Polyglot: An Extensible Compiler Framework for Java

Nathaniel Nystrom, Michael R. Clarkson, and Andrew C. Myers

Presentation by Aaron Kimball & Ben Lerner

Purpose of Polyglot

Allow easy extensions to Java language Security Support new language designs Optimization, static analysis Instructional uses

Polyglot Architecture

Polyglot base is a static checker for Java source code

Extensions add AST components and compiler passes

Size of extension code proportional to complexity of changes

Parse extended-language source code, and reduce code to Java AST which is output as .java files

javac then compiles to final bytecode form

Grammars & Passes

“PPG” parser generator used; provides grammar inheritance

Passes perform static analysis, type checking, compilation steps; run in a “scheduled” work queue

AST Rewriting is entirely functional

Example: Coffer

tracked(F) class FileReader { FileReader(File f) [] -> [F] throws IOException[]

{ ... } int read() [F] -> [F] throws IOException[F] { ... } void close() [F] -> [] { ...; free this; }}

Language includes annotations on functions to enforce linear use of “capability keys”; “free” statement destroys the capability key for an object

Extensions & Delegates

Simple subclassing does not provide rich-enough object extension; code duplication still happens

Extension objects allow additional methods to be attached to a node

Delegate objects allow overriding of existing methods using user-defined dispatch protocols

Goal is “mixin extensibility”

Additional Notes & Results

Separate compilation through serialized class data

Qualitative measure of “code required” vs. “departure from Java” demonstrates simple language changes require simple compiler changes

Many languages (PolyJ, JMatch, others) implemented in Polyglot... Including Jif!

Untrusted Hosts and Confidentiality: Secure Program Partitioning

Steve Zdancewic, Lantian Zheng, Nathaniel Nystrom, Andrew C. Meyers

Presentation by Aaron Kimball & Ben Lerner

Purpose of Program Partitioning(PpoPP?) Run programs securely on trusted hosts

Hard parts: Not everyone trusts every host Not everyone trusts each other

How to ensure security is preserved?

Technical Terms

Principal: a person, machine, or entity Authority: a set of principals who can perform

some action Confidentiality: data isn’t leaked to principals

who shouldn’t see it Integrity: data isn’t modified by principals who

shouldn’t do so

Security Labels

Labels look like Data are tagged by labels Each owner o specifies a set of allowed

readers A principal can read data only if all owners

permit it More owners more restrictive policy

};,,,:{ 211 nrrro

Confidentiality Integrity

Integrity constraints look like {?:r} Data has no owner, but is trusted by r

Confidentiality: owner trusts readers not to do something bad

Integrity: reader trusts owner hadn’t done something bad

Side channels

If (b_secret) then x = true else x = false This leaks the secret data! Security is label is restricted at every p.c.

Example: Oblivious transfer

Variables are only accessible by Alice

Assignment ok because of authority clause

Endorse lets Alice blindly trust Bob’s data

Declassify lets Bob read Alice’s data

public class OTExample {

int {Alice:; ?:Alice}{Alice:; ?:Alice} m1;

int {Alice:; ?:Alice}{Alice:; ?:Alice} m2;

bool {Alice:; ?:Alice}{Alice:; ?:Alice} isAccessed;

int{Bob:}{Bob:} transfer{?:Alice}{?:Alice} (int{Bob:}{Bob:} n)

where authority(Alice)where authority(Alice) {

int tmp1 = m1;

int tmp2 = m2;

if (!isAccessed) {

isAccessed = true;

if (endorse(endorse(n, {?:Alice}{?:Alice}) == 1)

return declassify(declassify(tmp1, {Bob{Bob:}});

else

return declassify(declassify(tmp2, {Bob{Bob:}});

}

return 0;

} }

How to split

Each machine carries some security label All data carries some label “Just” split the computations such that

Label(f) <= Label(host) Host must be at least as confidential as the

data, and have at most as much integrity as the data

Interesting bits: ICS

Within a single host, security is easy to check Integrity Control Stack: security across hosts

Deep stack many data dependencies lower data integrity less trusted data

Stack policies enforced with nonce capabilities

Interesting bits: Label inference

Type checking extended to infer labels for all data and constraints for all flows

…where Polyglot is useful

Future work

Adding more interesting security relations “Alice Actsfor Bob” Dynamically generated labels – hard to split! …label polymorphism