1 / 47

Building a Virus-Safe Platform Don’t add security, remove insecurity

Building a Virus-Safe Platform Don’t add security, remove insecurity. Mark S. Miller Virus-Safe Computing Initiative Hewlett Packard Laboratories. This program can delete any file you can. A Very Powerful Program. Functionality vs. Security?. Integratable. Applications:

gayora
Download Presentation

Building a Virus-Safe Platform Don’t add security, remove insecurity

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Building a Virus-Safe PlatformDon’t add security, remove insecurity • Mark S. Miller • Virus-Safe Computing Initiative • Hewlett Packard Laboratories

  2. This program can delete any file you can. A Very Powerful Program Virus-Safe Computing Initiative

  3. Functionality vs. Security? Integratable Applications: User’s Authority E & CapDesk Least Authority “Sandboxing” Firewalls Applets: No Authority Isolated Dangerous Safe Virus Safe Computing Initiative

  4. A Tale of Two Copies $ cp foo.txt bar.txt vs. $ cat < foo.txt > bar.txt • Bundle permission with designation • Let “knowledge of” shape “access to” • Remove ambient authority Virus-Safe Computing Initiative

  5. CapDesk: Usable POLA • Double click launch • File Explorer • Open dialog • Drag/Drop • Etc... Moral: Bundle permission with designation Virus-Safe Computing Initiative

  6. by Introduction ref to Carol ref to Bob decides to share by Parenthood by Endowment by Initial Conditions How do I designate thee? How might object Bob come to know of object Carol? Virus-Safe Computing Initiative

  7. by Introduction ref to Carol ref to Bob decides to share by Parenthood by Endowment by Initial Conditions How do I designate thee? Alice says: bob.foo(carol) Virus-Safe Computing Initiative

  8. by Introduction ref to Carol ref to Bob decides to share by Parenthood by Endowment by Initial Conditions How do I designate thee? Alice says: bob.foo(carol) Virus-Safe Computing Initiative

  9. by Introduction ref to Carol ref to Bob decides to share by Parenthood by Endowment by Initial Conditions How do I designate thee? Alice says: bob.foo(carol) Virus-Safe Computing Initiative

  10. by Introduction ref to Carol ref to Bob decides to share by Parenthood by Endowment by Initial Conditions How do I designate thee? Alice says: bob.foo(carol) Think in names. Speak in references. Virus-Safe Computing Initiative

  11. by Introduction ref to Carol ref to Bob decides to share by Parenthood by Endowment by Initial Conditions How do I designate thee? Alice says: bob.foo(carol) Virus-Safe Computing Initiative

  12. by Introduction ref to Carol ref to Bob decides to share by Parenthood by Endowment by Initial Conditions How do I designate thee? Bob says: defcarol { ... } Virus-Safe Computing Initiative

  13. by Introduction ref to Carol ref to Bob decides to share by Parenthood by Endowment by Initial Conditions How do I designate thee? Alice says: defbob { ... carol ... } Virus-Safe Computing Initiative

  14. by Introduction ref to Carol ref to Bob decides to share by Parenthood by Endowment by Initial Conditions How do I designate thee? At t0: Virus-Safe Computing Initiative

  15. by Introduction ref to Carol ref to Bob decides to share by Parenthood by Endowment by Initial Conditions What are Object-Capabilities? Reference Graph == Access Graph • Absolute encapsulation—causality only by messages • Only references permit causality Virus-Safe Computing Initiative

  16. by Introduction ref to Carol ref to Bob decides to share by Parenthood by Endowment by Initial Conditions Not Discretionary! Alice says: bob.foo(carol) • Overlooked requirement. Enables confinement. • Only connectivity begets connectivity. Virus-Safe Computing Initiative

  17. Distributed Crypto Object-Caps Alice says: bob <- foo(carol) Virus-Safe Computing Initiative

  18. Distributed Crypto Object-Caps Virus-Safe Computing Initiative

  19. Distributed Crypto Object-Caps Virus-Safe Computing Initiative

  20. Distributed Crypto Object-Caps Virus-Safe Computing Initiative

  21. The Two Impostor Problems VatID: Is this the Carol Alice Meant? SwissNumber: Is this the Bob Alice Meant? Virus-Safe Computing Initiative

  22. Roadmap, in Hindsight What about Security? Scheme W7 E Message Passing, Encapsulation Lexical Nesting POLA Objects Object-Capabilities SafeReflection Memory Safety, GC, Eval / Loading Safe Loading Virus Safe Computing Mutable Static State Static Native “Devices” Shared State Concurrency Unprincipled Libraries What about Security? Oak, pre.NET, Squeak , Oz No problemo ClassLoaders as Principals Stack Introspection Security Managers Signed Applets Java, .NET

