Posted on by Achim D. Brucker, licensed under CC BY-ND 4.0.

Formal Foundations for Provably Safe Web Components

In March, Michael Herzberg successfully passed his PhD viva, and his PhD thesis (Herzberg, 2020) is now available online. The thesis investigates one of the cornerstones of modern software development that enables the creation of sophisticated software systems: the concept of reusable software components for web applications.

The abstract of the thesis entitled “Formal Foundations for Provably Safe Web Components” reads in its entirety:

One of the cornerstones of modern software development that enables the creation of sophisticated software systems is the concept of reusable software components. Especially the fast-paced and business-driven web ecosystem is in need of a robust and safe way of reusing components. As it stands, however, the concepts and functions needed to create web components are spread out, immature, and not clearly defined, leaving much room for misunderstandings. To improve the situation, we need to look at the core of web browsers: the Document Object Model (DOM). It represents the state of a website with which users and client-side code (JavaScript) interact. Being in this central position makes the DOM the most central and critical part of a web browser with respect to safety and security, so we need to understand exactly what it does and which guarantees it provides. A well-established approach for this kind of highly critical system is to apply formal methods to mathematically prove certain properties. In this thesis, we provide a formal analysis of web components based on shadow roots, highlight their shortcomings by proving them unsafe in many circumstances, and propose suggestions to provably improve their safety. In more detail, we build a formalisation of the Core DOM in Isabelle/HOL into which we introduce shadow roots. Then, we extract novel properties and invariants that improve the often implicit assumptions of the standard. We show that the model complies with the standard by symbolically evaluating all relevant test cases from the official compliance suite successfully on our model. We introduce novel definitions of web components and their safety and classify the most important DOM API accordingly, by which we uncover surprising behavior and shortcomings. Finally, we propose changes to the DOM standard by altering our model and proving that the safety of many DOM API methods improves while leading to a less ambiguous API.
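The abstract talks about classifying DOM API methods by whether they respect the boundary of a component's shadow tree. The following is an added illustration, written for this post and not taken from the thesis or from the Archive of Formal Proofs entries: a small in-memory model of a DOM tree with a shadow root, with one lookup that stays inside the caller's tree (as the standard's `Document.getElementById` does, which only searches the tree's own descendants) and one that walks the composed tree and therefore reaches into the component. The node shape, the function names and the `crossesBoundary` check are our own simplifications, not the thesis's formal definitions.

```javascript
// Added illustration (not code from the thesis or the AFP entries): a minimal
// in-memory model of a DOM tree with shadow roots. It shows why the question
// "does this API cross a shadow boundary?" matters for component safety.
// Node shape and function names are assumptions of this example, not the DOM standard.

class DomNode {
  constructor(kind, id = null) {
    this.kind = kind;        // 'document' | 'element' | 'shadowroot'
    this.id = id;
    this.children = [];
    this.parent = null;
    this.shadowRoot = null;  // set only on an element that hosts a shadow tree
    this.host = null;        // set only on a shadow root
  }
  append(child) { child.parent = this; this.children.push(child); return child; }
  attachShadow() {
    const sr = new DomNode('shadowroot');
    sr.host = this;
    this.shadowRoot = sr;
    return sr;
  }
  // Root of the node's own tree: walking parent links stops at a shadow root,
  // because a shadow root's host is not its parent.
  root() { let n = this; while (n.parent) n = n.parent; return n; }
  // Root of the composed tree: additionally hop from a shadow root to its host.
  composedRoot() {
    let n = this;
    for (;;) {
      if (n.parent) n = n.parent;
      else if (n.host) n = n.host;
      else return n;
    }
  }
}

// Tree-scoped search, as Document.getElementById behaves in the standard:
// it never enters a shadow tree hanging off a descendant element.
function getElementById(root, id) {
  for (const c of root.children) {
    if (c.id === id) return c;
    const hit = getElementById(c, id);
    if (hit) return hit;
  }
  return null;
}

// Composed-tree search: also descends into shadow trees. Anything this finds
// that getElementById does not is, by construction, inside a component.
function findComposed(root, id) {
  const scope = root.shadowRoot ? [root.shadowRoot, ...root.children] : root.children;
  for (const c of scope) {
    if (c.id === id) return c;
    const hit = findComposed(c, id);
    if (hit) return hit;
  }
  return null;
}

// Informal boundary check (a simplification, not the thesis's definition):
// reaching `target` from `caller` crosses a shadow boundary iff the two nodes
// do not share a tree root.
function crossesBoundary(caller, target) {
  return caller.root() !== target.root();
}

// Constructed sample document: <body><widget>#shadow-root<secret-input/></widget></body>
function buildSample() {
  const doc = new DomNode('document');
  const body = doc.append(new DomNode('element', 'body'));
  const host = body.append(new DomNode('element', 'widget'));
  const sr = host.attachShadow();
  const inner = sr.append(new DomNode('element', 'secret-input'));
  return { doc, body, host, sr, inner };
}

function demo() {
  const { doc, inner } = buildSample();
  return {
    viaGetElementById: getElementById(doc, 'secret-input'),  // null: boundary respected
    viaComposed: findComposed(doc, 'secret-input'),          // inner: boundary crossed
    crosses: crossesBoundary(doc, inner),                    // true
  };
}
```

Run under Node.js; `demo()` returns `null` for the tree-scoped lookup and the inner element for the composed one. The point is not that either behaviour is wrong in itself, but that a component author can only rely on a boundary if every method of the API that is reachable from outside the component is known to stay on the `getElementById` side of that line, which is exactly the kind of classification the thesis carries out with machine-checked proofs rather than by inspection.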
Parts of the PhD thesis (Herzberg, 2020) have been published at international conferences [1], [2]. Moreover, the formalization is available in the Archive of Formal Proofs [3]–[8]:

References

[1]
A. D. Brucker and M. Herzberg, “A formal semantics of the Core DOM in Isabelle/HOL,” in The 2018 web conference companion (WWW), 2018, pp. 741–749. doi: 10.1145/3184558.3185980.
[2]
A. D. Brucker and M. Herzberg, “A formally verified model of web components,” in Formal aspects of component software (FACS), S.-S. Jongmans and F. Arbab, Eds. Heidelberg: Springer-Verlag, 2020. doi: 10.1007/978-3-030-40914-2_3.
[3]
A. D. Brucker and M. Herzberg, “The Core DOM,” Archive of Formal Proofs, Dec. 2018.
[4]
A. D. Brucker and M. Herzberg, “A formalization of web components,” Archive of Formal Proofs, Sep. 2020.
[5]
A. D. Brucker and M. Herzberg, “Shadow DOM: A formal model of the document object model with shadow roots,” Archive of Formal Proofs, Sep. 2020.
[6]
A. D. Brucker and M. Herzberg, “The safely composable DOM,” Archive of Formal Proofs, Sep. 2020.
[7]
A. D. Brucker and M. Herzberg, “Shadow SC DOM: A formal model of the safely composable document object model with shadow roots,” Archive of Formal Proofs, Sep. 2020.
[8]
A. D. Brucker and M. Herzberg, “A formalization of safely composable web components,” Archive of Formal Proofs, Sep. 2020.
