expressing security constraints using capabilities
play

Expressing Security Constraints using capabilities Mark S. Miller - PowerPoint PPT Presentation

Jun 14, 2023 •171 likes •853 views

Expressing Security Constraints using capabilities Mark S. Miller and the Cajadores Overview This talk The What and Why of object-capabilities (ocaps) My Securing EcmaScript 5 talk tomorrow The How of doing ocaps in JavaScript Patterns

  1. Expressing Security Constraints using capabilities Mark S. Miller and the Cajadores

  2. Overview This talk The What and Why of object-capabilities (ocaps) My “Securing EcmaScript 5” talk tomorrow The How of doing ocaps in JavaScript Patterns of Safe Cooperation In Secure EcmaScript (SES) Distributed Cryptographic Capabilities In Distributed Resilient Secure EcmaScript (Dr. SES)

  3. Security as Extreme Modularity Modularity: Avoid needless dependencies Security: Avoid needless vulnerabilities Vulnerability is a form of dependency Mod: Principle of info hiding - need to know. Sec: Principle of least authority - need to do.

  4. The Mashup problem: Code as Media <html> <head> <title>Basic Mashup</title> <script> function animate ( id ) { var element = document.getElementById(id); var textNode = element.childNodes[0]; var text = textNode.data; var reverse = false; element.onclick = function() { reverse = !reverse; }; setInterval(function() { textNode.data = text = reverse ? text.substring(1) + text[0] : text[text.length-1] + text.substring(0, text.length-1); }, 100); } </script> </head> <body onload="animate('target')"> <pre id="target">Hello Programmable World! </pre> </body> </html>

  9. How do I designate thee? by Introduction ref to Carol ref to Bob decides to share by Parenthood by Endowment by Initial Conditions How might object Bob come to know of object Carol?

  10. How do I designate thee? Alice says : bob.foo(carol) by Introduction ref to Carol ref to Bob decides to share by Parenthood by Endowment by Initial Conditions

  11. How do I designate thee? Alice says : bob.foo(carol) by Introduction ref to Carol ref to Bob decides to share by Parenthood by Endowment by Initial Conditions

  12. How do I designate thee? Alice says : bob.foo(carol) by Introduction ref to Carol ref to Bob decides to share by Parenthood by Endowment by Initial Conditions

  13. How do I designate thee? Alice says : bob.foo(carol) by Introduction ref to Carol ref to Bob decides to share by Parenthood by Endowment by Initial Conditions

  14. How do I designate thee? Alice says : bob.foo(carol) by Introduction ref to Carol ref to Bob decides to share by Parenthood by Endowment by Initial Conditions

  15. How do I designate thee? Bob says : var carol = { ... }; by Introduction ref to Carol ref to Bob decides to share by Parenthood by Endowment by Initial Conditions

  16. How do I designate thee? Alice says : var bob = { ... carol ... }; by Introduction ref to Carol ref to Bob decides to share by Parenthood by Endowment by Initial Conditions

  17. How do I designate thee? At t 0 : by Introduction ref to Carol ref to Bob decides to share by Parenthood by Endowment by Initial Conditions

  18. OCaps: Small step from pure objects Memory safety and encapsulation + Effects only by using held references + No powerful references by default

  19. OCaps: Small step from pure objects Memory safety and encapsulation + Effects only by using held references + No powerful references by default Reference graph ≡ Access graph Only connectivity begets connectivity Natural Least Authority OO expressiveness for security patterns

  20. Objects as Closures function makeCounter () { makeCounter var count = 0; return def({ incr incr incr: function() { return ++count; }, incr incr incr incr decr: function() { return –count; } count }); count count } decr decr decr decr decr decr

  21. Objects as Closures function makeCounter () { makeCounter var count = 0; return def({ incr incr incr: function() { return ++count; }, incr incr incr incr decr: function() { return –count; } count }); count count } decr decr decr decr decr decr A record of closures hiding state is a fine representation of an object of methods hiding instance vars

