webassembly mechanisation security and concurrency
play

WebAssembly: Mechanisation, Security, and Concurrency Conrad Watt - PDF document

Feb 20, 2023 •606 likes •868 views

WebAssembly: Mechanisation, Security, and Concurrency Conrad Watt University of Cambridge Verified Software Workshop 2019 Conrad Watt (Cambridge) Formal WebAssembly 1 / 24 A brief history of WebAssembly (Wasm) A low-level bytecode,

  1. WebAssembly: Mechanisation, Security, and Concurrency Conrad Watt University of Cambridge Verified Software Workshop 2019 Conrad Watt (Cambridge) Formal WebAssembly 1 / 24

  2. A brief history of WebAssembly (Wasm) A low-level bytecode, supported by all major browsers. A “compilation target for the Web”. Has a principled formal specification. Conrad Watt (Cambridge) Formal WebAssembly 2 / 24

  3. How WebAssembly can be Used Wasm bytecode files are packaged and distributed without their original source files. Conrad Watt (Cambridge) Formal WebAssembly 3 / 24

  4. WebAssembly is Stack-Based WebAssembly is specified using a small-step formal semantics. WebAssembly programs must be validated (type-checked) before they can be run. Only well-typed programs may be executed. p i32.const 2 q p i32.const 3 q p i32.add q ; p i32.add q ; p i32.add q ; 3 p i32.const 3 q ✏ 2 2 5 Conrad Watt (Cambridge) Formal WebAssembly 4 / 24

  5. Stack Typing Typing program fragments: p i32.const 2 q p f64.const 0 q p i32.const 2 q p i32.add q p i32.const 3 q p i32.const 3 q p i32.add q p i32.add q rs Ñ r i32 s r i32 , i32 s Ñ r i32 s rs Ñ r i32 s K Some structural typing rules: e ˚ : t ˚ a Ñ t ˚ e ˚ 1 : t ˚ a Ñ t ˚ e ˚ 2 : t ˚ b Ñ t ˚ c b b e ˚ : t ˚ ; t ˚ a Ñ t ˚ ; t ˚ e ˚ 1 ; e ˚ 2 : t ˚ a Ñ t ˚ c b Conrad Watt (Cambridge) Formal WebAssembly 5 / 24

  6. WebAssembly type system Progress For any validated program P that has not terminated with a result, there exists P’ such that P reduces to P’ Preservation If a program P is validated with a type ts, any program obtained by reducing P to P’ can also be validated with type ts. These properties together guarantee syntactic type soundness. 1 1 A.K. Wright and M. Felleisen. “A Syntactic Approach to Type Soundness”. In: Information and Computation 115.1 (1994). issn : 0890-5401. Conrad Watt (Cambridge) Formal WebAssembly 6 / 24

  7. Mechanisation An unambiguous formal specification and an unambiguous correctness condition. Perfect for mechanisation! „ 11,000 lines of Isabelle/HOL. 2 Found several errors in the draft specification. Also included: Verified sound and complete type-checking algorithm. Verified sound run-time interpreter. 2 Conrad Watt. “Mechanising and Verifying the WebAssembly Specification”. In: Certified Programs and Proofs (CPP 2018) . Conrad Watt (Cambridge) Formal WebAssembly 7 / 24

  8. Mechanisation Wasm Logic CT-Wasm A separation logic for WebAssembly. Secure information flow type system. c ˚ Neel Krishnaswami : Petar Maksimovi´ John Renner Natalie Popescu Philippa Gardner ˚ Sunjay Cauligi Deian Stefan Imperial College London ˚ /Cambridge : UC San Diego Conrad Watt (Cambridge) Formal WebAssembly 8 / 24

  9. Wasm Logic 3 WebAssembly’s stack is very static. The type system guarantees a precise structure. A program logic should mirror/take advantage of this structure. 3 Conrad Watt, Petar Maksimovic, Neelakantan R. Krishnaswami, and Philippa Gardner. “A Program Logic for First-Order Encapsulated WebAssembly”. In: European Conference on Object-Oriented Programming (ECOOP 2019) . Conrad Watt (Cambridge) Formal WebAssembly 9 / 24

