Joe-E: An Object-Capability Subset of Java - PowerPoint PPT Presentation

Transcript and Presenter's Notes
1
Joe-E: An Object-Capability Subset of Java
  • Adrian Mettler
  • U.C. Berkeley

2
Problem: Ambient Authority
  • With languages used today, nearly every line of a
    program could be a security flaw
  • Any code in a Java program has all permissions of
    the JVM
  • How can we limit our exposure to program errors
    or malicious behaviors?
  • Extensions particularly problematic
  • How do we help application authors gain
    confidence about the security of their program?

3
Principle of Least Authority
  • Goal: give each component of the program only the
    privileges it needs to perform its role
  • Prevents apparently non-security-relevant parts
    of program from breaking security
  • Goes hand in hand with modularity, separation of
    concerns
  • Currently implemented for modern languages as
    privilege separation
  • Break a program up into processes, each of which
    has different OS permissions
  • Limit to granularity of security domains due to
    complexity, context switch cost

4
Use the language?
  • Object-capability languages enforce the principle
    of least authority
  • Object references are unforgeable and act as
    capabilities
  • References grant authority to invoke methods on
    the corresponding object
  • Each scope in the program can only affect the
    objects that it is granted
  • Could use a new language for this, but no one
    wants to learn a new language

5
Joe-E: A Subset of Java
  • Memory-safe languages like Java are already most of
    the way toward being capability languages
  • Problems include global state and many library
    routines that allow anyone to affect the outside
    world without authorization in the form of an
    object
  • Our solution: Joe-E is a subset of Java that
    preserves existing language semantics, leveraging
    tool chain and developer experience

6
Joe-E: A Subset of Java
  • Must ensure the only authority is from capabilities
  • All static state must be immutable
  • Prevent exercise of capability-unsafe library
    calls, e.g. new java.io.File(String)
  • Capability-safe alternatives provided
  • Marker interfaces assert additional properties of
    classes, e.g. immutability, checked by verifier
  • All classes that implement the interface are
    guaranteed to have the checked properties

7
Benefits
  • Strong isolation simplifies analysis
  • Can ignore components not granted capabilities of
    interest
  • Guarantee determinism by requiring capabilities
    for access to nondeterminism
  • Allows for safely extensible applications
  • Risk of running an extension is limited to
    capabilities granted to it
  • Waterken application server written atop Joe-E
    hosts mutually-untrusting web service apps
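The pattern slides 4 through 7 describe, as an added example written for this page (it is not Joe-E's own library, verifier or Waterken code): an object reference is the only authority, a host attenuates what it hands to an extension, and two of the properties the slides say the verifier checks (an `Immutable`-marked class has only final fields of immutable types; static state is immutable) are approximated at runtime with reflection. The `Immutable` marker interface, `ReadOnlyDir`, `Checker`, `Extension` and the sample files are all constructed for the example; Joe-E's real marker interfaces and capability-safe file API have different names.

```java
import java.io.IOException;
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.HashSet;
import java.util.Set;

// Illustrative code for this page, not Joe-E's own library or verifier.
// Marker interface in the spirit of the checked marker interfaces the slides
// describe (hypothetical name; Joe-E's real ones live under org.joe_e).
interface Immutable {}

// A capability to read files below one directory. Holding a reference to this
// object IS the authority: a bare path string grants nothing, and there is no
// global way to obtain an instance without being handed one.
final class ReadOnlyDir implements Immutable {
    private final String root;   // kept as String so the class stays immutable

    ReadOnlyDir(Path root) { this.root = root.toAbsolutePath().normalize().toString(); }

    String read(String relative) throws IOException {
        Path base = Path.of(root);
        Path p = base.resolve(relative).normalize();
        // startsWith compares whole path components, so "plugins2" is not under "plugins"
        if (!p.startsWith(base)) throw new SecurityException("outside capability: " + relative);
        return Files.readString(p);  // Java 11+
    }

    // Attenuation: derive a strictly narrower capability for one subdirectory.
    ReadOnlyDir subdir(String name) { return new ReadOnlyDir(Path.of(root).resolve(name)); }
}

// Runtime, reflection-based approximation of checks the slides attribute to the
// verifier (which performs them statically on source): an Immutable class may only
// have final fields of immutable types, and static state must be immutable.
final class Checker {
    static boolean isImmutable(Class<?> c) { return isImmutable(c, new HashSet<>()); }

    private static boolean isImmutable(Class<?> c, Set<Class<?>> seen) {
        if (c.isPrimitive() || c == String.class) return true;
        if (!Immutable.class.isAssignableFrom(c)) return false;
        if (!seen.add(c)) return true;   // self-referential type already under check
        for (Class<?> k = c; k != null && k != Object.class; k = k.getSuperclass())
            for (Field f : k.getDeclaredFields())
                if (!Modifier.isStatic(f.getModifiers())
                        && (!Modifier.isFinal(f.getModifiers()) || !isImmutable(f.getType(), seen)))
                    return false;
        return true;
    }

    static boolean hasImmutableStatics(Class<?> c) {
        for (Field f : c.getDeclaredFields())
            if (Modifier.isStatic(f.getModifiers())
                    && (!Modifier.isFinal(f.getModifiers()) || !isImmutable(f.getType())))
                return false;
        return true;
    }
}

// Two classes constructed to be rejected by the checks above.
final class Counter implements Immutable { private int n; }               // non-final field
final class Registry { static StringBuilder log = new StringBuilder(); }  // mutable static state

// An extension receives exactly the capabilities the host hands it, nothing else.
interface Extension { String run(ReadOnlyDir dir) throws IOException; }

public class CapabilityDemo {
    public static void main(String[] args) throws IOException {
        // Constructed sample layout: <tmp>/secret.txt and <tmp>/plugins/hello.txt
        Path app = Files.createTempDirectory("joe-e-demo");
        Files.writeString(app.resolve("secret.txt"), "db password");
        Files.createDirectory(app.resolve("plugins"));
        Files.writeString(app.resolve("plugins").resolve("hello.txt"), "hi from plugin");

        // The host holds the full capability and grants only the plugins/ subtree.
        ReadOnlyDir plugins = new ReadOnlyDir(app).subdir("plugins");
        Extension ext = dir -> dir.read("hello.txt");
        System.out.println("extension read: " + ext.run(plugins));

        // A misbehaving extension can only ask its capability; the request is refused.
        Extension evil = dir -> dir.read("../secret.txt");
        try { evil.run(plugins); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }

        System.out.println("ReadOnlyDir immutable? " + Checker.isImmutable(ReadOnlyDir.class));
        System.out.println("Counter immutable?     " + Checker.isImmutable(Counter.class));
        System.out.println("Registry statics ok?   " + Checker.hasImmutableStatics(Registry.class));
    }
}
```

Save as `CapabilityDemo.java`, then `javac CapabilityDemo.java && java CapabilityDemo`. In plain Java the confinement is only a convention: `evil` could ignore `dir` and call `new java.io.File("/etc/passwd")` directly. That ambient-authority escape hatch is exactly what slide 6 says the Joe-E verifier closes by rejecting capability-unsafe library calls in verified code, which is why the extension's risk on slide 7 is bounded by the capabilities it was granted.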

8
For More Information
  • Language specification and Eclipse plug-in
    available at http://www.joe-e.org
  • Adrian Mettler, U.C. Berkeley,
    amettler_at_cs.berkeley.edu