Checking Cryptographic API Specifications in JavaScript Duncan Mitchell Submitted in fulfillment for the degree of Doctor of Philosophy Department of Computer Science Royal Holloway, University of London Declaration of Authorship The work presented in this thesis is the result of original research carried out by myself, in collaboration with others, whilst enrolled in the Depart- ment of Computer Science as a candidate for the degree of Doctor of Phi- losophy. This work has not been submitted for any other degree or award in any other university or educational establishment. Duncan Mitchell September 2019 i Acknowledgments I would like to thank my supervisor and academic mentor Johannes Kinder for his advice and guidance throughout this journey. His faith in me and drive for me to succeed have been an invaluable source of encouragement. I would like to thank all my lab mates for creating an enjoyable and con- genial place to undertake this PhD. In particular, to Blake Loring for our fruitful collaborations and his work on ExpoSE, and to Thomas van Bins- bergen for being so welcoming and generous with his time. I would also like to thank Claudio Rizzo and James Patrick-Evans for proof-reading and technical discussions, but most importantly good company. To Dave Cohen, Carlos Matos, Jasper Lyons and Matthew Hague: thank you for the opportunity to enrich my research life through teaching. I would like to thank Calum and Dan for taking a close interest in my work and their enthusiasm for my future. To my parents, for fostering my love of science, technology and mathe- matics, for their unfailing support and for every opportunity that bought me to this point. Finally, to Holly, my rock: without you, I would not be writing this. iii Abstract Increased awareness of privacy concerns on the Internet has encouraged developers towards implementing strong cryptography by default, in a trend dubbed “ubiquitous encryption”. For instance, web applications for messaging platforms routinely implement client-side cryptography in JavaScript for true end-to-end encryption. The standardization of cryp- tographic APIs in JavaScript through the W3C Web Cryptography API, WebCrypto, has made strong cryptography available to non-expert web developers. However, cryptographic APIs are often hard to use correctly; the clash between the agile mindset of JavaScript developers and the re- quirements of secure software engineering leads to lingering problems. Further, JavaScript’s dynamic types and often surprising semantics make it difficult to spot subtle security bugs, and such errors do not lead to fail- ing test cases or visible errors. In this thesis, we propose an automatic mechanism for the detection of incorrect usage of cryptographic APIs in JavaScript. We introduce a sys- tem of Security Annotations: type-like tags which express security proper- ties of values, e.g., whether a value is a ciphertext, or a cryptographically secure random value. Security Annotations are transparent to client code until they encounter an error, in which case the program under test fails. We formalize the notion of Security Annotations in a small lambda calcu- lus, and use this to motivate the design of Security Annotations within an executable formal semantics for JavaScript. We construct a specification of v the WebCrypto API and prove security guarantees in this setting. Finally, we implement Security Annotations within full JavaScript via source code instrumentation and use this to analyze both hand-crafted examples and real-world JavaScript applications. vi Contents 1 Introduction1 1.1 Context . .1 1.1.1 Cryptography . .1 1.1.2 Implementing Cryptography . .2 1.1.3 Detecting Cryptographic Errors . .4 1.1.4 JavaScript and Cryptography . .5 1.2 The Problem . .7 1.3 The Approach . .8 1.4 Analyzing String Manipulating Programs . 10 1.5 Contributions . 12 2 Background 15 2.1 Analyzing Cryptographic Implementations . 15 2.2 Analyzing JavaScript Programs . 18 2.3 JavaScript and Cryptography . 22 2.4 Test Generation for JavaScript . 27 2.4.1 A Primer on Dynamic Symbolic Execution . 28 2.4.2 ExpoSE: Practical DSE for JavaScript . 30 3 Structure of Security Annotations 33 3.1 What are Security Annotations? . 34 3.2 Formalizing Security Annotations . 39 3.3 The cut Operator . 47 vii Contents 3.4 Related Work . 49 4 A Lambda Calculus of Security Annotations 51 4.1 Design Decisions for λSA ..................... 51 4.2 Syntax of λSA ............................ 55 4.3 Dynamics . 57 4.4 Statics . 59 4.4.1 A Subtyping Relation . 59 4.4.2 Annotated typing rules for λSA ............. 61 4.5 Manipulating Security Annotations in λSA ........... 63 4.6 Annotated Type Safety for λSA .................. 68 4.6.1 Preservation for λSA ................... 68 4.6.2 Progress for λSA ...................... 76 4.6.3 Discussion . 78 4.7 Related Work . 