webassembly mechanisation security and concurrency
play

WebAssembly: Mechanisation, Security, and Concurrency Conrad Watt - PDF document

Feb 20, 2023 •606 likes •868 views

WebAssembly: Mechanisation, Security, and Concurrency Conrad Watt University of Cambridge Verified Software Workshop 2019 Conrad Watt (Cambridge) Formal WebAssembly 1 / 24 A brief history of WebAssembly (Wasm) A low-level bytecode,

  1. WebAssembly: Mechanisation, Security, and Concurrency Conrad Watt University of Cambridge Verified Software Workshop 2019 Conrad Watt (Cambridge) Formal WebAssembly 1 / 24

  2. A brief history of WebAssembly (Wasm) A low-level bytecode, supported by all major browsers. A “compilation target for the Web”. Has a principled formal specification. Conrad Watt (Cambridge) Formal WebAssembly 2 / 24

  3. How WebAssembly can be Used Wasm bytecode files are packaged and distributed without their original source files. Conrad Watt (Cambridge) Formal WebAssembly 3 / 24

  4. WebAssembly is Stack-Based WebAssembly is specified using a small-step formal semantics. WebAssembly programs must be validated (type-checked) before they can be run. Only well-typed programs may be executed. p i32.const 2 q p i32.const 3 q p i32.add q ; p i32.add q ; p i32.add q ; 3 p i32.const 3 q ✏ 2 2 5 Conrad Watt (Cambridge) Formal WebAssembly 4 / 24

  5. Stack Typing Typing program fragments: p i32.const 2 q p f64.const 0 q p i32.const 2 q p i32.add q p i32.const 3 q p i32.const 3 q p i32.add q p i32.add q rs Ñ r i32 s r i32 , i32 s Ñ r i32 s rs Ñ r i32 s K Some structural typing rules: e ˚ : t ˚ a Ñ t ˚ e ˚ 1 : t ˚ a Ñ t ˚ e ˚ 2 : t ˚ b Ñ t ˚ c b b e ˚ : t ˚ ; t ˚ a Ñ t ˚ ; t ˚ e ˚ 1 ; e ˚ 2 : t ˚ a Ñ t ˚ c b Conrad Watt (Cambridge) Formal WebAssembly 5 / 24

  6. WebAssembly type system Progress For any validated program P that has not terminated with a result, there exists P’ such that P reduces to P’ Preservation If a program P is validated with a type ts, any program obtained by reducing P to P’ can also be validated with type ts. These properties together guarantee syntactic type soundness. 1 1 A.K. Wright and M. Felleisen. “A Syntactic Approach to Type Soundness”. In: Information and Computation 115.1 (1994). issn : 0890-5401. Conrad Watt (Cambridge) Formal WebAssembly 6 / 24

  7. Mechanisation An unambiguous formal specification and an unambiguous correctness condition. Perfect for mechanisation! „ 11,000 lines of Isabelle/HOL. 2 Found several errors in the draft specification. Also included: Verified sound and complete type-checking algorithm. Verified sound run-time interpreter. 2 Conrad Watt. “Mechanising and Verifying the WebAssembly Specification”. In: Certified Programs and Proofs (CPP 2018) . Conrad Watt (Cambridge) Formal WebAssembly 7 / 24

  8. Mechanisation Wasm Logic CT-Wasm A separation logic for WebAssembly. Secure information flow type system. c ˚ Neel Krishnaswami : Petar Maksimovi´ John Renner Natalie Popescu Philippa Gardner ˚ Sunjay Cauligi Deian Stefan Imperial College London ˚ /Cambridge : UC San Diego Conrad Watt (Cambridge) Formal WebAssembly 8 / 24

  9. Wasm Logic 3 WebAssembly’s stack is very static. The type system guarantees a precise structure. A program logic should mirror/take advantage of this structure. 3 Conrad Watt, Petar Maksimovic, Neelakantan R. Krishnaswami, and Philippa Gardner. “A Program Logic for First-Order Encapsulated WebAssembly”. In: European Conference on Object-Oriented Programming (ECOOP 2019) . Conrad Watt (Cambridge) Formal WebAssembly 9 / 24

