h (ℓ_{i}) . @ scope = ℓ_{i + 1}$ ;

$h (l_{n}) . @ scope = null$ .

We use $ℓ \in ℓ_{1} ℓ_{2} \dots ℓ_{n}$ to denote that scope object ℓ is included in the scope chain $ℓ_{1} ℓ_{2} \dots ℓ_{n}$ w.r.t. some heap h.

Fig. 12.

Example: Scope indistinguishability.

We define the β-indistinguishability $\sim_{β}$ on values, objects, and scope chains, where $β : L ⇀ L$ is a partial injective function between heap locations.

Definition 11 (Scope chain indistinguishability).

Let $ℓ_{1}$ be a scope object in h and $ℓ_{1}^{'}$ be a scope object in $h^{'}$ , and $β : L ⇀ L$ be a partial injective function. Let $ℓ_{1} ℓ_{2} \dots ℓ_{n}$ be the scope chain of $ℓ_{1}$ in h, and let $ℓ_{1}^{'} ℓ_{2}^{'} \dots ℓ_{m}^{'}$ be the scope chain of $ℓ_{1}^{'}$ in $h^{'}$ . We say that the two scope chains are indistinguishable, denoted $(h, ℓ_{1}) \approx_{β} (h^{'}, ℓ_{1}^{'})$ if and only if:

$β (ℓ_{1}) β (ℓ_{2}) \dots β (ℓ_{n})$ is a sub-sequence of $ℓ_{1}^{'} ℓ_{2}^{'} \dots ℓ_{m}^{'}$ ;

for $ℓ \notin β (ℓ_{1}) β (ℓ_{2}) \dots β (ℓ_{n})$ , and $ℓ \in ℓ_{1}^{'} ℓ_{2}^{'} \dots ℓ_{m}^{'}$ , $\forall i \in dom (h^{'} (ℓ))$ , $i \in {@ scope, @ prototype, @ this, “_k ”, “_l ”, “_m ”, “_x_{i} ”}$ .

The intuition of scope indistinguishability is that the structure of scope chains is preserved by the integrator transformation (even if scope chains do not have a one to one correspondence), as illustrated in Fig. 12. In the figure, scope objects are represented by round points, and the solid arrows represent the scope chain. The scope chain on the left is obtained by a normal execution of integrator code. The scope chain on the right is obtained by execution of the corresponding transformed code, where there are more CPS-administrative scope objects (gray-colored in the figure). The scope indistinguishability does not take into consideration those CPS-administrative scope objects.

Two values are indistinguishable either if they are equal or if they are both locations related by β. Even assuming a deterministic allocator, we need β to relate two heaps because objects created in the original mashup and compiled mashup will be necessarily different. In particular, the compiled heap will contain more objects.

Definition 12 (Value indistinguishability).

Let $v_{1}$ and $v_{2}$ be two values, and $β : L ⇀ L$ be a partial injective function. Value indistinguishability is defined as follows: $\begin{matrix} \begin{matrix} v \notin L \\ v \sim_{β} v \end{matrix} \begin{matrix} v_{1}, v_{2} \in L β (v_{1}) = v_{2} \\ v_{1} \sim_{β} v_{2} \end{matrix} \end{matrix}$

Objects are related if they have the same properties with the same values. Exceptions to this are properties ${@ scope, @ fscope, @ this}$ and function objects. Properties ${@ scope, @ fscope}$ are related via the scope chain indistinguishability as explained above. Function objects are indistinguishable if the $@ body$ property contains the same code in its original and compiled form.

Definition 13 (Object indistinguishability).

Let $o_{1}$ and $o_{2}$ be two objects, and $β : L ⇀ L$ be a partial injective function. We say that $o_{1}$ and $o_{2}$ are indistinguishable with respect to β, written $o_{1} ≃_{β} o_{2}$ , if for every $i \in dom (o_{1})$ one of the following holds:

$i \in {@ scope, @ fscope, @ this}$ ;

$i \notin {@ body, @ scope, @ fscope, @ this}$ and if $o_{1} . i \in dom (β)$ then $o_{1} . i \sim_{β} o_{2} . i$ ;

$i = @ this$ then $o_{1} . @ this \sim_{β} o_{2} . “_this ”$ ;

$i = @ body$ then $o_{1} . @ body = function (x) {s}$ , then $@ body \in dom (o_{2})$ and $o_{2} . @ body = function (_fun_cont, x) {s}$ , where $\begin{matrix} \begin{matrix} s & = & var_this; \\ _this = this; \\ (C^{'} ⟨ s ⟩) (_fun_cont) \end{matrix} \end{matrix}$

We give an example illustrating object indistinguishability.

Example 10 (Object indistinguishability).

Let $o_{1}$ , $o_{2}$ and $o_{3}$ be: $\begin{matrix} o_{1} = \{\begin{matrix} a : & 2 \\ b : & ℓ_{1} \\ @ scope : & ℓ_{2} \\ @ this : & ℓ_{3} \end{matrix}\}, o_{2} = \{\begin{matrix} a : & 2 \\ b : & β (ℓ_{1}) \\ @ scope : & ℓ_{2}^{'} \\ “_this ” : & β (ℓ_{3}) \end{matrix}\}, o_{3} = \{\begin{matrix} a : & 2 \\ b : & ℓ_{1}^{'} \\ @ scope : & ℓ_{2}^{'} \\ “_this ” : & β (ℓ_{3}) \end{matrix}\} . \end{matrix}$ If $ℓ_{1}^{'} \neq β (ℓ_{1})$ and $ℓ_{2} \neq ℓ_{2}^{'}$ , then we have $o_{1} ≃_{β} o_{2}$ and $o_{1} ≄_{β} o_{3}$ . We do not compare the $@ scope$ property between $o_{1}$ and $o_{2}$ ; but we do compare property b between $o_{2}$ and $o_{3}$ .

