Confined Types Encapsulation and modularity Seminar November, 2005 presented by: Guy Gueta

Writing secure code Difficult task –A lot of security problems Software systems that permit untrusted and trusted code together –Loadable components

Object-oriented An objects can be pointed by many other objects Every method can be called by an adversary Defensive style – dynamic security checks –Performance problem –Bugs Protection domains

Internal (without security checks) and external objects (with security checks) –The core code can be written without security checks –Easier for security analysis (programmer, automatic) No means to enforce such a distinction –Access modifiers (visibility of methods and fields, scope of types) –Reference to sensitive objects may leak to other protection domains

Confined Types Prevent escaping of internal objects T is confined in D iff all references to instances of T are in D Enforce static scoping of dynamic object references –stronger than “ private type ”

Achieving confinement Static constraints on the definition and use of objects Compile time (better performance, compilation errors) Java –Two additional modifiers (confined, anon) –Restrictions on programs Certain programming tasks may be clumsier –Package = protection domain –Don ’ t affect the program semantics ! –Modular (dynamic loading is possible) –Simple implementation

Security breach in JDK Untrusted code can acquire extended access rights class java.lang.Class { private Identity[] signers ; public Identity[] getSigners() { return signers ; } } java.security.IdentityScope.IdentityScope.identities() = an enumeration of all identities known to the local system

Simple fix: return a copy of the internal array Nothing guarantees that similar defects are not present in other parts of the package The attack doesn ’ t interact with Identity ( ‘ private ’ can ’ t help use) Confined types: References to identity objects will never escape from the java.security package

Anonymous Methods Do not depend on the identity of the current instance Behavior is determined by: arguments and fields Essential to allow confined types to inherit methods from unconfined parents

Anonymous Methods in Java anon Anonymous method does not invoke a non- anonymous method of the same object

 Potential callers can rely on anonymity  Constructors are a special case of instance methods  Constructors may be declared anonymous  Explicit and implicit calls are made only to anonymous constructors  The Object constructor is anonymous by definition

Anonymous methods in existing code

Confined Types

Confinement in declarations C1 – confined types have private or package-local access The unnamed global package is open to extension All subtypes of a confined type are confined

Reference widening Each instance object can be stored in a object variable (java.lang.Object is not confined) Reference widening from a confined type to an unconfined supertype shouldn ’ t be allowed // package one class A { …. } // package two confined class B extends A { ….} A a = (A)(new B()); // a can leak out of package two

Reference widening assignmentvar = expdec_type(var) > static_type(exp) method callvoid method(A a) method(exp) A > static_type(exp) returnA method () {.... ; return exp;} A > static_type(exp) cast (A)(new B)A > B

Collections Confined objects should not be stored in unconfined collections –For arrays: if T is confined then T[] is confined –For the other collections: can ’ t cast to java.lang.object Use confined collections Generics

Hidden Widening class A { protected void foo() { // store this } confined class B extends A { public void boo() { foo(); ….; } this can escape from the package Solution: confined classed are not allowed to inherit from non-trivial unconfined class Better solution with anonymous methods....

class A { public void anon foo() { // …… } confined class B extends A { public void boo() { foo(); } can be checked in the defining package

Preventing transfer from the outside Can be omitted !?

Example: Public-Key Cryptography

Other Aspects Protection domain ≠ package Generics –Reduce the need for reference widening –Less code (public-key example) Software Engineering –“ strong private ” Optimizations

Summary We saw two new language mechanisms –Confined types –Anonymous methods Enforced by a set of simple syntactic constraints which can be verified statically Can be used for controlling the dissemination of object reference