  22. Revocable Function Forwarder function makeFnCaretaker ( target ) { makeCaretaker return def({ wrapper: function(…args) { revoke revoke revoke revoke wrapper wrapper wrapper wrapper revoke revoke revoke revoke wrapper wrapper wrapper wrapper revoke revoke revoke revoke wrapper wrapper wrapper wrapper return target(…args); }, target target target target target target revoke: function() { target = null; } }); }

  23. Unconditional Access Alice says: Alice Bob foo bob.foo(carol); Grants Bob full access to Carol forever Carol

  24. Revocability ≡ Temporal attenuation Alice says: Alice Bob foo var ct = makeCaretaker(carol); bob.foo(ct.wrapper); revoke revoke wrapper wrapper target Carol

  25. Revocability ≡ Temporal attenuation Alice says: Alice Bob var ct = makeCaretaker(carol); bob.foo(ct.wrapper); //… revoke revoke wrapper wrapper target Carol

  26. Revocability ≡ Temporal attenuation Alice says: Alice Bob var ct = makeCaretaker(carol); bob.foo(ct.wrapper); //… revoke revoke wrapper wrapper ct.revoke(); target Carol

  27. Revocability ≡ Temporal attenuation Alice says: Alice Bob var ct = makeCaretaker(carol); bob.foo(ct.wrapper); //… revoke revoke wrapper wrapper ct.revoke(); target Carol

  28. Attenuators ≡ Access Abstractions Alice says: Alice Bob foo var ct = makeCaretaker(carol); bob.foo(ct.wrapper); Express security policy by the behavior of the objects you provide Carol

  29. Membranes: Transitive Interposition Alice Bob function makeFnMembrane ( target ) { var enabled = true; function wrap ( wrapped ) { if (wrapped !== Object(wrapped)) { return wrapped; Dave } return function(… args ) { if (!enabled) { throw new Error(“revoked”); } return wrap(wrapped(…args.map(wrap)); } } return def({ wrapper: wrap(target), Carol revoke: function() { target = null; } }); }

  30. Attenuators Compose function makeROFile ( file ) { return def({ read: file.read, getLength: file.getLength }); } var rorFile = makeROFile(revocableFile);

  31. No powerful references by default Alice says: Alice Bob var bobSrc = //site B bob var carolSrc = //site C var bob = safeEval(bobSrc); Carol var carol = safeEval(carolSrc); carol

  32. No powerful references by default Alice says: Alice Bob var bobSrc = //site B bob var carolSrc = //site C var bob = safeEval(bobSrc); Carol var carol = safeEval(carolSrc); carol Bob and Carol are confined . Only Alice controls how they can interact or get more connected.

  33. No powerful references by default Alice says: Alice bob Bob carol Carol

  34. Only connectivity begets connectivity Alice says: bob Bob var counter = makeCounter(); counter incr incr bob(counter.incr); carol(counter.decr); carol count count Carol count bob = carol = null; decr decr

  35. Only connectivity begets connectivity Alice says: bob Bob var counter = makeCounter(); counter incr incr bob(counter.incr); carol(counter.decr); carol count count Carol count bob = carol = null; decr decr Bob can only count up and see result. Carol only down. Alice can do both.

  36. Membrane safeEval → compartment var compartment = makeMembrane(safeEval); var vbob = compartment.wrapper(bobSrc); Bob Alice

  37. Membrane safeEval → compartment var compartment = makeMembrane(safeEval); var vbob = compartment.wrapper(bobSrc); //… Bob Alice

  38. Membrane safeEval → compartment var compartment = makeMembrane(safeEval); var vbob = compartment.wrapper(bobSrc); //… compartment.revoke(); Bob Alice GC

  39. Composing Authority +? Usually intersection

  40. Rights Amplification ≥ + +

  41. Rights Amplification function makeBrand () { Alice Bob foo var amp = WeakMap(); function seal ( payload ) { var box = def({}); amp.set(box, payload); return box; makeBrand } function unseal ( box ) { seal unseal seal unseal return amp.get(box); amp amp box } box box return def({seal: seal, unseal: unseal}); payload payload payload }

  42. Dr. SES Distributed Resilient Secure EcmaScript Most suspicion is not within an address space Stretch reference graph between machines Preserve distributed “memory safety”

