Presentation is loading. Please wait.

Presentation is loading. Please wait.

David Wagner, UC Berkeley Object Capabilities for Security David Wagner UC Berkeley.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "David Wagner, UC Berkeley Object Capabilities for Security David Wagner UC Berkeley."— Presentation transcript:

1 David Wagner, UC Berkeley Object Capabilities for Security David Wagner UC Berkeley

2 A very powerful program Credits: Mark Stiegler This program can delete any file you can.

3 Themes of this talk David Wagner, UC Berkeley The principle of least privilege Reasoning about security Object capabilities

4 Ambient authority David Wagner, UC Berkeley “cp” must run with all of the user’s authority: Authority: ability to affect the rest of the world. Ambient authority: authority that’s available even if you don’t ask for it. $ cp foo.txt bar.txt “cat” needs no authority other than what’s given to it: $ cat bar.txt

5 Ambient authority is bad for security David Wagner, UC Berkeley Ambient authority violates the principle of least authority (POLA), because the default gives programs authority they don’t need.

6 Object capabilities make POLA easy David Wagner, UC Berkeley Capabilities bundle designation with authority: Parameters designate which files to access In capability systems, parameters also provide all needed authority — no extra effort needed e.g., telling cat which files to copy (by passing capabilities to those files) automatically provides it with the authority it needs to do its job

7 Principles of object capability systems David Wagner, UC Berkeley Capabilities are the only way to obtain authority. All rights are represented by capabilities. Alice may freely pass any of her capabilities to Bob, if she wants and she has a capability to Bob. Object = a protected domain with private state + code with well-defined entry points Capability = an unforgeable reference to an object By default, newly created objects have no authority

8 Language support for capabilities David Wagner, UC Berkeley Type-safe object-oriented languages are perfect for building object capability systems: Capabilities are just references; the language renders capabilities unforgeable. Type-safety renders objects tamper-resistant. Scoping rules ensure that code only receives the capabilities needed to do its job.

9 Example: Joe-E (work-in-progress) David Wagner, UC Berkeley Joe-E = a subset of Java: All static fields must be final and transitively immutable (to avoid ambient authority). Native methods are forbidden. Libraries have to be subsetted or replaced (avoid ambient authority; respect capability discipline). Single-threaded, single-classloader, no reflection. Joe-E is only intended for use with new code. www.joe-e.org

10 A confused deputy attack David Wagner, UC Berkeley $ cc foo.c -o foo [ok; normal operation] $ cc foo.c -o /var/log/billing [bug: corrupts billing file!]

11 Code with a confused deputy vulnerability David Wagner, UC Berkeley void main(String s, String d) { byte[] src = new File(s).readAll(); byte[] exe = compile(src); writeBillingInfo( new File(“/var/log/billing”)); new File(d).writeAll(exe); }

12 The confused deputy — the general case David Wagner, UC Berkeley ClientDeputyResource The Deputy serves two masters. When it accesses the Resource, is that done under its own authority, or by the authority granted to it by the Client?

13 Unconfusing the deputy with capabilities David Wagner, UC Berkeley private FileDescriptor billfd = ; void main(FileDescriptor s, FileDescriptor d) { byte[] src = s.readAll(); byte[] exe = compile(src); writeBillingInfo(billfd); d.writeAll(exe); }

14 A slightly more idiomatic solution David Wagner, UC Berkeley class Compiler { private FileDescriptor billfd; Compiler(FileDescriptor b) { billfd = b; } void main(FileDescriptor s, FileDescriptor d) { byte[] src = s.readAll(); byte[] exe = compile(src); writeBillingInfo(billfd); d.writeAll(exe); } }

15 Reasoning about authority David Wagner, UC Berkeley Can reason about the flow of capabilities, by reasoning about the points-to graph. AB A has a reference to B(A  B) means

16 Rules of evolution for the capability graph David Wagner, UC Berkeley AB A C AB C  A A  A B     (self-reference) (creation) (introduction) (B is fresh)

17 Conservative bounds on authority David Wagner, UC Berkeley Theorem. Let  = (    ) *. Then A can influence B only if A  B. This upper bound is overly conservative. Alice might have a reference to Bob that she chooses not to share with anyone. Approach: Reason about all possible behaviors of Alice, by examining Alice’s source code.

