Reasoning about Object Capa- bilities with Logical Relations and - - PowerPoint PPT Presentation

reasoning about object capa bilities with logical
SMART_READER_LITE
LIVE PREVIEW

Reasoning about Object Capa- bilities with Logical Relations and - - PowerPoint PPT Presentation

Nov 02, 2022 173 likes •389 views

Reasoning about Object Capa- bilities with Logical Relations and Effect Parametricity (EuroS&P 2016, Saarbrcken) Dominique Devriese 1 , Frank Piessens 1 , Lars Birkedal 2 1 iMinds-DistriNet, KU Leuven, 2 Aarhus University December 2015

slide-1
SLIDE 1

Reasoning about Object Capa- bilities with Logical Relations and Effect Parametricity

(EuroS&P 2016, Saarbrücken) Dominique Devriese1, Frank Piessens1, Lars Birkedal2

1 iMinds-DistriNet, KU Leuven, 2 Aarhus University

December 2015

slide-2
SLIDE 2

Outline

2/15 Object capabilities Reasoning about Object Capabilities Encapsulation, shared data, authority Reasoning about Primitive I/O Conclusion Reasoning about Object Capabilities

slide-3
SLIDE 3

Object capabilities

3/15 Example: browser ad sandboxing: rnode

def

= func(node, d){· · · } initWebPage

def

= func(document, ad)      let (adNode = document.addChild(“ad_div”)) let (rAdNode = rnode(adNode, 0)) ad.initialize(rAdNode)      Reasoning about Object Capabilities

slide-4
SLIDE 4

Object capabilities

4/15 Fine-grained privilege separation. Control authority of arbitrary, untrusted, untyped code.

Just restrict what it has access to.

Low tech, low overhead.

No types/... Standard OO techniques/patterns.

High-level OO languages or low-level assembly Applications:

sandboxing fault isolation auditability etc.

Reasoning about Object Capabilities

slide-5
SLIDE 5

Object capabilities

5/15 A capability-safe language: Private state encapsulation. Primitive I/O through non-public objects (like document). No global mutable state. Examples: E, Joe-E, Emily, Newspeak etc. JavaScript 5 (strict mode, after proper initialisation)? Reasoning about Object Capabilities

slide-6
SLIDE 6

Reasoning about capability-safe languages?

6/15 rnode

def

= func(node, d){· · · } initWebPage

def

= func(document, ad)      let (adNode = document.addChild(“ad_div”)) let (rAdNode = rnode(adNode, 0)) ad.initialize(rAdNode)      Are we 100% sure? What does the language guarantee precisely? Is it really capability-safe? What does that mean? What to ensure precisely? What can we rely on precisely? Reasoning about Object Capabilities

slide-7
SLIDE 7

Reasoning about capability-safe languages?

7/15 OCap community: Reference graph “No Authority Amplification” “Only Connectivity Begets Connectivity” Problem: Syntactic bound on authority. Ignores behavior. Necessary, but not sufficient! Reasoning about Object Capabilities

slide-8
SLIDE 8

Reasoning about capability-safe languages?

8/15 What’s the alternative? Reasoning about Object Capabilities

slide-9
SLIDE 9

Reasoning about capability-safe languages?

8/15 What’s the alternative?

Security Researcher ...privilege separation... ...capability-safety... ...security applications... But how to reason? Programming Languages Researcher ...logical relations... ...Kripke worlds... ...modular reasoning... But applications?

Reasoning about Object Capabilities

slide-10
SLIDE 10

Reasoning about capability-safe languages

9/15 Our approach: Untyped higher-order language Private state en- capsulation Primitive I/O encapsulation Step- indexed logical re- lations Recursive Kripke worlds

OCap ingredients PL Reasoning Techniques

Reasoning about Object Capabilities

slide-11
SLIDE 11

Reasoning about capability-safe languages

9/15 Our approach: Untyped higher-order language Private state en- capsulation Primitive I/O encapsulation Step- indexed logical re- lations Recursive Kripke worlds Pub/priv transitions for authority

OCap ingredients PL Reasoning Techniques

Reasoning about Object Capabilities

slide-12
SLIDE 12

Reasoning about capability-safe languages

9/15 Our approach: Untyped higher-order language Private state en- capsulation Primitive I/O encapsulation Step- indexed logical re- lations Recursive Kripke worlds Pub/priv transitions for authority

