Current Techniques in Language-based Security

1
Current Techniques in Language-based Security

• David Walker
• COS 441
• With slides stolen from
• Steve Zdancewic
• University of Pennsylvania

2
Mobile Code

• Modern languages like Java and C have been
  designed for Internet applications and extensible
  systems
• PDAs, Cell Phones, Smart Cards,

applet
applet
applet
web browser
operating system
3
Applet Security Problems

• Protect OS other valuable resources.
• Applets should not
• crash browser or OS
• execute rm rf /
• be able to exhaust resources
• Applets should
• be able to access some system resources (e.g. to
  display a picture)
• be isolated from each other
• Principles of least privileges and complete
  mediation apply

4
Java and C Security

• Static Type Systems
• Memory safety and jump safety
• Run-time checks for
• Array index bounds
• Downcasts
• Access controls
• Virtual Machine / JIT compilation
• Bytecode verification
• Enforces encapsulation boundaries (e.g. private
  field)
• Garbage Collected
• Eliminates memory management errors
• Library support
• Cryptography, authentication,

These lectures
5
Access Control for Applets

• What level of granularity?
• Applets can touch some parts of the file system
  but not others
• Applets can make network connections to some
  locations but not others
• Different code has different levels of
  trustworthiness
• www.l33t-hax0rs.com vs. www.java.sun.com
• Trusted code can call untrusted code
• e.g. to ask an applet to repaint its window
• Untrusted code can call trusted code
• e.g. the paint routine may load a font
• How is the access control policy specified?

6
Outline

• Java Security Model (C similar)
• Stack inspection
• Concrete examples
• To discuss what security principles does the
  Java security model obey or not obey?
• Semantics from a PL perspective
• Formalizing stack inspection
• how exactly does it work?
• Reasoning about programs that use stack
  inspection

7
Java Security Model
Security Policy
VM Runtime
a.class b.class c.class d.class e.class
Permissions
Domain A
Permissions
Domain B
ClassloaderSecurityManager
http//java.sun.com/j2se/1.4.2/docs/guide/security
/spec/security-specTOC.fm.html
8
Kinds of Permissions

• java.security.Permission Class
• perm new java.io.FilePermission("/tmp/abc","read
  ")
• java.security.AllPermission
• java.security.SecurityPermission
• java.security.UnresolvedPermission
• java.awt.AWTPermission
• java.io.FilePermission
• java.io.SerializablePermission
• java.lang.reflect.ReflectPermission
• java.lang.RuntimePermission
• java.net.NetPermission
• java.net.SocketPermission

9
Code Trustworthiness

• How does one decide what protection domain the
  code is in?
• Source (e.g. local or applet)
• Digital signatures
• C calls this evidence based
• How does one decide what permissions a protection
  domain has?
• Configurable administrator file or command line
• Enforced by the classloader

10
Classloaders

• In order to pull new code into the virtual
  machine, we use an object from the ClassLoader
  class
• A class loader will look in the file system, or
  across the network for a class file, or possibly
  dynamically generate the class
• When loading the first class of an application, a
  new instance of the URLClassLoader is used.
• When loading the first class of an applet, a new
  instance of the AppletClassLoader is used.
• Class loaders are responsible for placing classes
  into their security domains
• AppletClassLoader places classes in domains
  depending on where they are from
• Other ClassLoaders places classes in domains
  based on digital signatures, or origin (such as
  local file system)

11
Classloader Hierarchy
Primordial ClassLoader
ClassLoader
SecureClassLoader
URLClassLoader
AppletClassLoader
12
Associating Privileges with Domains
grant codeBase http//www.l33t-hax0rz.com/
permission java.io.FilePermission(/tmp/,
read,write) grant codeBase
file//JAVA_HOME/lib/ext/ permission
java.security.AllPermission grant signedBy
trusted-company.com permission
java.net.SocketPermission() permission
java.io.FilePermission(/tmp/, read,write)

