Current Techniques in Language-based Security (David Walker, COS 597B; with slides stolen from Steve Zdancewic, University of Pennsylvania)


Page 1: Current Techniques in Language-based Security

Current Techniques in Language-based Security

David Walker, COS 597B

With slides stolen from: Steve Zdancewic, University of Pennsylvania

Page 2: Current Techniques in Language-based Security

COS 597B 2

Abstract Stack Inspection

Abstract permissions:

p, q    Permissions
R, S    Principals (sets of permissions)

These hide the details of classloading, etc. Examples:

System = {fileWrite(“f1”), fileWrite(“f2”), …}
Applet = {fileWrite(“f1”)}

Page 3: Current Techniques in Language-based Security

λsec Syntax

Language syntax:

e, f ::= x                        variable
      |  λx.e                     function
      |  e f                      application
      |  R{e}                     framed expression
      |  enable p in e            enable
      |  test p then e else f     check permission
      |  fail                     failure

v ::= x | λx.e       values
o ::= v | fail       outcomes

Page 4: Current Techniques in Language-based Security

Framing a Term

Models the classloader that marks the (unframed) code with its protection domain:

R[x] = x
R[λx.e] = λx.R{R[e]}
R[e f] = R[e] R[f]
R[enable p in e] = enable p in R[e]
R[test p then e else f] = test p then R[e] else R[f]
R[fail] = fail
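The framing function R[·] above, written out in Python as an added example (not code from the slides or their authors). It assumes a tuple encoding of λsec terms, the names frame_term and count_nodes, and a constructed sample of applet code; none of these are on the slides. It makes visible what the definition only implies: the frame is attached to every function body, so it is pushed when the function is called, whichever domain the caller runs in, and the framing operation is defined on unframed code only.

```python
# lambda_sec terms as tuples (a constructed encoding, not the slides' notation):
#   ('var', x)  ('lam', x, e)  ('app', e, f)  ('frame', R, e)
#   ('enable', p, e)  ('test', p, e, f)  ('fail',)

def frame_term(R, e):
    """R[e] from slide 4: mark unframed code with protection domain R,
    the way a classloader tags the code it loads."""
    tag = e[0]
    if tag == 'var':                    # R[x] = x
        return e
    if tag == 'lam':                    # R[λx.e] = λx.R{R[e]}: the frame wraps the body,
        body = ('frame', R, frame_term(R, e[2]))   # so it is pushed at call time
        return ('lam', e[1], body)
    if tag == 'app':                    # R[e f] = R[e] R[f]
        return ('app', frame_term(R, e[1]), frame_term(R, e[2]))
    if tag == 'enable':                 # R[enable p in e] = enable p in R[e]
        return ('enable', e[1], frame_term(R, e[2]))
    if tag == 'test':                   # R[test p then e else f] = test p then R[e] else R[f]
        return ('test', e[1], frame_term(R, e[2]), frame_term(R, e[3]))
    if tag == 'fail':                   # R[fail] = fail
        return e
    # R[.] is only defined on unframed code: an already-framed term is rejected
    raise ValueError(f"cannot frame {e!r}")

def count_nodes(e, wanted):
    """Number of subterms carrying the tag `wanted` (constructed helper)."""
    return (e[0] == wanted) + sum(count_nodes(s, wanted)
                                  for s in e[1:] if isinstance(s, tuple))

# Constructed principal (as on slide 2) and constructed applet code: λx. (λy.y) x
APPLET = frozenset({'fileWrite(f1)'})
applet_code = ('lam', 'x', ('app', ('lam', 'y', ('var', 'y')), ('var', 'x')))

def framed_applet_code():
    """Applet[applet_code]: one Applet frame per lambda body, nothing else."""
    return frame_term(APPLET, applet_code)
```

Running framed_applet_code() shows exactly two Applet frames, one inside each lambda; nothing is pushed at the point where the function is defined, only where it is entered.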

Page 5: Current Techniques in Language-based Security

Example

readFile = λfileName. System{ test fileWrite(fileName)
                              then … // primitive file IO (native code)
                              else fail }

Applet{readFile “f2”} ⇓ fail
System{readFile “f2”} ⇓ <f2 contents>

Page 6: Current Techniques in Language-based Security

λsec Operational Semantics

Evaluation contexts:

E ::= []                 Hole
   |  E e                Eval. function
   |  v E                Eval. arg.
   |  enable p in E      Tagged frame
   |  R{E}               Frame

E models the control stack.

Page 7: Current Techniques in Language-based Security

λsec Operational Semantics

E[(λx.e) v]              →  E[e{v/x}]
E[enable p in v]         →  E[v]
E[R{v}]                  →  E[v]
E[fail]                  →  fail
E[test p then e else f]  →  E[e]    if Stack(E) ⊢ p
E[test p then e else f]  →  E[f]    if ¬(Stack(E) ⊢ p)

e ⇓ o iff e →* o

Stack inspection: the two test rules are the only ones that consult Stack(E).

Page 8: Current Techniques in Language-based Security

Example Evaluation Context

Applet{readFile “f2”}

E = Applet{[]}
r = readFile “f2”

Page 9: Current Techniques in Language-based Security

Example Evaluation Context

Applet{readFile “f2”}

E = Applet{[]}
r = (λfileName. System{ test fileWrite(fileName)
                        then … // primitive file IO (native code)
                        else fail }) “f2”

Page 10: Current Techniques in Language-based Security

Example Evaluation Context

Applet{readFile “f2”}

E = Applet{[]}
r = System{ test fileWrite(“f2”)
            then … // primitive file IO (native code)
            else fail }

Page 11: Current Techniques in Language-based Security

Example Evaluation Context

Applet{System{ test fileWrite(“f2”)
               then … // primitive file IO (native code)
               else fail }}

Page 12: Current Techniques in Language-based Security

Example Evaluation Context

Applet{System{ test fileWrite(“f2”)
               then … // primitive file IO (native code)
               else fail }}

E’ = Applet{System{[]}}
r’ = test fileWrite(“f2”)
     then … // primitive file IO (native code)
     else fail

Page 13: Current Techniques in Language-based Security

Formal Stack Inspection

E’ = Applet{System{[]}}
r’ = test fileWrite(“f2”)
     then … // primitive file IO (native code)
     else fail

When does stack E’ allow permission fileWrite(“f2”)?

Stack(E’) ⊢ fileWrite(“f2”)

Page 14: Current Techniques in Language-based Security

Stack of an Eval. Context

Stack([]) = .
Stack(E e) = Stack(E)
Stack(v E) = Stack(E)
Stack(enable p in E) = enable(p).Stack(E)
Stack(R{E}) = R.Stack(E)

Stack(E’) = Stack(Applet{System{[]}})
          = Applet.Stack(System{[]})
          = Applet.System.Stack([])
          = Applet.System.

Page 15: Current Techniques in Language-based Security

Abstract Stack Inspection

. ⊢ p                                            empty stack axiom

x ⊢ p,  p ∈ R        ⟹   x.R ⊢ p                 protection domain check

x ⊢ p,  p ≠ q        ⟹   x.enable(q) ⊢ p         irrelevant enable

x ⊨ p                ⟹   x.enable(p) ⊢ p         check enable

Page 16: Current Techniques in Language-based Security

Abstract Stack Inspection

. ⊨ p                                            empty stack enables all

p ∈ R                ⟹   x.R ⊨ p                 enable succeeds*

x ⊨ p,  p ≠ q        ⟹   x.enable(q) ⊨ p         irrelevant enable

* Enables should occur only in trusted code.

Page 17: Current Techniques in Language-based Security

Equational Reasoning

e⇓ iff there exists o such that e ⇓ o.

Let C[] be an arbitrary program context.

Say that e = e’ iff for all C[], if C[e] and C[e’] are closed then C[e]⇓ iff C[e’]⇓.

Page 18: Current Techniques in Language-based Security

Equational Reasoning

Question: Why not:

e = e’ iff for all C[], if C[e] and C[e’] are closed then C[e] ⇓ o iff C[e’] ⇓ o’ and o = o’.

Page 19: Current Techniques in Language-based Security

Equational Reasoning

Question: Why not:

e = e’ iff for all C[], if C[e] and C[e’] are closed then C[e] ⇓ o iff C[e’] ⇓ o’ and o = o’.

Reasoning is cyclic if o and o’ are functions λx.e’’ and λx.e’’’: we suddenly need to ask if e’’ = e’’’.

Page 20: Current Techniques in Language-based Security

Equational Reasoning

Question: Why not:

e = e’ iff for all C[], if C[e] and C[e’] are closed then C[e] ⇓ o iff C[e’] ⇓ o’ and o = o’.

If we want to test whether e ⇓ v and e’ ⇓ v’ and v = v’ we can always do it using the appropriate context:

C = if [ ] then loop () else ()

Page 21: Current Techniques in Language-based Security

Example Inequality

ok = λx.x
loop = (λx.x x)(λx.x x)      (note: loop diverges, i.e. loop⇓ does not hold)

f = λx. let z = x ok in λ_.z
g = λx. let z = x ok in λ_.(x ok)

Claim: f ≠ g

Proof: Let C[] = ∅{[] λ_.test p then loop else ok} ok, where ∅ is the principal with no permissions, so that test p fails inside the frame.

Page 22: Current Techniques in Language-based Security

Example Continued

C[f] = ∅{f λ_.test p then loop else ok} ok
     → ∅{let z = (λ_.test p then loop else ok) ok in λ_.z} ok
     → ∅{let z = test p then loop else ok in λ_.z} ok
     → ∅{let z = ok in λ_.z} ok
     → ∅{λ_.ok} ok
     → (λ_.ok) ok
     → ok

Page 23: Current Techniques in Language-based Security

Example Continued

C[g] = ∅{g λ_.test p then loop else ok} ok
     → ∅{let z = (λ_.test p then loop else ok) ok in λ_.((λ_.test p then loop else ok) ok)} ok
     → ∅{let z = test p then loop else ok in λ_.((λ_.test p then loop else ok) ok)} ok
     → ∅{let z = ok in λ_.((λ_.test p then loop else ok) ok)} ok
     → ∅{λ_.((λ_.test p then loop else ok) ok)} ok
     → (λ_.((λ_.test p then loop else ok) ok)) ok
     → (λ_.test p then loop else ok) ok
     → test p then loop else ok
     → loop → loop → loop → loop → …

By the time the second test runs, the ∅ frame has been popped, so Stack(E) is empty and the test succeeds by the empty stack axiom; C[g] therefore diverges while C[f] ⇓ ok, so f ≠ g.
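The operational semantics of slides 6 and 7, the Stack function of slide 14, the ⊢ and ⊨ rules of slides 15 and 16 and the f ≠ g argument of slides 21 to 23, brought together in one added Python example (not code from the slides or their authors). It assumes a tuple encoding of λsec terms, permissions named by strings, and a big-step evaluator with a step budget so that loop is reported as divergence instead of hanging; every function and constant name is a choice made here. The readFile example of slide 5 is instantiated directly for “f2”, with the value ok standing in for the primitive file IO. Where slide 16 gives no rule (x.enable(p) ⊨ p) the judgment is treated as not derivable.

```python
# lambda_sec terms as tuples (a constructed encoding, not the slides' notation):
#   ('var', x)  ('lam', x, e)  ('app', e, f)  ('frame', R, e)
#   ('enable', p, e)  ('test', p, e, f)  ('fail',)
# Stack(E) is a list, outermost frame first, so stack[-1] is the frame the
# slides write last in "x.R" and "x.enable(p)".  A frame is ('dom', R) with
# R a frozenset of permission names, or ('enable', p).

def allows(stack, p):
    """Stack |-- p, by the rules of slide 15."""
    if not stack:                       # empty stack axiom
        return True
    kind, arg = stack[-1]
    if kind == 'dom':                   # protection domain check: p in R and x |-- p
        return p in arg and allows(stack[:-1], p)
    if arg != p:                        # irrelevant enable
        return allows(stack[:-1], p)
    return enables(stack[:-1], p)       # check enable: x |= p

def enables(stack, p):
    """Stack |= p, by the rules of slide 16."""
    if not stack:                       # empty stack enables all
        return True
    kind, arg = stack[-1]
    if kind == 'dom':                   # enable succeeds iff the enabling frame holds p;
        return p in arg                 # frames further down are not consulted
    if arg != p:                        # irrelevant enable
        return enables(stack[:-1], p)
    return False                        # x.enable(p) |= p: no rule on the slides

class Fail(Exception):
    """The outcome fail."""

class OutOfFuel(Exception):
    """Step budget exhausted; reported as divergence."""

def ev(e, env, stack, fuel):
    """Big-step evaluation under an explicit stack; env maps variables to closures."""
    fuel[0] -= 1
    if fuel[0] < 0:
        raise OutOfFuel
    tag = e[0]
    if tag == 'var':
        return env[e[1]]
    if tag == 'lam':
        return ('clo', e[1], e[2], env)
    if tag == 'fail':                   # E[fail] -> fail
        raise Fail
    if tag == 'app':                    # E e, then v E, then the body under the caller's stack
        _, x, body, cenv = ev(e[1], env, stack, fuel)
        arg = ev(e[2], env, stack, fuel)
        return ev(body, {**cenv, x: arg}, stack, fuel)
    if tag == 'frame':                  # Stack(R{E}) = R.Stack(E); E[R{v}] -> E[v] on return
        return ev(e[2], env, stack + [('dom', e[1])], fuel)
    if tag == 'enable':                 # Stack(enable p in E) = enable(p).Stack(E)
        return ev(e[2], env, stack + [('enable', e[1])], fuel)
    if tag == 'test':                   # branch on Stack(E) |-- p
        return ev(e[2] if allows(stack, e[1]) else e[3], env, stack, fuel)
    raise ValueError(f"bad term {e!r}")

def run(e, fuel=400):
    """Outcome of a closed term: 'value', 'fail' or 'diverges' (budget exhausted)."""
    try:
        ev(e, {}, [], [fuel])
        return 'value'
    except Fail:
        return 'fail'
    except OutOfFuel:
        return 'diverges'

# Slide 5 instantiated for "f2"; ok stands in for the primitive file IO.
ok = ('lam', 'x', ('var', 'x'))
P = 'fileWrite(f2)'
SYSTEM = frozenset({'fileWrite(f1)', 'fileWrite(f2)'})
APPLET = frozenset({'fileWrite(f1)'})
read_f2 = ('frame', SYSTEM, ('test', P, ok, ('fail',)))

def read_f2_from(domain):
    """domain{ System{ test fileWrite(f2) then ok else fail } }."""
    return run(('frame', domain, read_f2))

# Slides 21-23: C[f] converges and C[g] diverges, hence f != g.
omega = ('lam', 'x', ('app', ('var', 'x'), ('var', 'x')))
loop = ('app', omega, omega)

def let(z, e1, e2):                     # let z = e1 in e2, encoded as (λz.e2) e1
    return ('app', ('lam', z, e2), e1)

f = ('lam', 'x', let('z', ('app', ('var', 'x'), ok), ('lam', '_', ('var', 'z'))))
g = ('lam', 'x', let('z', ('app', ('var', 'x'), ok),
                     ('lam', '_', ('app', ('var', 'x'), ok))))

def context(hole):
    """C[] = ∅{[] λ_.test p then loop else ok} ok, with ∅ the empty principal."""
    probe = ('lam', '_', ('test', 'p', loop, ok))
    return ('app', ('frame', frozenset(), ('app', hole, probe)), ok)
```

run(context(f)) returns 'value' while run(context(g)) returns 'diverges': in C[g] the test is re-executed after the ∅ frame has been popped, so allows sees the empty stack and the empty stack axiom lets it through to loop. The same runner shows the asymmetry of framing that the readFile example relies on: read_f2_from(APPLET) is 'fail' although run(read_f2) is 'value', so an outer frame can only be dropped when its principal is at least as privileged as the inner one, and allows([('dom', APPLET), ('dom', SYSTEM), ('enable', P)], P) is True even though Applet is on the stack, which is the amplification the footnote on slide 16 warns about.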

Page 24: Current Techniques in Language-based Security

Example Applications

Eliminate redundant annotations:

λx.R{λy.R{e}} = λx.λy.R{e}

Decrease stack inspection costs:

e = test p then (enable p in e) else e

Page 25: Current Techniques in Language-based Security

Axiomatic Equivalence

Can give a sound set of equations that characterize =. Example axioms:

• ≡ is a congruence (preserved by contexts)
• (λx.e) v ≡ e{v/x}   (beta equivalence)
• enable p in (enable q in e) ≡ enable q in (enable p in e)
• R ⊇ S  ⟹  R{S{e}} ≡ S{e}
• R{S{enable p in e}} ≡ (R ∪ {p}){S{enable p in e}}
• …

Page 26: Current Techniques in Language-based Security

Example: Tail Calls

Ordinary evaluation:
R{(λx.S{e}) v} → R{S{e{v/x}}}

Tail-call eliminated evaluation:
R{(λx.S{e}) v} → S{e{v/x}}

Not sound in general! But OK in special cases.

Page 27: Current Techniques in Language-based Security

Example: Tail Calls

Suppose R ⊇ S. Then:

R{(λx.S{e}) v} → R{S{e{v/x}}} ≡ S{e{v/x}} = S{e}{v/x} ← (λx.S{e}) v

In particular, code within a protection domain can safely make tail calls to other code in that domain.

Page 28: Current Techniques in Language-based Security

Conclusions

What security principles does the Java model obey? To what extent?

Open design? Economy of mechanism? Minimal trusted computing base? Security as process? Least privilege? Fail-safe defaults? Psychological acceptability?