80 5 A Semantics for Security Annotations in JavaScript 81 5.1 Working with a semantics for JavaScript . 82 5.2 A More Complex Language . 83 5.3 Syntax of S5SA ........................... 87 5.4 Semantics for S5SA ........................ 88 5.4.1 Coercing Security Annotations . 88 5.4.2 Checking Security Annotations . 90 5.4.3 Completing S5SA ..................... 91 5.5 Implementing S5SA ........................ 93 5.5.1 Declaring Annotations . 93 5.5.2 Deciding ≺:......................... 96 5.5.3 Adapting The Semantics of S5SA ............ 96 5.5.4 Mechanizing Functions . 98 5.6 Executing JavaScript in S5SA ................... 99 viii Contents 5.7 Using S5SA: A Case Study . 102 5.8 Properties of S5SA Programs . 106 5.8.1 Safety Guarantees . 106 5.8.2 Security Guarantees . 109 5.8.3 Security Guarantees in Practice . 110 5.8.4 Limitations . 112 5.9 Related Work . 115 6 Sound Regular Expression Semantics for the Dynamic Sym- bolic Execution of JavaScript 117 6.1 ECMAScript Regex . 119 6.2 Approach . 122 6.3 Modeling ES6 Regex . 127 6.3.1 Preprocessing . 127 6.3.2 Operators and Capture Groups . 129 6.3.3 Backreferences . 131 6.3.4 Modeling Non-membership . 134 6.4 Matching Precedence Refinement . 135 6.4.1 Matching Precedence . 135 6.4.2 Termination of the Scheme . 138 6.4.3 Soundness of the Model . 138 6.5 Modeling the ES6 Regex API . 139 6.6 Consequences of this Model . 140 6.7 Related Work . 141 7 Security Annotations for JavaScript 145 7.1 Implementation . 145 7.1.1 Security Annotations . 146 7.1.2 Attaching Annotations . 147 7.1.3 Complications: Annotating Objects. 148 ix Contents 7.1.4 Manipulating Annotations . 151 7.2 Establishing Faithfulness . 153 7.3 A Testing Strategy for the Detection of Cryptographic Errors 155 7.4 From S5SA to ExpoSESA ...................... 156 7.5 Case Studies . 162 7.5.1 secret-notes . 162 7.5.2 hat.sh: A File Encryption Serivce . 167 8 Conclusions 173 Bibliography 177 x List of Figures 2.1 The ExpoSE architecture [60]. 31 3.1 The atomic Security Annotation hierarchy for Listing 3.1. 41 4.1 Syntax of λSA: programs, terms, values and prevalues. 56 4.2 Syntax of λSA: types, environments and Security Annotations. 57 4.3 Runtime semantics for λSA.................... 59 4.4 Annotated subtyping rules for λSA................ 60 4.5 Static semantics for λSA...................... 61 4.6 Adding Security Annotations within λSA............ 64 4.7 Removing Security Annotations within λSA........... 65 4.8 Copying Security Annotations within λSA............ 66 5.1 The reduction relations for S5 [81]. 82 5.2 The syntax of S5 [81]. 84 5.3 Syntax modifications to add Security Annotations to S5. 86 5.4 Judgments for coercing annotations: as, drop and cpAnn... 89 5.5 Function application with Security Annotation enforcement. 90 5.6 Judgments for setting, deleting and adding fields. 92 5.7 Judgments for SecAnn....................... 94 5.8 Judgments for SecAnn Extends................. 95 5.9 Reduction relations enriched with the annotation store. 98 5.10 Judgments for as enriched with the annotation store. 99 xi List of Figures 5.11 Function application enriched with an annotation store. 100 xii List of Listings 2.1 A program using async/await ................. 25 2.2 A simple branching JavaScript program. 29 3.1 An annotated shim of WebCrypto’s encrypt API. 38 4.1 Typing the if construct. 63 4.2 Typing the drop operator. 65 4.3 Typing the cpAnn operator. 66 5.1 A simple JavaScript program using Security Annotations. 85 5.2 The S5SA program corresponding to Listing 5.1. 85 5.3 An annotated shim for a fragment of the WebCrypto API. 104 5.4 Case Study: constructing the IV. 105 5.5 Case Study: the developer’s encrypt function. 105 6.1 Using complex regex features to match an XML tag. 124 7.1 Annotating a JavaScript Value. 148 7.2 Annotating objects vs. their references. 149 7.3 A mock for WebCrypto’s decrypt method. 158 7.4 A shim for WebCrypto’s decrypt method. 159 7.5 Modifications to test an application in ExpoSESA........ 160 7.6 Processing the message to be sent. 161 xiii List of Listings 7.7 A testing harness for the integrity tutorial in secret-notes. 164 7.8 Shims for digest and verify.................. 165 7.9 Extending the shim for deriveKey................ 166 7.10 Deriving a key from a password in hat.sh [93]. 169 7.11 Automatically generating a password in hat.sh [93]. 170 xiv List of Tables 2.1 Cryptographic algorithms supported by WebCrypto. 26 6.1 Regular expression operators, separated by classes of prece- dence. 122 6.2 Models for regex operators. 130 6.3 Modeling backreferences. 132 6.4 Contribution of different components of the model to test- ing 1; 131 NPM packages, showing number (#) and fraction (%) of packages with line coverage improvements. 141 xv Introduction 1 1.1 Context 1.1.1 Cryptography In the modern world, cryptography is ubiquitous.