  43. Dr. SES Distributed Resilient Secure EcmaScript Shared State Message Passing Blocking C++/pthreads Blocking receive Java, C#, Mozart/Oz CSP, Occam, CCS JoCAML, Polyphonic C# Erlang, Scala, Go Non-blocking Soft Transactional Mem Comm Event Loops Argus, Fortress, X10 Actors, AmbientTalk E, Waterken Ajax

  44. Dr. SES Distributed Resilient Secure EcmaScript Shared State Message Passing Blocking C++/pthreads Blocking receive Java, C#, Mozart/Oz CSP, Occam, CCS JoCAML, Polyphonic C# Erlang, Scala, Go Non-blocking Soft Transactional Mem Comm Event Loops Argus, Fortress, X10 Actors, AmbientTalk E, Waterken Ajax No conventional deadlocks or memory races

  45. Dr. SES Distributed Resilient Secure EcmaScript Shared State Message Passing Blocking C++/pthreads Blocking receive Java, C#, Mozart/Oz CSP, Occam, CCS JoCAML, Polyphonic C# Erlang, Scala, Go Non-blocking Soft Transactional Mem Comm Event Loops Argus, Fortress, X10 Actors, AmbientTalk E, Waterken Ajax, Dr. SES No conventional deadlocks or memory races var result = bob.foo(carol); // do it immediately var resultP = bobP ! foo(carol); // do it eventually

Recommend

Page 1 Expressing Constraints in UML Models A constraint can also be depicted as a note

Page 1 Expressing Constraints in UML Models A constraint can also be depicted as a note

Podcast Ch09-03 Title : Expressing Constraints using OCL Description : Preconditions; postconditions; constraints on more than one class Participants : Barry Kurtz (instructor); Brandon Winters, Sara Hyde, Cheng Vue, Dan Baehr

453 views • 6 slides
Using OCL for expressing temporal validity constraints Juliana K uster Filipe and Stuart

Using OCL for expressing temporal validity constraints Juliana K uster Filipe and Stuart

Using OCL for expressing temporal validity constraints Juliana K uster Filipe and Stuart Anderson LFCS, School of Informatics The University of Edinburgh United Kingdom SVERTS@UML 2003, 20 October, San Francisco, California Background In

240 views • 22 slides
Office of Security Capabilities John Sanders, Assistant Administrator June 24, 2014 OSC

Office of Security Capabilities John Sanders, Assistant Administrator June 24, 2014 OSC

ACC/TSA Security Capabilities Day &amp; Technical Workshop Office of Security Capabilities John Sanders, Assistant Administrator June 24, 2014 OSC Organizational Chart TSA Organizational Goals Intel-Driven Risk Based Security OSC has two

1.28k views • 96 slides
Economic Constraints and Capabilities of Very Young Adolescent Girls in an Urban Nairobi Slum:

Economic Constraints and Capabilities of Very Young Adolescent Girls in an Urban Nairobi Slum:

Economic Constraints and Capabilities of Very Young Adolescent Girls in an Urban Nairobi Slum: Understanding their Expectations of Achieving Education and Work Aspirations Eunice Muthengi 1 &amp; Karen Austrian 1* 1 Population Council, Kenya *

537 views • 10 slides
Security Resources, Capabilities and Cultural Values: Links to Security Performance and

Security Resources, Capabilities and Cultural Values: Links to Security Performance and

Security Resources, Capabilities and Cultural Values: Links to Security Performance and Regulatory Compliance WEIS 2012 Juhee Kwon and M. Eric Johnson Tuck School of Business Dartmouth College 1 Healthcare Security Landscape Healthcare

223 views • 18 slides
Deduction with XOR Constraints in Security API Modelling Graham Steel V I N E U R S E I

Deduction with XOR Constraints in Security API Modelling Graham Steel V I N E U R S E I

Deduction with XOR Constraints in Security API Modelling Graham Steel V I N E U R S E I H T Y T O H F G R E U D B I N 1 Automated Teller Machines ATM Maestro UK Hansabank HSBC Graham Steel XOR and Security APIs