  10. Wasm Proof Rules - Control Notice how closely these proof rules follow the typing rules! t m ; labs $ e ˚ : t n Ñ t m block typing labs $ p block p t n Ñ t m q e ˚ end q : t n Ñ t m Q m ; L $ t P n u e ˚ t Q m u [block] L $ t P n u block p t n Ñ t m q e ˚ end t Q m u labs ! k “ t ˚ L ! k “ P br typing [br] labs $ p br k q : t ˚ Ñ t ˚ L $ t P u br k t Q u Conrad Watt (Cambridge) Formal WebAssembly 10 / 24

  11. Wasm Proof Rules - Control Wasm’s loop opcode works like block , except executing br restarts the loop, like a continue statement. a ; labs $ e ˚ : t ˚ t ˚ a Ñ t ˚ b loop typing b q e ˚ end q : t ˚ labs $ p loop p t ˚ a Ñ t ˚ a Ñ t ˚ b P n ; L $ t P n u e ˚ t Q m u [loop] L $ t P n u loop p t n Ñ t m q e ˚ end t Q m u Conrad Watt (Cambridge) Formal WebAssembly 11 / 24

  12. CT-Wasm 4 WebAssembly’s type system is very simple and static. We can easily add additional security annotations. Key insight - best practice cryptographic algorithms already obey a course-grained ”type system” - constant time principles. 4 Conrad Watt, John Renner, Natalie Popescu, Sunjay Cauligi, and Deian Stefan. “CT-Wasm: Type-Driven Secure Cryptography for the Web Ecosystem”. In: Principles of Programming Languages (POPL 2019) . Conrad Watt (Cambridge) Formal WebAssembly 12 / 24

  13. CT-Wasm We turn violations of these principles into type errors. Security properties fully mechanised. s32.const 2 s32.const 2 s32.const 2 i32.const 3 br if i32.add rs Ñ r s32 s K K Conrad Watt (Cambridge) Formal WebAssembly 13 / 24

  14. Relaxed Memory Guillaume Barbier (ENS Rennes) Stephen Dolan (University of Cambridge) Shaked Flur (University of Cambridge) Shu-yu Guo (Google / Bloomberg LP) Jean Pichon-Pharabod (University of Cambridge) Anton Podkopaev (HSE / MPI-SWS) Christopher Pulte (University of Cambridge) Andreas Rossberg (Dfinity Stiftung) Conrad Watt (Cambridge) Formal WebAssembly 14 / 24

  15. Relaxed Memory WebAssembly program can read from and write to a linear bu ff er of raw bytes. Adding threads, these bu ff ers can now be shared. Need a relaxed memory model. x = buff[i] i32.load WebAssembly Atomics.store(buff,i,v) i32.atomic.store WebAssembly i32.load i32.atomic.store Conrad Watt (Cambridge) Formal WebAssembly 15 / 24

  16. Relaxed Memory JavaScript also has threads (“web workers”) and shared bu ff ers, even a memory model! The WebAssembly memory will be exposed to JavaScript as a shared bu ff er. x = buff[i] JavaScript Atomics.store(buff,i,v) WebAssembly i32.load i32.atomic.store Conrad Watt (Cambridge) Formal WebAssembly 16 / 24

  17. Relaxed Memory Committee: JS/Wasm interop should “just work”. So a lot of Wasm consistency behaviour is inherited from JS. x = buff[i] JavaScript Atomics.store(buff,i,v) WebAssembly i32.load i32.atomic.store Conrad Watt (Cambridge) Formal WebAssembly 17 / 24

  18. Relaxed Memory But Wasm has additional feature - memory growth. Now, the size of the memory needs to become part of the axiomatic model. x = buff[i] JavaScript Atomics.store(buff,i,v) mem.grow WebAssembly Conrad Watt (Cambridge) Formal WebAssembly 18 / 24

  19. Relaxed Memory Implementers don’t want to guarantee SC bounds-checking behaviour. Updates to memory size can create “data” races. 5 y x store x 42 load y grow 2 load x 5 Conrad Watt, Andreas Rossberg, and Jean Pichon-Pharabod. “Weakening WebAssembly”. In: Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA 2019) . Conrad Watt (Cambridge) Formal WebAssembly 19 / 24

  20. Relaxed Memory We said Wasm follows JS. What if the JS model is wrong? Ideally, we fix it. JS standards body has been very welcoming. Shu-yu Guo (Bloomberg LP) has been a great point of contact. Conrad Watt (Cambridge) Formal WebAssembly 20 / 24

