Functional EDSLs for Web Applications

This thesis aims to make the development of complex web applications easier,faster and safer through the application of strongly typedfunctional programming techniques.Traditional web applications are commonly written in the de facto standardlanguage of the web, JavaScript, which, being untyped, provides no guaranteesregarding the data processed by programs, increasing the burden of testing anddefensive programming.Modern web applications are often highly complex, with multipleinterdependent parts interacting over the Internet.Such applications are traditionally implemented with each component as aseparate program, exposing its functionality to other components throughdifferent API:s over some communication protocol such as HTTP.This process is mostly manual, and thus error-prone and labour intensive,with accidental API incompatibility between components being particularlyproblematic.Even in a conventional typed language, the absence of such incompatibilitiesis not guaranteed.While the different components may well be type-safe in isolation, there is noguarantee that the whole is type-safe as the communication between componentsis not type-checked.We present a web application development framework, based on the Haskellprogramming language, to increase programmer productivity and software qualityby addressing these issues.In our framework, applications with an arbitrary number of components arewritten, compiled and type-checked as a single program, guaranteeing that theapplication as a whole, including network communication, is type-safe.Communication between components is automatically generated by our framework,eliminating the risk of API incompatibilities completely.Additionally, our framework includes astate-of-the-art compiler from Haskell to JavaScript,a novel, lightweight foreign function interface to allow programs to leverageexisting JavaScript code, an embedded language for integrating low-level,high-performance kernels into otherwise high-level web applications, as well asa highly expressive relational database language

Interactive computer vision through the Web

Computer vision is the computational science aiming at reproducing and improving the ability of human vision to understand its environment. In this thesis, we focus on two fields of computer vision, namely image segmentation and visual odometry and we show the positive impact that interactive Web applications provide on each. The first part of this thesis focuses on image annotation and segmentation. We introduce the image annotation problem and challenges it brings for large, crowdsourced datasets. Many interactions have been explored in the literature to help segmentation algorithms. The most common consist in designating contours, bounding boxes around objects, or interior and exterior scribbles. When crowdsourcing, annotation tasks are delegated to a non-expert public, sometimes on cheaper devices such as tablets. In this context, we conducted a user study showing the advantages of the outlining interaction over scribbles and bounding boxes. Another challenge of crowdsourcing is the distribution medium. While evaluating an interaction in a small user study does not require complex setup, distributing an annotation campaign to thousands of potential users might differ. Thus we describe how the Elm programming language helped us build a reliable image annotation Web application. A highlights tour of its functionalities and architecture is provided, as well as a guide on how to deploy it to crowdsourcing services such as Amazon Mechanical Turk. The application is completely opensource and available online. In the second part of this thesis we present our open-source direct visual odometry library. In that endeavor, we provide an evaluation of other open-source RGB-D camera tracking algorithms and show that our approach performs as well as the currently available alternatives. The visual odometry problem relies on geometry tools and optimization techniques traditionally requiring much processing power to perform at realtime framerates. Since we aspire to run those algorithms directly in the browser, we review past and present technologies enabling high performance computations on the Web. In particular, we detail how to target a new standard called WebAssembly from the C++ and Rust programming languages. Our library has been started from scratch in the Rust programming language, which then allowed us to easily port it to WebAssembly. Thanks to this property, we are able to showcase a visual odometry Web application with multiple types of interactions available. A timeline enables one-dimensional navigation along the video sequence. Pairs of image points can be picked on two 2D thumbnails of the image sequence to realign cameras and correct drifts. Colors are also used to identify parts of the 3D point cloud, selectable to reinitialize camera positions. Combining those interactions enables improvements on the tracking and 3D point reconstruction results

Optimizing JavaScript Engines for Modern-day Workloads

In modern times, we have seen tremendous increase in popularity and usage of web-based applications. Applications such as presentation softwareand word processors, which were traditionally considered desktop applications are being ported to the web by compiling them to JavaScript. Since JavaScript is the de facto language of the web, JavaScript engine performance significantly affects the overall web application experience. JavaScript, initially intended solely as a client-side scripting language for web browsers, is now being used to implement server-side web applications (node.js) that traditionally have been written in languages like Java. Web application developers expect "C"-like performance out of their applications. Thus, there is a need to reevaluate the optimization strategies implemented in the modern day engines.Thesis statement: I propose that by using run-time and ahead-of-time profiling and type specialization techniques it is possible to improve the performance of JavaScript engines to cater to the needs of modern-day workloads.In this dissertation, we present an improved synergistic type specialization strategy for optimized JavaScript code execution, implemented on top of a research JavaScript engine called MuscalietJS. Our technique combines type feedback and type inference to reinforce and augment each other in a unique way. We then present a novel deoptimization strategy that enables type specialized code generation on top of typed, stack-based virtual machines like CLR. We also describe a server-side offline profiling technique to collect profile information for web application which helps client JavaScript engines (running in the browser) avoid deoptimizations and improve performance of the applications. Finally, we describe a technique to improve the performance of server-side JavaScript code by making use of intelligent profile caching and two new type stability heuristics

Software-Based Techniques for Protecting Return Addresses

Protecting computing systems against cyberattacks should be put high on the agenda. For example, Colonial Pipeline, an American oil pipeline system, suffered a cyberattack that impacted its computerized equipment managing the pipeline, leading to a state of emergency declared by President Joe Biden in May, 2021. As reported by Microsoft Security Response Center, attackers are unanimously corrupting the stack and most Control Flow Guard (CFG) improvements will provide little value-add until stack protection loads. Shadow stacks play an important role in protecting backward edges (return addresses on the call stack) to mitigate Return-Oriented Programming (ROP) attacks. Control-Flow Integrity (CFI) techniques often focus on protecting forward edges (indirect calls via function pointers and virtual calls) and assume that backward edges are protected by shadow stacks. However, the cruel reality is that shadow stacks are still not widely deployed due to compatibility, performance or security deficiencies. In this thesis, we propose three novel techniques for protecting return addresses. First, by adding one level of indirection, we introduce BarRA, the first shadow stack mechanism that applies continuous runtime re-randomization to abstract return addresses for protecting their corresponding concrete return addresses (also protected by CFI) for single-threaded programs, thus avoiding expensive pointer tracking. As a nice side-effect, BarRA naturally combines the shadow stack, CFI and runtime re-randomization in the same framework. Second, without reserving any dedicated register, we propose a novel threadlocal storage mechanism, STK-TLS, that is both efficient and free of compatibility issues. We also present a new microsecond-level runtime re-randomization technique (without relying on information hiding or MMU), STK-MSR, to mitigate information disclosure attacks and protect the shadow stack with 64-bit entropy. Based on STK-TLS and STK-MSR, we have implemented a novel stack layout (referred to as Bustk), that is highly performant, compatible with existing code, and provides meaningful security for single- and multi-threaded server programs. Third, by fast-moving safe regions in the large 47-bit user space (based on MMU), we design a practical shadow stack, FlashStack, for protecting return addresses in single- and multi-threaded programs (including browsers) running under 64-bit Linux on x86-64. FlashStack introduces a novel lightweight instrumentation mechanism, a continuous shuffling scheme for the shadow stack in user space, and a new dual-prologue approach for a protected function to mitigate the TOCTTOU attacks (constructed by Microsoft s red team), information disclosure attacks, and crash-resistant probing attacks