  10. Wasm Proof Rules - Control Notice how closely these proof rules follow the typing rules! t m ; labs $ e ˚ : t n Ñ t m block typing labs $ p block p t n Ñ t m q e ˚ end q : t n Ñ t m Q m ; L $ t P n u e ˚ t Q m u [block] L $ t P n u block p t n Ñ t m q e ˚ end t Q m u labs ! k “ t ˚ L ! k “ P br typing [br] labs $ p br k q : t ˚ Ñ t ˚ L $ t P u br k t Q u Conrad Watt (Cambridge) Formal WebAssembly 10 / 24

  11. Wasm Proof Rules - Control Wasm’s loop opcode works like block , except executing br restarts the loop, like a continue statement. a ; labs $ e ˚ : t ˚ t ˚ a Ñ t ˚ b loop typing b q e ˚ end q : t ˚ labs $ p loop p t ˚ a Ñ t ˚ a Ñ t ˚ b P n ; L $ t P n u e ˚ t Q m u [loop] L $ t P n u loop p t n Ñ t m q e ˚ end t Q m u Conrad Watt (Cambridge) Formal WebAssembly 11 / 24

  12. CT-Wasm 4 WebAssembly’s type system is very simple and static. We can easily add additional security annotations. Key insight - best practice cryptographic algorithms already obey a course-grained ”type system” - constant time principles. 4 Conrad Watt, John Renner, Natalie Popescu, Sunjay Cauligi, and Deian Stefan. “CT-Wasm: Type-Driven Secure Cryptography for the Web Ecosystem”. In: Principles of Programming Languages (POPL 2019) . Conrad Watt (Cambridge) Formal WebAssembly 12 / 24

  13. CT-Wasm We turn violations of these principles into type errors. Security properties fully mechanised. s32.const 2 s32.const 2 s32.const 2 i32.const 3 br if i32.add rs Ñ r s32 s K K Conrad Watt (Cambridge) Formal WebAssembly 13 / 24

  14. Relaxed Memory Guillaume Barbier (ENS Rennes) Stephen Dolan (University of Cambridge) Shaked Flur (University of Cambridge) Shu-yu Guo (Google / Bloomberg LP) Jean Pichon-Pharabod (University of Cambridge) Anton Podkopaev (HSE / MPI-SWS) Christopher Pulte (University of Cambridge) Andreas Rossberg (Dfinity Stiftung) Conrad Watt (Cambridge) Formal WebAssembly 14 / 24

  15. Relaxed Memory WebAssembly program can read from and write to a linear bu ff er of raw bytes. Adding threads, these bu ff ers can now be shared. Need a relaxed memory model. x = buff[i] i32.load WebAssembly Atomics.store(buff,i,v) i32.atomic.store WebAssembly i32.load i32.atomic.store Conrad Watt (Cambridge) Formal WebAssembly 15 / 24

  16. Relaxed Memory JavaScript also has threads (“web workers”) and shared bu ff ers, even a memory model! The WebAssembly memory will be exposed to JavaScript as a shared bu ff er. x = buff[i] JavaScript Atomics.store(buff,i,v) WebAssembly i32.load i32.atomic.store Conrad Watt (Cambridge) Formal WebAssembly 16 / 24

  17. Relaxed Memory Committee: JS/Wasm interop should “just work”. So a lot of Wasm consistency behaviour is inherited from JS. x = buff[i] JavaScript Atomics.store(buff,i,v) WebAssembly i32.load i32.atomic.store Conrad Watt (Cambridge) Formal WebAssembly 17 / 24

  18. Relaxed Memory But Wasm has additional feature - memory growth. Now, the size of the memory needs to become part of the axiomatic model. x = buff[i] JavaScript Atomics.store(buff,i,v) mem.grow WebAssembly Conrad Watt (Cambridge) Formal WebAssembly 18 / 24

  19. Relaxed Memory Implementers don’t want to guarantee SC bounds-checking behaviour. Updates to memory size can create “data” races. 5 y x store x 42 load y grow 2 load x 5 Conrad Watt, Andreas Rossberg, and Jean Pichon-Pharabod. “Weakening WebAssembly”. In: Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA 2019) . Conrad Watt (Cambridge) Formal WebAssembly 19 / 24

  20. Relaxed Memory We said Wasm follows JS. What if the JS model is wrong? Ideally, we fix it. JS standards body has been very welcoming. Shu-yu Guo (Bloomberg LP) has been a great point of contact. Conrad Watt (Cambridge) Formal WebAssembly 20 / 24

