Reasoning about Object Capa- bilities with Logical Relations and - PowerPoint PPT Presentation

Reasoning about Object Capa- bilities with Logical Relations and Effect Parametricity (EuroS&P 2016, Saarbrücken) Dominique Devriese 1 , Frank Piessens 1 , Lars Birkedal 2 1 iMinds-DistriNet, KU Leuven, 2 Aarhus University December 2015

Outline 2/15 Object capabilities Reasoning about Object Capabilities Encapsulation, shared data, authority Reasoning about Primitive I/O Conclusion Reasoning about Object Capabilities

Object capabilities 3/15 Example: browser ad sandboxing: def rnode = func ( node , d ) {· · · } def = func ( document , ad ) initWebPage   let ( adNode = document . addChild (“ ad _ div ”))     let ( rAdNode = rnode ( adNode , 0))   ad . initialize ( rAdNode )   Reasoning about Object Capabilities

Object capabilities 4/15 Fine-grained privilege separation. Control authority of arbitrary, untrusted, untyped code. Just restrict what it has access to. Low tech, low overhead. No types/... Standard OO techniques/patterns. High-level OO languages or low-level assembly Applications: sandboxing fault isolation auditability etc. Reasoning about Object Capabilities

Object capabilities 5/15 A capability-safe language: Private state encapsulation. Primitive I/O through non-public objects (like document ). No global mutable state. Examples: E, Joe-E, Emily, Newspeak etc. JavaScript 5 (strict mode, after proper initialisation)? Reasoning about Object Capabilities

Reasoning about capability-safe languages? 6/15 def = func ( node , d ) {· · · } rnode def initWebPage = func ( document , ad )   let ( adNode = document . addChild (“ ad _ div ”))     let ( rAdNode = rnode ( adNode , 0))   ad . initialize ( rAdNode )   Are we 100% sure? What does the language guarantee precisely? Is it really capability-safe? What does that mean? What to ensure precisely? What can we rely on precisely? Reasoning about Object Capabilities

Reasoning about capability-safe languages? 7/15 OCap community: Reference graph “No Authority Amplification” “Only Connectivity Begets Connectivity” Problem: Syntactic bound on authority. Ignores behavior. Necessary, but not sufficient! Reasoning about Object Capabilities

Reasoning about capability-safe languages? 8/15 What’s the alternative? Reasoning about Object Capabilities

Reasoning about capability-safe languages? 8/15 What’s the alternative? ...logical relations... ...privilege separation... ...Kripke worlds... ...capability-safety... ...modular reasoning... ...security applications... But applications? But how to reason? Programming Languages Researcher Security Researcher Reasoning about Object Capabilities

Reasoning about capability-safe languages 9/15 Our approach: Private Untyped state en- Primitive I/O higher-order capsulation encapsulation language OCap ingredients PL Reasoning Techniques Recursive Step- Kripke indexed worlds logical re- lations Reasoning about Object Capabilities

Reasoning about capability-safe languages 9/15 Our approach: Private Untyped state en- Primitive I/O higher-order capsulation encapsulation language OCap ingredients PL Reasoning Techniques Recursive Step- Kripke indexed Pub/priv worlds logical re- transitions lations for authority Reasoning about Object Capabilities

Reasoning about capability-safe languages 9/15 Our approach: Private Untyped state en- Primitive I/O higher-order capsulation encapsulation language OCap ingredients PL Reasoning Techniques Recursive ? Step- Kripke indexed Pub/priv worlds logical re- transitions lations for authority Reasoning about Object Capabilities

Reasoning about capability-safe languages 9/15 Our approach: Private Untyped state en- Primitive I/O higher-order capsulation encapsulation language OCap ingredients PL Reasoning Techniques Effect Recursive Step- Parametricity Kripke indexed Pub/priv worlds logical re- transitions lations for authority Reasoning about Object Capabilities