  23. Virus Safe Computing Detour is Non-Object Causality Scheme W7 E Message Passing, Encapsulation Lexical Nesting POLA Objects Object-Capabilities SafeReflection Memory Safety, GC, Eval / Loading Safe Loading Mutable Static State Static Native “Devices” Shared State Concurrency Unprincipled Libraries What about Security? Squeak-E, Oz-E No problemo ClassLoaders as Principals Stack Introspection Security Managers Signed Applets Java, .NET

  24. Objects as Closures defmakePoint { torun(x :int, y :int) :any { defpoint { togetX() :int { return x } togetY() :int { return y } toadd(otherPt) :any { defx2 := x.add(otherPt.getX()) defy2 := y.add(otherPt.getY()) return makePoint.run(x2, y2) } } return point } } Virus-Safe Computing Initiative

  25. + a pinch of sugar defmakePoint { torun(x :int, y :int) :any { defpoint { togetX() :int { return x } togetY() :int { return y } toadd(otherPt) :any { defx2 := x.add(otherPt.getX()) defy2 := y.add(otherPt.getY()) return makePoint.run(x2, y2) } } return point } } defmakePoint(x :int, y :int) :any { defpoint { togetX() :int { return x } togetY() :int { return y } toadd(otherPt) :any { defx2 := x + otherPt.getX() defy2 := y + otherPt.getY() return makePoint(x2, y2) } } return point } Virus-Safe Computing Initiative

  26. Redell’s 1974 Caretaker Pattern defmakeCaretaker(vartarget) :any { defcaretaker { match [verb :String, args :any[]] { E.call(target, verb, args) } } defrevoker { torevoke() :void { target := null } } return [caretaker, revoker] } Virus-Safe Computing Initiative

  27. Redell’s 1974 Caretaker Pattern Alice says: def [carol2, carol2revoker] := makeCaretaker(carol) bob.foo(carol2) defmakeCaretaker(vartarget) :any { defcaretaker { match [verb :String, args :any[]] { E.call(target, verb, args) } } defrevoker { torevoke() :void { target := null } } return [caretaker, revoker] } Virus-Safe Computing Initiative

  28. Can’t Revoke Permissions, but... Bob says: carol2.doThis(...) Alice says: carol2revoker.revoke() Bob says: carol2.doThat(...) Virus-Safe Computing Initiative

  29. ... Can Revoke Authority Bob says: carol2.doThis(...) Alice says: carol2revoker.revoke() Bob says: carol2.doThat(...) Virus-Safe Computing Initiative

  30. No Permissions Were Revoked Bob says: carol2.doThis(...) Alice says: carol2revoker.revoke() Bob says: carol2.doThat(...) Virus-Safe Computing Initiative

  31. buy deposit makePurse $0 deposit Cashing in on Distributed Objects defpayment := myPurse <- makePurse() payment <-deposit(10, myPurse) bob <- buy(..., payment) when (payment) -> ... { when (myPurse <- deposit(10, payment)) ... { ... # dispense value } } Alice Bob mint $10 namesealerunsealer $100 $200 $90 $210 Virus-Safe Computing Initiative

  32. Distributed Secure Money in E defmakeMint(name :String) :any { def [sealer, unsealer] := makeBrandPair(name) defmint { tomakePurse(varbalance :(int >= 0)) :any { defdecr(amount :(0..balance)) :void { balance -= amount } defpurse { togetBalance() :int { return balance } tomakePurse() :any { return mint.makePurse(0) } togetDecr() :any { return sealer.seal(decr) } todeposit(amount :int, src) :void { unsealer.unseal(src.getDecr())(amount) balance += amount } } return purse } } return mint } Virus-Safe Computing Initiative

  33. Rights Amplification ? def [sealer, unsealer] := makeBrandPair("MarkM") # value: [<MarkM sealer>, <MarkM unsealer>] ?defenvelope := sealer.seal("Tuna") # value: <sealed by MarkM> ? unsealer.unseal(envelope) # value: "Tuna" Virus-Safe Computing Initiative

  34. Distributed Secure Money in E defmakeMint(name :String) :any { def [sealer, unsealer] := makeBrandPair(name) defmint { tomakePurse(varbalance :(int >= 0)) :any { defdecr(amount :(0..balance)) :void { balance -= amount } defpurse { togetBalance() :int { return balance } tomakePurse() :any { return mint.makePurse(0) } togetDecr() :any { return sealer.seal(decr) } todeposit(amount :int, src) :void { unsealer.unseal(src.getDecr())(amount) balance += amount } } return purse } } return mint } Virus-Safe Computing Initiative