  21. Relaxed Memory Several JS memory model problems discovered. Missing synchronization for wait/wake ops. 6 SC-DRF violation. 7 ARMv8 lda/stl not supported (Stephen Dolan, Cambridge). 8 6 Conrad Watt. Normative: Strengthen Atomics.wait/wake synchronization to the level of other Atomics operations . Mar. 2018. url : https://github.com/tc39/ecma262/pull/1127 . 7 Shu-yu Guo. Normative: Fix memory model so DRF-SC holds . Nov. 2018. url : https://github.com/tc39/ecma262/pull/1362 . 8 Shu-yu Guo. Memory Model Support for ARMv8 LDA/STL . Jan. 2019. url : https://docs.google.com/presentation/d/1qif7z-Y8C- nvJM20UNJQzAKJgLN4wmXS_5NN2Wgipb4/edit?usp=sharing . Conrad Watt (Cambridge) Formal WebAssembly 21 / 24

  22. SC-DRF violation Atomics.store(v,0,2); if (Atomics.load(v,0) === 1) { Atomics.store(v,0,1); r = v[0]; } You might think that r must always be assigned 1. Not so, before our corrections! This example, and others, found by model checking (in Alloy). 9 9 John Wickerson, Mark Batty, Tyler Sorensen, and George A. Constantinides. “Automatically Comparing Memory Consistency Models”. In: Principles of Programming Languages (POPL 2017) . Conrad Watt (Cambridge) Formal WebAssembly 22 / 24

  23. bit.ly/2M8cZ2v Android/Desktop Chrome for best results. You will almost certainly observe store bu ff ering (SB) relaxed behaviour. 10 store x 1 store y 1 load y load x Do you observe the JavaScript Violation? This is the ARMv8 compilation violation. 10 https://www.cl.cam.ac.uk/ pes20/ppc-supplemental/test6.pdf Conrad Watt (Cambridge) Formal WebAssembly 23 / 24

  24. Thanks for listening! Conrad Watt (Cambridge) Formal WebAssembly 24 / 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

WEBPACK + WEBASSEMBLY W E B A S S E M B L Y W E B P A C K A N D T H E C H A L L E N G E O F

WEBPACK + WEBASSEMBLY W E B A S S E M B L Y W E B P A C K A N D T H E C H A L L E N G E O F

WEBPACK + WEBASSEMBLY W E B A S S E M B L Y W E B P A C K A N D T H E C H A L L E N G E O F INTRODUCTION WEBASSEMBLY AND ESM WEBASSEMBLY? L OW -L EVEL B INARY F ORMAT FOR C ODE T YPED ( I 8 I 64, F 32, F 64) M EMORY U

657 views • 39 slides
Mechanisation to Automation Mechanisation to Automation Title Sponsor Platinum Sponsor The

Mechanisation to Automation Mechanisation to Automation Title Sponsor Platinum Sponsor The

Organised By Mechanisation to Automation Mechanisation to Automation Title Sponsor Platinum Sponsor The Future of Cashew Processing JC Reddy Manufacturing & Technical Head VINK CORPORATION DMCC 25 th Jan 2019 24-26 January, 2019

482 views • 11 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 WebAssembly WebAssembly WebAssembly is a low-level

CS/COE 1520 pitt.edu/~ach54/cs1520 WebAssembly WebAssembly WebAssembly is a low-level

CS/COE 1520 pitt.edu/~ach54/cs1520 WebAssembly WebAssembly WebAssembly is a low-level language that runs within the web browser with near-native performance for those tasks that demand that level of performance Eg. Augmented/Virtual

312 views • 14 slides
WebAssembly WebAssembly Here Be Dragons JF Bastien Dan Gohman Google Mozilla @jfbastien

WebAssembly WebAssembly Here Be Dragons JF Bastien Dan Gohman Google Mozilla @jfbastien

WebAssembly WebAssembly Here Be Dragons JF Bastien Dan Gohman Google Mozilla @jfbastien @sunfishcode Presentation given at the 2015 LLVM Developers Meeting on October 29th in San Jose, California. JF narrates: WebAssembly is a tale

654 views • 17 slides
Build your own WebAssembly Compiler Colin Eberhardt, Scott Logic Why do we need WebAssembly?

Build your own WebAssembly Compiler Colin Eberhardt, Scott Logic Why do we need WebAssembly?

