Really. JavaScript.
Douglas Crockford
Yahoo!
The World’s Most Popular Programming Language
The World’s Most Unpopular Programming Language
Scheme, Self, Java
LiveScript
JavaScript
ECMAScript
The web was a disappointment as an
application delivery system.
Page replacement too inefficient.
Java applets failed.
No one believed in JavaScript.
The Web Is Dead.
The future is not document retrieval.
The future is distributed programming.
“Another software technology will come along and kill off the Web... And that judgment day will arrive very soon -- in the next two to three years.”
George F. Colony
Chairman of the Board and CEO
Forrester Research, Inc. [2000]
http://web.archive.org/web/20001019084041/http://www.forrester.com/ER/Marketing/1,1503,214,FF.html
Microsoft abandoned the web.
AJAX! JavaScript gets a second chance.
Reasons to Hate JavaScript
• It has bad parts.
• The DOM is awful.
• It isn’t Java, C#, C++, Python, Ruby, …
• It didn’t die.
There are reasons to like JavaScript
It has good parts.
JavaScript is a functional language with dynamic
objects and familiar syntax.
It scales from beginners to masters.
JavaScript is especially effective in an event-driven
application model.
Programs in JavaScript can be significantly smaller than
equivalent programs in other languages.
But you must learn to think in JavaScript.
Beyond the browser
• Applications.
• Operating Systems.
• Databases.
• Mobile.
• Consumer electronics.
• Servers.
Can we make JavaScript a better language?
The web is difficult to change.
The most effective way to make JavaScript a better
language is to remove the bad parts.
JSLint.com
Avoid forms that are difficult to distinguish from
errors.
JSLint.com
Correct the {block scope} problem.
New let and const statements to replace var.
Better support for variadic functions
The arguments array has lots of problems.
New syntax is useless if you must support older browsers.
New syntax === syntax errors
IE6 is fading very slowly.
Five years ago I predicted that IE6 would fade away in five
years.
There are more obsolete copies of IE in use than Opera, Safari, and Chrome combined.
IE6 is hanging on because we are allowing it to hang on.
IE6MUSTDIE!
Decimal?
0.1 + 0.2 !== 0.3
A better target for compilation?
JavaScript has become the world’s virtual machine.
An intermediate representation?
Macros?
Threads?
Tail Calls?
return func();
More like _______?
Exciting new features?
Readability.
Significant efficiency.
Security?
XSS
What can an attacker do if he gets some script into
your page?
An attacker can request additional scripts from any
server in the world.
Once it gets a foothold, it can obtain all of the scripts it
needs.
An attacker can read the document.
The attacker can see everything the user sees.
An attacker can make requests of your server.
Your server cannot detect that the request did not originate
with your application.
If your server accepts SQL queries, then the attacker gets
access to your database.
SQL was optimized for SQL Injection Attacks.
An attacker has control over the display and can request information from the user.
The user cannot detect that the request did not originate with
your application.
An attacker can send information to servers anywhere in the world.
The browser does not prevent any of these.
Web standards require these weaknesses.
The consequences of a successful attack are horrible.
Harm to customers. Loss of trust.
Legal liabilities.
Cross site scripting attacks were invented in 1995.
We made no progress on the fundamental problems in 14
years.
Why is there XSS?
• The web stack is too complicated. Too many languages, each with its own encoding, quoting, commenting, and escapement conventions. Each can be nested inside of the others. Browsers do heroic things to make sense of malformed content.
• Template-based web frameworks are optimized for XSS injection.
Why is there XSS?
• The JavaScript global object gives every scrap of script the same set of powerful capabilities.
• As bad as it is at security, the browser is a vast improvement over everything else.
• The browser does distinguish between the interests of the user and the interests of the site.
• The browser failed to anticipate that there could be additional interests.
Fundamentally, XSS is a confusion of interests.
It is dangerous and must be corrected now.
Solving the XSS problem should be our #1 priority.
We cannot tolerate web standards that make things
worse.
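The slides above say that a foothold of script in the page gives the attacker everything, and that template frameworks are "optimized for XSS injection" because each nested language has its own escaping rules. The following is an added example, not code from Crockford's slides: a naive string template beside a context-aware one, with a separate escaper for HTML text and for a JavaScript string literal inside a script block. The function names and the sample input are constructed for illustration.

```javascript
// Added example, not from Crockford's slides: one naive template beside a
// context-aware one. The function names and the sample input are constructed.

// Escaper for HTML text content and double-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Escaper for a value embedded as a string literal inside a <script> block.
// JSON.stringify handles quotes and backslashes; '<' is additionally written
// as \u003c so the HTML parser never sees a "</script>" inside the literal.
function escapeJsString(value) {
  return JSON.stringify(String(value)).replace(/</g, '\\u003c');
}

// Naive template: the same untrusted string is pasted into two different
// nesting contexts (HTML text, then a JS string literal) with no escaping.
function renderUnsafe(name) {
  return '<p>Hello, ' + name + '</p>\n' +
         '<script>var user = "' + name + '";</script>';
}

// Context-aware template: each insertion point uses the escaper for its context.
function renderSafe(name) {
  return '<p>Hello, ' + escapeHtml(name) + '</p>\n' +
         '<script>var user = ' + escapeJsString(name) + ';</script>';
}

// Counts tag-start characters. With the safe template this number is fixed by
// the template author and cannot be changed by the input.
function tagStarts(html) {
  return (html.match(/</g) || []).length;
}

// Constructed untrusted input: an apostrophe, a quote, a closing script tag
// and a new tag, i.e. characters that matter in both nesting contexts.
const untrusted = 'O\'Brien "</script><b>';
const templateOwnedTags = tagStarts(renderSafe('plain'));

console.log(renderUnsafe(untrusted)); // the input's tags now count as markup
console.log(renderSafe(untrusted));   // tag count equals templateOwnedTags
```

The point of `tagStarts` is the check a defender can apply to any template: the number of tags in the output must be decided by the template, never by the data. The unsafe render fails that check because the input's `</script><b>` becomes markup in both the HTML and the script context.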
Mashups!
A mashup is a self-inflicted XSS attack.
Advertising is a mashup.
Advertising is a self-inflicted XSS attack.
Safe JavaScript Subsets
Deny access to the global object and the DOM.
Caja. http://code.google.com/p/google-caja/
ADsafe. http://www.ADsafe.org/
ECMAScript Fifth Edition Strict
December 2009
ES5/Strict makes it possible to have static verification of
third party code without over-constraining the programming model.
The best of both Caja and ADsafe.
There is still more work to be done
• ES5/Strict cannot protect the page from XSS script injection.
• ES5/Strict can protect the page from the widgets, but it cannot protect the widgets from the page.
• ES5/Strict is an important step toward a programming model in which multiple interests can cooperate for the user’s benefit without compromising each other or the user.
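To make concrete why ES5/Strict helps when verifying third-party code, here is an added example that is not from Crockford's slides. Each snippet is built with the `Function` constructor so that its own `"use strict"` directive (or its absence) decides the mode, whatever mode the surrounding file runs in; the snippet texts and helper names are constructed.

```javascript
// Added example, not from Crockford's slides: what ES5 strict mode changes
// for code you did not write. Each snippet is built with the Function
// constructor so its own "use strict" directive (or its absence) decides the
// mode, regardless of how this file itself is loaded. Snippets are constructed.

// Called with no receiver, a sloppy function sees the global object as `this`;
// a strict function sees undefined, so it cannot reach the global object that way.
const sloppyThis = new Function('return this;');
const strictThis = new Function('"use strict"; return this;');

function reachesGlobalObject(fn) {
  return fn() === globalThis;
}

// Runs a snippet and reports either 'ran' or the name of the error it threw.
function runAndClassify(src) {
  try {
    new Function(src)();
    return 'ran';
  } catch (e) {
    return e.constructor.name;
  }
}

// Assignment to an undeclared name: sloppy mode silently creates a global
// (which any later script can find); strict mode throws a ReferenceError,
// so a verifier can reject such code instead of trusting the runtime.
const SLOPPY_UNDECLARED = 'exampleLeakedGlobal = 1;';
const STRICT_UNDECLARED = '"use strict"; exampleLeakedGlobal2 = 1;';

// Writing to a frozen object: sloppy mode fails silently and keeps the old
// value; strict mode throws a TypeError. Freezing shared objects is only a
// reliable defence when the code touching them runs in strict mode.
const frozen = Object.freeze({ x: 1 });
const sloppyWrite = new Function('o', 'o.x = 2; return o.x;');
const strictWrite = new Function('o', '"use strict"; o.x = 2; return o.x;');

function writeOutcome(fn, obj) {
  try {
    return String(fn(obj));
  } catch (e) {
    return e.constructor.name;
  }
}

// Collects the six outcomes in one object so they can be compared side by side.
function summary() {
  const s = {
    sloppyReachesGlobal: reachesGlobalObject(sloppyThis),
    strictReachesGlobal: reachesGlobalObject(strictThis),
    sloppyUndeclared: runAndClassify(SLOPPY_UNDECLARED),
    strictUndeclared: runAndClassify(STRICT_UNDECLARED),
    sloppyFrozenWrite: writeOutcome(sloppyWrite, frozen),
    strictFrozenWrite: writeOutcome(strictWrite, frozen)
  };
  delete globalThis.exampleLeakedGlobal; // remove the global the sloppy snippet created
  return s;
}

console.log(summary());
```

Each pair shows the same text behaving differently depending only on the mode, which is why a static verifier such as the Caja or ADsafe approach can reason about strict code but not about sloppy code: in sloppy mode the global object is reachable through a bare `this`, an undeclared assignment, or a silently ignored write to a frozen primordial.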
IE6MUSTDIE!
ES5/Strict does not solve the XSS problem.
Fixing ECMAScript is a necessary step.
But it is also necessary to fix the DOM.
The DOM is an awful API.
It inflicts tremendous pain on developers.
It enables XSS attacks.
HTML5
A big step in the wrong direction.
How HTML5 makes things worse
1. It is complicated. Complexity is the enemy of security.
2. It gives powerful new capabilities to the attacker, including access to the local database.
3. HTML5 will take a long time to complete. Does a solution to the XSS problem have to wait until HTML6?
Reset.
• Throw the current HTML5 proposal out and start over.
• The new charter makes the timely solution of the XSS problem the highest priority.
• The old HTML5 set can be mined for good ideas as long as that does not undermine the prime directive.
The Next Browser Standard
• HTML4/ECMAScript 5 Compatibility mode to support old applications.
• An opt-in safe mode that has a new HTML language, ECMAScript 6, and a new DOM.
• The new DOM should look like an Ajax library.
Many popular approaches to security fail.
• Security by inconvenience. (TSA)
• Security by obscurity.
• Security as identity.
• Security by vigilance.
Security can fall out of good software design.
Information Hiding
Need to know
David Parnas, “On the Criteria to Be Used in Decomposing Systems into Modules.” (1972)
A reference is a capability.
Capability Hiding
Need to do
There are exactly three ways to obtain a reference in an
object capability security system.
1. By Creation.
2. By Construction.
3. By Introduction.
1. By Creation
If a function creates an object, it gets a reference to that
object.
2. By Construction
An object may be endowed by its constructor with references.
This can include references in the constructor’s context and inherited
references.
3. By Introduction
A has references to B and C. B has no references, so it cannot communicate with A or C. C has no references, so it cannot communicate with A or B.
A calls B, passing a reference to C.
B is now able to communicate with C. It has the capability.
If references can only be obtained by Creation,
Construction, or Introduction, then you may have a safe
system.
If references can be obtained in any
other way, you do not have a safe
system.
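The A, B, C scenario above, modelled in JavaScript as an added example (not code from Crockford's slides). The three objects are closures: C's state exists because C created it (Creation), A is endowed with references to B and C by its constructor (Construction), and B can reach C only after A passes the reference along (Introduction). Object and function names are constructed for illustration.

```javascript
// Added example, not from Crockford's slides: the A/B/C introduction
// scenario built from closures. Names are illustrative.

// By Creation: makeC creates the `received` array, so C holds the only
// reference to it and decides what, if anything, others may do with it.
function makeC() {
  const received = [];
  return {
    receive(msg) { received.push(msg); },
    count() { return received.length; }
  };
}

// B starts with no references at all. It can only talk to what it is handed.
function makeB() {
  let peer = null; // hidden in the closure: no global lookup can find it
  return {
    // By Introduction: A calls this, passing a reference to C.
    introduce(ref) { peer = ref; },
    // B can communicate with C only after the introduction.
    send(msg) {
      if (peer === null) return false;
      peer.receive(msg);
      return true;
    }
  };
}

// By Construction: A's constructor endows it with references to B and C.
function makeA(b, c) {
  return {
    connectBtoC() { b.introduce(c); }
  };
}

// Runs the three slides in order and reports what B could do at each step.
function scenario() {
  const c = makeC();
  const b = makeB();
  const a = makeA(b, c);
  const before = b.send('hello'); // false: B has no reference to C yet
  a.connectBtoC();                // A introduces B to C
  const after = b.send('hello');  // true: B now holds the capability
  return { before, after, delivered: c.count() };
}

console.log(scenario()); // { before: false, after: true, delivered: 1 }
```

Nothing in this code lets B discover C by name, which is the property the slides call a safe system: every reference B holds arrived through one of the three sanctioned routes. The contrast with the slide on the global object is direct: if C had been stored as a global, B could have found it without any introduction, and the capability discipline would be gone.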
ECMAScript is being transformed into an Object
Capability Language.
The browser must be transformed into an Object
Capability System.
The Lazy Programmer’s Guide to Secure Computing
Marc Stiegler
http://www.youtube.com/watch?v=eL5o4PFuxTY
The Web is important enough to fix.
HTML5 does not fix the web.
It makes it worse.
Reset HTML5 and start over.