442 views • 18 slides
Outline Expressing Permission William Starr 1 Free Choices, Hard Choices 2 Expressing Permission

Outline Expressing Permission William Starr 1 Free Choices, Hard Choices 2 Expressing Permission

Free Choices, Hard Choices Expressing Permission Conclusion References Outline Expressing Permission William Starr 1 Free Choices, Hard Choices 2 Expressing Permission 3 Conclusion Department of Philosophy, Cornell University

155 views • 14 slides
Institute for Cyber Security Towards An Attribute Based Constraints Specification Language

Institute for Cyber Security Towards An Attribute Based Constraints Specification Language

Institute for Cyber Security Towards An Attribute Based Constraints Specification Language Khalid Zaman Bijon, Ram Krishnan and Ravi Sandhu Institute for Cyber Security University of Texas at San Antonio September 11, 2013 2013 ASE/IEEE

425 views • 17 slides
A brainstorm of attention magnets TEXT TASK I P FACT finding out expressing self E C

A brainstorm of attention magnets TEXT TASK I P FACT finding out expressing self E C

A brainstorm of attention magnets TEXT TASK I P FACT finding out expressing self E C PLAY being entertained playing TEXT TASK I nterest P ersonalization Real world; curiosity; amazing Expressing and sharing; facts; human interest

490 views • 26 slides
Expressing I`rab: The Presentation of Arabic Expressing I`rab: The Presentation of Arabic

Expressing I`rab: The Presentation of Arabic Expressing I`rab: The Presentation of Arabic

4B0NU5VD6DUL eBook \\ Expressing I`rab: The Presentation of Arabic Grammatical Analysis Expressing I`rab: The Presentation of Arabic Expressing I`rab: The Presentation of Arabic Grammatical Analysis Grammatical Analysis Filesize: 9.4 MB

50 views • 3 slides
What is Prayer?A Definition Prayer is communicating with God What is Prayer?Types of

What is Prayer?A Definition Prayer is communicating with God What is Prayer?Types of

What is Prayer?A Definition Prayer is communicating with God What is Prayer?Types of Prayer 1. Adoration : Expressing love for who God is. 2. Praise : Expressing appreciation for what God has done. 3. Confession : Expressing sorrow for how

473 views • 18 slides
CAPSICUM Practical capabilities for UNIX 19 th USENIX Security Symposium 11 August 2010 -

CAPSICUM Practical capabilities for UNIX 19 th USENIX Security Symposium 11 August 2010 -

CAPSICUM Practical capabilities for UNIX 19 th USENIX Security Symposium 11 August 2010 - Washington, DC Robert N. M. Watson Jonathan Anderson Google UK Ltd

693 views • 31 slides
NGN OAM Capabilities NGN OAM Capabilities Dinesh Mohan CTO S r. Advisor, Nortel I TU-T W

NGN OAM Capabilities NGN OAM Capabilities Dinesh Mohan CTO S r. Advisor, Nortel I TU-T W

I nternational Telecom m unication Union ITU-T NGN OAM Capabilities NGN OAM Capabilities Dinesh Mohan CTO S r. Advisor, Nortel I TU-T W orkshop NGN and its Transport Netw orks Kobe, 2 0 -2 1 April 2 0 0 6 NGN OAM Activities Update

777 views • 15 slides
Redirection Capabilities in SIP Redirection Capabilities in SIP

Redirection Capabilities in SIP Redirection Capabilities in SIP

Redirection Capabilities in SIP Redirection Capabilities in SIP draft-bharatia-sipping-redirect-00.txt Authors: J. Bharatia, S. Sen, R. Yuhanna, S. Orton, M. Watson Presenter: Mark Watson mwatson@nortelnetworks.com General Motivation SIP

478 views • 5 slides
Chapter 1: Constraints What are they, what do they do and what can I use them for. 1

Chapter 1: Constraints What are they, what do they do and what can I use them for. 1

Constraint Logic Programming Chapter 1: Constraints What are they, what do they do and what can I use them for. 1 Constraints What are constraints? Modelling problems Constraint solving Tree constraints Other constraint

