Current Techniques in Language-based Security - PowerPoint PPT Presentation

About This Presentation
Title:

Current Techniques in Language-based Security

Description:

Stack inspection. Concrete examples ... Stack Inspection ... During inspection, stack frames are searched from most to least recent: ... – PowerPoint PPT presentation

Number of Views:20
Avg rating:3.0/5.0
Slides: 53
Provided by: steve943
Category:

less

Transcript and Presenter's Notes

Title: Current Techniques in Language-based Security


1
Current Techniques in Language-based Security
  • David Walker
  • COS 441
  • With slides stolen from
  • Steve Zdancewic
  • University of Pennsylvania

2
Mobile Code
  • Modern languages like Java and C have been
    designed for Internet applications and extensible
    systems
  • PDAs, Cell Phones, Smart Cards,

applet
applet
applet
web browser
operating system
3
Applet Security Problems
  • Protect OS other valuable resources.
  • Applets should not
  • crash browser or OS
  • execute rm rf /
  • be able to exhaust resources
  • Applets should
  • be able to access some system resources (e.g. to
    display a picture)
  • be isolated from each other
  • Principles of least privileges and complete
    mediation apply

4
Java and C Security
  • Static Type Systems
  • Memory safety and jump safety
  • Run-time checks for
  • Array index bounds
  • Downcasts
  • Access controls
  • Virtual Machine / JIT compilation
  • Bytecode verification
  • Enforces encapsulation boundaries (e.g. private
    field)
  • Garbage Collected
  • Eliminates memory management errors
  • Library support
  • Cryptography, authentication,

These lectures
5
Access Control for Applets
  • What level of granularity?
  • Applets can touch some parts of the file system
    but not others
  • Applets can make network connections to some
    locations but not others
  • Different code has different levels of
    trustworthiness
  • www.l33t-hax0rs.com vs. www.java.sun.com
  • Trusted code can call untrusted code
  • e.g. to ask an applet to repaint its window
  • Untrusted code can call trusted code
  • e.g. the paint routine may load a font
  • How is the access control policy specified?

6
Outline
  • Java Security Model (C similar)
  • Stack inspection
  • Concrete examples
  • To discuss what security principles does the
    Java security model obey or not obey?
  • Semantics from a PL perspective
  • Formalizing stack inspection
  • how exactly does it work?
  • Reasoning about programs that use stack
    inspection

7
Java Security Model
Security Policy
VM Runtime
a.class b.class c.class d.class e.class
Permissions
Domain A
Permissions
Domain B
ClassloaderSecurityManager
http//java.sun.com/j2se/1.4.2/docs/guide/security
/spec/security-specTOC.fm.html
8
Kinds of Permissions
  • java.security.Permission Class
  • perm new java.io.FilePermission("/tmp/abc","read
    ")
  • java.security.AllPermission
  • java.security.SecurityPermission
  • java.security.UnresolvedPermission
  • java.awt.AWTPermission
  • java.io.FilePermission
  • java.io.SerializablePermission
  • java.lang.reflect.ReflectPermission
  • java.lang.RuntimePermission
  • java.net.NetPermission
  • java.net.SocketPermission

9
Code Trustworthiness
  • How does one decide what protection domain the
    code is in?
  • Source (e.g. local or applet)
  • Digital signatures
  • C calls this evidence based
  • How does one decide what permissions a protection
    domain has?
  • Configurable administrator file or command line
  • Enforced by the classloader

10
Classloaders
  • In order to pull new code into the virtual
    machine, we use an object from the ClassLoader
    class
  • A class loader will look in the file system, or
    across the network for a class file, or possibly
    dynamically generate the class
  • When loading the first class of an application, a
    new instance of the URLClassLoader is used.
  • When loading the first class of an applet, a new
    instance of the AppletClassLoader is used.
  • Class loaders are responsible for placing classes
    into their security domains
  • AppletClassLoader places classes in domains
    depending on where they are from
  • Other ClassLoaders places classes in domains
    based on digital signatures, or origin (such as
    local file system)