  35. Good software engineering Responsibility driven design Omit needless coupling assert(..) preconditions Information hiding Designation, need to know Dynamics of knowledge Lexical naming Think names, speak refs Avoid global variables Abstraction Procedural, data, control, ... Patterns and frameworks Say what you mean Capability discipline Authority driven design Omit needless vulnerability Validate inputs Principle of Least Authority Permission, need to do Dynamics of authorization No global name spaces Think names, speak refs Forbid mutable static state Abstraction ... and access abstractions Patterns of safe cooperation Mean only what you say Security is Just Extreme Modularity Virus-Safe Computing Initiative

  36. Our Logo The POLA Bear Virus-Safe Computing Initiative

  37. Bibliography • E in a Walnut skyhunter.com/marcs/ewalnut.htmlDownload E from erights.org and try it! (It’s open source.) • Paradigm Regained (HPL-2003-222) erights.org/talks/asian03/ • A Security Kernel Based on the Lambda-Calculus mumble.net/jar/pubs/secureos/ • Capability-based Financial Instruments (the “Ode”)erights.org/elib/capability/ode/index.html • Intro to Capability-based Securityskyhunter.com/marcs/capabilityIntro/index.html • Statements of Consensus erights.org/elib/capability/consensus-9feb01.html • Web Calculus www.waterken.com/dev/Web/Calculus/ • Web sites: erights.org , combex.com , eros-os.org ,cap-lore.com/CapTheory , www.waterken.com Virus-Safe Computing Initiative

  38. Thank You Virus-Safe Computing Initiative

  39. Paradigm Lost: Unchallenged Myths “On the Inability of an Unmodified Capability Machine to Enforce the *-Property” “... an unmodified or classic capability system cannot ... solve the confinement problem” “Since a capability is just a bit string, it can propagate in many ways without the detection of the kernel or the server...” “Capability systems modeled as unforgeable references present the other extreme, where delegation is trivial, and revocation is infeasible” • Capabilities vs. ACLs are just rows vs. columns • Capabilities are “tickets” or “keys” • Capabilities are discretionary • ACLs won. Capabilities lost. Virus-Safe Computing Initiative

  40. Example: Oak’s Detour • Mutable static state (class variables) • even when private, prevents confinement • Static, native, authority-bearing methods • example: File opening, clock • Ambient access to non-determinism • System.identityHashcode(obj), threads • Locks as communication channels • synchronized(“foo”.intern()) {...} • Non-POLA legacy libraries Virus-Safe Computing Initiative

  41. Stay on the Pure Object Road • Pure object (instance) model is fine as is • No features need be added or removed • Though some new primitives are convenient • Non-object causality must be prohibited • Authority only according to references held & used • Loading separately provided code and state • No implicit state bindings, no global scopes • Must support lexical nesting in the large • All free variables are virtualizable • Only main() starts with all authority, as instances Virus-Safe Computing Initiative

  42. Let Knowledge Shape Access “Make the Computer Recursive”—Alan Kay • “Knows about” has fractal structure. • People know people. Organs know organs. Cells know cells. • Make access rights similarly self-similar! • Information hiding: “Need to know” • POLA: “Need to do” Virus-Safe Computing Initiative

  43. Spectrum of Models Tractable Realistic Direct access +Indirect causality Overt behavior +Covert+Side+Bugs Permission Rules Arcs Protection State Permit Authority Legal Outcomes Paths (with behavior) Op. Semantics Authorize Ability Actual Outcomes Non-determinism Implementation Enable Virus-Safe Computing Initiative

  44. Paradigm Regained: Access Abstraction Bob says: carol2.doThis(...) • Caretaker is smart ref • Alice uses behaviour to express policy • Further limits Bob’s authority • Tighter POLA Alice says: carol2revoker.revoke() Bob says: carol2.doThat(...) Virus-Safe Computing Initiative

  45. No Permissions Were Granted • She’s only authorizing Bob. • By practicing POLA, as she should, Alice has inadvertently thwarted the intent of this prohibition. • Policy ignores Alice’s possible behaviour • Confinement of permissions, by itself, is mostly pointless • Confinement of authority, isn’t enough if we’ve got covert channels What if Alice couldn’t permit Bob to access Carol? Virus-Safe Computing Initiative

  46. Other Capability Models Capabilities as Rows Capabilities as Keys Equivalence? Revocability? Confinement?

  47. Capability Myths DemolishedModels mostly missed virtues of actual systems Virus-Safe Computing Initiative

More Related