Upload
etan
View
40
Download
0
Embed Size (px)
DESCRIPTION
Current Techniques in Language-based Security. David Walker COS 597B With slides stolen from: Steve Zdancewic University of Pennsylvania. Abstract Stack Inspection. Abstract permissions p,q Permissions R,S Principals (sets of permissions) Hide the details of classloading, etc. - PowerPoint PPT Presentation
Citation preview
Current Techniques in Language-based Security
David WalkerCOS 597B
With slides stolen from:Steve ZdancewicUniversity of Pennsylvania
COS 597B 2
Abstract Stack Inspection Abstract permissions
p,q Permissions R,S Principals (sets of permissions)
Hide the details of classloading, etc. Examples:
System = {fileWrite(“f1”), fileWrite(“f2”),…}Applet = {fileWrite(“f1”)}
COS 597B 3
sec Syntax Language syntax:
e,f ::= expressions x variable x.e function e f application R{e} framed expr enable p in e enable test p then e else f check perm. fail failure
v ::= x | x.e valueso ::= v | fail outcome
COS 597B 4
Framing a Term Models the Classloader that marks the
(unframed) code with its protection domain:
R[x] = xR[x.e] = x.R{R[e]}
R[e f] = R[e] R[f] R[enable p in e] = enable p in R[e]
R[test p then e else f] = test p then R[e] else R[f]
R[fail] = fail
COS 597B 5
Example
readFile = fileName.System{ test fileWrite(fileName) then
… // primitive file IO (native code) else fail }
Applet{readFile “f2”} fail System{readFile “f2”} <f2 contents>
COS 597B 6
sec Operational Semantics Evaluation contexts:
E ::= [] Hole E e Eval. Function
v E Eval. Arg.enable p in E Tagged frame
R{E} Frame
E models the control stack
COS 597B 7
sec Operational Semantics E[(x.e) v] E[e{v/x}]
E[enable p in v] E[v]E[R{v}] E[v] E[fail] failE[test p then e else f] E[e] if Stack(E) |-- pE[test p then e else f] E[f] if (Stack(E) |-- p)
e o iff e * o
Stack Inspection
COS 597B 8
Example Evaluation Context
Applet{readFile “f2”}
E = Applet{[]}r = readFile “f2”
COS 597B 9
Example Evaluation Context
E = Applet{[]}r = (fileName.System{ test fileWrite(fileName) then
… // primitive file IO (native code) else fail } ) “f2”
Applet{readFile “f2”}
COS 597B 10
Example Evaluation Context
Applet{readFile “f2”}
E = Applet{[]}r = System{ test fileWrite(“f2”) then
… // primitive file IO (native code) else fail }
COS 597B 11
Example Evaluation Context
Applet{System{ test fileWrite(“f2”) then
… // primitive file IO (native code) else fail }}
COS 597B 12
Example Evaluation Context
Applet{System{ test fileWrite(“f2”) then
… // primitive file IO (native code) else fail }}
E’ = Applet{System{[]}}r’ = test fileWrite(“f2”) then
… // primitive file IO (native code) else fail
COS 597B 13
Formal Stack Inspection
E’ = Applet{System{[]}}r’ = test fileWrite(“f2”) then
… // primitive file IO (native code) else fail
When does stack E’ allow permissionfileWrite(“f2”)?
Stack(E’) |-- fileWrite(“f2”)
COS 597B 14
Stack of an Eval. Context
Stack([]) = .Stack(E e) = Stack(E)Stack(v E) = Stack(E)Stack(enable p in E) = enable(p).Stack(E)Stack(R{E}) = R.Stack(E)
Stack(E’) = Stack(Applet{System{[]}}) = Applet.Stack(System{[]}) = Applet.System.Stack([]) = Applet.System.
COS 597B 15
Abstract Stack Inspection
. |-- p empty stack axiom
x |-- p p Rx.R |-- p
x |-- px.enable(q) |-- p
protection domain check
p q irrelevant enable
x |= px.enable(p) |-- p
check enable
COS 597B 16
Abstract Stack Inspection
. |= p empty stack enables all
p Rx.R |= p enable succeeds*
x |= px.enable(q) |=
p
irrelevant enable
* Enables should occur only in trusted code
COS 597B 17
Equational Reasoning
e iff there exists o such that e o
Let C[] be an arbitrary program context.
Say that e = e’ iff for all C[], if C[e] and C[e’] are closed then C[e] iff C[e’].
COS 597B 18
Equational Reasoning
Question: Why not:
e = e’ iff for all C[], if C[e] and C[e’] are closed then C[e]o iff C[e’]o’ and o = o’.
COS 597B 19
Equational Reasoning
Question: Why not:
e = e’ iff for all C[], if C[e] and C[e’] are closed then C[e]o iff C[e’]o’ and o = o’.
Reasoning is cyclic if o and o’ are functions x.e’’ and x.e’’’: we suddenly need to ask ife’’ = e’’’
COS 597B 20
Equational Reasoning
Question: Why not:
e = e’ iff for all C[], if C[e] and C[e’] are closed then C[e]o iff C[e’]o’ and o = o’.
If we want to test whether e v and e’ v’and v = v’ we can always do it using theappropriate context:
C = if [ ] then loop () else ()
COS 597B 21
Example Inequality
ok = x.xloop = (x.x x)(x.x x) (note: loop )
f = x. let z = x ok in _.zg = x. let z = x ok in _.(x ok)
Claim: f ≠ g
Proof:Let C[] = {[] _.test p then loop else ok} ok
COS 597B 22
Example Continued
C[f] = {f _.test p then loop else ok} ok • {let z = (_.test p then loop else ok) ok in _.z} ok• {let z = test p then loop else ok in _.z} ok• {let z = ok in _.z} ok• {_.ok} ok• (_.ok) ok• ok
COS 597B 23
Example Continued
C[g] = {g _.test p then loop else ok} ok• {let z = (_.test p then loop else ok) ok in _.((_.test p then loop else ok) ok)} ok• {let z = test p then loop else ok in _. ((_.test p then loop else ok) ok)} ok• {let z = ok in _. ((_.test p then loop else ok) ok)} ok• {_. ((_.test p then loop else ok) ok)} ok• (_. ((_.test p then loop else ok) ok)) ok• (_.test p then loop else ok) ok• test p then loop else ok• loop loop loop loop …
COS 597B 24
Example Applications
Eliminate redundant annotations:
x.R{y.R{e}} = x.y.R{e}
Decrease stack inspection costs:
e = test p then (enable p in e) else e
COS 597B 25
Axiomatic Equivalence
Can give a sound set of equations that characterize =. Example axioms:
• is a congruence (preserved by contexts)
• (x.e) v e{v/x} (beta equivalence)
• enable p in (enable q in e) enable q in (enable p in e)
• R S R{S{e}} S{e} • R{S{enable p in e}} R{p}{S{enable p in e}}…
COS 597B 26
Example: Tail Calls
Ordinary evaluation:R{(x.S{e}) v} R{S{e{v/x}}}
Tail-call eliminated evaluation:R{(x.S{e}) v} S{e{v/x}}
Not sound in general!
But OK in special cases.
COS 597B 27
Example: Tail Calls
Suppose R S. Then:
R{(x.S{e}) v} R{S{e{v/x}}} S{e{v/x}} S{e}{v/x} (x.S{e}) v
In particular, code within a protection domain can safely make tail calls to
other code in that domain.
COS 597B 31
Conclusions What security principles does the Java
model obey? To what extent? Open design? Economy of mechanism? Minimal trusted computing base? Security as process? Least privilege? Fail-safe defaults? Psychological acceptability?