11
Classloader Hierarchy
Primordial ClassLoader
ClassLoader
SecureClassLoader
URLClassLoader
AppletClassLoader
12
Associating Privileges with Domains
grant codeBase http//www.l33t-hax0rz.com/
permission java.io.FilePermission(/tmp/,
read,write) grant codeBase
file//JAVA_HOME/lib/ext/ permission
java.security.AllPermission grant signedBy
trusted-company.com permission
java.net.SocketPermission() permission
java.io.FilePermission(/tmp/, read,write)

Policy information stored in
JAVA_HOME/lib/security/java.policy
USER_HOME/.java.policy (or passed on
command line)
13
Example Trusted Code
Code in the System protection domain
void fileWrite(String filename, String s)
SecurityManager sm System.getSecurityManager()
if (sm ! null) FilePermission fp new
FilePermission(filename,write)
sm.checkPermission(fp) / write s to file
filename (native code) / else throw
new SecurityException()
public static void main() SecurityManager sm
System.getSecurityManager() FilePermission
fp new FilePermission(/tmp/,write,)
sm.enablePrivilege(fp) UntrustedApplet.run()
14
Example Client
Applet code obtained from http//www.l33t-hax0rz.
com/
class UntrustedApplet void run() ...
s.FileWrite(/tmp/foo.txt, Hello!) ...
s.FileWrite(/home/dpw/grades.txt, Ginsburg
A) ...
15
Stack Inspection
  • Stack frames are annotated with their protection
    domains and any enabled privileges.
  • During inspection, stack frames are searched from
    most to least recent
  • fail if a frame belonging to someone not
    authorized for privilege is encountered
  • succeed if activated privilege is found in frame

16
Stack Inspection Example
Policy Database
main() fp new FilePermission(/tmp/,write
,) sm.enablePrivilege(fp)
UntrustedApplet.run()
17
Stack Inspection Example
Policy Database
main() fp new FilePermission(/tmp/,write
,) sm.enablePrivilege(fp)
UntrustedApplet.run()
fp
18
Stack Inspection Example
void run() s.FileWrite(/tmp/foo.txt,
Hello!)
Policy Database
main() fp new FilePermission(/tmp/,write
,) sm.enablePrivilege(fp)
UntrustedApplet.run()
fp
19
Stack Inspection Example
void fileWrite(/tmp/foo.txt, Hello!) fp
new FilePermission(/tmp/foo.txt,write)
sm.checkPermission(fp) / write s to file
filename /
void run() s.FileWrite(/tmp/foo.txt,
Hello!)
Policy Database
main() fp new FilePermission(/tmp/,write
,) sm.enablePrivilege(fp)
UntrustedApplet.run()
fp
20
Stack Inspection Example
void fileWrite(/tmp/foo.txt, Hello!) fp
new FilePermission(/tmp/foo.txt,write)
sm.checkPermission(fp) / write s to file
filename /
void run() s.FileWrite(/tmp/foo.txt,
Hello!)
Policy Database
main() fp new FilePermission(/tmp/,write
,) sm.enablePrivilege(fp)
UntrustedApplet.run()
fp
Succeed!
21
Stack Inspection Example
void run() s.FileWrite(/home/dpw/grades.t
xt, Ginsburg A)
Policy Database
main() fp new FilePermission(/tmp/,write
,) sm.enablePrivilege(fp)
UntrustedApplet.run()
fp
22
Stack Inspection Example
void fileWrite(/important.txt, kwijibo)
fp new FilePermission(important.txt,
write) sm.checkPermission(f
p)
void run() s.FileWrite(/home/dpw/grades.t
xt, Ginsburg A)
Policy Database
Fail
main() fp new FilePermission(/tmp/,write
,) sm.enablePrivilege(fp)
UntrustedApplet.run()
fp
23
Other Possibilities
  • The fileWrite method could enable the write
    permission itself
  • Potentially dangerous, should not base the file
    to write on data from the applet
  • but no enforcement in Java
  • A trusted piece of code could disable a
    previously granted permission
  • Terminate the stack inspection early

