Wednesday, February 13, 2013 - 10:00am to 11:10am
KEC 1007

Speaker Information

Ravi Chugh
PhD student
Department of Computer Science
UC San Diego

Abstract

Modern web applications are developed largely in so-called "dynamic" or "scripting" languages like JavaScript, PHP, and Python. In addition to being untyped, these languages sport several features --- run-time type tests, value-indexed dictionaries, and dynamic code loading --- that make it easy to rapidly prototype and to glue together applications from disparate components. As applications grow large, however, the lack of static typing makes it difficult to achieve reliability and maintainability. Moreover, third-party code like ads are routinely downloaded and run in the client's browser, and the flexibility of scripting languages makes it hard to ensure security.

In the first part of this talk, I will present Dependent JavaScript (DJS), a statically typed dialect that facilitates precise reasoning about JavaScript and other web scripting languages. I will describe the major obstacles that have stymied prior attempts at static reasoning for JavaScript, and I'll outline how DJS overcomes them using several key innovations based on refinement types.

In the second part of the talk, I will show how to build on DJS to verify security properties of third-party JavaScript. After describing preliminary experiments that use DJS to author provably-secure JavaScript browser extensions, I will identify several future directions of work that will lead to a platform for fine-grained web security.

Speaker Bio

Ravi Chugh is a Computer Science Ph.D. student at UC San Diego and holds master's and bachelor's degrees from the University of Pennsylvania. Ravi's primary research interest is developing programming language techniques, such as type systems and program analysis, to improve the reliability and security of modern web applications.