Finally, heaps are indistinguishable if all objects are indistinguishable and respective scope chains are indistinguishable.

Definition 14 (Heap indistinguishability).

Two pairs of heap and scope object $(h_{1}, ℓ_{1})$ and $(h_{2}, ℓ_{2})$ are indistinguishable with respect to a partial injective function $β : L ⇀ L$ , such that $dom (β) = dom (h_{1})$ and $rng (β) \subseteq dom (h_{2})$ , denoted $(h_{1}, ℓ_{1}) ≃_{β} (h_{2}, ℓ_{2})$ , if and only if:

for every $ℓ \in dom (β)$ with $o_{1} = h_{1} (ℓ)$ and $o_{2} = h_{2} (β (ℓ))$ :

$o_{1} ≃_{β} o_{2}$ ;

if $o_{1}$ has the $@ body$ property, then $(h_{1}, o_{1} . @ fscope) \approx_{β} (h_{2}, o_{2} . @ fscope)$ ;

$(h_{1}, ℓ_{1}) \approx_{β} (h_{2}, ℓ_{2})$ .

The correctness theorem gives strong guarantees if the gadget is benign: behavior of original and compiled mashup are equivalent in terms of the integrator’s heap. If the gadget is not benign there are no correctness guarantees but only security guarantees described in the following section. We use in the hypothesis that integrator and gadget do not declare the same variables $var (P_{i}) \cap var (P_{g}) = \emptyset$ , where $var$ is defined by: $\begin{matrix} var (s) = \{\begin{matrix} \emptyset & if s = e or s = return e, \\ var (s_{0}) \cup var (s_{1}) & if s = s_{0}; s_{1} or s = if (e) s_{0} else s_{1}, \\ var (s) & if s = while (e) s, \\ {x} & if s = var x . \end{matrix} \end{matrix}$

Notice that this definition of $var$ refers only to declared variables, and the hypothesis does not assume that integrator and gadget do not share variables.

In the following, let ${\tilde{M}}_{c}$ be the Mashic compiler using f and $f^{- 1}$ for marshaling and unmarshaling. Let $V$ be a set of names used by the integrator as the gadget interface.

Theorem 1 (Correctness).

Let $P_{i}$ be a correct integrator for f, $f^{- 1}$ , $V$ and $P_{g}$ be a benign gadget such that $var (P_{i}) \cap var (P_{g}) = \emptyset$ . If ${⟨ ♠, ε, null, \tilde{M} (P_{i}, P_{g}), Q_{init} ⟩}_{I} {\overset{}{\to}}^{*} {⟨ □, h_{0}, ℓ_{0}, ε, Q_{init} ⟩}_{x}$ then, $\begin{matrix} {⟨ ♠, ε, null, {\tilde{M}}_{c} (P_{i}, P_{g}, V), Q_{init} ⟩}_{I} {\overset{}{\to}}^{*} {⟨ □, h_{1}, ℓ_{1}, ε, Q_{1} ⟩}_{x}, \end{matrix}$ where $Q_{1}$ has no message waiting, and there exists β such that $\begin{matrix} (h_{1} ⇂_{♠}, ℓ_{1}) ≃_{β} (h_{0} ⇂_{♠}, ℓ_{0}) . \end{matrix}$

The proof proceeds in two stages by means of an intermediate compilation and by structural induction on programs. The behavior of the original mashup is indistinguishable from that of the intermediate compilation; and the intermediate compilation behaves indistinguishably from the Mashic compilation.

5.3. Auxiliary definitions and lemmas

In this section we give some auxiliary definitions and some useful lemmas to prove the main theorem. First we define the notion of intermediate compilation in which the gadget is not sandboxed by an iframe and the integrator is compiled to CPS-only code without using the proxy and listener interface. The intermediate compilation will be used in the proofs.

Definition 15 (Decorated intermediate compilation).

We define decorated intermediate compilation ${\tilde{M}}_{i} (P_{i}, P_{g})$ as the follows: $\begin{matrix} \begin{matrix} <html> \\ <script ♣ > P_{g} </script> \\ <script ♠ > C^{'} ⟨ P_{i} ⟩ (function (_x) {_x}) </script> \\ </html> \end{matrix} \end{matrix}$ where $C^{'} ⟨ ⟩$ is an intermediate CPS-transformation.

The intermediate CPS transformation is identical to the Mashic CPS transformation except for the rules shown in Fig. 13, where the proxy and the listener library are not used, since the gadget is not sandboxed.

Fig. 13.

CPS transformation (intermediate).

The following lemma shows that the Mashic compilation and the intermediate compilation preserve correctness of the integrator, since they will not introduce more behavior.

Lemma 2.

If $P_{i}$ is a correct integrator for marshaling/unmarshaling functions f, $f^{- 1}$ and variable set $V$ , then $C ⟨ P_{i} ⟩$ and $C^{'} ⟨ P_{i} ⟩$ are both correct integrators for the same functions and variable set.

Proof.