Policy information stored in
JAVA_HOME/lib/security/java.policy
USER_HOME/.java.policy (or passed on
command line)
13
Example Trusted Code
Code in the System protection domain
void fileWrite(String filename, String s)
SecurityManager sm System.getSecurityManager()
if (sm ! null) FilePermission fp new
FilePermission(filename,write)
sm.checkPermission(fp) / write s to file
filename (native code) / else throw
new SecurityException()
public static void main() SecurityManager sm
System.getSecurityManager() FilePermission
fp new FilePermission(/tmp/,write,)
sm.enablePrivilege(fp) UntrustedApplet.run()
14
Example Client
Applet code obtained from http//www.l33t-hax0rz.
com/
class UntrustedApplet void run() ...
s.FileWrite(/tmp/foo.txt, Hello!) ...
s.FileWrite(/home/dpw/grades.txt, Ginsburg
A) ...
15
Stack Inspection

• Stack frames are annotated with their protection
  domains and any enabled privileges.
• During inspection, stack frames are searched from
  most to least recent
• fail if a frame belonging to someone not
  authorized for privilege is encountered
• succeed if activated privilege is found in frame

16
Stack Inspection Example
Policy Database
main() fp new FilePermission(/tmp/,write
,) sm.enablePrivilege(fp)
UntrustedApplet.run()
17
Stack Inspection Example
Policy Database
main() fp new FilePermission(/tmp/,write
,) sm.enablePrivilege(fp)
UntrustedApplet.run()
fp
18
Stack Inspection Example
void run() s.FileWrite(/tmp/foo.txt,
Hello!)
Policy Database
main() fp new FilePermission(/tmp/,write
,) sm.enablePrivilege(fp)
UntrustedApplet.run()
fp
19
Stack Inspection Example
void fileWrite(/tmp/foo.txt, Hello!) fp
new FilePermission(/tmp/foo.txt,write)
sm.checkPermission(fp) / write s to file
filename /
void run() s.FileWrite(/tmp/foo.txt,
Hello!)
Policy Database
main() fp new FilePermission(/tmp/,write
,) sm.enablePrivilege(fp)
UntrustedApplet.run()
fp
20
Stack Inspection Example
void fileWrite(/tmp/foo.txt, Hello!) fp
new FilePermission(/tmp/foo.txt,write)
sm.checkPermission(fp) / write s to file
filename /
void run() s.FileWrite(/tmp/foo.txt,
Hello!)
Policy Database
main() fp new FilePermission(/tmp/,write
,) sm.enablePrivilege(fp)
UntrustedApplet.run()
fp
Succeed!
21
Stack Inspection Example
void run() s.FileWrite(/home/dpw/grades.t
xt, Ginsburg A)
Policy Database
main() fp new FilePermission(/tmp/,write
,) sm.enablePrivilege(fp)
UntrustedApplet.run()
fp
22
Stack Inspection Example
void fileWrite(/important.txt, kwijibo)
fp new FilePermission(important.txt,
write) sm.checkPermission(f
p)
void run() s.FileWrite(/home/dpw/grades.t
xt, Ginsburg A)
Policy Database
Fail
main() fp new FilePermission(/tmp/,write
,) sm.enablePrivilege(fp)
UntrustedApplet.run()
fp
23
Other Possibilities

• The fileWrite method could enable the write
  permission itself
• Potentially dangerous, should not base the file
  to write on data from the applet
• but no enforcement in Java
• A trusted piece of code could disable a
  previously granted permission
• Terminate the stack inspection early

24
Stack Inspection Algorithm
checkPermission(T) // loop newest to oldest
stack frame foreach stackFrame if (local
policy forbids access to T by class executing in
stack frame) throw ForbiddenException
if (stackFrame has enabled privilege for T)
return // allow access if (stackFrame has
disabled privilege for T) throw
ForbiddenException // end of stack if
(Netscape ) throw ForbiddenException if
(MS IE4.0 JDK 1.2 ) return
25
Two Implementations

