Current Techniques in Language-based Security David Walker COS 597B With slides stolen from: Steve Zdancewic University of Pennsylvania
COS 597B2 Abstract Stack Inspection Abstract permissions p,q Permissions R,S Principals (sets of permissions) Hide the details of classloading, etc. Examples: System = {fileWrite(“f1”), fileWrite(“f2”),…} Applet = {fileWrite(“f1”)}
COS 597B3 sec Syntax Language syntax: e,f ::= expressions xvariable x.efunction e fapplication R{e}framed expr enable p in eenable test p then e else fcheck perm. fail failure v ::= x | x.evalues o ::= v | failoutcome
COS 597B4 Framing a Term Models the Classloader that marks the (unframed) code with its protection domain: R[x] = x R[ x.e] = x.R{R[e]} R[e f] = R[e] R[f] R[enable p in e] = enable p in R[e] R[test p then e else f] = test p then R[e] else R[f] R[fail] = fail
COS 597B5 Example readFile = fileName.System{ test fileWrite(fileName) then … // primitive file IO (native code) else fail } Applet{readFile “f2”} fail System{readFile “f2”}
COS 597B6 sec Operational Semantics Evaluation contexts: E ::= []Hole E eEval. Function v EEval. Arg. enable p in ETagged frame R{E} Frame E models the control stack
COS 597B7 sec Operational Semantics E[( x.e) v] E[e{v/x}] E[enable p in v] E[v] E[R{v}] E[v] E[fail] fail E[test p then e else f] E[e] if Stack(E) |-- p E[test p then e else f] E[f] if (Stack(E) |-- p) e o iff e * o Stack Inspection
COS 597B8 Example Evaluation Context Applet{readFile “f2”} E = Applet{[]} r = readFile “f2”
COS 597B9 Example Evaluation Context E = Applet{[]} r = ( fileName.System{ test fileWrite(fileName) then … // primitive file IO (native code) else fail } ) “f2” Applet{readFile “f2”}
COS 597B10 Example Evaluation Context Applet{readFile “f2”} E = Applet{[]} r = System{ test fileWrite(“f2”) then … // primitive file IO (native code) else fail }
COS 597B11 Example Evaluation Context Applet{System{ test fileWrite(“f2”) then … // primitive file IO (native code) else fail }}
COS 597B12 Example Evaluation Context Applet{System{ test fileWrite(“f2”) then … // primitive file IO (native code) else fail }} E’ = Applet{System{[]}} r’ = test fileWrite(“f2”) then … // primitive file IO (native code) else fail
COS 597B13 Formal Stack Inspection E’ = Applet{System{[]}} r’ = test fileWrite(“f2”) then … // primitive file IO (native code) else fail When does stack E’ allow permission fileWrite(“f2”)? Stack(E’) |-- fileWrite(“f2”)
COS 597B14 Stack of an Eval. Context Stack([]) =. Stack(E e) = Stack(E) Stack(v E) = Stack(E) Stack(enable p in E) = enable(p).Stack(E) Stack(R{E}) = R.Stack(E) Stack(E’) = Stack(Applet{System{[]}}) = Applet.Stack(System{[]}) = Applet.System.Stack([]) = Applet.System.
COS 597B15 Abstract Stack Inspection. |-- p empty stack axiom x |-- p p R x.R |-- p x |-- p x.enable(q) |-- p protection domain check p q irrelevant enable x |= p x.enable(p) |-- p check enable
COS 597B16 Abstract Stack Inspection. |= p empty stack enables all p R x.R |= p enable succeeds* x |= p x.enable(q) |= p irrelevant enable * Enables should occur only in trusted code
COS 597B17 Equational Reasoning e iff there exists o such that e o Let C[] be an arbitrary program context. Say that e = e’ iff for all C[], if C[e] and C[e’] are closed then C[e] iff C[e’] .
COS 597B18 Equational Reasoning Question: Why not: e = e’ iff for all C[], if C[e] and C[e’] are closed then C[e] o iff C[e’] o’ and o = o’.