Straightforward by structural induction on the definition of $P_{i}$ . □

We define the notion of strong object indistinguishability, denoted $\sim_{β}$ , where we have a stronger condition in item 2 when comparing to object indistinguishability. The technical intuition for strong object indistinguishability is that the execution of an intermediate compilation and a mashic compilation of an integrator P do have a strong similarity due to the same structure in CPS transformed code, allowing us to prove a stronger lemma for the intermediate compilation.

Definition 16 (Strong object indistinguishability).

Let $o_{1}$ and $o_{2}$ be two objects, and $β : L ⇀ L$ be a partial injective function. We say $o_{1} \sim_{β} o_{2}$ , if for every $i \in dom (o_{1})$ one of the following holds:

$i \in {@ scope, @ fscope, @ this}$ ;

$i \notin {@ body, @ scope, @ fscope, @ this}$ and if $o_{1} . i \in dom (β)$ then $o_{1} . i \sim_{β} o_{2} . i$ otherwise $o_{1} . i = o_{2} . i$ ;

$i = @ this$ then $o_{1} . @ this \sim_{β} o_{2} . “_this ”$ ;

$i = @ body$ then $o_{1} . @ body = function (x) {s}$ , then $@ body \in dom (o_{2})$ and $o_{2} . @ body = function (_fun_cont, x) {s_{cps}}$ , where $\begin{matrix} \begin{matrix} s_{cps} & = & var_this; \\ _this = this; \\ (C^{'} ⟨ s ⟩) (_fun_cont) \end{matrix} \end{matrix}$

Accordingly, we update the definition of strong heap indistinguishability.

Definition 17 (Strong heap indistinguishability).

Two pairs of heap and scope object $(h_{1}, ℓ_{1})$ and $(h_{2}, ℓ_{2})$ , are strongly indistinguishable with respect to a partial injective function $β : L ⇀ L$ such that $dom (β) = dom (h_{1})$ and $rng (β) \subseteq dom (h_{2})$ , denoted $(h_{1}, ℓ_{1}) \sim_{β} (h_{2}, ℓ_{2})$ , if and only if:

for every $ℓ \in dom (β)$ with $o_{1} = h_{1} (ℓ)$ and $o_{2} = h_{2} (β (ℓ))$ :

$o_{1} \sim_{β} o_{2}$ ;

if $o_{1}$ has the $@ body$ property, then $(h_{1}, o_{1} . @ fscope) \approx_{β} (h_{2}, o_{2} . @ fscope)$ ;

$(h_{1}, ℓ_{1}) \approx_{β} (h_{2}, ℓ_{2})$ .

The following lemma shows that given two indistinguishable scope chains, the scope looking-up process will return indistinguishable heap locations for any normal variable. By normal variable we mean variables that do not start with a $“_”$ . Special case applies to resolving the $@ this$ identifier.

Lemma 3 (Scope look-up).

Let h, g be two heaps, and ℓ, j be two locations for scope objects. If $h \sim_{β} g$ and $(h, ℓ) \sim_{β} (g, j)$ , then the following holds:

if $i \neq @ this$ , $Scope (h, ℓ, i) = ℓ_{1}$ then $Scope (g, j, i) = j_{1}$ and $β (ℓ_{1}) = j_{1}$ ;

if $Scope (h, ℓ, @ this) = ℓ_{1}$ then $Scope (g, j, “_this ”) = j_{1}$ and $β (ℓ_{1}) = j_{1}$ .

Proof.
Straightforward by Definition 11 and Definition of $Scope (_,_,_)$ in semantics rules. □

We formally define the shape of an opaque object handle.
Definition 18 (Opaque object handle).

Let o be an object, o is an opaque object handle with id n if and only if $\begin{matrix} o = \{\begin{matrix} “_id ” & n \\ “_is_ohandle ” & true \end{matrix}\} . \end{matrix}$

We define a relation between two heaps up to a mapping from id of opaque object handles to heap locations. The intuition is that if in one heap, a property points to an opaque object handle, then in the other heap, it must point to a location corresponding to the opaque object handle by the mapping.

Definition 19.
Let $f : N \mapsto L$ be a partial injective function from numbers to locations. We say that $h_{c} \overset{f}{=} h_{i}$ if
$h_{c} =_{♣} h_{i}$ ;

$dom (h_{c} ⇂_{♠}) = dom (h_{i} ⇂_{♠})$ ;

$\forall ℓ \in dom (h_{c} ⇂_{♠})$ , $o_{c} = h_{c} (ℓ)$ and $o_{i} = h_{i} (ℓ)$ , we have that

if $o_{c} . i_{{♠}} = ℓ_{o}$ , and $h_{c} (ℓ_{o})$ is an opaque object handle with id n, then $o_{i} . i = f (n)$ ;

otherwise $o_{c} . i_{{♠}} = o_{i} . i_{{♠}}$ .

6. Security theorem

In this section we present the security theorem. In Mashic compiled code, the integrator has complete access to gadget resources but the gadget only has access to resources offered by the integrator in the proxy library. After Mashic compilation, the malicious gadget cannot scan properties of the integrator, as e.g. in Listing 4, because the SOP policy prevents the framed gadget from accessing the JavaScript execution environment of the integrator as shown in the DFrameInit rule in Fig. 5.

Example 11 (Gadget modifies native functions).

A native function that can commonly appear in the integrator code is the setTimeout function. This function takes two parameters. The first one is a function that will be executed when the time (in milliseconds) specified in the second parameter has passed:

In this example, after 5 ms a pop-up window with caption “timeout!” appears.