Encapsulation of private state 10/15 Register state machine to govern fresh data structure. start 0 def ticketDispenser = func ( attacker )   let ( o = ref 0) 2        let ( dispTkt = func () {        let ( v = deref o ) { o := v + 2; v }} ) 4  attacker ( dispTkt );            deref o   6 · · · Reasoning about Object Capabilities

Limited authority over shared data 11/15 Public transitions: accessible under current authority. Private transitions: potentially accessible by others. def rnode = func ( node , d ) {· · · } def = func ( document , ad ) initWebPage   let ( adNode = document . addChild (“ ad _ div ”))     let ( rAdNode = rnode ( adNode , 0))   ad . initialize ( rAdNode )   Reasoning about Object Capabilities

Primitive I/O 12/15 Effect interpretation: custom property about primitive effects ρ ∈ P ( Cap ) + admissibility conditions... µ ∈ P ( Val ) → P ( Expr ) Effect parametricity. Theorem (Fundamental Theorem for λ JS ) If Γ , Σ ⊢ e then for a valid effect interpretation ( µ, ρ ) and for all n , γ and w with ( n, w ) ∈ � Σ � µ,ρ and ( n, γ ) ∈ � Γ � µ,ρ w , we have that ( n, γ ( e )) must be in E [ µ JSVal µ,ρ ] w . Reasoning about Object Capabilities

Conclusion 13/15 Capability Safety is: Private state encapsulation. Absence of global state. Primitive I/O encapsulation. Modular reasoning in cap-safe language: Reference graph dynamics is not enough Logical relations to the rescue. Some novel features: Authority over shared data using public/private transitions. Effect parametricity. (Not shown: relational version) Reasoning about Object Capabilities

Future work 14/15 Build effect interpretations into Kripke worlds? A program logic? Apply to full JavaScript? Reasoning about Object Capabilities

Backup slide: formal details 1/3 Worlds: def IslandName = N def W = { w ∈ IslandName ֒ → Island | dom( w ) finite }  ι = ( s, φ, φ pub , H ) | s ∈ State ∧ φ ⊆ State 2 ∧    H ∈ State → StorePred ∧ φ pub ⊆ φ ∧   def Island = φ, φ pub reflexive and transitive     def = { ψ ∈ ˆ StorePred W → mon , ne UPred (Store) } roll : 1 2 · W ∼ = ˆ W Reasoning about Object Capabilities

Backup slides: formal details 2/3 Effect interpretations: ρ : W → mon , ne UPred ( Loc ) µ : ( W → mon , ne UPred ( Val )) → ne ( W → ne Pred ( Cmd )) . JSVal µ,ρ predicate: JSVal µ,ρ : W → mon , ne UPred ( Val ) def = Cnst ∪ ρ ∪ { JSVal µ,ρ } ∪ ([ JSVal µ,ρ ] → µ JSVal µ,ρ ) JSVal µ,ρ Reasoning about Object Capabilities

Backup slides: formal details 3/3 Admissibility conditions for effect interpretation: A-Pure : If ( n, v ) ∈ P w then ( n, v ) ∈ µ P w A-Bind : If ( n, cmd ) ∈ µ P w and ( n ′ , E � v � ) ∈ E [ µ P ′ ] w ′ for all n ′ ≤ n , w ′ ⊒ w and ( n ′ , v ) ∈ P w ′ , then ( n, E � cmd � ) ∈ E [ µ P ′ ] w . A-Assign : If ( n, v 1 ) ∈ JSVal µ,ρ w and ( n, v 2 ) ∈ JSVal µ,ρ w , then ( n, v 1 = v 2 ) ∈ µ JSVal µ,ρ w . A-Deref : If ( n, v ) ∈ JSVal µ,ρ w , ( n, deref v ) must be in µ JSVal µ,ρ w . A-Ref : If ( n, v ) ∈ JSVal µ,ρ w , then ( n, ref v ) ∈ µ JSVal µ,ρ w . Reasoning about Object Capabilities