Access permission contracts for scripting languages

The ideal software contract fully specifies the behavior of an operation. Often, and in particular for scripting languages, a full specification is cumbersome to state and may not even be desired. In such cases a partial specification, which describes selected aspects of the behavior, can raise the confidence in an implementation of the operation to a reasonable level. We propose a novel kind of contract for object-based languages that specifies the side effects of an operation by means of access permissions. An access permission contract uses sets of access paths to express read and write permissions for the properties of the objects reachable from the operation. We define a monitoring semantics for access permission contracts and implement it in a contract system for JavaScript. We prove soundness of the semantics and stability of violation under increasing aliasing (a detected violation persists when the heap contains additional aliases to the affected objects). Applications of access permission contracts include enforcing modularity, test-driven development, program understanding, and regression testing. With respect to testing and program understanding, we find that adding access permissions to contracts increases the effectiveness of error detection through contract monitoring by 6-13%.
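The following JavaScript is an added illustration of the idea behind a monitoring semantics for access permission contracts; it is not the paper's contract system, whose concrete syntax and rules the abstract does not give. It assumes (none of this is from the page) that access paths are dotted and rooted at parameter names, that a `*` segment matches any property name, that write permission on a path also grants reading it, and that a path may be traversed when it is a proper prefix of a permitted path. Each object argument is wrapped in a Proxy that checks every property read and write against the permitted path sets and throws on the first violation. The `deposit` function, its contract and the sample account are constructed for the example.

```javascript
// Added example of an access permission monitor (not the paper's implementation).
// Assumed conventions: dotted paths rooted at parameter names, "*" matches any
// single property name, write permission implies read, prefixes are traversable.

class ContractViolation extends Error {
  constructor(kind, path) {
    super(`access permission contract violated: ${kind} of ${path}`);
    this.name = "ContractViolation";
    this.kind = kind; // "read" or "write"
    this.path = path; // dotted access path, e.g. "acct.owner.ssn"
  }
}

// segs: the access path as an array of segments. With allowPrefix, a path that
// is a proper prefix of the pattern also matches, so the permitted path can be
// reached by traversal.
function pathMatches(pattern, segs, allowPrefix) {
  const pat = pattern.split(".");
  if (segs.length > pat.length) return false;
  if (segs.length < pat.length && !allowPrefix) return false;
  return segs.every((s, i) => pat[i] === "*" || pat[i] === s);
}

function permits(spec, kind, segs) {
  const writes = spec.write || [];
  if (kind === "write") return writes.some((p) => pathMatches(p, segs, false));
  // Assumption: write permission on a path implies read permission on it.
  return (spec.read || []).concat(writes).some((p) => pathMatches(p, segs, true));
}

// Wrap target so that every property access is checked; sub-objects returned by
// a read are wrapped recursively with the extended path. Primitives pass through.
function guard(target, segs, spec) {
  if (target === null || typeof target !== "object") return target;
  return new Proxy(target, {
    get(obj, prop, recv) {
      if (typeof prop === "symbol") return Reflect.get(obj, prop, recv);
      const path = segs.concat(String(prop));
      if (!permits(spec, "read", path)) throw new ContractViolation("read", path.join("."));
      return guard(Reflect.get(obj, prop, recv), path, spec);
    },
    set(obj, prop, value, recv) {
      const path = segs.concat(String(prop));
      if (!permits(spec, "write", path)) throw new ContractViolation("write", path.join("."));
      return Reflect.set(obj, prop, value, recv);
    },
  });
}

// Attach an access permission contract to fn. paramNames name fn's parameters;
// spec.read and spec.write list the permitted access paths rooted at those names.
function withPermissions(fn, paramNames, spec) {
  return function (...args) {
    const guarded = args.map((a, i) => guard(a, [paramNames[i] || `arg${i}`], spec));
    return fn.apply(this, guarded);
  };
}

// Run a contracted function and report the first violation as "kind path", or null.
function firstViolation(fn, ...args) {
  try {
    fn(...args);
    return null;
  } catch (e) {
    if (e instanceof ContractViolation) return `${e.kind} ${e.path}`;
    throw e;
  }
}

// Constructed sample: a bank-account-like object and three operations on it.
function sampleAccount() {
  return { id: 42, balance: 100, owner: { name: "A. User", ssn: "000-00-0000" }, history: [] };
}

// Contract for deposit: may read the id and owner name, may write the balance
// and any element (including length) of the history array.
const depositSpec = { read: ["acct.id", "acct.owner.name"], write: ["acct.balance", "acct.history.*"] };

function deposit(acct, amount) {
  acct.balance += amount;                                   // read + write acct.balance
  acct.history.push({ op: "deposit", amount, id: acct.id }); // writes acct.history.0, .length
  return acct.balance;
}
function leakyDeposit(acct, amount) {
  acct.balance += amount;
  return acct.owner.ssn;                                    // read outside the contract
}
function overwriteId(acct) {
  acct.id = 0;                                              // write outside the contract
  return acct.id;
}

const safeDeposit = withPermissions(deposit, ["acct", "amount"], depositSpec);
const checkedLeaky = withPermissions(leakyDeposit, ["acct", "amount"], depositSpec);
const checkedOverwrite = withPermissions(overwriteId, ["acct"], depositSpec);

console.log(safeDeposit(sampleAccount(), 50));                  // 150, no violation
console.log(firstViolation(checkedLeaky, sampleAccount(), 1));  // read acct.owner.ssn
console.log(firstViolation(checkedOverwrite, sampleAccount())); // write acct.id
```

The monitor reports the path at which the contract was first exceeded, which is what makes the violation useful for program understanding: `acct.owner` may be traversed because `acct.owner.name` is permitted, but `acct.owner.ssn` is not. Because the check is attached to the object graph reachable from the parameters rather than to a particular variable, introducing another alias to the same account does not make the violation disappear.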
