Presentation is loading. Please wait.

Presentation is loading. Please wait.

Type-based confinement. content Introduction Related work Confinement rules Formalization Generic confined types.

Similar presentations


Presentation on theme: "Type-based confinement. content Introduction Related work Confinement rules Formalization Generic confined types."— Presentation transcript:

1 Type-based confinement

2 content Introduction Related work Confinement rules Formalization Generic confined types

3 Introduction Confinement properties impose structure on object graphs to enforce encapsulation Confinement is based on package-level protection The type system is based on call-by-value object calculus as well as a generic extension.

4 Motivating example class Class { private Identity[] signers; public Identity[] getSigners( ) { return signers; } The signers field holds capabilities that are managed by the security subsystem. By returning the object referenced by signers, the class expose the array to updates by outside code.

5 Confined types An object of confined types is encapsulated within its defining scope package boundary public class confined class outside class legal reference illegal reference

6 A solution using confined types @confined class SecureIdentity { … // original implementation } public class Identity { SecureIdentity target; Identity (SecureIdentity t) { target = t; } … // public operations on identities }

7 A solution using confined types public class Class { private SecureIdentity[] signers; public Identity[] getSigners ( ) { Identity[] pub = new Identity[signers.length]; for (int i = 0; i < signers.length; i ++) pub[i] = new Identity(signer[i]); return pub; }

8 Other solutions Return a copy of the signer array Using façade or wrapper objects to interpose between trusted and untrusted components Discretionary access control checks

9 Related work Full aliasing protection: Islands (Hoggs, 1991), Balloon types (Almeida, 1997) – representation objects are fully enclosed in the encapsulation boundary. Flexible alias protection (Noble et al, 1998) – distinguish representation and argument objects Ownership types (Clarke et al. 1998, Boyapatti et al. 2002) – all external access to the representation objects must go through their owners

10 Confinement rules 1.A confined type must not appear in the type of a public (or protected) field or the return type of a public (or protected) method 2.A confined type must not be public 3.Methods invoked on an expression of confined type must either be defined in a confined class or be anonymous method 4.Subtypes of a confined type must be confined 5.Confined types can be widened only to other confined types 6.Overriding must preserve anonymity of methods

11 Anonymous method The this reference is used only to select fields and as the receiver in the invocation of other anonymous methods

12 Example package p; public class Table { private Bucket[] buckets; public Object get(Object key) { … } } @confined class Bucket { Bucket next; Object key, val; }

13 class Example { int count; int anon ok( A arg ) { alsoOk( arg.foo() ); return count ; } void anon alsoOk( int i ) { count = i + count ; } Example notOk( A arg ) { arg.bar( this ) ; arg.o = this ; notOk( arg ); return this ; } }

14 package inside; public class C extends outside.B { void putReferences() { C c = new C(); r1 outside.B.c1 = c; r2 outside.B.storeReference(c); r3 outside.B.c3s = new C[] {c}; r4 calledByConfined(); r5 implementedInSubclass(); r6 throw new E(); }

15 void implementedInSubclass() { } r7public static C f = new C(); r8public static void C m() { return new C(); } r9public static C[] fs = new C[]{new C()}; r10public C() { } } public class E extends RuntimeException { } class D extends inside.C { r5void implementedInSubclass() { // store this } }

16 package outside; public class B { r1static inside.C c1; r2static void storeReference(inside.C c2) {//store c2} r3 static inside.C[] c3s; r4 void calledByConfined() { // store this } static void getReferences() { r7 inside.C c7 = inside.C.f; r8 inside.C c8 = inside.C.m(); r9 inside.C[] c9s = inside.C.fs; r10 inside.C c10 = new inside.C(); D d = new D(); try { d.putReferences(); r6 } catch (inside.E ex) { // store ex } }

17 Syntax

18 Reduction rules P is a possibly empty sequence of stack frames: A frame v m e denotes the invocation of method m on a receiver Object v where e is the body of the method being evaluated.

19 Evaluation context Evaluation context is an expression E[o] with a hole and E[e] methods E with the hole replaced by e.

20 Semantics R-Field R-Cast

21 Semantics R-Ink R-Ret

22 Safe subtyping and visibility True if class C is visible from class D

23 Expression typing rules T-Var T-Field T-UCast

24 Expression typing rule T-New T-Invk

25 Method typing rule

26 Class typing rule

27 example class p.Cell extends l.Object { l.Object data; l.Object getData() { return this.data; } } conf class p.Buck extends p.Cell { p.Buck() { super(); } }

28 example class p.Table extends l.Object { p.Buck buck; Table(p.Buck buck) { super(); this.buck=buck; } p.Cell get() { return this.buck; } } class p.Factory extends l.Object { p.Factory() { super(); } p.Table table() { return new p.Table( new p.Buck() ); }

29 Confined object leaked class o.Breach extends l.Object { l.Object main() { return new p.Factory().table().get(); }

30 Implicit reference widening conf class p.Self extends o.Broken { } class o.Broken extends l.Object{ l.Object reveal() { return this; } } class p.Main extends l.Object { Main() { super(); } l.Object get() { return new p.Self().reveal(); } }

31 Well-typed program

32 Confinement An expression e is visible from C’ relative to C if the types of all sub-terms of e are visible from C’ except sub-terms of the form v.f, v.m(…), where v may be an object of type C. A program P = v 1 m 1 e 1 … v n m n e n satisfies confinement iff for all i between 1 and n, the expression e is visible from C’ relative to C, where v i is an object of class C, method m i called on v i is defined in C’.

33 Subject reduction, progress, and confinement If P is well-typed and P -> P’, then P’ is well-typed If P is well-typed and not in the forms of nil.v m v’, then there exists P’ such that P -> P’ If P is well-typed, satisfies confinement, and P->* P’, then P’ satisfies confinment

34 Generics and confinement class p.List extends l.Object { X val; p.List next; List (X val, p.List next) { super(); this.val = val; this.next = next; }

35 Generics and confinement class q.A extends l.Object { p.List show; p.List hide; … } conf class q.B extends l.Object { … }

36 Confinement violation class p.Container extends l.Object { X val; Container(X val) { this.val = val; } l.Object get() { return this.val; } l.Object get2() { return this; } } class q.A extends l.Object{ p.Container f = new p.Container (new q.B()); l.Object reveal() { return f.get(); } }

37 Additional rules 7. A generic type or type variable cannot be widened to a type containing a different set of type variables 8. A method invoked on an expression of type T must either by defined in a type with the same set of type variable as that in T or be an anonymous method.

38 Overriding must preserve anonymity of methods class q.Naïve { X f; Naïve(X f) {this.f = f;} l.Object reveal() { return this.f.m(); } } class q.A extends l.Object { anon l.Object m() { return new l.Object(); } } class q.B extends q.A { l.Object m() { return this; } } conf class q.C extends q.B { … }

39 class q.Naïve { X f; Naïve(X f) {this.f = f;} l.Object reveal() { return this.f.m(); } } class q.A extends l.Object { anon l.Object m() { return new l.Object(); } } class q.B extends q.A { l.Object m() { return this; } } l.Object o = new q.Naïve ( new q.C() ).reveal()  new q.Naïve ( new q.C() ).f.m()  new q.C().m()  new q.C()

40 Subclasses of confined class must be confined as well class q.Container { X val; Container(X val) { this.val = val; } X get() { return this.val; } } conf class p.A { … } class p.C extends q.Container { C () { super(new p.A()); } } l.Object o = new p.C().get()  new p.A();


Download ppt "Type-based confinement. content Introduction Related work Confinement rules Formalization Generic confined types."

Similar presentations


Ads by Google