Build your own WebAssembly Compiler Colin Eberhardt, Scott Logic Why do we need WebAssembly? JavaScript is a compilation target > WebAssembly or wasm is a new portable, size- and load-time-efficient format suitable for compilation to the

800 views • 62 slides
WebAssembly neither Web nor Assembly, but Revolutionary Jay Phelps | @_jayphelps The WebAssembly

WebAssembly neither Web nor Assembly, but Revolutionary Jay Phelps | @_jayphelps The WebAssembly

WebAssembly neither Web nor Assembly, but Revolutionary Jay Phelps | @_jayphelps The WebAssembly revolution has begun Jay Phelps | @_jayphelps Jay Phelps Chief Software Architect | previously @_jayphelps Support, Dev Rel, Staff Augmentation,

1.33k views • 130 slides
Lets embrace WebAssembly! Lets embrace WebAssembly! EuroPython 2018 - Edinburgh Almar

Lets embrace WebAssembly! Lets embrace WebAssembly! EuroPython 2018 - Edinburgh Almar

Lets embrace WebAssembly! Lets embrace WebAssembly! EuroPython 2018 - Edinburgh Almar Klein What is WebAssembly? What is WebAssembly? WebAssembly == WASM WASM is an OPEN standard ... WASM is an OPEN standard ... Collaborative effort

827 views • 43 slides
Build your own WebAssembly Compiler Colin Eberhardt, Scott Logic https://wasmweekly.news/ Why

Build your own WebAssembly Compiler Colin Eberhardt, Scott Logic https://wasmweekly.news/ Why

Build your own WebAssembly Compiler Colin Eberhardt, Scott Logic https://wasmweekly.news/ Why do we need WebAssembly? JavaScript is a compilation target > WebAssembly or wasm is a new portable, size- and load-time-efficient format

658 views • 62 slides
Level up with WebAssembly OSCON 2019 Robert Aboukhalil @RobAboukhalil What is WebAssembly?

Level up with WebAssembly OSCON 2019 Robert Aboukhalil @RobAboukhalil What is WebAssembly?

Level up with WebAssembly OSCON 2019 Robert Aboukhalil @RobAboukhalil What is WebAssembly? What is WebAssembly? JavaScript WebAssembly char char * hello() { ( module module return return "Hello OSCON 2019!"; ( table table 0

667 views • 29 slides
WebAssembly: Status & Web IDL Bindings W3C Games Workshop - June, 2019 Luke Wagner Based on

WebAssembly: Status & Web IDL Bindings W3C Games Workshop - June, 2019 Luke Wagner Based on

WebAssembly: Status & Web IDL Bindings W3C Games Workshop - June, 2019 Luke Wagner Based on joint Mozilla/Google presentation to WebAssembly CG last week (link) WebAssembly Status 2017: "MVP" ships in 4 browsers \o/

425 views • 14 slides
Revolution has begun Jay Phelps | @_jayphelps WebAssembly will change the way we think of

Revolution has begun Jay Phelps | @_jayphelps WebAssembly will change the way we think of

The WebAssembly Revolution has begun Jay Phelps | @_jayphelps WebAssembly will change the way we think of "web apps" Jay Phelps | @_jayphelps Jay Phelps Senior Software Engineer | @_jayphelps So... what is WebAssembly? aka wasm Jay

1.48k views • 103 slides
frameworks using WebAssembly Boyan Mihaylov @boyanio boyan.io WebAssembly ( WASM ) is compiler

frameworks using WebAssembly Boyan Mihaylov @boyanio boyan.io WebAssembly ( WASM ) is compiler

The rise of non-JavaScript frameworks using WebAssembly Boyan Mihaylov @boyanio boyan.io WebAssembly ( WASM ) is compiler target for programs on the Web @boyanio @boyanio https://vimeo.com/272924131 The Web of JavaScript frameworks

588 views • 29 slides
Industrial Revolution INDUSTRY 1.0 INDUSTRY 2.0 INDUSTRY 3.0 INDUSTRY 4.0 Mechanisation, Mass

Industrial Revolution INDUSTRY 1.0 INDUSTRY 2.0 INDUSTRY 3.0 INDUSTRY 4.0 Mechanisation, Mass

Industrial Revolution INDUSTRY 1.0 INDUSTRY 2.0 INDUSTRY 3.0 INDUSTRY 4.0 Mechanisation, Mass production, Automation, Internet of things, steam power, assembly line, computers, networks. weaver loom. electrical energy. electronics.

