May 7-10, 2017 Asilomar, California

Fission: Dynamic code-splitting for JavaScript

Arjun Guha, Jean Baptiste Jeannin, Rachit Nigam, Rian Shambaugh and Jane Tangen

JUSTIFICATION STATEMENT
Two decades after the introduction of JavaScript, Web security remains
a challenging problem. Although modern JavaScript has several
cutting-edge features, it cannot escape its historical baggage that
makes it hard to write secure code. Popular server-side technologies,
such as Django, Ruby on Rails, and NodeJS suffer similar security
issues. Moreover, many security problems, such as input validation and
code injection errors, occur at the interface between the client and
the server.
The programming languages research community has proposed many
solutions to the Web security problem. On one hand, sophisticated type
systems and program analyses have been developed to ``tame''
JavaScript, though static disciplines usually restrict JavaScript's
most dynamic features. On the other hand, several new languages have
been designed from the ground up to make secure web applications easy
to write and thus these languages completely abandon the JavaScript
ecosystem. However, the JavaScript ecosystem has useful libraries
(e.g., jQuery), expressive language extensions (e.g., JSX), powerful
developer tools (e.g., Visual Studio), and popular type systems (e.g.,
TypeScript) that make web programming easy and are hard to give up.
In this SNAPL talk, we'll address the question,``Can we secure the web
without abandoning the JavaScript ecosystem?'' We'll present our
solution to this problem, Fission, which is a JavaScript interpreter
and runtime system that uses faceted execution (a form of dynamic
information flow control) and abstract interpretation at runtime to
automatically and securely tier-split a single JavaScript program
across the client and server. A key feature of Fission is that it
places almost no restrictions on JavaScript. Fission supports
ECMAScript 5, including characteristic JavaScript features, such as
prototype inheritance and eval.
It takes effort to be this faithful to JavaScript, but it pays off in several ways:
- We apply Fission to several large programs that use ECMAScript 6
(via Babel), JSX, React, and NodeJS. Fission lets us delete a lot
brittle serialization and communication boilerplate code.
- We present ``Typed Fission'' using TypeScript, where types ensure
that client-server communication does not go wrong. Fission can be
used with other JavaScript type systems too.
- We use Fission to develop server-side APIs (file I/O, etc.) for
Elm. Elm is a wonderful alternative to JavaScript, but without
Fission, Elm programmers have to step outside the language to get
any work done on the server. Fission could be used with other
compilers too (e.g., Scala.js or js_of_ocaml).
We argue that Fission has the potential to transform web security
using dynamic information flow control and tier-splitting without
abandoning compatibility with the JavaScript ecosystem. In this
regard, Fission is very different from related work, which requires
infrastructural changes. Fission lends itself to several different
implementations. We will give an overview of our approach, which
involves two cooperating faceted CEK machines, and outline our plans
to JIT Fission to JavaScript.
ATTENDANCE STATEMENT
Arjun Guha and Jean-Baptiste Jeannin, who are the senior authors of
this submission, commit to attending SNAPL. Arjun will present the talk.