OCap ingredients PL Reasoning Techniques

? Reasoning about Object Capabilities

slide-13
SLIDE 13

Reasoning about capability-safe languages

9/15 Our approach: Untyped higher-order language Private state en- capsulation Primitive I/O encapsulation Step- indexed logical re- lations Recursive Kripke worlds Pub/priv transitions for authority

OCap ingredients PL Reasoning Techniques

Effect Parametricity Reasoning about Object Capabilities

slide-14
SLIDE 14

Encapsulation of private state

10/15 Register state machine to govern fresh data structure. ticketDispenser

def

= func(attacker)                let(o = ref 0) let (dispTkt = func(){ let (v = deref o){o := v + 2; v}}) attacker(dispTkt); deref o                start

2 4 6

· · · Reasoning about Object Capabilities

slide-15
SLIDE 15

Limited authority over shared data

11/15 Public transitions: accessible under current authority. Private transitions: potentially accessible by others. rnode

def

= func(node, d){· · · } initWebPage

def

= func(document, ad)      let (adNode = document.addChild(“ad_div”)) let (rAdNode = rnode(adNode, 0)) ad.initialize(rAdNode)      Reasoning about Object Capabilities

slide-16
SLIDE 16

Primitive I/O

12/15 Effect interpretation: custom property about primitive effects ρ ∈ P(Cap) µ ∈ P(Val) → P(Expr) + admissibility conditions... Effect parametricity.

Theorem (Fundamental Theorem for λJS)

If Γ, Σ ⊢ e then for a valid effect interpretation (µ, ρ) and for all n, γ and w with (n, w) ∈ Σµ,ρ and (n, γ) ∈ Γµ,ρ w, we have that (n, γ(e)) must be in E[µ JSValµ,ρ] w. Reasoning about Object Capabilities

slide-17
SLIDE 17

Conclusion

13/15 Capability Safety is:

Private state encapsulation. Absence of global state. Primitive I/O encapsulation.

Modular reasoning in cap-safe language:

Reference graph dynamics is not enough Logical relations to the rescue.

Some novel features:

Authority over shared data using public/private transitions. Effect parametricity.

(Not shown: relational version) Reasoning about Object Capabilities

slide-18
SLIDE 18

Future work

14/15 Build effect interpretations into Kripke worlds? A program logic? Apply to full JavaScript? Reasoning about Object Capabilities

slide-19
SLIDE 19

Backup slide: formal details

1/3 Worlds: IslandName

def

= N W

def

= {w ∈ IslandName ֒ → Island | dom(w) finite} Island

def

=      ι = (s, φ, φpub, H) | s ∈ State ∧ φ ⊆ State2∧ H ∈ State → StorePred ∧ φpub ⊆ φ ∧ φ, φpub reflexive and transitive      StorePred

def

= {ψ ∈ ˆ W →mon,ne UPred(Store)} roll : 1 2 · W ∼ = ˆ W Reasoning about Object Capabilities

slide-20
SLIDE 20

Backup slides: formal details

2/3 Effect interpretations: ρ : W →mon,ne UPred(Loc) µ : (W →mon,ne UPred(Val)) →ne (W →ne Pred(Cmd)). JSValµ,ρ predicate: JSValµ,ρ : W →mon,ne UPred(Val) JSValµ,ρ

def

= Cnst ∪ ρ ∪ {JSValµ,ρ} ∪ ([JSValµ,ρ] → µ JSValµ,ρ) Reasoning about Object Capabilities

slide-21
SLIDE 21

Backup slides: formal details

3/3 Admissibility conditions for effect interpretation: A-Pure: If (n, v) ∈ P w then (n, v) ∈ µ P w A-Bind: If (n, cmd) ∈ µ P w and (n′, Ev) ∈ E[µ P ′] w′ for all n′ ≤ n, w′ ⊒ w and (n′, v) ∈ P w′, then (n, Ecmd) ∈ E[µ P ′] w. A-Assign: If (n, v1) ∈ JSValµ,ρ w and (n, v2) ∈ JSValµ,ρ w, then (n, v1 = v2) ∈ µ JSValµ,ρ w. A-Deref: If (n, v) ∈ JSValµ,ρ w, (n, deref v) must be in µ JSValµ,ρ w. A-Ref: If (n, v) ∈ JSValµ,ρ w, then (n, ref v) ∈ µ JSValµ,ρ w. Reasoning about Object Capabilities