static enforcement of security with types christian skalka and scott smith johns hopkins university
Post on 20-Dec-2015
212 views
TRANSCRIPT
![Page 1: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/1.jpg)
Static Enforcement of Security with Types
Christian Skalka and Scott Smith
Johns Hopkins University
![Page 2: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/2.jpg)
Background: PL Security
• Non-local execution of code (e.g. Applets) presents new security problems
• Some PLs provide user-level abstractions for security (Ambit, Spi-calculus, Java)
• Built-in mechanisms allow expression and enforcement of various models/policies
![Page 3: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/3.jpg)
Varieties of Security
• Dataflow ensures security of data
• Certified Code (PCC) is an extremely general framework for extensible code security
• Access Control is a flexible system of code ownership and resource authorization
![Page 4: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/4.jpg)
Varieties of Security
• Dataflow ensures security of data
• Certified Code (PCC) is an extremely general framework for extensible code security
• Access Control is a flexible system of code ownership and resource authorization
![Page 5: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/5.jpg)
Overview
• Background: PL Security
• Java JDK 1.2 and stack inspection
• Using types instead of stack inspection
• Security Types: formal properties
• Possible improvements
• Work in Progress
• Conclusion
![Page 6: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/6.jpg)
Java Security
• Java JDK 1.2 provides a system for access control and code security– possibly non-local program execution requires
protection of resources
• All code has a specified owner, granted certain privileges locally
• Resources are protected by a dynamic check (stack inspection)
![Page 7: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/7.jpg)
Stack Inspection
• Stack frames are annotated with names of owners and any enabled privileges
• During inspection, stack frames are searched from most to least recent:– fail if a frame belonging to someone not
authorized for privilege is encountered– succeed if activated privilege is found in frame
![Page 8: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/8.jpg)
Example: privileged printing
privPrint(f) = (* owned by system *){checkPrivilege(PrintPriv);print(f);
}
foreignProg() = (* owned by Joe *)
{
…; privPrint(file); …;
}
![Page 9: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/9.jpg)
Stack Inspection
(* local policy *)AccessCreds = { Joe = {???},…}
(* owned by system *)enablePriv(PrintPriv);foreignProg();
![Page 10: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/10.jpg)
Stack Inspection
(* local policy *)AccessCreds = { Joe = {PrintPriv},…}
(* owned by system *)enablePriv(PrintPriv);foreignProg();
![Page 11: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/11.jpg)
Stack Inspection
systemsystem
Main
(* local policy *)AccessCreds = { Joe = {PrintPriv},…}
(* owned by system *)enablePriv(PrintPriv);foreignProg();
![Page 12: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/12.jpg)
Stack Inspection
system
PrintPriv
system
PrintPriv
Main
(* local policy *)AccessCreds = { Joe = {PrintPriv},…}
(* owned by system *)enablePriv(PrintPriv);foreignProg();
![Page 13: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/13.jpg)
Stack Inspection
system
PrintPriv
system
PrintPriv
joejoe
Main
foreignProg
(* local policy *)AccessCreds = { Joe = {PrintPriv},…}
(* owned by system *)enablePriv(PrintPriv);foreignProg();
![Page 14: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/14.jpg)
Stack Inspection
system
PrintPriv
system
PrintPriv
joejoe
systemsystem
Main
foreignProg
privPrint
(* local policy *)AccessCreds = { Joe = {PrintPriv},…}
(* owned by system *)enablePriv(PrintPriv);foreignProg();
![Page 15: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/15.jpg)
Stack Inspection
system
PrintPriv
system
PrintPriv
joejoe
systemsystem
Main
foreignProg
privPrint
(* local policy *)AccessCreds = { Joe = {PrintPriv},…}
(* owned by system *)enablePriv(PrintPriv);foreignProg();
![Page 16: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/16.jpg)
Stack Inspection
system
PrintPriv
system
PrintPriv
joejoe
systemsystem
Main
foreignProg
privPrint
success(* local policy *)AccessCreds = { Joe = {PrintPriv},…}
(* owned by system *)enablePriv(PrintPriv);foreignProg();
![Page 17: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/17.jpg)
Stack Inspection
(* local policy *)AccessCreds = { Joe = {},…}
(* owned by system *)enablePriv(PrintPriv);foreignProg();
![Page 18: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/18.jpg)
Stack Inspection
system
PrintPriv
system
PrintPriv
joejoe
systemsystem
Main
foreignProg
privPrint
(* local policy *)AccessCreds = { Joe = {},…}
(* owned by system *)enablePriv(PrintPriv);foreignProg();
![Page 19: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/19.jpg)
Stack Inspection
system
PrintPriv
system
PrintPriv
joejoe
systemsystem
Main
foreignProg
privPrint
failure
(* local policy *)AccessCreds = { Joe = {},…}
(* owned by system *)enablePriv(PrintPriv);foreignProg();
![Page 20: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/20.jpg)
Why Stack Inspection?
