Reasoning for Open Systems Sophia Drossopoulou, Imperial College - - PowerPoint PPT Presentation

reasoning for open systems
SMART_READER_LITE
LIVE PREVIEW

Reasoning for Open Systems Sophia Drossopoulou, Imperial College - - PowerPoint PPT Presentation

Feb 08, 2024 261 likes •631 views

Reasoning for Open Systems Sophia Drossopoulou, Imperial College London work with James Noble (VU Wellington), Mark Miller (Google), Toby Murray (Uni Melbourne), and also She Peng Loh and Emil Klasan (Imperial) 1 Open Systems

slide-1
SLIDE 1

Reasoning for Open Systems

Sophia Drossopoulou, Imperial College London

work with 
 James Noble (VU Wellington), Mark Miller (Google), 
 Toby Murray (Uni Melbourne),
 
 and also She Peng Loh and Emil Klasan (Imperial)

1

slide-2
SLIDE 2

Open Systems

  • Objects carry out business with other objects of unknown provenance. 


Therefore, our objects need to be very robust.
 To specify such robust code, classical pre- and post- condition specifications

  • not always sufficient
  • not always convenient
  • New concepts for such robust specs: rather than talk about pre- and post-state 


we want to which reflect over the executions

  • invariants
  • authority (who may access)
  • permission (who may modify)
  • heap topology (domination)
  • trust (have we established that some object adheres to its spec)
  • necessary rather than sufficient conditions
  • reflect on trace of calls
slide-3
SLIDE 3

3

Mint &Purse Escrow [ Grant
 Matcher ] DOM &
 Proxies Coin
 & DAO
 invariant necessary
 conduitions authority permission topology trust reflect on
 call trace

slide-4
SLIDE 4

4

Mint &Purse Escrow [ Grant
 Matcher ] DOM &
 Proxies Coin
 & DAO
 invariant necessary
 conduitions authority permission topology trust reflect on
 call traces

Today

slide-5
SLIDE 5

Today
 Reasoning about Authority Attenuation

Shu Peng Loh and Sophia Drossopoulou 


slide-6
SLIDE 6

Proxies

this talk

  • Proxy objects give secure access to some but not all capabilities of another object.
  • We argue that the formal specification of attenuation requires concepts of
  • authority
  • permission and domination (graph theoretic property)
  • necessary rather than sufficient conditions
  • We apply this to DOM-tree example [Devriese, Birkedahl & Piessens, Euro S&P 2016]
  • we specify proxy’s access to trees
  • specification is “simple”
  • specification allows us to reason in the presence of unknown code, and of

unknown provenance

slide-7
SLIDE 7

Node

:Node
 … :Node
 … :Node
 … :Node
 … :Node
 …
 :Node
 … :Node
 .:.. :Node
 … :Node
 p:…

function Node(par,a) { var parent = par var attr = a var children = … return freeze ({ getParent: function()
 { return parent; }, setAttr: function(a){ attr=a; }, getAttr: function(){ return attr; } setChild: function(n){ … } }) }


slide-8
SLIDE 8

Authority of a Node

:Node
 … :Node
 … :Node
 … :Node
 … :Node
 …
 :Node
 … :Node
 … :Node
 … :Node
 …

Access to a Node makes it possible
 to modify any other Node in tree

unknown

slide-9
SLIDE 9

Proxy

:Node
 … :Node
 … :Node
 … :Node
 … :Node
 …
 :Node
 … :Node
 .. :Node
 p:… :Node
 …

function Proxy(nd,h) { var node = nd var height = h return
 freeze ( { setAttr: function(a,i){ 
 if (height<i){ 
 return; };

else if ( i==0 ){

node.setAttr(attr); 
 } else { Proxy(nd.getParent(),height-1)
 .setAttr(a,i-1); } } },
 setChildAttr: function(a,i,j){ … }
 } ) }
 


slide-10
SLIDE 10

Authority of a Proxy

:Node
 … :Node
 … :Node
 … :Node
 … :Node
 …
 :Node
 … :Node
 .. :Node
 … :Node
 … :Proxy
 h=1

Acces to a Proxy gives access to


  • nly part of the tree

unknown

slide-11
SLIDE 11

Authority of a Node vs 
 Authority of a Proxy

:Node
 p:… :Node
 p:… :Node
 p:… :Node
 p:… :Node
 p:…
 :Node
 p:… :Node
 p:.. :Node
 p:… :Node
 p:… :Proxy h=1 Access to a Node gives access to any other Node

Access to a Proxy p allows to modify the attire of Nodes under p.height’s parent and nothing else

unknown2 unknown1

slide-12
SLIDE 12

12

Today’s aim

function mm(o){ n1=Node(…)
 n2=Node(n1,…) n3=Node(n2,…)
 n4=Node(n3,…)
 n5=Node(n4,…)
 …

n2 n4 n5 …. … n1 …. … n3 p:Proxy
 h=1

p=Proxy(n4,1) unknown.untrusted(p)

unknown

This code leaves n1, n2 unaffected!

