Current Techniques in Language-based Security

David WalkerCOS 597B

With slides stolen from:Steve ZdancewicUniversity of Pennsylvania

COS 597B 2

Security Talks this Week My Dad's Computer, Microsoft, and the Future

of Internet Security. Bill Cheswick, Lumeta, co-inventor of the Internet

firewall Today at 4PM (We’ll stop class early)

Extensible Semantics for XrML Vicky Weissman, Cornell Friday at 2:30, CS 402 XrML (the eXtensible rights Markup Language) is a

popular language in which to write software licenses. See what it is all about and how to give it a semantics.

COS 597B 3

Types for Stack Inspection Want to do static checking of sec code

Statically detect security failures. Eliminate redundant checks. Example of nonstandard type system for

enforcing security properties. Type system based on work by Pottier,

Skalka, and Smith: “A Systematic Approach to Static Access

Control” Explain the type system by taking a

detour through “security-passing” style. Wallach’s & Felten’s “Understanding Stack

Inspection”

COS 597B 4

Security-passing Style Basic idea: Convert the “stack-crawling”

form of stack inspection into a “permission-set passing style” Compute the set of current permissions at

any point in the code. Make the set of permissions explicit as an

extra parameter to functions (hence “security-passing style)

Target language is a lambda calculus with a primitive datatype of sets.

COS 597B 5

Target Language: set Language syntax:e,f ::= expressions x variable x.e function e f application fail failure let x = e in f local decl. if pse then e else f member test se set expr.

se ::= S perm. set se se union se se intersection x

COS 597B 6

Translation: sec to set

• [[e]]R = “translation of e in domain R with s = current permissions”

• [[x]]R = x• [[x.e]]R = x.s.[[e]]R• [[e f]]R = [[e]]R [[f]]R s• [[let x = e in f]]R = let x = [[e]]R in [[f]R• [[enable p in e]]R = let s = s ({p} R) in [[e]]R• [[R’{e}]]R = let s = s R’ in [[e]]R’ [[check p e]]R = if p s then [[e]]R else fail• [[test p then e1 else e2]]R= if p s then [[e1]]R else [[e2]]R

• Top level translation: [[e]] = [[e]]P{P/s}

COS 597B 7

Example Translation

System = {“f1, “f2”, “f3”}Applet = {“f1”}

h = System{enable “f1” in Applet{(x. System{check “f1” then write x}) “kwijibo”}}

COS 597B 8

Example Translation

[[h]] = (* System *)let s = P {“f1”, “f2”, “f3”} in(* enable “f1” *)let s = s ({“f1”} {“f1”, “f2”, “f3”}) in(* Applet *)let s = s {“f1”} in (x.s. (* System *) let s = s {“f1”, “f2”, “f3”} in if “f1” s then write x else fail) “kwijibo” s

COS 597B 9

Example Translation

[[h]] = (* System *)let s = P {“f1”, “f2”, “f3”} in(* enable “f1” *)let s = s ({“f1”} {“f1”, “f2”, “f3”}) in(* Applet *)let s = s {“f1”} in (x.s. (* System *) let s = s {“f1”, “f2”, “f3”} in if “f3” s then write x else fail) “kwijibo” s

Change permission check

COS 597B 10

Stepping Back Have two formulations of stack

inspection: “original” and “eager”

Have a translation to a language that manipulates sets of permissions explicitly. Includes the “administrative” reductions

that just compute sets of permissions. Similar computations can be done statically!

COS 597B 11

Typing Judgments

R;S; |-- e : t

Current protection

domain Subset of current runtime perms

Variable context

Term

Type

COS 597B 12

Form of types Only interesting (non administrative)

change during compilation was for functions:

[[x.e]]R = x.s.[[e]]R

Source type: t u Target type: t s u The 2nd argument, is always a set, so we

“specialize” the type to:t –{S} u

COS 597B 13

Types Types:

t ::= typesint, string, … base typest –{S} t functions

COS 597B 14

Simple Typing Rules

R;S; |-- x : (x)

R;S; |-- x.e : t1 –{S’} t2

R;S’;,x:t1 |-- e : t2

Abstraction:

Variables:

COS 597B 15

More Simple Typing Rules

R;S; |-- e f : t’

R;S; |-- e : t –{S}t’

R;S; |-- f : tApplication:

R;S; |-- let x = e in f : t

R;S; |-- e : u

R;S;,x:u |-- f : tLet:

COS 597B 16

Rule for Check

R; S{p}; |-- check p then e : t

R; S{p}; |-- e : t

Note that this typing rule requiresthat the permission p is statically

known to be available.

COS 597B 17

Typing Rules for Enable

Enable fail:R;S; |-- enable p in e : t

R;S; |-- e : t p R

Enable succeed:

R;S; |-- enable p in e : t

R;S{p}; |-- e : t p R

-- latter should be flagged as useless code

COS 597B 18

Rule for Test

R;S; |-- test p then e else f: t

R;S; |-- f : t

R; S{p}; |-- e : t

Check the first branch under assumptionthat p is present, check the else branch under assumption that p is absent.

COS 597B 19

Rule for Protection Domains

R;S; |-- S’{e}: t

S’;SS’; |-- e : t

Intersect the permissions in the static protection domain with the current permission set.

COS 597B 20

Weakening (Subsumption)

R;S; |-- e : t

R;S’; |-- e : t S’ S

It is always safe to “forget” permissions.

COS 597B 21

Type Safety Theorem:

If P;P; |-- e : t then either e * v or ediverges.

In particular: e never fails. (i.e. check always succeeds)

Proof:Preservation & Progress.

COS 597B 22

Example: Good Code

h = System{enable “f1” in Applet{(x. System{check “f1” then write x}) “kwijibo”}}

Then P;S; |-- h : unit for any S

COS 597B 23

Example: Bad Code

g = System{enable “f1” in Applet{(x. System{check “f2” then write x}) “kwijibo”}}

Then R;S; |-- g : t is not derivablefor any R,S, and t.

COS 597B 24

Static vs. Dynamic Checks

;; |--x.check p in x : int –{p}int

Calling this function requires the static permission p:

Only way to call it (assuming initial perms.are empty) is to put it in the scope of adynamic test: test p then …can call it here… else …may not call it here…

COS 597B 25

Expressiveness This type system is very simple

No subtyping No polymorphism Not algorithmic Hard to do inference

Can add all of these features… See François Pottier’s paper for a nice

example. Uses Didier Rémy’s row types to describe the sets of

permission. Uses HM(X) – Hindley Milner with constraints Also shows how to derive a type system for the

source language from the translation!

COS 597B 26

Conclusions Stack inspection is a complex security

mechanism In practice, useful for preventing some

attacks Formal reasoning useful for

understanding what optimizations preserve semantics

Type systems or program analysis have the potential to catch “obvious” security violations at compile time where they can easily be fixed