This function, as all native JavaScript functions, is associated as a property of the global object. As many native functions the code associated to the setTimeout function can be changed at execution time, changing in this way the assumed behavior for setTimeout.

Suppose the untrusted gadget owned by the attacker writes a function of its own into the setTimeout property:

Then every call to setTimeout in the integrator’s code will be calling the attacker’s code with the integrator privileges.

If instead the gadget is enclosed in a frame, the same code trying to affect the setTimeout property of the global object will only affect the property of the global object of the frame, that is in a disjoint part of the heap according to the SOP.

In order to state the security guarantee, we consider that all code coming from origin u is part of the gadget principal ♣. In contrast to the decorations used for correctness, we now consider the listener library and bootstrapping as gadget’s code. This should not be surprising since the gadget can modify this code and the security theorem must be valid also in this case. We decorate all code residing in the integrator with ♠. This is also different from the correctness theorem. Essentially, we are now interested in asserting that the gadget cannot change the proxy library or bootstrapping in the integrator, whereas for the correctness theorem we were interested in heap indistinguishability only for the integrator heap in the original and compiled mashups. Furthermore, we assume $h_{in}$ is decorated with ♠, and $h_{in}^{f}$ is decorated with ♣. (Notice that decorations do not affect the compiler or semantics of JavaScript code and are only used as technical instrumentation for the theorems and their proofs.)

Definition 20 (Decorated Mashic compilation (for security theorem)).

Given an integrator script $P_{i}$ , a gadget script $P_{g}$ , and a set of variable $V$ denoting global names exported by the gadget script, we define the Mashic compilation $\dot{M_{c}} (P_{i}, P_{g}, V)$ to be: $\begin{matrix} \begin{matrix} <html> \\ <iframe src= u > </iframe> \\ <script ♠ > \\ P_{p}; {Bootstrap}_{i}^{V}; C ⟨ P_{i} ⟩ (function (_x) {_x}) \\ </script> \\ </html> \end{matrix} \end{matrix}$ where $\begin{matrix} Web (u) = <script ♣ > P_{l}; P_{g}; {Bootstrap}_{g}^{V} </script> \end{matrix}$

Example 12 (Integrity violation).

In the example referred just above, the initial heap contains the native function setTimeout. Since the initial heap is decorated with ♠, the $“ timeout ”$ property of the global object is a property of the integrator, $\begin{matrix} h (# global) = \{\begin{matrix} ⋮ \\ “ timeout ”_{{♠}} : & ℓ \\ ⋮ \end{matrix}\} . \end{matrix}$ By using decoration of Definition 20 and semantics rules, we get that the projection $h ⇂_{♠}$ of the integrator heap before execution of the gadget and projection $h^{'} ⇂_{♠}$ after execution of the gadget do not coincide. The setTimeout property of the integrator’s global object has been changed by the gadget execution. This represents an integrity violation.

Example 13 (Confidentiality violation).

Recall variable secret in the example of Section 2. Let us assume that the gadget’s heap is $h ⇂_{♣}$ .

After execution of the non-benign gadget in Listing 4 with an integrator’s global object containing $“ secret ”_{{♠}} : “ yes ”$ $\begin{matrix} h (# global) = \{\begin{matrix} ⋮ \\ “ secret ”_{{♠}} : & “ yes ” \\ ⋮ \end{matrix}\} \end{matrix}$ the gadget heap has $h ⇂_{♣} (# {global}_{f}) . “ steal ” = “ yes ”$ . But starting with integrator’s global object containing $“ secret ”_{{♠}} : “ no ”$ $\begin{matrix} h (# global) = \{\begin{matrix} ⋮ \\ “ secret ”_{{♠}} : & “ no ” \\ ⋮ \end{matrix}\} \end{matrix}$ the gadget heap is $h ⇂_{♣} (# {global}_{f}) . “ steal ” = “ no ”$ . This difference depends on the integrator’s heap and represents a confidentiality violation.

We show that for any gadget code $P_{g}$ , and any integrator code $P_{i}$ , the Mashic compilation $\dot{M_{c}} (P_{i}, P_{g}, V)$ provides integrity and confidentiality guarantees. Notice that even if iframes provide strict heap separation, the theorem shows that this does not imply that the SOP provides strict isolation. Security provided by the SOP is not equivalent to a noninterference property or strict isolation but rather equivalent to a declassification property (the queue component in the configuration is set to be the same in the two executions). This is mainly due to inter-frame communication.

Theorem 2 (Security guarantee of integrator).

Let $P_{g}$ and $P_{i}$ be gadget and integrator code respectively, and let $V$ be a set of variables. For any configuration reachable from a Mashic compilation $\dot{M_{c}} (P_{i}, P_{g}, V)$ : $\begin{matrix} {⟨ ♠, ε, null, \dot{M_{c}} (P_{i}, P_{g}, V), Q_{init} ⟩}_{I} {\overset{}{\to}}^{*} {⟨ ♣, h, ℓ, s, Q ⟩}_{F} \end{matrix}$ if $\begin{matrix} {⟨ ♣, h, ℓ, s, Q ⟩}_{F} \overset{}{\to} {⟨ ♣, h^{'}, ℓ^{'}, s^{'}, Q^{'} ⟩}_{F} \end{matrix}$ then we have

(integrity.) $h =_{♠} h^{'}$ ;

(confidentiality.) For any $h_{0}$ such that $h_{0} =_{♣} h$ , we have ${⟨ ♣, h_{0}, ℓ, s, Q ⟩}_{F} \overset{}{\to} {⟨ ♣, h_{0}^{'}, ℓ^{'}, s^{'}, Q^{'} ⟩}_{F}$ , and $h_{0}^{'} =_{♣} h^{'}$ .

