The Next 700 Semantics: A Research Challenge

Modern systems consist of large numbers of languages, frameworks, libraries, APIs, and more. Each has characteristic behavior and data. Capturing these in semantics is valuable not only for understanding them but also essential for formal treatment (such as proofs). Unfortunately, most of these systems are defined primarily through implementations, which means the semantics needs to be learned. We describe the problem of learning a semantics, provide a structuring process that is of potential value, and also outline our failed attempts at achieving this so far

A Formal Model for Checking Cryptographic API Usage in JavaScript

Grade 4 Classroomhttps://egrove.olemiss.edu/phay_yalo/1072/thumbnail.jp

Validating Formal Semantics by Property-Based Cross-Testing

To describe the behaviour of programs in a programming language we can define a formal semantics for the language, and formalise it in a proof assistant. From this semantics we can derive the behaviour of each particular program in the language. But there remains the question of validating the formal semantics: have we got the formalisation right? Our approach is to use property-based cross-testing of formal semantics, which is based on the combination of a number of existing approaches to validation. In particular, we give a concrete implementation of our ideas for a set of formalisations of Erlang and Core Erlang. We describe the adjustments that need to be made to execute these seman- tics, then we present and evaluate property-based testing in the context of cross-checking semantics, including random program generation and counterexample shrinking

Information Flow Control in WebKit's JavaScript Bytecode

Websites today routinely combine JavaScript from multiple sources, both trusted and untrusted. Hence, JavaScript security is of paramount importance. A specific interesting problem is information flow control (IFC) for JavaScript. In this paper, we develop, formalize and implement a dynamic IFC mechanism for the JavaScript engine of a production Web browser (specifically, Safari's WebKit engine). Our IFC mechanism works at the level of JavaScript bytecode and hence leverages years of industrial effort on optimizing both the source to bytecode compiler and the bytecode interpreter. We track both explicit and implicit flows and observe only moderate overhead. Working with bytecode results in new challenges including the extensive use of unstructured control flow in bytecode (which complicates lowering of program context taints), unstructured exceptions (which complicate the matter further) and the need to make IFC analysis permissive. We explain how we address these challenges, formally model the JavaScript bytecode semantics and our instrumentation, prove the standard property of termination-insensitive non-interference, and present experimental results on an optimized prototype

JaVerT: JavaScript verification toolchain

The dynamic nature of JavaScript and its complex semantics make it a difficult target for logic-based verification. We introduce JaVerT, a semi-automatic JavaScript Verification Toolchain, based on separation logic and aimed at the specialist developer wanting rich, mechanically verified specifications of critical JavaScript code. To specify JavaScript programs, we design abstractions that capture its key heap structures (for example, prototype chains and function closures), allowing the developer to write clear and succinct specifications with minimal knowledge of the JavaScript internals. To verify JavaScript programs, we develop JaVerT, a verification pipeline consisting of: JS-2-JSIL, a well-tested compiler from JavaScript to JSIL, an intermediate goto language capturing the fundamental dynamic features of JavaScript; JSIL Verify, a semi-automatic verification tool based on a sound JSIL separation logic; and verified axiomatic specifications of the JavaScript internal functions. Using JaVerT, we verify functional correctness properties of: data-structure libraries (key-value map, priority queue) written in an object-oriented style; operations on data structures such as binary search trees (BSTs) and lists; examples illustrating function closures; and test cases from the official ECMAScript test suite. The verification times suggest that reasoning about larger, more complex code using JaVerT is feasible

Formalización de la semántica del lenguaje de programacion Lua

Los lenguajes de "script" cumplen hoy un papel importante en el desarrollo de aplicaciones, ofreciendo conceptos para la programación, que pueden extender aquellos presentes en el lenguaje empleado para implementar la arquitectura de una aplicación. Lua es un lenguaje pensado para ser utilizado como una herramienta para la programación, de propósito específico, para implementar código a ejecutarse embebido en una aplicación anfitrión. Presenta conceptos útiles para el desarrollo ágil de código, como tipado dinámico y gestión automática de memoria, como también mecanismos de reflexión, que permiten adaptarlo a dominios específicos. Actualmente, existe un interes en disponer de un modelo formal del lenguaje que permita el desarrollode herramientas para verificar propiedades sobre programas escritos en Lua. En el presente trabajo, proponemos una semántica operacional para un subconjunto de los conceptos del lenguaje Lua y los servicios ofrecidos por su librera estandar. Empleando la herramienta PLT Redex, realizamos una transcripción del modelo obtenido y efectuamos pruebas de conformidad del mismo con respecto al intérprete de Lua, version 5.2, empleando su propia suite de pruebas