COS 597B19 Equational Reasoning Question: Why not: e = e’ iff for all C[], if C[e] and C[e’] are closed then C[e] o iff C[e’] o’ and o = o’. Reasoning is cyclic if o and o’ are functions x.e’’ and x.e’’’: we suddenly need to ask if e’’ = e’’’
COS 597B20 Equational Reasoning Question: Why not: e = e’ iff for all C[], if C[e] and C[e’] are closed then C[e] o iff C[e’] o’ and o = o’. If we want to test whether e v and e’ v’ and v = v’ we can always do it using the appropriate context: C = if [ ] then loop () else ()
COS 597B21 Example Inequality ok = x.x loop = ( x.x x)( x.x x) (note: loop ) f = x. let z = x ok in _.z g = x. let z = x ok in _.(x ok) Claim: f ≠ g Proof: Let C[] = {[] _.test p then loop else ok} ok
COS 597B22 Example Continued C[f]= {f _.test p then loop else ok} ok {let z = ( _.test p then loop else ok) ok in _.z} ok {let z = test p then loop else ok in _.z} ok {let z = ok in _.z} ok { _.ok} ok ( _.ok) ok ok
COS 597B23 Example Continued C[g]= {g _.test p then loop else ok} ok {let z = ( _.test p then loop else ok) ok in _.(( _.test p then loop else ok) ok)} ok {let z = test p then loop else ok in _. (( _.test p then loop else ok) ok)} ok {let z = ok in _. (( _.test p then loop else ok) ok)} ok { _. (( _.test p then loop else ok) ok)} ok ( _. (( _.test p then loop else ok) ok)) ok ( _.test p then loop else ok) ok test p then loop else ok loop loop loop loop …
COS 597B24 Example Applications Eliminate redundant annotations: x.R{ y.R{e}} = x. y.R{e} Decrease stack inspection costs: e = test p then (enable p in e) else e
COS 597B25 Axiomatic Equivalence Can give a sound set of equations that characterize =. Example axioms: is a congruence (preserved by contexts) ( x.e) v e{v/x} (beta equivalence) enable p in (enable q in e) enable q in (enable p in e) R S R{S{e}} S{e} R{S{enable p in e}} R {p}{S{enable p in e}} …
COS 597B26 Example: Tail Calls Ordinary evaluation: R{( x.S{e}) v} R{S{e{v/x}}} Tail-call eliminated evaluation: R{( x.S{e}) v} S{e{v/x}} Not sound in general! But OK in special cases.
COS 597B27 Example: Tail Calls Suppose R S. Then: R{( x.S{e}) v} R{S{e{v/x}}} S{e{v/x}} S{e}{v/x} ( x.S{e}) v In particular, code within a protection domain can safely make tail calls to other code in that domain.
COS 597B28 Example: Higher-order Code main = System [ h.(h ok ok)] fileHandler = System[ s. c. _.c (readFile s)] leak = Applet[ s.output s] main( _.Applet{fileHandler “f2” leak})
COS 597B29 Example: Higher-order Code main( _.Applet{fileHandler “f2” leak}) *System{Applet{fileHandler “f2” leak} okS} *System{Applet{System{System{ _.System{leak (readFile “f2”)}}}} okS} *System{ _.System{leak (readFile “f2”)} okS} * System{System{leak }} * System{System{Applet{output }}} * System{System{Applet{ok}}} * ok
COS 597B30 Discussion Problem: Applets returning closures that circumvent stack inspection. Possible solution: Values of the form: R{v} (i.e. keep track of the protection domain of the source) Similarly, one could have closures capture their current security context Integrity analysis (i.e. where data comes from) Fournet & Gordon prove some properties of strengthened versions of stack inspection.
COS 597B31 Conclusions What security principles does the Java model obey? To what extent? Open design? Economy of mechanism? Minimal trusted computing base? Security as process? Least privilege? Fail-safe defaults? Psychological acceptability?