296 views • 3 slides
Web Evolution and WebAssembly David Herrera Contents Limitations of JavaScript

Web Evolution and WebAssembly David Herrera Contents Limitations of JavaScript

Web Evolution and WebAssembly David Herrera Contents Limitations of JavaScript Evolution of Web performance via asm.js WebAssembly Design Pipeline Decoding Validation Execution Examples

1.93k views • 67 slides
Concurrency What is concurrency? In computer science, concurrency is a property of systems which

Concurrency What is concurrency? In computer science, concurrency is a property of systems which

C Concurrency and Synchronization Concurrency What is concurrency? In computer science, concurrency is a property of systems which consist of computations that execute overlapped in time, and which may permit the sharing of common resources

621 views • 34 slides
Asynchronous Programming Model for Concurrency concurrency Concurrency is when two or more tasks

Asynchronous Programming Model for Concurrency concurrency Concurrency is when two or more tasks

Asynchronous Programming Model for Concurrency concurrency Concurrency is when two or more tasks can start, run, and complete in overlapping time periods. It doesn't necessarily mean they'll ever both be running at the same instant. For

915 views • 24 slides
Binding Rules Can Binding Rules Be Used to Play Democracy as a Strategic Game? Zden ek

Binding Rules Can Binding Rules Be Used to Play Democracy as a Strategic Game? Zden ek

Binding Rules Can Binding Rules Be Used to Play Democracy as a Strategic Game? Zden ek Rosenberg Masaryk University Cambridge, 24 th June 2014 Cambridge, 24 th June 2014 Zden ek Rosenberg (Masaryk University) Binding Rules 1 / 8

437 views • 16 slides
Researching The Demands on Policing in a Digital and Networked Age (EPSRC CeRes) Cambridge Cloud

Researching The Demands on Policing in a Digital and Networked Age (EPSRC CeRes) Cambridge Cloud

Cybercrime Research Unit, Centre for Criminal Justice Studies School of something School of Law FACULTY OF OTHER Researching The Demands on Policing in a Digital and Networked Age (EPSRC CeRes) Cambridge Cloud Cybercrime Centre Cybercrime

506 views • 22 slides
Introduction to Social Choice Lirong Xia Change the world: 2011 UK Referendum The second

Introduction to Social Choice Lirong Xia Change the world: 2011 UK Referendum The second

Introduction to Social Choice Lirong Xia Change the world: 2011 UK Referendum The second nationwide referendum in UK history The first was in 1975 Member of Parliament election: Plurality rule Alternative vote rule 68% No vs. 32%

776 views • 29 slides
Characterization of Efficient Simple Liability Rules with Multiple Tortfeasors Satish K. Jain

Characterization of Efficient Simple Liability Rules with Multiple Tortfeasors Satish K. Jain

Characterization of Efficient Simple Liability Rules with Multiple Tortfeasors Satish K. Jain Rajendra P. Kundu Centre for Economic Studies and Planning School of Social Sciences Jawaharlal Nehru University New Delhi 110 067 India

313 views • 20 slides
Algorithmic Accountability Inscrutability of Big Tech Black Box Society (Pasquale) Weapons

Algorithmic Accountability Inscrutability of Big Tech Black Box Society (Pasquale) Weapons

Algorithmic Accountability Inscrutability of Big Tech Black Box Society (Pasquale) Weapons of Math Destruction (ONeil) The Platform is Political (Gillespie) AI ethics in place Autonomous vehicles, Uber At the

806 views • 52 slides
22 The Israelites said to Gideon, Rule over us you, your son and your grandson because

22 The Israelites said to Gideon, Rule over us you, your son and your grandson because

22 22 The Israelites said to Gideon, Rule over us you, your son and your grandson because you have saved us from the hand of Midian . 23 23 But Gideon told them, I will not rule over you, nor will my son rule over you. The L ORD

341 views • 22 slides
IN THEIR OWN WORDS. HOW IMPERIAL TOBACCO RAN A FEAR Imperial Tobacco (ITL) is the largest

IN THEIR OWN WORDS. HOW IMPERIAL TOBACCO RAN A FEAR Imperial Tobacco (ITL) is the largest

IN THEIR OWN WORDS. HOW IMPERIAL TOBACCO RAN A FEAR Imperial Tobacco (ITL) is the largest tobacco CAMPAIGN ABOUT CONTRABAND manufacturer operatjng in Canada. CIGARETTES TO BLOCK TAXES AND The brands it makes include du Maurier, PREVENT

284 views • 5 slides
END

END

END

416 views • 22 slides

More recommend