  21. Relaxed Memory Several JS memory model problems discovered. Missing synchronization for wait/wake ops. 6 SC-DRF violation. 7 ARMv8 lda/stl not supported (Stephen Dolan, Cambridge). 8 6 Conrad Watt. Normative: Strengthen Atomics.wait/wake synchronization to the level of other Atomics operations . Mar. 2018. url : https://github.com/tc39/ecma262/pull/1127 . 7 Shu-yu Guo. Normative: Fix memory model so DRF-SC holds . Nov. 2018. url : https://github.com/tc39/ecma262/pull/1362 . 8 Shu-yu Guo. Memory Model Support for ARMv8 LDA/STL . Jan. 2019. url : https://docs.google.com/presentation/d/1qif7z-Y8C- nvJM20UNJQzAKJgLN4wmXS_5NN2Wgipb4/edit?usp=sharing . Conrad Watt (Cambridge) Formal WebAssembly 21 / 24

  22. SC-DRF violation Atomics.store(v,0,2); if (Atomics.load(v,0) === 1) { Atomics.store(v,0,1); r = v[0]; } You might think that r must always be assigned 1. Not so, before our corrections! This example, and others, found by model checking (in Alloy). 9 9 John Wickerson, Mark Batty, Tyler Sorensen, and George A. Constantinides. “Automatically Comparing Memory Consistency Models”. In: Principles of Programming Languages (POPL 2017) . Conrad Watt (Cambridge) Formal WebAssembly 22 / 24

  23. bit.ly/2M8cZ2v Android/Desktop Chrome for best results. You will almost certainly observe store bu ff ering (SB) relaxed behaviour. 10 store x 1 store y 1 load y load x Do you observe the JavaScript Violation? This is the ARMv8 compilation violation. 10 https://www.cl.cam.ac.uk/ pes20/ppc-supplemental/test6.pdf Conrad Watt (Cambridge) Formal WebAssembly 23 / 24

  24. Thanks for listening! Conrad Watt (Cambridge) Formal WebAssembly 24 / 24

Recommend

WEBPACK + WEBASSEMBLY W E B A S S E M B L Y W E B P A C K A N D T H E C H A L L E N G E O F

WEBPACK + WEBASSEMBLY W E B A S S E M B L Y W E B P A C K A N D T H E C H A L L E N G E O F

WEBPACK + WEBASSEMBLY W E B A S S E M B L Y W E B P A C K A N D T H E C H A L L E N G E O F INTRODUCTION WEBASSEMBLY AND ESM WEBASSEMBLY? L OW -L EVEL B INARY F ORMAT FOR C ODE T YPED ( I 8 I 64, F 32, F 64) M EMORY U

657 views • 39 slides
Mechanisation to Automation Mechanisation to Automation Title Sponsor Platinum Sponsor The

Mechanisation to Automation Mechanisation to Automation Title Sponsor Platinum Sponsor The

Organised By Mechanisation to Automation Mechanisation to Automation Title Sponsor Platinum Sponsor The Future of Cashew Processing JC Reddy Manufacturing & Technical Head VINK CORPORATION DMCC 25 th Jan 2019 24-26 January, 2019

482 views • 11 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 WebAssembly WebAssembly WebAssembly is a low-level

CS/COE 1520 pitt.edu/~ach54/cs1520 WebAssembly WebAssembly WebAssembly is a low-level

CS/COE 1520 pitt.edu/~ach54/cs1520 WebAssembly WebAssembly WebAssembly is a low-level language that runs within the web browser with near-native performance for those tasks that demand that level of performance Eg. Augmented/Virtual

312 views • 14 slides
WebAssembly WebAssembly Here Be Dragons JF Bastien Dan Gohman Google Mozilla @jfbastien

WebAssembly WebAssembly Here Be Dragons JF Bastien Dan Gohman Google Mozilla @jfbastien

WebAssembly WebAssembly Here Be Dragons JF Bastien Dan Gohman Google Mozilla @jfbastien @sunfishcode Presentation given at the 2015 LLVM Developers Meeting on October 29th in San Jose, California. JF narrates: WebAssembly is a tale

654 views • 17 slides
Build your own WebAssembly Compiler Colin Eberhardt, Scott Logic Why do we need WebAssembly?

Build your own WebAssembly Compiler Colin Eberhardt, Scott Logic Why do we need WebAssembly?