The proof of security proceeds by induction on the length of the execution and is simpler than the one of the correctness theorem.

7. Implementation and case studies

The Mashic compiler is written in Bigloo3

³
http://www-sop.inria.fr/mimosa/fp/Bigloo/.

(a dialect of Scheme) and JavaScript. It has 3.3k lines of Bigloo code and 0.8k lines of JavaScript code. We now turn to discuss practical issues as well as an optimization that we have designed and implemented based on batched futures. We also report on case studies.

CPS in JavaScript. Since JavaScript does not support any tail-recursive call optimization, CPS-transformed code can easily run out of call stacks. In order to deal with this, we implement a trampoline mechanism as proposed by Loitsch [25]. We define a global variable counter to count the depth of current call stacks. If the counter exceeds a certain limit (in the following example it is 30) a tail call will return a trampoline object instead of invoking the function.

This is shown in Listing 16.

Listing 16.

Trampoline of tail call.

A guard loop, on the top level, detects if a trampoline object is returned, as shown in Listing 17. If a trampoline object is detected, the loop restarts the execution of the tail call.

Listing 17.

Guard loop of trampoline execution.

Event handler. In mashups, we also find demands for registering integrator-defined functions as event handlers of gadgets’ DOM objects. For example, the Google Maps API provides an interface to set an integrator’s function as a handler of the event of clicking on the map. Every time the map is clicked, the corresponding function will be invoked, to notify the integrator of the event. By the SOP, the integrator and the gadget in a Mashic compilation cannot exchange function references. Hence we design and implement a mechanism called Opaque Function Handle to achieve the same functionality of an event handler. Similar to the opaque object handle, we associate opaque function handles with function objects on the integrator side. When an iframe-sandboxed gadget receives a function handle, it creates a wrapper function by using the function shown in Listing 18.

Listing 18.

Wraping function handle.

The wrapped function, upon each invocation, sends a message to notify the integrator to invoke the function associated with the function handle.

Fig. 14.

Case studies of applying Mashic compiler. (a) Map directions. (b) YouTube player controls.

Table 1

Selected case studies

Mashup	Gadget API	Description
Polyline Drawing (P)	Google Maps	Integrator uses the APIs to draw several random lines on the displayed map.
Marker Drawing (P)	Google Maps	Integrator uses the APIs to place several random markers on the displayed map.
Map Controls (O)	Bing Maps	Integrator implements several controls over the map such as zooming, relocating, etc.
Player Controls (O)	YouTube	Integrator implements several controls over the player such as forwarding, stop, etc.
Translator (O)	Bing Translator	Integrator uses the provided translating API to do translation.
Polyline and Marker (O)	Google Maps	A mashup that contains multiple gadgets.

Case studies. We have successfully applied our compiler to mashups using well-known gadget APIs, such as Google Maps API, Bing Maps API, and YouTube API. Those examples involve non-trivial interactions between the integrator and the gadget.

In Fig. 14 we show two concrete examples. The first example is a mashup using the Google Maps API to calculate driving directions between two cities. The map gadget is sandboxed by the Mashic compiler in an iframe, as indicated by a black box in the figure. The compiled integrator, as in the original integrator, permits to choose a starting point and an ending point to display a route in the map. The gadget’s response displayed by the integrator, is the distance between the two points. The latter example shows a sandboxed YouTube player, where one can control the behavior of the player through buttons in the integrator.

We report a selected list of mashups in Table 1. In the first column of the figure, the mark ‘P’ means that the integrator’s code was obtained from publicly available code in the web, whereas mark ‘O’ means that the code is ours.

For the 25 examples of Google Maps API we have studied, we have successfully compiled 23 of them. The other 2 examples are not supported by the Mashic compiler. They are overlay-remove and overlay-simple. The example of overlay-remove uses the for-in construct which is not currently supported by our compiler. In the overlay-simple example, the integrator uses some gadget’s object as the prototype of an integrator’s object, which is not allowed by Definition 8 (correct integrator).

Discussion on performance and optimization. The Mashic compiler prototype does have a running overhead on a compiled mashup compared to the original mashup. (This penalty is not perceptible for the final consumer of the mashup, if the interaction with the gadget is not inside a loop, for example.) The performance penalty in the Mashic compiler without optimizations [27] mainly comes from the unoptimized CPS-transformation and message-passing. We have implemented an optimized version of the compiler based on batched futures [5], [21] that we discuss here.

Batching optimization. Message-passing is the main cause of performance penalty, especially inside a loop. For example in the marker drawing mashup we show in Table 1, a loop inserts markers into the map. For each marker, it requires two round-trips of messages. The total message-passing overhead is proportional to the number of loop iterations. Although in practice, as in the above example, it is often the case that the loop can be parallelized, parallelism is not yet available in JS. Another alternative is to “batch” these messages to reduce the total message-passing overhead to constant time.

The key idea of our optimization is to transform programs in such a way that messages are only exchanged when the result produced by the gadget is actually required for determining the control flow in the integrator code. Consider, for instance, the program below in which the gadget is assumed to implement three methods g1, g2, and g3, while the integrator is assumed to implement two functions i1 and i2:

During the execution of the program generated by the original mashic, three messages are exchanged between the integrator and the gadget, each of them triggered by a single call to one of the gadget’s methods. In contrast, the program generated by the optimised mashic only exchanges one message with the gadget, just after the evaluation of the guard of the condition, as the outputs of previous calls are required for determining the control flow in the integrator code.