24
Stack Inspection Algorithm
checkPermission(T) // loop newest to oldest
stack frame foreach stackFrame if (local
policy forbids access to T by class executing in
stack frame) throw ForbiddenException
if (stackFrame has enabled privilege for T)
return // allow access if (stackFrame has
disabled privilege for T) throw
ForbiddenException // end of stack if
(Netscape ) throw ForbiddenException if
(MS IE4.0 JDK 1.2 ) return
25
Two Implementations
  • On demand
  • On a checkPermission invocation, actually crawl
    down the stack, checking on the way
  • Used in practice
  • Eagerly
  • Keep track of the current set of available
    permissions during execution (security-passing
    style Wallach Felten)
  • more apparent (could print current perms.)
  • more expensive (checkPermission occurs
    infrequently)

26
Stack Inspection
  • Stack inspection seems appealing
  • Fine grained, flexible, configurable policies
  • Distinguishes between code of varying degrees of
    trust
  • But
  • How do we understand what the policy is?
  • Semantics tied to the operational behavior of the
    program (defined in terms of stacks!)
  • How do we compare implementations
  • Changing the program (e.g. optimizing it) may
    change the security policy
  • Policy is distributed throughout the software,
    and is not apparent from the program interfaces.
  • Is it any good?

27
Stack Inspection Literature
  • Stack Inspection Theory and VariantsCédric
    Fournet and Andrew D. Gordon
  • Use operational semantics like in class
  • Understanding Java Stack InspectionDan S.
    Wallach and Edward W. Felten
  • Formalize Java Stack Inspection using a special
    logic of authentication

28
Formalizing Stack Inspection
29
Abstract Stack Inspection
  • Abstract permissions
  • p,q Permissions (left abstract in the theory)
  • R,S Principals (sets of permissions)
  • Hide the details of classloading, etc.
  • ExamplesSystem fileWrite(f1),
    fileWrite(f2),Applet fileWrite(f1)

30
lsec Syntax
  • Language syntaxe expressions
    x variable lx.e function e1
    e2 application Re framed expr
    enable p in e enable test p then e1 else
    e2 check perm. fail failure v x
    lx.e valueso v fail outcome

31
Framing a Term
  • Models the Classloader that marks the (unframed)
    code with its protection domainLoad(R,x) x
  • Load(R,lx.e) lx. R Load(R,e)
  • Load(R,e1 e2) Load(R,e1) Load(R,e2)
  • Load(R,enable p in e)
  • enable p in Load(R,e)
  • Load(R,test p then e2 else e2)
  • test p then Load(R,e1) else Load(R,e2)
  • Load(R,fail) fail

32
Example
readFile lfileName.System test
fileWrite(fileName) then // primitive file IO
(native code) else fail
AppletreadFile f2 --gt fail
SystemreadFile f2 --gt ltf2 contentsgt
33
lsec Operational Semantics
  • Evaluation contextsE Hole E
    e Eval function v E Eval arg enable p
    in E Tag on stack frame RE
    Stack frame
  • E models the control stack

34
lsec Operational Semantics
  • E(lx.e) v --gt Eev/x
  • Eenable p in v --gt Ev
  • ERv --gt Ev
  • Efail --gt fail
  • Etest p then e else f --gt Ee
    if Stack(E) -- p
  • Etest p then e else f --gt Ef
    if ?(Stack(E) -- p)