• On demand
• On a checkPermission invocation, actually crawl
  down the stack, checking on the way
• Used in practice
• Eagerly
• Keep track of the current set of available
  permissions during execution (security-passing
  style Wallach Felten)
• more apparent (could print current perms.)
• more expensive (checkPermission occurs
  infrequently)

26
Stack Inspection

• Stack inspection seems appealing
• Fine grained, flexible, configurable policies
• Distinguishes between code of varying degrees of
  trust
• But
• How do we understand what the policy is?
• Semantics tied to the operational behavior of the
  program (defined in terms of stacks!)
• How do we compare implementations
• Changing the program (e.g. optimizing it) may
  change the security policy
• Policy is distributed throughout the software,
  and is not apparent from the program interfaces.
• Is it any good?

27
Stack Inspection Literature

• Stack Inspection Theory and VariantsCédric
  Fournet and Andrew D. Gordon
• Use operational semantics like in class
• Understanding Java Stack InspectionDan S.
  Wallach and Edward W. Felten
• Formalize Java Stack Inspection using a special
  logic of authentication

28
Formalizing Stack Inspection
29
Abstract Stack Inspection

• Abstract permissions
• p,q Permissions (left abstract in the theory)
• R,S Principals (sets of permissions)
• Hide the details of classloading, etc.
• ExamplesSystem fileWrite(f1),
  fileWrite(f2),Applet fileWrite(f1)

30
lsec Syntax

• Language syntaxe expressions
  x variable lx.e function e1
  e2 application Re framed expr
  enable p in e enable test p then e1 else
  e2 check perm. fail failure v x
  lx.e valueso v fail outcome

31
Framing a Term

• Models the Classloader that marks the (unframed)
  code with its protection domainLoad(R,x) x
• Load(R,lx.e) lx. R Load(R,e)
• Load(R,e1 e2) Load(R,e1) Load(R,e2)
• Load(R,enable p in e)
• enable p in Load(R,e)
• Load(R,test p then e2 else e2)
• test p then Load(R,e1) else Load(R,e2)
• Load(R,fail) fail

32
Example
readFile lfileName.System test
fileWrite(fileName) then // primitive file IO
(native code) else fail
AppletreadFile f2 --gt fail
SystemreadFile f2 --gt ltf2 contentsgt
33
lsec Operational Semantics

• Evaluation contextsE Hole E
  e Eval function v E Eval arg enable p
  in E Tag on stack frame RE
  Stack frame
• E models the control stack

34
lsec Operational Semantics

• E(lx.e) v --gt Eev/x
• Eenable p in v --gt Ev
• ERv --gt Ev
• Efail --gt fail
• Etest p then e else f --gt Ee
  if Stack(E) -- p
• Etest p then e else f --gt Ef
  if ?(Stack(E) -- p)

35
Example Evaluation Context
AppletreadFile f2
E Applet r readfile f2
36
Example Evaluation Context
AppletreadFile f2
E Applet r (lfileName.System test
fileWrite(fileName) then // primitive file
IO (native code) else fail ) f2
37
Example Evaluation Context
AppletreadFile f2
E Applet r System test
fileWrite(f2) then // primitive file IO
(native code) else fail
38
Example Evaluation Context
AppletSystem test fileWrite(f2) then
// primitive file IO (native code) else
fail
39
Example Evaluation Context
AppletSystem test fileWrite(f2) then
// primitive file IO (native code) else
fail
E AppletSystemr test fileWrite(f2)
then // primitive file IO (native code)
else fail
40
Formal Stack Inspection
E AppletSystemr test fileWrite(f2)
then // primitive file IO (native code)
else fail
When does stack E allow permissionfileWrite(f2
)? Stack(E) -- fileWrite(f2)
41
Formal Stack Inspection
Structure of Stacks s .
(Empty Stack) s.R (Stack for code
of principal R) s.enable(p) (Privelege p
enabled)
42
Stack of an Eval. Context
Stack() . Stack(E e)
Stack(E)Stack(v E) Stack(E)Stack(enable p
in E) enable(p).Stack(E) Stack(RE)
R.Stack(E)
Stack(E) Stack(AppletSystem)
Applet.Stack(System) Applet.System.Stack(
) Applet.System.
43
Abstract Stack Inspection
. -- p empty stack axiom
protection domain check
p ? q irrelevant enable
check enable
44
Abstract Stack Inspection
. p empty stack enables all
enable succeeds
irrelevant enable
45
Equational Reasoning
e? iff there exists o such that e --gt o Let
C be an arbitrary program context. Say that
e e iff for all C, if Ce and Ce are
closed then Ce? iff Ce?.
46
Example Inequality
ok lx.x loop (lx.x x)(lx.x x)
(note loop ?) f lx. let z x ok in l_.z g
lx. let z x ok in l_.(x ok) Claim f ?
g Proof Let C ? l_.test p then loop
else ok ok
47
Example Continued