The code generated by the original mashic compiler is such that every time the integrator code interacts with an opaque object handle, the interface of the proxy library responsible for creating the corresponding message and sending it to the gadget is invoked. For instance, when using an opaque object handle as a function, the interface CALL_FUNCTION of the proxy library is invoked. This interface receives as parameters the opaque object handle corresponding to the gadget’s function as well as the corresponding arguments and the current continuation. It then creates a message that encapsulates the function call request, sends it to the gadget along with the arguments, and registers the current continuation. Once the gadget’s response arrives, the current continuation is invoked using the response value as its argument. In contrast, the optimised proxy interfaces do not send any message to the gadget but rather create a batched future that represents the future value returned by the gadget. Once the value of a batched future is needed for determining the control flow in the integrator’s code (for instance, for deciding which branch of a conditional to take), all the pending requests are batched together and sent to the gadget. To this end, the proxy provides an interface GET_REAL_VALUE, whose code is given below, that receives as input a value and a continuation.

This interface checks whether its first argument is a mashic internal object (either a batched future or a value envelope, which is explained later in this section) in which case it registers the current continuation and dispatches all the pending requests to the gadget using a special proxy function called FLUSH.

Every time a batched future is created, it is registered in a special array bound to the global variable _batched_futures. We distinguish two types of batched futures: those that represent a value to be returned by the gadget – that we call simple batched futures – and those that represent a value to be computed by the integrator using a value returned by the gadget – that we call complex batched futures. Function FLUSH, whose code is given below, batches together and sends to the gadget all the requests corresponding to the registered batched futures up to the first complex batched future. Additionally, the global variable _current_batch_index is set to the index of the first complex batched future in the array of registered batched futures.

When the gadget’s message arrives with the responses for all pending requests, the function _message_handler is invoked. This function starts by transforming all the batched futures whose value is sent by the gadget into value envelopes that encapsulate their corresponding values. A value envelope is an object with a field _value that holds its corresponding value. After transforming the batched futures into value envelopes, the complex batched futures that depended on these simple batched futures are resolved, that is, their values are determined and they are transformed into value envelopes. If, after this process, there are still registered batched futures to determine, the function FLUSH is invoked again. Otherwise, the registered continuation is invoked.

The proxy interfaces in the integrator’s side must be changed in order to handle the two kind of batched futures and the value envelopes. In the original mashic runtimes the role of the proxy interfaces GET_PROPERTY, OBJ_PROP_ASSIGN, CALL_FUNCTION, CALL_METHOD, and NEW_OBJECT is to:

Create the message containing the request to the gadget;

Send the message to the gadget.

In the optimised version of mashic, the role of these interfaces is to determine whether the output of the corresponding operations should yield a “real” value, a simple batched future, or a complex batched future, generate the appropriate result, and immediately call the current continuation using it as its argument. The execution of GET_PROPERTY(g, prop, cont) calls the continuation cont with:

a simple batched future, if g is bound to an opaque object handle or simple batched future and prop to a string or a simple batched future;

a complex batched future, if g is bound to an object belonging to the integrator or a complex batched future and prop to a simple or complex batched future;

a “real” value, if g is bound to an object belonging to the integrator and prop to a string.

Note that these proxy interfaces must also take into account value envelopes. Namely, they have to unnest the real value they contain before applying the corresponding operation. Since binary operations may be performed on both value envelopes and batched futures, we introduce an additional proxy interface BINARY_OPERATION that takes care of all the possibly different cases.

Since messages are only dispatched to the gadget when the value it returns is required for determining the control flow on the integrator’s side, the optimised version of mashic can use a partial-CPS transformation. Hence, continuations are only generated in program points where the control flow is at stake, such as the guards of conditionals and loops, function calls, and method calls. The partial-CPS transformation has to combine CPS terms with non-CPS terms. Therefore, it has to consider several cases for each type of expression. However, to avoid cluttering the presentation, we assume in the rest of this section a full CPS transformation.

In order for the batching mechanism to work, the CPS transformation performed by the mashic compiler must be slightly modified. We illustrate the difference between the original and the optimized transformations using the examples of the rules for the conditional statement, the member selector, and the binary operation given in Fig. 15.

Fig. 15.

Optimised mashic-CPS transformation.

Given a member selector expression, the original mashic CPS transformation generates a conditional expression that checks whether the inspected object is an opaque object handle, in which case GET_PROPERTY is invoked in order to dispatch the corresponding request to the gadget. Contrastingly, the code generated by the optimised mashic compiler always invokes GET_PROPERTY whose role is to handle the property look-up, possibly generating a batched future. The compilation of a binary operation generates a call to the proxy library function – BINARY_OPERATION. Observe that one can invoke a binary operation on different types of batched futures, thus generating different types of batched futures. For instance, while invoking a binary operator on two simple batched futures yields a simple batched future, invoking a binary operator on a simple batched future and a complex batched future yields a complex batched future. In order to determine which branch to take, the compilation of a conditional statement must invoke GET_REAL_VALUE on the value to which the guard evaluates (since it can be a batched future).