• How is it different from a capability system?
• Why not just use an access control matrix and a global set of allowable privileges?– Privileges not held by current code owner are
removed from allowable set
![Page 21: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/21.jpg)
Stack Inspection: Callbacks
• Stack inspection allows security contexts
to be temporarily raised.
![Page 22: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/22.jpg)
Stack Inspection: Callbacks
(* owned by system *)
getIPaddr(url) =
{
checkPriv(IPPriv);
addr = IPlookup(url);
return addr;
}
• Stack inspection allows security contexts
to be temporarily raised:
![Page 23: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/23.jpg)
Callbacks
(* owned by system *)
appletIP(applet) =
{
enablePriv(IPPriv);
url = applet.source();return getIPaddr(url);
}
(* owned by Joe, not
authorized for IPPriv *)
getMyIP() = appletIP(this);
![Page 24: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/24.jpg)
Callbacks
(* owned by system *)
appletIP(applet) =
{
enablePriv(IPPriv);
url = applet.source();return getIPaddr(url);
}
(* owned by Joe, not
authorized for IPPriv *)
getMyIP() = appletIP(this);
joejoe
getMyIP
![Page 25: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/25.jpg)
Callbacks
(* owned by system *)
appletIP(applet) =
{
enablePriv(IPPriv);
url = applet.source();return getIPaddr(url);
}
(* owned by Joe, not
authorized for IPPriv *)
getMyIP() = appletIP(this);
joejoe
systemsystem
getMyIP
appletIP
![Page 26: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/26.jpg)
Callbacks
(* owned by system *)
appletIP(applet) =
{
enablePriv(IPPriv);
url = applet.source();return getIPaddr(url);
}
(* owned by Joe, not
authorized for IPPriv *)
getMyIP() = appletIP(this);
joejoe
system
IPPriv
system
IPPriv
getMyIP
appletIP
![Page 27: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/27.jpg)
Callbacks
(* owned by system *)
appletIP(applet) =
{
enablePriv(IPPriv);
url = applet.source();return getIPaddr(url);
}
(* owned by Joe, not
authorized for IPPriv *)
getMyIP() = appletIP(this);
joejoe
system
IPPriv
system
IPPriv
joejoe
getMyIP
appletIP
this.source
![Page 28: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/28.jpg)
Callbacks
(* owned by system *)
appletIP(applet) =
{
enablePriv(IPPriv);
url = applet.source();return getIPaddr(url);
}
(* owned by Joe, not
authorized for IPPriv *)
getMyIP() = appletIP(this);
joejoe
system
IPPriv
system
IPPriv
getMyIP
appletIP
![Page 29: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/29.jpg)
Callbacks
(* owned by system *)
appletIP(applet) =
{
enablePriv(IPPriv);
url = applet.source();return getIPaddr(url);
}
(* owned by Joe, not
authorized for IPPriv *)
getMyIP() = appletIP(this);
joejoe
system
IPPriv
system
IPPriv
systemsystem
getMyIP
appletIP
getIPaddr
![Page 30: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/30.jpg)
Callbacks
(* owned by system *)
appletIP(applet) =
{
enablePriv(IPPriv);
url = applet.source();return getIPaddr(url);
}
(* owned by Joe, not
authorized for IPPriv *)
getMyIP() = appletIP(this);
joejoe
system
IPPriv
system
IPPriv
systemsystem
getMyIP
appletIP
getIPaddr
success
![Page 31: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/31.jpg)
A Static Approach
Our thesis: types can statically enforce the Java security model.