18 PRESUMED MALICIOUS Naïve modular reasoning David Wagner, UC Berkeley Reason about Alice’s possible behaviors by examining Alice’s source code. Do not examine code of anyone else — instead, assume everyone else is malicious. AB C Y Z PRESUMED MALICIOUS

19 Trust and vulnerability David Wagner, UC Berkeley Alice is a client of Bob & Charlie; she relies upon them (is vulnerable to them). Alice in turn provides services to her clients. AB C Y Z TRUSTED

20 MALICIOUS Defensive consistency David Wagner, UC Berkeley Rule: If a client satisfies A’s preconditions, A must provide correct service to that client. A Y Z TRUSTED E.g.: If Z misbehaves (violates A’s preconditions), A does not need to provide correct service to Z, but still must provide correct service to Y.

21 Modular reasoning & defensive consistency David Wagner, UC Berkeley  Check that A respects B’s & C’s preconditions. Corollary: B& C will provide correct service to A. B C MALICIOUS A Y Z TRUSTED  Check that if Y respects A’s preconditions, then A provides correct service to Y,  Y, Z. (Examine source code of A, spec of B&C, and use conservative bounds on behavior of Y&Z.)

22 Object capabilities enable local reasoning David Wagner, UC Berkeley Can use these techniques to reason about what capabilities Alice might receive; who might receive a capability to Bob; etc. ClientLogger To verify log entries are never deleted:  Check that Logger has the only ref. to log[]  Check that source code of Logger only appends (never deletes or overwrites) log[]

23 Design guideline: Capability discipline David Wagner, UC Berkeley Every authority-bearing object should represent some (physical or logical) resource. A reference to that object should provide only the ability to influence that resource — and no more. Example: java.io.File represents a file or directory on the filesystem. File.read() — ok File.formatHardDrive() — bad File.getParentFile() — bad

24 Guideline: Recursive authority reduction David Wagner, UC Berkeley Authority-bearing objects should provide a way to subdivide their authority further, if possible. Example: java.io.File: new File(File dir, String child) — provides access to a subdirectory of dir

25 Immutable objects simplify reasoning David Wagner, UC Berkeley A class is Immutable if: All fields are declared final. Every field is of immutable type. (Scalars are of immutable type.) Immutable objects convey no authority, and hence can be omitted from the capability graph. Methods of an Immutable class that accept only Immutable arguments are “pure” (deterministic and side-effect-free).

26 Spot the bug void donate(BigInteger n) { if (n.signum() < 0) throw new SecurityException(); mybalance = mybalance.subtract(n); charity = charity.add(n); }

27 Immutable objects prevent TOCTTOU bugs TOCTTOU vulnerability: Call donate() with a reference to an evil subclass of BigInteger whose values changes after each method call. Solution: Make all parameters Immutable. void donate(BigInteger n) { if (n.signum() < 0) throw new SecurityException(); mybalance = mybalance.subtract(n); charity = charity.add(n); }

28 Advantages of object capabilities Capabilities make POLA easy: Bundling designation with authority means modules receive only capabilities to objects relevant to their legitimate purpose. POLA follows from good OO design. Capabilities enable modular reasoning: It’s just reasoning about pointers, which programmers are already used to. Reachability analysis allows to bound the authority a module can obtain.

29 Summary and conclusions Object capabilities are an intriguing & promising direction for research. Lessons to take away: Be wary of ambient authority; watch for confused deputies; bundle designation with authority; capability discipline; reachability analysis; use idioms that enable modular reasoning.

30 Further reading David Wagner, UC Berkeley Mark Miller, “Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control”, PhD dissertation, 2006. The E language. www.erights.org (See also: Joe-E, Oz-E, Twisted Python, Emily, CaPerl, CapDesk, Polaris) Mailing lists: {e-lang, cap-talk}@mail.eros-os.org Jonathan Rees, “A Security Kernel Based on the Lambda Calculus”, MIT, 1995.

31 Extras David Wagner, UC Berkeley

32 Ambient authority is bad for security David Wagner, UC Berkeley Ambient authority is bad for the principle of least authority (POLA), because the default gives programs authority they don’t need. Ambient authority encourages confused deputy vulnerabilities.

33 Capabilities and higher-order functions David Wagner, UC Berkeley Compiler mkCompiler(FileDescriptor b) { return new Compiler() { void main(FileDescriptor s, FileDescriptor d) { byte[] src = s.readAll(); byte[] exe = compile(src); writeBillingInfo(b); d.writeAll(exe); } }; }

34 Privilege separation isn’t sufficient David Wagner, UC Berkeley smtpddeliver Internet mbox Privilege separation carves app into components, each with less authority  less risk. But, process-based privilege separation is cumbersome and inconvenient, hence rarely used.