The greater the number of messages that can be batched together, the greater the impact on performance of the optimised mashic compiler. In order to measure this impact, we wrote a simple mashup using Google Maps that randomly generates map markers inside a loop and then adds them to a map as shown in Fig. 16. While the mashup compiled using the original mashic sends a message to the gadget for each marker that is randomly generated, the mashup that is compiled using the optimised version sends to the gadget a single message containing the requests for the creation of all markers. The chart given in Fig. 17 illustrates the impact on performance of the batching transformation depending on the number of generated markers. Experimental results were obtained on Firefox 30.0 on a 2.4 GHz Intel Core i5 running OS X Version 10.9.3.

Fig. 16.

Map markers.

Fig. 17.

Comparison between mashic optimised version and original version.

8. Conclusion

We have proposed the Mashic compiler as an automatic process to secure existing real world mashups. The Mashic compiler can offer a significant practical advantage to developers in order to effortlessly write secure mashups without giving up on functionality. Compiled code is formally guaranteed to satisfy precisely defined integrity and confidentiality properties of integrator’s sensitive resources.

We do not address in this paper analysis to prevent security vulnerabilities introduced by the integrator’s code. Consider the following silly code:

This integrator will eval the result from calling the foo method of the opaque object handle opq_obj.

The gadget might return some string representing a malicious JavaScript program. Then the integrator will execute the malicious code with its own privilege. To avoid this kind of vulnerabilities, analysis of the integrator’s code is required. This is orthogonal to the current Mashic compilation: information flow analyses for JavaScript can be found for example in [16,19].

Mashic offers correctness guarantees only if untrusted gadgets are benign. This is a goal of the compiler and not a disadvantage: mashup behavior should not be the same if a gadget is malicious. If the gadget is malicious the programmer does not get any alert that the compiled secured mashup does not behave as the original mashup: an interesting future direction will be to provide JavaScript code analysis that will conservatively detect non-benign gadgets in order to alert the programmer.

Footnotes

Acknowledgments

We acknowledge anonymous reviewers for their useful comments on this article. This work has been partially supported by the ANR project AJACS ANR-14-CE28-0008.

References

[1]

Akhawe,

Barth,

P.E.

Lam,

J.C.

Mitchell and

Song, Towards a formal foundation of web security, in: CSF, 2010, pp. 290–304.

[2]

Barth,

Jackson and

Li, Attacks on JavaScript Mashup communication, in: W2SP2009, 2009.

[3]

Barth,

Jackson and

J.C.

Mitchell, Securing frame communication in browsers, Commun. ACM 52(6) (2009), 83–91.

[4]

Barth,

Weinberger and

Song, Cross-origin JavaScript capability leaks: Detection, exploitation, and defense, in: USENIX Security Symposium, 2009, pp. 187–198.

[5]

Bogle and

Liskov, Reducing cross domain call overhead using batched futures, in: OOPSLA, 1994.

[6]

Bohannon and

B.C.

Pierce, Featherweight Firefox: Formalizing the core of a web browser, in: Usenix Conference on Web Application Development (WebApps), 2010.

[7]

Boudol, Typing termination in a higher-order concurrent imperative language, Inf. Comput. 208 (2010), 716–736.

[8]

Crites,

Hsu and

Chen, OMash: Enabling secure web mashups via object abstractions, in: CCS, 2008, pp. 99–108.

[9]

Crockford, The <module> tag, 2010, available at: http://www.json.org.

10.

[10]

Crockford, ADsafe, 2011, available at: http://www.adsafe.org/.

11.

[11]

De Keukelaere,

Bhola,

Steiner,

Chari and

Yoshihama, Smash: Secure component model for cross-domain mashups on unmodified browsers, in: WWW, 2008.

12.

[12]ECMA, ECMAScript language specification, Technical report, ECMA, 2009, available at: http://www.ecma-international.org/.

13.

[13]

Efstathopoulos,

Krohn,

VanDeBogart,

Frey,

Ziegler,

Kohler,

Mazières,

Kaashoek and

Morris, Labels and event processes in the asbestos operating system, SIGOPS Oper. Syst. Rev. 39(5) (2005), 17–30.

14.

[14]Facebook Inc., Facebook JavaScript subset, 2011, available at: https://github.com/facebook/fbjs.

15.

[15]

Fournet,

Swamy,

Chen,

Dagand,

Strub and

Livshits, Fully abstract compilation to JavaScript, in: The 40th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL’13, 2013.

16.

[16]

Fragoso Santos and

Rezk, An information flow monitor-inlining compiler for securing a core of JavaScript, in: SEC,

Cuppens-Boulahia,

Cuppens,

Jajodia,

A.A.

El Kalam and

Sans, eds, IFIP Advances in Information and Communication Technology, Vol. 428, Springer, 2014, pp. 278–292, ISBN 978-3-642-55414-8.

17.

[17]Google Inc., Google Caja project, 2011, available at: http://code.google.com/p/google-caja/.

18.

[18]

Grossman,

J.G.

Morrisett and

Zdancewic, Syntactic type abstraction, TOPLAS 22 (2000), 1037–1080.

19.

[19]

Hedin and

Sabelfeld, Information-flow security for a core of JavaScript, in: IEEE Computer Security Foundations Symposium, CSF 2012, 2012.

20.

[20]

Hickson, HTML5, Technical report, W3C, May 2011.

21.

[21]

Ibrahim,

Jiao,

Tilevich and

W.R.

Cook, Remote batch invocation for compositional object services, in: ECOOP, 2009.

22.

[22]

Jackson and

H.J.

Wang, Subspace: Secure cross-domain communication for web mashups, in: WWW, 2007.

23.