Build your own WebAssembly Compiler Colin Eberhardt, Scott Logic Why do we need WebAssembly? JavaScript is a compilation target > WebAssembly or wasm is a new portable, size- and load-time-efficient format suitable for compilation to the

800 views • 62 slides
WebAssembly neither Web nor Assembly, but Revolutionary Jay Phelps | @_jayphelps The WebAssembly

WebAssembly neither Web nor Assembly, but Revolutionary Jay Phelps | @_jayphelps The WebAssembly

WebAssembly neither Web nor Assembly, but Revolutionary Jay Phelps | @_jayphelps The WebAssembly revolution has begun Jay Phelps | @_jayphelps Jay Phelps Chief Software Architect | previously @_jayphelps Support, Dev Rel, Staff Augmentation,

1.33k views • 130 slides
Lets embrace WebAssembly! Lets embrace WebAssembly! EuroPython 2018 - Edinburgh Almar

Lets embrace WebAssembly! Lets embrace WebAssembly! EuroPython 2018 - Edinburgh Almar

Lets embrace WebAssembly! Lets embrace WebAssembly! EuroPython 2018 - Edinburgh Almar Klein What is WebAssembly? What is WebAssembly? WebAssembly == WASM WASM is an OPEN standard ... WASM is an OPEN standard ... Collaborative effort

827 views • 43 slides
Build your own WebAssembly Compiler Colin Eberhardt, Scott Logic https://wasmweekly.news/ Why

Build your own WebAssembly Compiler Colin Eberhardt, Scott Logic https://wasmweekly.news/ Why

Build your own WebAssembly Compiler Colin Eberhardt, Scott Logic https://wasmweekly.news/ Why do we need WebAssembly? JavaScript is a compilation target > WebAssembly or wasm is a new portable, size- and load-time-efficient format

658 views • 62 slides
Level up with WebAssembly OSCON 2019 Robert Aboukhalil @RobAboukhalil What is WebAssembly?

Level up with WebAssembly OSCON 2019 Robert Aboukhalil @RobAboukhalil What is WebAssembly?

Level up with WebAssembly OSCON 2019 Robert Aboukhalil @RobAboukhalil What is WebAssembly? What is WebAssembly? JavaScript WebAssembly char char * hello() { ( module module return return "Hello OSCON 2019!"; ( table table 0

667 views • 29 slides
WebAssembly: Status & Web IDL Bindings W3C Games Workshop - June, 2019 Luke Wagner Based on

WebAssembly: Status & Web IDL Bindings W3C Games Workshop - June, 2019 Luke Wagner Based on

WebAssembly: Status & Web IDL Bindings W3C Games Workshop - June, 2019 Luke Wagner Based on joint Mozilla/Google presentation to WebAssembly CG last week (link) WebAssembly Status 2017: "MVP" ships in 4 browsers \o/

425 views • 14 slides
Revolution has begun Jay Phelps | @_jayphelps WebAssembly will change the way we think of

Revolution has begun Jay Phelps | @_jayphelps WebAssembly will change the way we think of

The WebAssembly Revolution has begun Jay Phelps | @_jayphelps WebAssembly will change the way we think of "web apps" Jay Phelps | @_jayphelps Jay Phelps Senior Software Engineer | @_jayphelps So... what is WebAssembly? aka wasm Jay

1.48k views • 103 slides
frameworks using WebAssembly Boyan Mihaylov @boyanio boyan.io WebAssembly ( WASM ) is compiler

frameworks using WebAssembly Boyan Mihaylov @boyanio boyan.io WebAssembly ( WASM ) is compiler

The rise of non-JavaScript frameworks using WebAssembly Boyan Mihaylov @boyanio boyan.io WebAssembly ( WASM ) is compiler target for programs on the Web @boyanio @boyanio https://vimeo.com/272924131 The Web of JavaScript frameworks

588 views • 29 slides
Industrial Revolution INDUSTRY 1.0 INDUSTRY 2.0 INDUSTRY 3.0 INDUSTRY 4.0 Mechanisation, Mass

Industrial Revolution INDUSTRY 1.0 INDUSTRY 2.0 INDUSTRY 3.0 INDUSTRY 4.0 Mechanisation, Mass

Industrial Revolution INDUSTRY 1.0 INDUSTRY 2.0 INDUSTRY 3.0 INDUSTRY 4.0 Mechanisation, Mass production, Automation, Internet of things, steam power, assembly line, computers, networks. weaver loom. electrical energy. electronics.