205 views • 19 slides
Secure System Development Mechanisms CS460 Cyber Security Lab Spring 2010 Reading Material

Secure System Development Mechanisms CS460 Cyber Security Lab Spring 2010 Reading Material

Secure System Development Mechanisms CS460 Cyber Security Lab Spring 2010 Reading Material Web sites Microsoft links from last lecture Linux Capabilities - man 7 capabilities or http://www.linuxjournal.com/article/5737

1.17k views • 29 slides
Financial Complexity Physical Capabilities Process Capabilities Other Issues

Financial Complexity Physical Capabilities Process Capabilities Other Issues

Financial Complexity Physical Capabilities Process Capabilities Other Issues Upfront Costs - Financing (PPAs, Tax Credits, ESCOs) Split Incentive Alternatives - Virtual Net Metering Where to start? Intelligent

640 views • 8 slides
Thistle Capabilities AtBC What is Thistle? Why Thistle? Capabilities Commercial

Thistle Capabilities AtBC What is Thistle? Why Thistle? Capabilities Commercial

Thistle Capabilities AtBC What is Thistle? Why Thistle? Capabilities Commercial Capabilities Thistle Home Thistle is Market Ready Service Targets Benefits to AtBC Thistle Team &amp; Workflow What is Thistle?

522 views • 12 slides
Car-Like Robot: e.g., lie in free space How to Park a Car? Differential constraints: ff

Car-Like Robot: e.g., lie in free space How to Park a Car? Differential constraints: ff

2/14/2012 Types of Path Constraints Local constraints: Car-Like Robot: e.g., lie in free space How to Park a Car? Differential constraints: ff e.g., have bounded curvature (Nonholonomic Planning) Global constraints: e.g., have

252 views • 4 slides
Yang Models for I2NSF Capabilities draft-hares-i2nsf-capabilities-yang Susan Hares Co-author:

Yang Models for I2NSF Capabilities draft-hares-i2nsf-capabilities-yang Susan Hares Co-author:

Yang Models for I2NSF Capabilities draft-hares-i2nsf-capabilities-yang Susan Hares Co-author: Robert Moskowitz` Capability Model (Xia, et al.) External Meta External ECA Model Model Capability sub-model Attack Mitigation Network Security

258 views • 15 slides
20. Logic constraints, integer variables If-then constraints Generalized assignment

20. Logic constraints, integer variables If-then constraints Generalized assignment

CS/ECE/ISyE 524 Introduction to Optimization Spring 201718 20. Logic constraints, integer variables If-then constraints Generalized assignment problems Logic constraints Modeling a restricted set of values Sudoku! Laurent

475 views • 24 slides
Securing EcmaScript 5: Adventures in Strategic Compromise Mark S. Miller and the Cajadores Thanks

Securing EcmaScript 5: Adventures in Strategic Compromise Mark S. Miller and the Cajadores Thanks

Securing EcmaScript 5: Adventures in Strategic Compromise Mark S. Miller and the Cajadores Thanks to many on EcmaScript committee Overview My Expression Security Constraints talk The What and Why of object-capabilities (ocaps) This talk

831 views • 71 slides
Security of GPS/INS based On-road Location Tracking Systems Sashank Narain, Aanjhan Ranganathan,

Security of GPS/INS based On-road Location Tracking Systems Sashank Narain, Aanjhan Ranganathan,

Security of GPS/INS based On-road Location Tracking Systems Sashank Narain, Aanjhan Ranganathan, Guevara Noubir Northeastern University 2 3 No constraints Route Estimate with Road Constraints 4 Given a roadmap and assuming inertial sensor data is

216 views • 21 slides
Capabilities Capabilities Indexing and Publishing Indexing and Publishing Jason M. Coposky

Capabilities Capabilities Indexing and Publishing Indexing and Publishing Jason M. Coposky

Capabilities Capabilities Indexing and Publishing Indexing and Publishing Jason M. Coposky June 25-28, 2019 @jason_coposky iRODS User Group Meeting 2019 Executive Director, iRODS Consortium Utrecht, Netherlands 1 iRODS Capabilities

667 views • 23 slides

More recommend