35 Recap: Some goals for secure systems David Wagner, UC Berkeley Avoid ambient authority Components should come to life with no initial authority, by default Make it easy to build security boundaries Help programmer avoid confused deputy bugs

Download ppt "David Wagner, UC Berkeley Object Capabilities for Security David Wagner UC Berkeley."

Similar presentations

Objects and Classes David Walker CS 320. Advanced Languages advanced programming features –ML data types, exceptions, modules, objects, concurrency,...

Objects and Classes David Walker CS 320. Advanced Languages advanced programming features –ML data types, exceptions, modules, objects, concurrency,...
Programming Languages and Paradigms

Programming Languages and Paradigms
CS0007: Introduction to Computer Programming Introduction to Classes and Objects.

CS0007: Introduction to Computer Programming Introduction to Classes and Objects.
Mutability SWE 332 Fall 2011 Paul Ammann. SWE 3322 Data Abstraction Operation Categories Creators Create objects of a data abstraction Producers Create.

Mutability SWE 332 Fall 2011 Paul Ammann. SWE 3322 Data Abstraction Operation Categories Creators Create objects of a data abstraction Producers Create.
Java™ How to Program, 9/e Presented by: Dr. José M. Reyes Álamo © Copyright 1992-2012 by Pearson Education, Inc. All Rights Reserved.

Java™ How to Program, 9/e Presented by: Dr. José M. Reyes Álamo © Copyright by Pearson Education, Inc. All Rights Reserved.
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
Error Management with Design Contracts Karlstad University Computer Science Error Management with Design Contracts Eivind J. Nordby, Martin Blom, Anna.

Error Management with Design Contracts Karlstad University Computer Science Error Management with Design Contracts Eivind J. Nordby, Martin Blom, Anna.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
George Blank University Lecturer. CS 602 Java and the Web Object Oriented Software Development Using Java Chapter 4.

George Blank University Lecturer. CS 602 Java and the Web Object Oriented Software Development Using Java Chapter 4.
Confined Types Encapsulation and modularity Seminar November, 2005 presented by: Guy Gueta.

Confined Types Encapsulation and modularity Seminar November, 2005 presented by: Guy Gueta.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
PSUCS322 HM 1 Languages and Compiler Design II Parameter Passing Material provided by Prof. Jingke Li Stolen with pride and modified by Herb Mayer PSU.

PSUCS322 HM 1 Languages and Compiler Design II Parameter Passing Material provided by Prof. Jingke Li Stolen with pride and modified by Herb Mayer PSU.
CMSC 414 Computer and Network Security Lecture 10 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 10 Jonathan Katz.
1 Sharing Objects – Ch. 3 Visibility What is the source of the issue? Volatile Dekker’s algorithm Publication and Escape Thread Confinement Immutability.

1 Sharing Objects – Ch. 3 Visibility What is the source of the issue? Volatile Dekker’s algorithm Publication and Escape Thread Confinement Immutability.
An Approach to Safe Object Sharing Ciaran Bryce & Chrislain Razafimahefa University of Geneva, Switzerland.

An Approach to Safe Object Sharing Ciaran Bryce & Chrislain Razafimahefa University of Geneva, Switzerland.
Applied Software Project Management Andrew Stellman & Jennifer Greene Applied Software Project Management Applied Software.

Applied Software Project Management Andrew Stellman & Jennifer Greene Applied Software Project Management Applied Software.
Ownership Types for Object Encapsulation Authors:Chandrasekhar Boyapati Barbara Liskov Liuba Shrira Presented by: Charles Lin Course: CMSC 631.

Ownership Types for Object Encapsulation Authors:Chandrasekhar Boyapati Barbara Liskov Liuba Shrira Presented by: Charles Lin Course: CMSC 631.
Sanzaru Capability-Based Interactions for Web Applications Raluca Sauciuc Shaunak Chatterjee University of California, Berkeley Motivation Limitations.

Sanzaru Capability-Based Interactions for Web Applications Raluca Sauciuc Shaunak Chatterjee University of California, Berkeley Motivation Limitations.
C. Edward Chow Presented by Mousa Alhazzazi C. Edward Chow Presented by Mousa Alhazzazi Design Principles for Secure.

C. Edward Chow Presented by Mousa Alhazzazi C. Edward Chow Presented by Mousa Alhazzazi Design Principles for Secure.

Similar presentations

Ads by Google