A trusted infrastructure for symbolic analysis of event-based web APIs

JavaScript has been widely adopted for the development of Web applications, being used for both client and server-side code. Client-side JavaScript programs commonly interact with Web APIs, for instance, to capture the user interaction with the Web page via events. The use of such APIs increases the complexity of JavaScript programs. In fact, most errors in these programs are caused by the misuse of Web APIs. There are several approaches for detecting errors in client-side JavaScript programs, but they either assume the use of a single API or do not model APIs faithfully, giving rise to inconsistent behaviour and lack of trust. We address the problem by developing a trustworthy infrastructure for the static analysis of Web APIs. We focus on two aspects of JavaScript programs: event-driven and message-passing programming, as these paradigms are common sources of confusion among developers. We choose to target the DOM event model and the JavaScript Promises and JavaScript async/await, which facilitate event-driven programming. Additionally, we target the message-passing model of the WebMessaging and WebWorkers APIs. We design formal semantics for events and message-passing to capture fundamental operations required by those APIs, and API reference implementations which are trustworthy in that they follow the respective standards and have been thoroughly tested against their official test suites. Using our formal semantics and reference implementations, we develop JaVerT.Click, the first static symbolic execution tool for JavaScript supporting both event-based and message-passing APIs. We evaluated both the reference implementations and the symbolic execution engine of JaVerT.Click. By testing the reference implementations against their official test suites, we found coverage gaps and issues in the test suites, most of which have been since fixed. By testing the symbolic execution engine against three open-source libraries, we established the bounded correctness of functional properties and found real bugs.Open Acces

Semántica operacional y su aplicación para el estudio de recolección de basura, en Lua 5.2

Tesis (Doctor en Ciencias de la Computación)--Universidad Nacional de Córdoba, Facultad de Matemática, Astronomía, Física y Computación, 2021.Lua es un lenguaje de programación imperativo de scripting, que ofrece tipado dinámico, manejo automático de memoria, facilidades para la descripción de datos, y mecanismos de metaprogramación para adaptar el lenguaje a dominios específicos. Es utilizado en proyectos de diversa naturaleza, desde desarrollo de juegos, de manera notable en juegos “AAA”, desarrollo de plugins, firewall de aplicaciones web, y en sistemas embebidos. Gracias al éxito de Lua es posible encontrar diversas implementaciones alternativas y analizadores estáticos. Sin embargo, la naturaleza informal de la especificación del lenguaje implica que quienes desarrollan esas herramientas no pueden proveer garantías formales de corrección para las mismas. En este trabajo presentamos una formalización de la semántica operacional de Lua 5.2, incluyendo recolección de basura (GC) y sus interfaces (finalizadores y tablas débiles; una forma de implementar referencias débiles). Validamos la semántica mediante su mecanización, utilizando PLT Redex, y el testeo de la misma con respecto a la suite de tests del intérprete oficial de Lua. A su vez, utilizamos las facilidades ofrecidas por PLT Redex para la mecanización de sistemas formales y testeo aleatorio de propiedades, para obtener evidencia de la propiedad de progreso de la semántica. Para GC proveemos un framework para razonar formalmente sobre propiedades de cualquier algoritmo de GC basado en un criterio sintáctico. Dentro del framework podemos formalizar y esbozar la demostración de propiedades sobre GC, incluyendo su corrección (sin considerar sus interfaces). La semántica formalizada y su mecanización podrían ayudar a proveer garantías formales de corrección para herramientas que realicen análisis estático de programas Lua, como también en el prototipado de nuevos conceptos de programación y extensiones para Lua.Lua is a lightweight imperative scripting language, featuring dynamic typing, automatic memory management, data description facilities, and metaprogramming mechanisms to adapt the language to specific domains. It is extensively used in projects ranging from game development, most notably by “AAA” games, plugin development, web application firewalls, and embedded systems. Thanks to Lua’s success,several alternative implementations and static analyzers can be found in the wild. However, the informal nature of the language’s specification means that developers of those tools cannot provide formal guarantees of correctness for them. In this work we present a formalization of Lua 5.2’s operational semantics, including garbage collection (GC) and its interfaces (finalizers and weak tables; a particular implementation of weak references). We validate our model by mechanizing it, using PLT Redex, and testing it against the test suite of the reference interpreter of Lua. Also, we use the features provided by PLT Redex for the mechanization of formal systems and random testing of properties, to gather evidence for the progress property of the semantics. For GC we provide a framework for formal reasoning of properties of any GC algorithm based on a syntactic criterion. Within the given framework we are able to formalize and sketch the proof of several claims about GC, including its correctness (without its interfaces). The formalized semantics and its mechanization could help to provide formal guarantees of correctness for tools that perform static analysis of Lua programs, as well as for the prototyping of new features and extensions to Lua.publishedVersionFil: Soldevila Raffa, Mallku Ernesto. Universidad Nacional de Córdoba. Facultad de Matemática, Astronomía, Física y Computación; Argentina