Loading in 5 sec....

Current Techniques in Language-based SecurityPowerPoint Presentation

Current Techniques in Language-based Security

- 224 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about 'stackinspect3' - Gabriel

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

### Current Techniques in Language-based Security

David Walker

COS 597B

With slides stolen from:

Steve Zdancewic

University of Pennsylvania

Security Talks this Week

- My Dad's Computer, Microsoft, and the Future of Internet Security.
- Bill Cheswick, Lumeta, co-inventor of the Internet firewall
- Today at 4PM (We’ll stop class early)

- Extensible Semantics for XrML
- Vicky Weissman, Cornell
- Friday at 2:30, CS 402
- XrML (the eXtensible rights Markup Language) is a popular language in which to write software licenses. See what it is all about and how to give it a semantics.

COS 597B

Types for Stack Inspection

- Want to do static checking of lsec code
- Statically detect security failures.
- Eliminate redundant checks.
- Example of nonstandard type system for enforcing security properties.

- Type system based on work by Pottier, Skalka, and Smith:
- “A Systematic Approach to Static Access Control”

- Explain the type system by taking a detour through “security-passing” style.
- Wallach’s & Felten’s “Understanding Stack Inspection”

COS 597B

Security-passing Style

- Basic idea: Convert the “stack-crawling” form of stack inspection into a “permission-set passing style”
- Compute the set of current permissions at any point in the code.
- Make the set of permissions explicit as an extra parameter to functions (hence “security-passing style)

- Target language is a lambda calculus with a primitive datatype of sets.

COS 597B

Target Language: lset

- Language syntax:e,f ::= expressions x variablelx.e function e f application fail failure let x = e in f local decl.if pse then e else f member test se set expr.
- se ::=
S perm. set se se union se se intersection x

COS 597B

Translation: lsec to lset

- [[e]]R = “translation of e in domain R
- with s = current permissions”
- [[x]]R = x
- [[lx.e]]R = lx.ls.[[e]]R
- [[e f]]R = [[e]]R [[f]]R s
- [[let x = e in f]]R = let x = [[e]]R in [[f]R
- [[enable p in e]]R = let s = s ({p} R) in [[e]]R
- [[R’{e}]]R = let s = s R’ in [[e]]R’
- [[check p e]]R = if p s then [[e]]R else fail
- [[test p then e1 else e2]]R= if p s then [[e1]]R else [[e2]]R
- Top level translation: [[e]] = [[e]]P{P/s}

COS 597B

Example Translation

System = {“f1, “f2”, “f3”}

Applet = {“f1”}

h = System{enable “f1” in Applet{(lx. System{check “f1” then write x})“kwijibo”}}

COS 597B

Example Translation

[[h]] =

(* System *)

let s = P {“f1”, “f2”, “f3”} in

(* enable “f1” *)

let s = s ({“f1”} {“f1”, “f2”, “f3”}) in

(* Applet *)

let s = s {“f1”} in

(lx.ls.(* System *)

let s = s {“f1”, “f2”, “f3”} in if “f1” s then write x else fail)

“kwijibo” s

COS 597B

Example Translation

[[h]] =

(* System *)

let s = P {“f1”, “f2”, “f3”} in

(* enable “f1” *)

let s = s ({“f1”} {“f1”, “f2”, “f3”}) in

(* Applet *)

let s = s {“f1”} in

(lx.ls.(* System *)

let s = s {“f1”, “f2”, “f3”} in if “f3” s then write x else fail)

“kwijibo” s

Change permission check

COS 597B

Stepping Back

- Have two formulations of stack inspection: “original” and “eager”
- Have a translation to a language that manipulates sets of permissions explicitly.
- Includes the “administrative” reductions that just compute sets of permissions.
- Similar computations can be done statically!

COS 597B

Type

Current protection domain

Term

Subset of current runtime perms

Typing JudgmentsR;S;G|-- e : t

COS 597B

Form of types

- Only interesting (non administrative) change during compilation was for functions:
[[lx.e]]R = lx.ls.[[e]]R

- Source type: t u
- Target type: t s u
- The 2nd argument, is always a set, so we “specialize” the type to:t –{S} u

COS 597B

R;S’;G,x:t1 |-- e : t2

R;S;G|-- lx.e : t1 –{S’} t2

Simple Typing RulesVariables:

R;S;G|-- x : G(x)

Abstraction:

COS 597B

R;S;G|-- e : t –{S}t’

R;S;G|-- e : u

R;S;G|-- f : t

R;S;G,x:u |-- f : t

R;S;G|-- e f : t’

R;S;G|-- let x = e in f : t

More Simple Typing RulesApplication:

Let:

COS 597B

Rule for Check

Note that this typing rule requires

that the permission p is statically

known to be available.

R; S{p};G|-- e : t

R; S{p};G|-- check p then e : t

COS 597B

Typing Rules for Enable

Enable succeed:

R;S{p};G|-- e : t p R

R;S;G|-- enable p in e : t

R;S;G|-- e : t p R

Enable fail:

R;S;G|-- enable p in e : t

-- latter should be flagged as useless code

COS 597B

Rule for Test

Check the first branch under assumption

that p is present, check the else branch under assumption that p is absent.

R; S{p};G|-- e : t

R;S;G|-- f : t

R;S;G|-- test p then e else f: t

COS 597B

Rule for Protection Domains

Intersect the permissions in the static protection domain with the current permission set.

S’;SS’;G|-- e : t

R;S;G|-- S’{e}: t

COS 597B

R;S’;G|-- e : t

S’ S

R;S;G|-- e : t

Weakening (Subsumption)It is always safe to “forget” permissions.

COS 597B

Type Safety

- Theorem:If P;P;|-- e : t then either e * v or ediverges.
- In particular: e never fails. (i.e. check always succeeds)
- Proof:Preservation & Progress.

COS 597B

Example: Good Code

h = System{enable “f1” in Applet{(lx. System{check “f1” then write x})“kwijibo”}}

Then P;S;|-- h : unit for any S

COS 597B

Example: Bad Code

g = System{enable “f1” in Applet{(lx. System{check “f2” then write x})“kwijibo”}}

Then R;S;|-- g : t is not derivablefor any R,S, and t.

COS 597B

Static vs. Dynamic Checks

Calling this function requires the static permission p:

;;|-- lx.check p in x : int –{p}int

Only way to call it (assuming initial perms.are empty) is to put it in the scope of adynamic test:

test p then …can call it here…

else …may not call it here…

COS 597B

Expressiveness

- This type system is very simple
- No subtyping
- No polymorphism
- Not algorithmic
- Hard to do inference

- Can add all of these features…
- See François Pottier’s paper for a nice example.
- Uses Didier Rémy’s row types to describe the sets of permission.
- Uses HM(X) – Hindley Milner with constraints
- Also shows how to derive a type system for the source language from the translation!

COS 597B

Conclusions

- Stack inspection is a complex security mechanism
- In practice, useful for preventing some attacks
- Formal reasoning useful for understanding what optimizations preserve semantics
- Type systems or program analysis have the potential to catch “obvious” security violations at compile time where they can easily be fixed

COS 597B

Download Presentation

Connecting to Server..