Static Verification for Web Scripting Languages
Ravi Chugh (UC San Diego)
CSE 520 Colloquium
Thursday, April 18, 2013, 3:30pm
EEB-105
Abstract
Modern web applications are developed largely in so-called "dynamic" or "scripting" languages like JavaScript, PHP, and Python. In addition to being untyped, these languages sport several features -- run-time type tests, value-indexed dictionaries, and dynamic code loading -- that make it easy to rapidly prototype and to glue together applications from disparate components. As applications grow large, however, the lack of static typing makes it difficult to achieve reliability and
maintainability. Moreover, third-party code like ads and browser extensions are routinely downloaded and run in the client's browser, and the flexibility of scripting languages makes it hard to ensure security.
In the first part of this talk, I will present Dependent JavaScript (DJS), a statically typed dialect that facilitates precise reasoning about JavaScript and other web scripting languages. I will describe the major obstacles that have stymied prior attempts at static reasoning for JavaScript, and I'll outline how DJS overcomes them using several key innovations based on refinement types.
In the second part of the talk, I will show how to build on DJS to verify security properties of third-party JavaScript. After describing preliminary experiments that use DJS to author provably-secure JavaScript browser extensions, I will identify several future directions of work that will lead to a platform for fine-grained web security.
Bio:
Ravi Chugh is a Computer Science Ph.D. student at UC San Diego and holds master's and bachelor's degrees from the University of Pennsylvania. Ravi's research interests include developing programming language techniques (such as type systems, dataflow analyses, and run-time instrumentation) to improve software reliability.