296 views • 3 slides
Web Evolution and WebAssembly David Herrera Contents Limitations of JavaScript

Web Evolution and WebAssembly David Herrera Contents Limitations of JavaScript

Web Evolution and WebAssembly David Herrera Contents Limitations of JavaScript Evolution of Web performance via asm.js WebAssembly Design Pipeline Decoding Validation Execution Examples

1.93k views • 67 slides
Concurrency What is concurrency? In computer science, concurrency is a property of systems which

Concurrency What is concurrency? In computer science, concurrency is a property of systems which

C Concurrency and Synchronization Concurrency What is concurrency? In computer science, concurrency is a property of systems which consist of computations that execute overlapped in time, and which may permit the sharing of common resources

621 views • 34 slides
Asynchronous Programming Model for Concurrency concurrency Concurrency is when two or more tasks

Asynchronous Programming Model for Concurrency concurrency Concurrency is when two or more tasks

Asynchronous Programming Model for Concurrency concurrency Concurrency is when two or more tasks can start, run, and complete in overlapping time periods. It doesn't necessarily mean they'll ever both be running at the same instant. For

915 views • 24 slides
with WebAssembly Boyan Mihaylov @boyanio boyan.io https://github.com/boyanio/wasm-class/

with WebAssembly Boyan Mihaylov @boyanio boyan.io https://github.com/boyanio/wasm-class/

In-depth hands-on experience with WebAssembly Boyan Mihaylov @boyanio boyan.io https://github.com/boyanio/wasm-class/ @boyanio WebAssembly ( WASM ) is compiler target for programs on the Web @boyanio function add(a, b) { return a + b; }

962 views • 41 slides
Concurrency Control Ensuring Isolation 354 Concurrency control Concurrency To increase

Concurrency Control Ensuring Isolation 354 Concurrency control Concurrency To increase

Concurrency Control Ensuring Isolation 354 Concurrency control Concurrency To increase throughput and response time, a DBMS will execute multiple trans- actions at the same time. Concurrency control ensures that transactions have the same e ff

628 views • 29 slides
Adventures in Mechanising and Verifying WebAssembly Conrad Watt University of Cambridge, UK

Adventures in Mechanising and Verifying WebAssembly Conrad Watt University of Cambridge, UK

Adventures in Mechanising and Verifying WebAssembly Conrad Watt University of Cambridge, UK Formal Methods Meets JavaScript, VeTSS Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 1 / 21 The webs evolution We want richer web

521 views • 21 slides
Concurrency: Mutual Exclusion and Synchronization Chapter 5 1 Concurrency Concurrency arises

Concurrency: Mutual Exclusion and Synchronization Chapter 5 1 Concurrency Concurrency arises

Concurrency: Mutual Exclusion and Synchronization Chapter 5 1 Concurrency Concurrency arises in 3 different contexts: Multiple applications Multiprogramming: time slicing Structured applications Develop a single application

1.09k views • 62 slides
A constructive Coq library for the mechanisation of undecidability Yannick Forster and Dominique

A constructive Coq library for the mechanisation of undecidability Yannick Forster and Dominique

A constructive Coq library for the mechanisation of undecidability Yannick Forster and Dominique Larchey-Wendling MLA 2019 March 13 saarland university computer science Y. Forster and D. Larchey-Wendling Coq library of undecidability MLA

1.32k views • 92 slides
New Kid on the Web: A Study on the Prevalence of WebAssembly in the Wild Marius Musch TU

New Kid on the Web: A Study on the Prevalence of WebAssembly in the Wild Marius Musch TU

New Kid on the Web: A Study on the Prevalence of WebAssembly in the Wild Marius Musch TU Braunschweig Together with Christian Wressnegger, Martin Johns, and Konrad Rieck The native Web Previous attempts at native performance Adobes

783 views • 18 slides
Concurrency: Mutual Exclusion and Synchronization Chapter 5 1 Concurrency Multiple

Concurrency: Mutual Exclusion and Synchronization Chapter 5 1 Concurrency Multiple

2/24/10 Concurrency: Mutual Exclusion and Synchronization Chapter 5 1 Concurrency Multiple applications Structured applications Operating system structure 2 1 2/24/10 Concurrency 3 Difficulties of Concurrency Sharing of

217 views • 11 slides
The Internet Computer Tonight well explore . . . The need for a new global business and

The Internet Computer Tonight well explore . . . The need for a new global business and

The Internet Computer Tonight well explore . . . The need for a new global business and information infrastructure The emergence of a new computing paradigm: WebAssembly & Cloud 3.0 Combining WebAssembly & Blockchain The importance

752 views • 28 slides

More recommend