Current Techniques in Language-based Security

1
Current Techniques in Language-based Security

• David Walker
• COS 597B
• With slides stolen from
• Steve Zdancewic
• University of Pennsylvania

2
Security Talks this Week

• My Dad's Computer, Microsoft, and the Future of
  Internet Security.
• Bill Cheswick, Lumeta, co-inventor of the
  Internet firewall
• Today at 4PM (Well stop class early)
• Extensible Semantics for XrML
• Vicky Weissman, Cornell
• Friday at 230, CS 402
• XrML (the eXtensible rights Markup Language) is a
  popular language in which to write software
  licenses. See what it is all about and how to
  give it a semantics.

3
Types for Stack Inspection

• Want to do static checking of lsec code
• Statically detect security failures.
• Eliminate redundant checks.
• Example of nonstandard type system for enforcing
  security properties.
• Type system based on work by Pottier, Skalka, and
  Smith
• A Systematic Approach to Static Access Control
• Explain the type system by taking a detour
  through security-passing style.
• Wallachs Feltens Understanding Stack
  Inspection

4
Security-passing Style

• Basic idea Convert the stack-crawling form of
  stack inspection into a permission-set passing
  style
• Compute the set of current permissions at any
  point in the code.
• Make the set of permissions explicit as an extra
  parameter to functions (hence security-passing
  style)
• Target language is a lambda calculus with a
  primitive datatype of sets.

5
Target Language lset

• Language syntaxe,f expressions
  x variable lx.e function e
  f application fail failure let x
  e in f local decl. if p?se then e
  else f member test se set
  expr.
• se
• S perm. set se ?
  se union se ? se
  intersection x

6
Translation lsec to lset

• eR translation of e in domain R
• with s current permissions
• xR x
• lx.eR lx.ls.eR
• e fR eR fR s
• let x e in fR let x eR in
  fR
• enable p in eR let s s ? (p ? R) in
  eR
• ReR let s s ? R in eR
• check p eR if p ? s then eR else
  fail
• test p then e1 else e2R if p ? s then
  e1R else e2R
• Top level translation e ePP/s

7
Example Translation
System f1, f2, f3 Applet f1 h
Systemenable f1 in Applet(lx.
Systemcheck f1 then write x)
kwijibo
8
Example Translation
h
( System ) let s P ? f1, f2, f3 in (
enable f1 ) let s s ? (f1 ? f1, f2,
f3) in ( Applet ) let s s ? f1 in
(lx.ls. ( System ) let s s ? f1,
f2, f3 in if f1 ? s then write x else
fail) kwijibo s
9
Example Translation
h
( System ) let s P ? f1, f2, f3 in (
enable f1 ) let s s ? (f1 ? f1, f2,
f3) in ( Applet ) let s s ? f1 in
(lx.ls. ( System ) let s s ? f1,
f2, f3 in if f3 ? s then write x else
fail) kwijibo s
Change permission check
10
Stepping Back

• Have two formulations of stack inspection
  original and eager
• Have a translation to a language that manipulates
  sets of permissions explicitly.
• Includes the administrative reductions that
  just compute sets of permissions.
• Similar computations can be done statically!

11
Typing Judgments
RSG -- e t
12
Form of types

• Only interesting (non administrative) change
  during compilation was for functions
• lx.eR lx.ls.eR
• Source type t ? u
• Target type t ? s ? u
• The 2nd argument, is always a set, so we
  specialize the type tot S? u

13
Types

• Typest types int, string, base
  types t S? t functions

14
Simple Typing Rules
RSG -- x G(x)
Variables
Abstraction
15
More Simple Typing Rules
Application
Let
16
Rule for Check
Note that this typing rule requires that the
permission p is statically known to be available.
R S?pG -- e t
R S?pG -- check p then e t
17
Typing Rules for Enable
Enable succeed
RS?pG -- e t p ? R
RSG -- enable p in e t
RSG -- e t p ? R
Enable fail
RSG -- enable p in e t
-- latter should be flagged as useless code
18
Rule for Test
Check the first branch under assumption that p is
present, check the else branch under assumption
that p is absent.
R S?pG -- e t
RSG -- f t
RSG -- test p then e else f t
19
Rule for Protection Domains
Intersect the permissions in the static
protection domain with the current permission
set.
SS?SG -- e t
RSG -- Se t
20
Weakening (Subsumption)
It is always safe to forget permissions.
21
Type Safety

• TheoremIf PP? -- e t then either e ? v or
  ediverges.
• In particular e never fails. (i.e. check always
  succeeds)
• ProofPreservation Progress.

22
Example Good Code
h Systemenable f1 in Applet(lx.
Systemcheck f1 then write x)
kwijibo Then PS? -- h unit for any
S
23
Example Bad Code
g Systemenable f1 in Applet(lx.
Systemcheck f2 then write x)
kwijibo Then RS? -- g t is not
derivablefor any R,S, and t.
24
Static vs. Dynamic Checks
Calling this function requires the static
permission p
??? -- lx.check p in x int p?int
Only way to call it (assuming initial perms.are
empty) is to put it in the scope of adynamic
test test p then can call it here
else may not call it here
25
Expressiveness

• This type system is very simple
• No subtyping
• No polymorphism
• Not algorithmic
• Hard to do inference
• Can add all of these features
• See François Pottiers paper for a nice example.
• Uses Didier Rémys row types to describe the sets
  of permission.
• Uses HM(X) Hindley Milner with constraints
• Also shows how to derive a type system for the
  source language from the translation!

26
Conclusions

• Stack inspection is a complex security mechanism
• In practice, useful for preventing some attacks
• Formal reasoning useful for understanding what
  optimizations preserve semantics
• Type systems or program analysis have the
  potential to catch obvious security violations
  at compile time where they can easily be fixed