[23]

Jang,

Jhala,

Lerner and

Shacham, An empirical study of privacy-violating information flows in JavaScript web applications, in: CCS, 2010.

24.

[24]

Le Hors,

Le Hegaret,

Nicol,

Robie,

Champion and

Byrne, Document Object Model (DOM) level 2 core specification, Technical report, W3C, November 2000.

25.

[25]

Loitsch, Scheme to JavaScript compilation, PhD thesis, Université de Nice-Sophia Antipolis, March 2009.

26.

[26]

M.T.

Louw,

K.T.

Ganesh and

V.N.

Venkatakrishnan, AdJail: Practical enforcement of confidentiality and integrity policies on web advertisements, in: USENIX Security Symposium, 2010.

27.

[27]

Luo and

Rezk, Mashic compiler: Sandboxing using inter-frame communication, in: IEEE Computer Security Foundations Symposium, CSF 2012, 2012.

28.

[28]

Maffeis,

J.C.

Mitchell and

Taly, An operational semantics for JavaScript, in: APLAS, LNCS, Vol. 5356, 2008, pp. 307–325.

29.

[29]

Maffeis,

J.C.

Mitchell and

Taly, Object capabilities and isolation of untrusted web applications, in: IEEE Security and Privacy, 2010.

30.

[30]

Maffeis and

Taly, Language-based isolation of untrusted JavaScript, in: CSF, IEEE, 2009, pp. 77–91.

31.

[31]

Nikiforakis,

Invernizzi,

Kapravelos,

Van Acker,

Joosen,

Kruegel,

Piessens and

Vigna, You are what you include: Large-scale evaluation of remote JavaScript inclusions, in: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS’12, 2012.

32.

[32]

J.G.

Politz,

Guha and

Krishnamurthi, Typed-based verification of web sandboxes, Journal of Computer Security 22(4) (2014), 511–565, doi:10.3233/JCS-140504.

33.

[33]

Sabelfeld and

A.C.

Myers, Language-based information-flow security, IEEE Journal on Selected Areas in Communications 21(1) (2006), 5–19.

34.

[34]

Sabelfeld and

A.C.

Myers, A model for delimited information release, in: Software Security – Theories and Systems, Second Mext-NSF-JSPS International Symposium, ISSS 2003, Tokyo, Japan, 4–6 November 2003, Revised Papers, LNCS, 2004, pp. 174–191.

35.

[35]The Mashic compiler website, available at: http://www-sop.inria.fr/indes/mashic/.

36.

[36]

Vinoski, CORBA: Integrating diverse applications within distributed heterogeneous environments, IEEE Communications Magazine 35(2) (1997), 46–55.

37.

[37]

H.J.

Wang,

Fan,

Howell and

Jackson, Protection and communication abstractions for web browsers in MashupOS, in: SOSP’07, 2007, pp. 1–16, ISBN 978-1-59593-591-5.

38.

[38]

Yue and

Wang, A measurement study of insecure JavaScript practices on the web, ACM Trans. Web 7(2) (2013), Article No. 7.

39.

[39]

Zeldovich,

Boyd-Wickizer,

Kohler and

Mazières, Making information flow explicit in histar, in: Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation, OSDI’06, Vol. 7, 2006.

Mashic compiler: Mashup sandboxing based on inter-frame communication

Abstract

Keywords

1. Introduction

3.2. Heaps

3.5. Semantics rules

3.6. DOM semantics rules

2 We do not explicitly mention the heap h when there is no ambiguity.

Example 3 (Decorated global object).

4. Compilation overview

4.1. Opaque object handle

Definition 1 (Decorated original mashup).

Definition 2 (Mashic compilation).

Definition 3 (Bootstrapping script).

5. Correctness theorem

5.1. Preliminary definitions

Definition 4 (Correct marshal/unmarshal for S).

Definition 5 (Benign gadget heap).

Example 7 (Benign heap).

Example 8 (Benign gadget example).

Definition 7 (Reachability).

Definition 8 (Correct integrator for f, f − 1 , V ).

Example 9 (Correct integrator prototype chain).

5.2. Indistinguishability and correctness

Definition 9 (Scope object).

Definition 10 (Scope chain).

Definition 12 (Value indistinguishability).

Definition 13 (Object indistinguishability).

Example 10 (Object indistinguishability).

Definition 14 (Heap indistinguishability).

Theorem 1 (Correctness).

5.3. Auxiliary definitions and lemmas

Definition 15 (Decorated intermediate compilation).

Definition 17 (Strong heap indistinguishability).

Lemma 3 (Scope look-up).

Proof. Straightforward by Definition 11 and Definition of Scope ( _ , _ , _ ) in semantics rules. □ We formally define the shape of an opaque object handle. Definition 18 (Opaque object handle).

Example 11 (Gadget modifies native functions).

Definition 20 (Decorated Mashic compilation (for security theorem)).

Example 12 (Integrity violation).

Example 13 (Confidentiality violation).

Theorem 2 (Security guarantee of integrator).

7. Implementation and case studies

3 http://www-sop.inria.fr/mimosa/fp/Bigloo/.

Footnotes

Acknowledgments

References

²
We do not explicitly mention the heap h when there is no ambiguity.

Definition 8 (Correct integrator for f, $f^{- 1}$ , $V$ ).

Proof.
Straightforward by Definition 11 and Definition of $Scope (_,_,_)$ in semantics rules. □

We formally define the shape of an opaque object handle.
Definition 18 (Opaque object handle).

³
http://www-sop.inria.fr/mimosa/fp/Bigloo/.