Confined Types - PowerPoint PPT Presentation

Slides: 30
Provided by: csta3

Transcript and Presenter's Notes

1
Confined Types
presented by Guy Gueta
  • Encapsulation and modularity Seminar
  • November, 2005

2
Writing secure code
  • A difficult task
  • Many security problems
  • Software systems that run untrusted and trusted
    code together
  • Loadable components

3
Object-oriented
  • An object can be referenced by many other objects
  • Every method can be called by an adversary
  • Defensive style: dynamic security checks
  • Performance problem
  • Bugs
  • Protection domains

4
Protection domains
  • Internal objects (without security checks) and
    external objects (with security checks)
  • The core code can be written without security
    checks
  • Easier for security analysis (by the programmer or
    by tools)
  • Java has no means to enforce such a distinction
  • Access modifiers only control the visibility of
    methods and fields and the scope of types
  • References to sensitive objects may still leak to
    other protection domains

5
Confined Types
  • Prevent internal objects from escaping
  • T is confined in domain D iff all references to
    instances of T are held within D
  • Enforce static scoping of dynamic object
    references
  • Stronger than a private type

6
Achieving confinement
  • Static constraints on the definition and use of
    objects
  • Checked at compile time (no runtime cost; violations
    are compilation errors)
  • Java
  • Two additional modifiers (confined, anon)
  • Restrictions on programs
  • Certain programming tasks may be clumsier
  • Protection domain = package
  • Don't affect the program semantics!
  • Modular (dynamic loading is possible)
  • Simple implementation

7
Security breach in JDK 1.1.1
  • Untrusted code can acquire extended access rights

  class java.lang.Class {
      private Identity[] signers;
      public Identity[] getSigners() { return signers; }
  }

  java.security.IdentityScope.identities(): an enumeration of all
  identities known to the local system
8
  • Simple fix: return a copy of the internal array
  • Nothing guarantees that similar defects are not
    present in other parts of the package
  • The attack doesn't interact with Identity itself
    (private can't help us)
  • With confined types, references to Identity objects
    never escape from the java.security package
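
The following is an added example, not code from the slides or from the JDK: a single-file Java stand-in for the JDK 1.1.1 getSigners() leak and the "return a copy" fix. Identity, IdentityScope, LeakyClass and FixedClass are constructed look-alikes for the demo, not the real java.security classes. forgeSigner() plays the untrusted code: it fetches a trusted identity from the scope and writes it into the array the getter returned. The write succeeds against LeakyClass and has no effect on FixedClass; the last line shows what the copy does not fix, namely that Identity objects themselves still reach the caller, which is the gap a confined Identity type would close.

```java
// Added example (not from the slides or the JDK): a stand-in for the
// JDK 1.1.1 java.lang.Class#getSigners() leak and the "return a copy" fix.
// Identity, IdentityScope, LeakyClass and FixedClass are constructed
// look-alikes for this demo, not the real java.security classes.
import java.util.Arrays;
import java.util.List;

final class Identity {
    private final String name;
    Identity(String name) { this.name = name; }
    String name() { return name; }
}

// Stand-in for java.security.IdentityScope.identities(): every identity the
// local system knows about, trusted ones included.
final class IdentityScope {
    private static final List<Identity> KNOWN =
        List.of(new Identity("trusted-ca"), new Identity("untrusted-applet"));
    static List<Identity> identities() { return KNOWN; }
}

// The JDK 1.1.1 shape: the getter hands out the internal array itself,
// so the caller and the class share one mutable object.
final class LeakyClass {
    private final Identity[] signers = { new Identity("untrusted-applet") };
    public Identity[] getSigners() { return signers; }           // BUG: aliases private state
    boolean signedBy(String who) {
        return Arrays.stream(signers).anyMatch(i -> i.name().equals(who));
    }
}

// The fix named on the slide: hand out a copy, so writes by the caller
// never reach the array the class actually consults.
final class FixedClass {
    private final Identity[] signers = { new Identity("untrusted-applet") };
    public Identity[] getSigners() { return signers.clone(); }   // fresh array per call
    boolean signedBy(String who) {
        return Arrays.stream(signers).anyMatch(i -> i.name().equals(who));
    }
}

public class SignersLeakDemo {
    // What untrusted code could do: fetch a trusted identity from the scope
    // and write it into whatever array getSigners() returned.
    static void forgeSigner(Identity[] signers) {
        Identity trusted = IdentityScope.identities().stream()
            .filter(i -> i.name().equals("trusted-ca"))
            .findFirst().orElseThrow();
        signers[0] = trusted;
    }

    public static void main(String[] args) {
        LeakyClass leaky = new LeakyClass();
        forgeSigner(leaky.getSigners());
        System.out.println("leaky class now signed by trusted-ca: " + leaky.signedBy("trusted-ca"));

        FixedClass fixed = new FixedClass();
        forgeSigner(fixed.getSigners());
        System.out.println("fixed class now signed by trusted-ca: " + fixed.signedBy("trusted-ca"));

        // The copy protects the array, not the Identity objects inside it: the
        // caller still holds references to them. Keeping such references inside
        // java.security is exactly what a confined Identity type would enforce.
        System.out.println("caller still holds an Identity: " + fixed.getSigners()[0].name());
    }
}
```

Save as SignersLeakDemo.java, then `javac SignersLeakDemo.java && java SignersLeakDemo` (Java 11 or later for List.of and orElseThrow()). The clone is shallow by design: it is all the slide's fix does, and it is enough for the array but not for the elements.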

10
Anonymous Methods
  • Do not depend on the identity of the current
    instance
  • Behavior is determined by arguments and fields
  • Essential to allow confined types to inherit
    methods from unconfined parents

11
Anonymous Methods in Java
  • Declared with the anon modifier
  • An anonymous method uses this only to access fields
    and to invoke other anonymous methods; it never
    invokes a non-anonymous method of the same object

13
  • Potential callers can rely on anonymity
  • Constructors are a special case of instance
    methods
  • Constructors may be declared anonymous
  • From an anonymous constructor, explicit and implicit
    constructor calls (this(), super()) go only to
    anonymous constructors
  • The Object constructor is anonymous by definition

14
Anonymous methods in existing code
15
Confined Types
18
Confinement in declarations
  • C1: confined types have private or package-local
    access (never public)
  • Not allowed in the unnamed global package, which is
    open to extension by any class
  • All subtypes of a confined type are confined

19
Reference widening
  // package one
  class A { ... }

  // package two
  confined class B extends A { ... }
  A a = (A)(new B());  // a can leak out of package two
  • Every object can be stored in a variable of type
    java.lang.Object (which is not confined)
  • Reference widening from a confined type to an
    unconfined supertype must not be allowed

20
Reference widening
  Widening can occur at four sites; ">" reads "is a proper supertype of":

  Site         Code                                   Widening when
  assignment   var = exp;                             dec_type(var) > static_type(exp)
  method call  void method(A a) { ... }  method(exp);  A > static_type(exp)
  return       A method() { ... return exp; }         A > static_type(exp)
  cast         (A)(new B());                          A > B
22
Collections
  • Confined objects should not be stored in
    unconfined collections
  • For arrays: if T is confined then T[] is
    confined
  • For the other collections, elements can't be cast
    to java.lang.Object
  • Use confined collections
  • Generics
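
The following is an added example, not from the slides: a small Java checker that applies the declaration and widening rules of slides 18 to 22 to a hand-built model of a program instead of to real source. Type, Site and the way the rules are encoded are this example's own choices; every Site is assumed to already be a legal Java widening (the target type is a supertype of the expression's static type), since a real checker would get that from the compiler. The point it makes is that the four rows of the widening table collapse into one test, "the expression's type is confined and the type it widens to is not", with arrays handled by stripping the [] and inheritance handled by walking up the supertype chain.

```java
// Added example (not from the slides): a small checker that applies the
// confinement and widening rules to a hand-built model of a program.
// Type, Site and the rule encoding are this example's own; a real checker
// would read them off Java source. Every Site is assumed to already be a
// legal Java widening (the target is a supertype of the expression's type).
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class ConfinementChecker {
    // A type as the checker sees it. pkg "" means the unnamed package;
    // superName null means no (modelled) supertype.
    record Type(String name, String pkg, boolean isPublic,
                boolean declaredConfined, String superName) {}

    // One of the four widening sites from the table: assignment, method
    // call, return or cast. pkg is the package in which the site occurs.
    record Site(String kind, String targetType, String exprType, String pkg) {}

    private final Map<String, Type> types = new HashMap<>();

    void add(Type t) { types.put(t.name(), t); }

    // Confinement is inherited, and T[] is confined exactly when T is.
    boolean isConfined(String name) {
        if (name.endsWith("[]")) return isConfined(name.substring(0, name.length() - 2));
        for (Type t = types.get(name); t != null; t = types.get(t.superName())) {
            if (t.declaredConfined()) return true;
        }
        return false;
    }

    String packageOf(String name) {
        if (name.endsWith("[]")) return packageOf(name.substring(0, name.length() - 2));
        Type t = types.get(name);
        return t == null ? null : t.pkg();
    }

    List<String> check(List<Site> sites) {
        List<String> errors = new ArrayList<>();
        // C1: confined types are private or package-local, and not in the
        // unnamed package, which any class may join.
        for (Type t : types.values()) {
            if (!t.declaredConfined()) continue;
            if (t.isPublic()) errors.add("C1: confined type " + t.name() + " must not be public");
            if (t.pkg().isEmpty()) errors.add("C1: confined type " + t.name() + " cannot be in the unnamed package");
        }
        // All four widening sites reduce to one test: the expression's static
        // type is confined and the type it widens to is not.
        for (Site s : sites) {
            if (isConfined(s.exprType()) && !isConfined(s.targetType()))
                errors.add(s.kind() + ": widens confined " + s.exprType() + " to unconfined " + s.targetType());
            // A confined type may only be mentioned inside its own package.
            if (isConfined(s.exprType()) && !s.pkg().equals(packageOf(s.exprType())))
                errors.add(s.kind() + ": " + s.exprType() + " used outside package " + packageOf(s.exprType()));
        }
        return errors;
    }

    public static void main(String[] args) {
        ConfinementChecker c = new ConfinementChecker();
        c.add(new Type("Object", "java.lang", true, false, null));
        c.add(new Type("A", "one", true, false, "Object"));   // unconfined parent in package one
        c.add(new Type("B", "two", false, true, "A"));        // confined class B extends A
        c.add(new Type("C", "two", false, false, "B"));       // confined by inheritance from B
        List<Site> sites = List.of(
            new Site("cast", "A", "B", "two"),                  // (A)(new B()): confined B widened to A
            new Site("assignment", "Object", "C", "two"),       // Object o = new C(): C inherits confinement
            new Site("assignment", "Object[]", "B[]", "two"),   // Object[] os = bs: B[] is confined because B is
            new Site("assignment", "B", "C", "two"),            // B b = new C(): both confined, allowed
            new Site("method call", "B", "B", "three")          // a B handled in package three, outside its domain
        );
        c.check(sites).forEach(System.out::println);
    }
}
```

Compile with `javac ConfinementChecker.java` (records need Java 16 or later) and run `java ConfinementChecker`. Because every rule consults only the declarations of the package being checked plus the public signatures of the types it widens to, the check is modular in the sense the slides claim: a package can be verified before any other package is loaded.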

23
Hidden Widening
  confined class B extends A {
      public void boo() { foo(); }
  }
  class A {
      protected void foo() { /* store this */ }
  }
  • this can escape from the package
  • Solution: confined classes are not allowed to
    inherit from a non-trivial unconfined class
  • Better solution: with anonymous methods....

24
  confined class B extends A {
      public void boo() { foo(); }
  }
  class A {
      public anon void foo() { /* ... */ }
  }
  • The anonymity of foo() can be checked in the defining
    package (package one), so package two can rely on it
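
The following is an added example, not from the slides: the hidden-widening leak of slide 23 in plain Java, next to the anonymous-method shape of slide 24. Registry, A, B, AnonA and AnonB are constructed for the demo and, for a single-file build, all sit in one package; the comments say which package each would live in. Java has no anon modifier, so AnonA.foo() simply obeys the rule by hand: it touches arguments and fields and never lets this out. Running it shows a B instance reachable through Registry after B.boo(), and no AnonB instance after AnonB.boo().

```java
// Added example (not from the slides): how `this` escapes through an
// inherited method, and the anonymous-method discipline that stops it.
// Registry, A, B, AnonA and AnonB are constructed for this demo.
import java.util.ArrayList;
import java.util.List;

// Unconfined and reachable from everywhere; stands in for any place outside
// package two where a reference might be parked.
final class Registry {
    static final List<Object> ESCAPED = new ArrayList<>();
    static void store(Object o) { ESCAPED.add(o); }
}

// The unconfined parent from slide 23 (would live in package one).
// The widening of `this` to Object happens here, so a checker looking only
// at package two never sees it: that is what makes the widening "hidden".
class A {
    protected void foo() { Registry.store(this); }
}

// Meant to be confined to package two. boo() calls the inherited, non-anonymous
// foo() with a B as receiver, so a B reference leaves the package.
final class B extends A {
    public void boo() { foo(); }
}

// The slide-24 shape: foo() behaves as an anonymous method. Its effect depends
// only on its argument and a field; `this` is used to reach the field and
// nothing else, so no caller can learn which instance ran it.
class AnonA {
    private int calls;
    protected void foo(String who) {
        calls++;
        Registry.store("foo called by " + who);
    }
    int calls() { return calls; }
}

final class AnonB extends AnonA {
    public void boo() { foo("B"); }
}

public class HiddenWideningDemo {
    static boolean escaped(Class<?> type) {
        return Registry.ESCAPED.stream().anyMatch(type::isInstance);
    }

    public static void main(String[] args) {
        new B().boo();
        System.out.println("B instance reachable outside its package: " + escaped(B.class));

        Registry.ESCAPED.clear();
        AnonB ab = new AnonB();
        ab.boo();
        System.out.println("AnonB instance reachable outside its package: " + escaped(AnonB.class));
        System.out.println("AnonB still did its work, calls = " + ab.calls());
    }
}
```

Save as HiddenWideningDemo.java and run with `javac HiddenWideningDemo.java && java HiddenWideningDemo`. In the proposal the anon declaration on A.foo() is verified where A is compiled, and B's package needs only the signature; here nothing verifies AnonA.foo(), which is precisely why the slides want the modifier rather than a coding convention.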
27
Preventing transfer from the outside
Can be omitted !?
28
Example: Public-Key Cryptography
29
Other Aspects
  • Protection domain ? package
  • Generics
  • Reduce the need for reference widening
  • Less code (public-key example)
  • Software Engineering
  • strong private
  • Optimizations

30
Summary
  • We saw two new language mechanisms:
  • Confined types
  • Anonymous methods
  • Enforced by a set of simple syntactic constraints
    which can be verified statically
  • Can be used for controlling the dissemination of
    object references