35
Example Evaluation Context
AppletreadFile f2
E Applet r readfile f2
36
Example Evaluation Context
AppletreadFile f2
E Applet r (lfileName.System test
fileWrite(fileName) then // primitive file
IO (native code) else fail ) f2
37
Example Evaluation Context
AppletreadFile f2
E Applet r System test
fileWrite(f2) then // primitive file IO
(native code) else fail
38
Example Evaluation Context
AppletSystem test fileWrite(f2) then
// primitive file IO (native code) else
fail
39
Example Evaluation Context
AppletSystem test fileWrite(f2) then
// primitive file IO (native code) else
fail
E AppletSystemr test fileWrite(f2)
then // primitive file IO (native code)
else fail
40
Formal Stack Inspection
E AppletSystemr test fileWrite(f2)
then // primitive file IO (native code)
else fail
When does stack E allow permissionfileWrite(f2
)? Stack(E) -- fileWrite(f2)
41
Formal Stack Inspection
Structure of Stacks s .
(Empty Stack) s.R (Stack for code
of principal R) s.enable(p) (Privelege p
enabled)
42
Stack of an Eval. Context
Stack() . Stack(E e)
Stack(E)Stack(v E) Stack(E)Stack(enable p
in E) enable(p).Stack(E) Stack(RE)
R.Stack(E)
Stack(E) Stack(AppletSystem)
Applet.Stack(System) Applet.System.Stack(
) Applet.System.
43
Abstract Stack Inspection
. -- p empty stack axiom
protection domain check
p ? q irrelevant enable
check enable
44
Abstract Stack Inspection
. p empty stack enables all
enable succeeds
irrelevant enable
45
Equational Reasoning
e? iff there exists o such that e --gt o Let
C be an arbitrary program context. Say that
e e iff for all C, if Ce and Ce are
closed then Ce? iff Ce?.
46
Example Inequality
ok lx.x loop (lx.x x)(lx.x x)
(note loop ?) f lx. let z x ok in l_.z g
lx. let z x ok in l_.(x ok) Claim f ?
g Proof Let C ? l_.test p then loop
else ok ok
47
Example Continued
  • Cf ?f l_.test p then loop else ok ok
  • ? ?let z (l_.test p
    then loop else ok) ok in l_.z ok
  • ? ?let z test p then loop else ok
    in l_.z ok
  • ? ?let z ok in l_.z ok
  • ? ?l_.ok ok
  • ? (l_.ok) ok
  • ? ok

stack(? ) ..? ..? -- p is not valid
48
Example Continued
  • Cg ?g l_.test p then loop else ok ok
  • ? ?let z (l_.test p
    then loop else ok) ok in
    l_.((l_.test p then loop else ok) ok) ok
  • ? ?let z test p then loop else ok
    in l_. ((l_.test p then loop else ok)
    ok) ok
  • ? ?let z ok in l_.
    ((l_.test p then loop else ok) ok) ok
  • ? ?l_. ((l_.test p then loop else ok)
    ok) ok
  • ? (l_. ((l_.test p then loop else ok) ok))
    ok
  • ? (l_.test p then loop else ok) ok
  • ? test p then loop else ok
  • ? loop ? loop ? loop ?

return from function gt pop frame
stack( ) . . -- p is valid!
49
Example Applications
Formal reasoning about the semantics of stack
inspection makes it possible to perform safe
optimizations
Eliminate redundant annotations lx.Rly.Re
lx.ly.Re
Decrease stack inspection costs e test p then
(enable p in e) else e
50
Axiomatic Equivalence
Can give a sound set of equations ? that
characterize . Example axioms
  • (lx.e) v ? ev/x (beta equivalence)
  • x ? fv(v) ? lx.v ? v
  • enable p in o ? o
  • enable p in (enable q in e) ? enable q in
    (enable p in e)
  • R ? S ? RSe ? Se
  • RSenable p in e ? R?pSenable p in
    e
  • many, many more

? Implies
51
Example Higher-order Code
main System lh.(h ok ok) fileHandler
Systemls.lc.l_.c (readFile s) leak
Appletls.output s main(l_.AppletfileHandler
f2 leak)
52
Example Higher-order Code
  • main(l_.AppletfileHandler f2 leak)
  • ? SystemAppletfileHandler f2 leak okS
  • ? SystemAppletSystemSystem
    l_.Systemleak (readFile f2) okS
  • ? Systeml_.Systemleak (readFile f2) okS
  • ? SystemSystemleak ltf2 contentsgt
  • ? SystemSystemAppletoutput ltf2 contentsgt
  • ? SystemSystemAppletok
  • ? ok

53
Other Problems
  • Applets returning closures can circumvent stack
    inspection.
  • Possible solution
  • Values of the form Rv (i.e. keep track of the
    protection domain of the source)
  • Similarly, one could have closures capture their
    current security context
  • Integrity analysis (i.e. where data comes from)
  • Fournet Gordon prove some properties of
    strengthened versions of stack inspection.

54
Conclusions
  • What security properties does the Java security
    model guarantee?
  • What optimizations are legal?
  • Formal semantics helps us find the answers
    suggests improvements
Write a Comment
User Comments (0)
About PowerShow.com