How to show, even though

we know nothing about unknown and untrusted?

slide-13
SLIDE 13

Specifying Node/Proxy

13

the “conventional” part We describe the effect of calls on methods

  • n Node and on Proxy

:Node
 … :Node
 … :Proxy …

slide-14
SLIDE 14

Specifying Node/Proxy

14

the “conventional” part nd:Node { n.setAttr(x) } nd.attr==x

:Node
 p:…

slide-15
SLIDE 15

Specifying Proxy- 1

15

the “conventional” part p:Proxy ∧ p.height==k
 { any_code } p.height==k


:Node
 … :Proxy …

Note: This is an invariant.

slide-16
SLIDE 16

Specifying Proxy - 2

16

the “conventional” part p:Proxy ∧ p.node==nd ∧ p.height>=k
 { p.setAttr(a,k) } nd.parentk.attr==a Note: We are describing sufficient conditions.

:Node
 … :Proxy …

slide-17
SLIDE 17

17

“Conventional” spec does not do

function mm(o){ n1=Node(…)
 n2=Node(n1,…) n3=Node(n2,…)
 n4=Node(n3,…)
 n5=Node(n4,…)
 …

n2 n4 n5 …. … n1 …. … n3 p:Proxy
 h=1

p=Proxy(n4,1) unknown.untrusted(p)

unknown

nd:Node 
 { nd.setAttr(a) } 
 nd.attr==x

p:Proxy ∧ p.node==nd ∧ p.height>=k


{ p.setAttr(a,k) } nd.parentk==a

slide-18
SLIDE 18

We will be describing necessary conditions.

Specifying Node/Proxy

18

the “unconventional” part We need new concepts for affecting and accessing. x,y objects of unknown provenance
 { x.m(y) } which part of DOM unaffected?

slide-19
SLIDE 19

Specifying Proxy

19

the “unconventional” part - 2 Under what circumstances may a Proxy be accessed?
 Under what circumstances may a Node be modified?
 , Concepts for affecting and accessing.

slide-20
SLIDE 20

In order to specify Proxy we need some new predicates

20

,

slide-21
SLIDE 21

Affecting and Accessing

21

new concepts WillAffect(o,o’) expresses that 
 at some future point in time, 


  • bject o will cause change of state in object o’

Definition M, σ ⊨ WillAffect(o,o’) iff 
 ∃ σ’∈Reach(M,σ). 
 [ σ’(this)=o ∧ 
 ∃ σ’’∈Reach(M,σ’).∃f. σ’’(o’.f) ≠ σ’(o’.f) ]
 Reach(M,σ): intermediate configurations reachable from σ.

slide-22
SLIDE 22

Affecting and Accessing - 2

22

new concepts WillCall(o,o’) expresses that 
 at some future point in time,


  • bject o will (indirectly) call a method on object o’

Definition M, σ ⊨ WillCall(o,o’) iff 
 ∃ σ’∈Reach(M,σ). 
 [ σ’(this)= o ∧ 
 ∃ σ’’∈Reach(M,σ’). σ’’(this)= o’ ]
 Reach(M,σ): intermediate configurations reachable from σ.

slide-23
SLIDE 23

Affecting and Accessing - 3

23

new concepts Doms(S,o,o’) expresses that 
 any path which leads from object o to object o’
 goes through some object in the set S Definition M, σ ⊨ Doms(S,o,o’) iff 
 ∀ f1,…fn. [ σ(o.f1.…fn)= o’ ➝ ∃ k. σ(o.f1.…fk)∈ S ]

slide-24
SLIDE 24

24

E C D B A

Doms({B,C},A,E) Doms({B,D},A,E) Definition M, σ ⊨ Doms(S,o,o’) iff 
 ∀ f1,…fn. [ σ(o.f1.…fn)= o’ ➝ ∃ k. σ(o.f1.…fk)∈ S ]

Doms - example

F

¬Doms({B,D},A,E)

slide-25
SLIDE 25

Having introduced the new predicates, we return to the specification of some general, language, properties, and the specification of Node and Proxy.