• Unsafe programs rejected at compile time
• Need for runtime checks eliminated
• Types are a declaritive form of security policy expression and enforcement
![Page 32: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/32.jpg)
Security Type Examples
(* privPrint needs PrintPriv *)
privPrint : file -{PrintPriv}-> unit
(* PrintPriv in AccessCreds(Joe) *)
foreignProg : unit -{PrintPriv}-> t
(* PrintPriv not in AccessCreds(Joe) *)
foreignProg : *ERROR*, cannot be typed
![Page 33: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/33.jpg)
Security Type Examples
(* enables SomePriv for parameter f *)
privWrap(f) =
{enablePriv(SomePriv);
f();
}
privWrap : (unit -{SomePriv}-> unit) -{}-> unit
![Page 34: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/34.jpg)
Subtyping Security Types
• With monotypes, subtypes allow typing of more safe programs:– privWrap can safely use the identity function id, so privWrap(id)
should be typable
id : unit -{}-> unit
privWrap : (unit -{SomePriv}-> unit) -{}-> unit
![Page 35: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/35.jpg)
Subtyping Security Types
• Security requirements may safely be overestimated
C(fnlt)
u
’’’
C ’’’
unit -{}-> unit <: unit -{SomePriv}-> unitprivWrap(id) : unit
![Page 36: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/36.jpg)
Security Type Judgements
![Page 37: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/37.jpg)
p checkPriv for e : p e :
(checkpriv)
u
Security Type Judgements
![Page 38: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/38.jpg)
p ee’ : p e : ’ p e’ : ’’
u
’ (appl)
p checkPriv for e : p e :
(checkpriv)
u
Security Type Judgements
![Page 39: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/39.jpg)
p ee’ : p e : ’ p e’ : ’’
u
’ (appl)
p checkPriv for e : p e :
(checkpriv)
u
p enablePriv for e : up e :
(enablepriv)
u
A(p)
Security Type Judgements
![Page 40: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/40.jpg)
Formal Properties of the System
S, A e v
S (p, ) :: S’
S, A e secfail
• Stack Inspection is modeled in a language
with well-defined operational semantics:
(secstacks)
• Unsafe expressions reduce to secfail:
![Page 41: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/41.jpg)
Formal Properties of the System
• We prove subject reduction and type safety results for the system– Well-typed programs are not unsafe.
• We prove soundness and completeness results for a type inference algorithm– type system can be transparently layered over
existing system
![Page 42: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/42.jpg)
Type Inference
• Algorithm is standard constraint inference, plus a new constraint satisfiability check:– Privilege sets may contain variables– Privilege set variable constraints may be
recursive
• Satisfiability check is novel, efficient; correctness is proved
![Page 43: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/43.jpg)
Incompleteness of the System
• Java privileges are first-class
• Java programs can conditionally branch on presence/absence of privileges
• Paramaterized privileges, e.g.: fileRead(filename)
• Dynamic access control lists
![Page 44: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/44.jpg)
Work in Progress
• Extend type system to accurately type privilege tests
• Polymorphism
• More sophisticated language features (Java features, modules)
• Readability of types
![Page 45: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/45.jpg)
Conclusion
• Java security model is sound, but dynamic checks impose penalties
• Types can be used to enforce the model, and eliminate these penalties
• Security Types may be inferred efficiently
http://www.cs.jhu.edu/~ces/work.html
![Page 46: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/46.jpg)
Conclusion
• Java security model is sound, but dynamic checks impose penalties
• Types can be used to enforce the model, and eliminate these penalties
• Security Types may be inferred efficiently
http://www.cs.jhu.edu/~ces/work.html
![Page 47: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/47.jpg)
Conclusion
• Java security model is sound, but dynamic checks impose penalties
• Types can be used to enforce the model, and eliminate these penalties
• Security Types may be inferred efficiently
http://www.cs.jhu.edu/~ces/work.html
![Page 48: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/48.jpg)
Conclusion
• Java security model is sound, but dynamic checks impose penalties
• Types can be used to enforce the model, and eliminate these penalties
• Security Types may be inferred efficiently
http://www.cs.jhu.edu/~ces/work.html
![Page 49: Static Enforcement of Security with Types Christian Skalka and Scott Smith Johns Hopkins University](https://reader031.vdocument.in/reader031/viewer/2022032800/56649d4d5503460f94a2c649/html5/thumbnails/49.jpg)
Conclusion
• Java security model is sound, but dynamic checks impose penalties
• Types can be used to enforce the model, and eliminate these penalties
• Security Types may be inferred efficiently
http://www.cs.jhu.edu/~ces/work.html