• Cf ?f l_.test p then loop else ok ok
• ? ?let z (l_.test p
  then loop else ok) ok in l_.z ok
• ? ?let z test p then loop else ok
  in l_.z ok
• ? ?let z ok in l_.z ok
• ? ?l_.ok ok
• ? (l_.ok) ok
• ? ok

stack(? ) ..? ..? -- p is not valid
48
Example Continued

• Cg ?g l_.test p then loop else ok ok
• ? ?let z (l_.test p
  then loop else ok) ok in
  l_.((l_.test p then loop else ok) ok) ok
• ? ?let z test p then loop else ok
  in l_. ((l_.test p then loop else ok)
  ok) ok
• ? ?let z ok in l_.
  ((l_.test p then loop else ok) ok) ok
• ? ?l_. ((l_.test p then loop else ok)
  ok) ok
• ? (l_. ((l_.test p then loop else ok) ok))
  ok
• ? (l_.test p then loop else ok) ok
• ? test p then loop else ok
• ? loop ? loop ? loop ?

return from function gt pop frame
stack( ) . . -- p is valid!
49
Example Applications
Formal reasoning about the semantics of stack
inspection makes it possible to perform safe
optimizations
Eliminate redundant annotations lx.Rly.Re
lx.ly.Re
Decrease stack inspection costs e test p then
(enable p in e) else e
50
Axiomatic Equivalence
Can give a sound set of equations ? that
characterize . Example axioms

• (lx.e) v ? ev/x (beta equivalence)
• x ? fv(v) ? lx.v ? v
• enable p in o ? o
• enable p in (enable q in e) ? enable q in
  (enable p in e)
• R ? S ? RSe ? Se
• RSenable p in e ? R?pSenable p in
  e
• many, many more

? Implies
51
Example Higher-order Code
main System lh.(h ok ok) fileHandler
Systemls.lc.l_.c (readFile s) leak
Appletls.output s main(l_.AppletfileHandler
f2 leak)
52
Example Higher-order Code

• main(l_.AppletfileHandler f2 leak)
• ? SystemAppletfileHandler f2 leak okS
• ? SystemAppletSystemSystem
  l_.Systemleak (readFile f2) okS
• ? Systeml_.Systemleak (readFile f2) okS
• ? SystemSystemleak ltf2 contentsgt
• ? SystemSystemAppletoutput ltf2 contentsgt
• ? SystemSystemAppletok
• ? ok

53
Other Problems

• Applets returning closures can circumvent stack
  inspection.
• Possible solution
• Values of the form Rv (i.e. keep track of the
  protection domain of the source)
• Similarly, one could have closures capture their
  current security context
• Integrity analysis (i.e. where data comes from)
• Fournet Gordon prove some properties of
  strengthened versions of stack inspection.

54
Conclusions

• What security properties does the Java security
  model guarantee?
• What optimizations are legal?
• Formal semantics helps us find the answers
  suggests improvements