25

,

slide-26
SLIDE 26

∀ nd:Node,o:Object. 
 [ WillAffect(o,nd) ➝ WillCall(o,nd) ]

26

Node is encapsulated

This is an invariant of Node. Note: This is a necessary condition.

slide-27
SLIDE 27

∀ o,o’:Object. 
 [ WillCall(o,o’) ∧ Doms(S,o,o’) ➝ 
 ∃o’’∈S.WillCall(o,o’’) ∧ WillCall(o’’,o’) ]

27

Calls through dominators

This is a general invariant. Note: This is another necessary condition.

slide-28
SLIDE 28

:Nod :Nod :Nod :Nod :Nod :Nod :Nod :Nod :Nod :Proxy


A proxy may modify the properties of all descendants

  • f the height-th parent 

  • f the Node it points to

Specifying Proxy Calls

  • ∀ p:Proxy.∀ nd:Node. 


[ WillCall(p,nd) ➝ 
 ∃ j,k.[ nd.parentj= p.node.parentk 
 ∧ k ≤ p.height ] ] Note: This is another necessary condition.

slide-29
SLIDE 29

:Nod :Nod :Nod :Nod :Nod :Nod :Nod :Nod :Nod :RNde
 h=1

Proxies do not leak Authority

Specifying Proxy no Leaks

:RNde
 h=0

  • 1,o2:Object ∧ p:Proxy ∧ nd:Node ∧ 


S⊆Proxy ∧ Doms(S,o1,n) ∧ Doms(S,o2,n) ∧


Vars(any_code) ⊆ { o1, o2 }

[ Doms(S,o1,nd) ∧ Doms(S,o2,nd) ]

{ any_code }

:Proxy
 h=1 :Proxy
 h=2

slide-30
SLIDE 30

:Nod :Nod :Nod :Nod :Nod :Nod :Nod :Nod :Nod :Proxy


A proxy cannot be used to modify nodes beyond its height

Consequence of previous

∀ o:Object.∀ p:Proxy.∀ nd:Node. 
 [ Doms({p},o,nd) ∧ WillAffect(o,nd) ➝ 
 ∃ j,k.[ nd.parentj= p.node.parentk 
 ∧ k ≤ p.height ] ]

slide-31
SLIDE 31

Putting these specs to work

31

, unknown object of unknown provenance
 untrusted is some arbitrary method
 p:Proxy 
 { unknown.untrusted(p) } which part of DOM unaffected?

slide-32
SLIDE 32

32

Putting these specs to work

function mm(o){ n1=Node(…)
 n2=Node(n1,…) n3=Node(n2,…)
 n4=Node(n3,…)
 n5=Node(n4,…)
 …

n2 n4 n5 …. … n1 …. … n3 p:Proxy
 h=1

p=Proxy(n4,1) unknown.untrusted(p)

unknown Using the specifications from above, 


and even though we know nothing 


about unknown and untrusted,


we can prove that


the above leaves n1 and n2 unaffected!
 😆😆😆

slide-33
SLIDE 33

Why is this a holistic spec?

function ProxyLeak(nd,h) { var node = nd var height = h return
 freeze ( {
 // as earlier setAttr: function(a,i){ … },

// as earlier setChildAttr: function(a,i,j){ … }
 // new leak: function( ){ return node.parent } 
 } ) }

slide-34
SLIDE 34

Why is this a holistic spec? - 2
 ProxyLeak does not satisfy spec below

function ProxyLeak(nd,h) { .. return
 freeze ( {
 … // new

leak: function( ){ return node.parent } 
 } ) }

  • 1,o2:Object ∧ p:ProxyLeak ∧ nd:Node ∧ 


S⊆Proxy ∧ Doms(S,o1,n) ∧ Doms(S,o2,n) ∧


Vars(any_code) ⊆ { o1, o2 }

[ Doms(S,o1,nd) ∧ Doms(S,o2,nd) ]

{ any_code }

slide-35
SLIDE 35

Summary

  • We defined
  • WillAffect, WillCall (reflect over execution)
  • Doms (reflect over state)
  • For the DOM-tree example [Devriese at al Euro S&P 2016]
  • specification is “simple”
  • specification allows us to reason in the presence of code of unknown

provenance

  • using necessary as well as sufficient conditions
  • Similar style appeared in more examples