Page 1: Building a Virus-Safe Platform. Don’t add security, remove insecurity

Mark S. Miller
Virus-Safe Computing Initiative
Hewlett Packard Laboratories

Page 2: A Very Powerful Program

This program can delete any file you can.

Page 3: Functionality vs. Security?

(2x2 chart; axes: Isolated ↔ Integratable, Dangerous ↔ Safe)

• Applets: No Authority (safe, but isolated)
• Applications: User’s Authority (integratable, but dangerous)
• E & CapDesk: Least Authority (safe and integratable)
• “Sandboxing”, Firewalls

Page 4: A Tale of Two Copies

    $ cp foo.txt bar.txt

vs.

    $ cat < foo.txt > bar.txt

• Bundle permission with designation
• Let “knowledge of” shape “access to”
• Remove ambient authority
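The two copies as an added example that is not part of the slides. The talk's own code is in E; JavaScript is used here because closures and frozen objects carry the same idea and run anywhere. A constructed in-memory "file system" stands in for the OS, and every name (makeFileSystem, cpProgram, catProgram, readOnly, writeOnly, the file names) is an assumption of this example. The point it shows: cp must be handed the whole file system plus two names, while cat is handed two already-open references and nothing else, so the shell can also attenuate what cat gets.

```javascript
// Added example (not from the slides): the two copies, modelled in JavaScript.
// A constructed in-memory "file system" stands in for the OS; every name here
// (makeFileSystem, cpProgram, catProgram, the file names) is an assumption.

// The root object is the ambient authority the shell starts with.
function makeFileSystem(initialFiles) {
  const files = new Map(Object.entries(initialFiles)); // name -> contents
  // open() bundles permission with designation: the file object both
  // designates the file and is the right to use it.
  function open(name) {
    if (!files.has(name)) files.set(name, '');
    return Object.freeze({
      read: () => files.get(name),
      write: (data) => { files.set(name, data); },
    });
  }
  return Object.freeze({ open, names: () => [...files.keys()] });
}

// Attenuated facets the shell can hand out: knowledge of a file without
// the right to change it, or the right to write it without the right to read it.
function readOnly(file) { return Object.freeze({ read: file.read }); }
function writeOnly(file) { return Object.freeze({ write: file.write }); }

// cp-style: takes two *names* and the whole file system. Holding `fs`, it
// could open any file, not only the two it was told about (ambient authority).
function cpProgram(fs, srcName, dstName) {
  fs.open(dstName).write(fs.open(srcName).read());
}

// cat-style: takes two already-open file objects and nothing else. Its
// authority is exactly what it was handed, as with `cat < foo.txt > bar.txt`.
function catProgram(src, dst) {
  dst.write(src.read());
}

// The shell holds the root and does the designation on cat's behalf.
function runCopyDemo() {
  const fs = makeFileSystem({ 'foo.txt': 'hello', 'secret.txt': 'hush' }); // constructed
  cpProgram(fs, 'foo.txt', 'bar.txt');
  const src = readOnly(fs.open('foo.txt'));
  const dst = writeOnly(fs.open('baz.txt'));
  catProgram(src, dst);
  return {
    bar: fs.open('bar.txt').read(),
    baz: fs.open('baz.txt').read(),
    // Everything catProgram could reach: one read right, one write right.
    catAuthority: [Object.keys(src), Object.keys(dst)],
    filesNow: fs.names(),
  };
}
```

Both copies produce the same result; the difference is in what each program could have done. cpProgram's reference graph includes the whole file system, catProgram's includes exactly two facets, which is why "knowledge of" can be made to shape "access to" only in the second style.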

Page 5: CapDesk: Usable POLA

• Double click launch
• File Explorer
• Open dialog
• Drag/Drop
• Etc...

Moral: Bundle permission with designation

Page 6: How do I designate thee?

How might object Bob come to know of object Carol?

• by Introduction
  – ref to Carol
  – ref to Bob
  – decides to share
• by Parenthood
• by Endowment
• by Initial Conditions

Page 7: How do I designate thee? (by Introduction)

Alice says: bob.foo(carol)


Page 10: How do I designate thee?

Alice says: bob.foo(carol)

Think in names. Speak in references.


Page 12: How do I designate thee? (by Parenthood)

Bob says: def carol { ... }

Page 13: How do I designate thee? (by Endowment)

Alice says: def bob { ... carol ... }

Page 14: How do I designate thee? (by Initial Conditions)

At t0:

Page 15: What are Object-Capabilities?

• Absolute encapsulation: causality only by messages
• Only references permit causality

Reference Graph == Access Graph

Page 16: Not Discretionary!

Alice says: bob.foo(carol)

• Overlooked requirement. Enables confinement.
• Only connectivity begets connectivity.

Page 17: Distributed Crypto Object-Caps

Alice says: bob <- foo(carol)


Page 21: The Two Impostor Problems

VatID: Is this the Carol Alice meant?

SwissNumber: Is this the Bob Alice meant?

Page 22: Roadmap, in Hindsight

(Diagram; labels recovered from the slide, grouped by the road they sit on)

Main road: Objects → Object-Capabilities → POLA → Virus Safe Computing
  – Memory Safety, GC, Eval / Loading; Lexical Nesting; Message Passing, Encapsulation; Safe Reflection; Safe Loading
  – Languages on the road: Scheme, W7, E

“What about Security?” branch (Java, .NET): ClassLoaders as Principals; Stack Introspection; Security Managers; Signed Applets

“No problemo” branch (Oak, pre-.NET, Squeak, Oz): Mutable Static State; Static Native “Devices”; Shared State Concurrency; Unprincipled Libraries

Page 23: Roadmap, in Hindsight (continued)

(Same diagram with two additions: the “No problemo” branch is now labelled “Detour is Non-Object Causality”, and Squeak-E and Oz-E appear beside Scheme, W7 and E on the main road.)

Page 24: Objects as Closures

    def makePoint {
        to run(x :int, y :int) :any {
            def point {
                to getX() :int { return x }
                to getY() :int { return y }
                to add(otherPt) :any {
                    def x2 := x.add(otherPt.getX())
                    def y2 := y.add(otherPt.getY())
                    return makePoint.run(x2, y2)
                }
            }
            return point
        }
    }

Page 25: Objects as Closures, + a pinch of sugar

    def makePoint(x :int, y :int) :any {
        def point {
            to getX() :int { return x }
            to getY() :int { return y }
            to add(otherPt) :any {
                def x2 := x + otherPt.getX()
                def y2 := y + otherPt.getY()
                return makePoint(x2, y2)
            }
        }
        return point
    }

Page 26: Redell’s 1974 Caretaker Pattern

    def makeCaretaker(var target) :any {
        def caretaker {
            match [verb :String, args :any[]] {
                E.call(target, verb, args)
            }
        }
        def revoker {
            to revoke() :void { target := null }
        }
        return [caretaker, revoker]
    }

Page 27: Redell’s 1974 Caretaker Pattern, in use

Alice says:
    def [carol2, carol2revoker] := makeCaretaker(carol)
    bob.foo(carol2)

Page 28: Can’t Revoke Permissions, but...
Page 29: ... Can Revoke Authority
Page 30: No Permissions Were Revoked

Alice says: carol2revoker.revoke()
Bob says: carol2.doThis(...)
Bob says: carol2.doThat(...)
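The caretaker scenario of pages 26 to 30 as an added example that is not part of the slides, written in JavaScript rather than E. E's `match [verb, args]` catches every message sent to the caretaker; a Proxy `get` trap plays that role here. The object carol, its verbs doThis and doThat, and the function names are assumptions of this example. It shows what the slides state: after Alice revokes, Bob's messages through carol2 fail, while Alice's own reference to carol is untouched, so no permission was revoked, only Bob's authority.

```javascript
// Added example (not from the slides): Redell's caretaker in JavaScript.
// A Proxy forwards every message to the current target, as E's match clause does.
function makeCaretaker(target) {
  let current = target;            // `var target` in the E version
  const caretaker = new Proxy(Object.freeze({}), {
    get(_, verb) {
      // Every message Bob sends is forwarded to the current target, if any.
      return (...args) => {
        if (current === null) throw new Error(`revoked: ${String(verb)}`);
        return current[verb](...args);
      };
    },
  });
  const revoker = Object.freeze({ revoke() { current = null; } });
  return [caretaker, revoker];
}

// Carol, as a constructed stand-in: Alice holds her full interface.
function makeCarol() {
  const log = [];
  return Object.freeze({
    doThis(x) { log.push(`this:${x}`); return log.length; },
    doThat(x) { log.push(`that:${x}`); return log.length; },
    history: () => [...log],
  });
}

// The scenario from the slides: Alice wraps carol, hands carol2 to Bob, later revokes.
function runRevocationDemo() {
  const carol = makeCarol();
  const [carol2, carol2revoker] = makeCaretaker(carol);
  const beforeRevoke = carol2.doThis('a');   // Bob: reaches carol through the caretaker
  carol2revoker.revoke();                      // Alice: revokes
  let afterRevoke;
  try { carol2.doThat('b'); afterRevoke = 'allowed'; } catch (e) { afterRevoke = e.message; }
  const aliceStillHas = carol.doThat('c');     // Alice's own reference still works
  return { beforeRevoke, afterRevoke, aliceStillHas, seenByCarol: carol.history() };
}
```

Nothing about carol changed when revoke() ran; the only thing that changed is the behaviour of the reference Bob was given, which is why the slides say authority, not permission, was revoked.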

Page 31: Cashing in on Distributed Objects

(Diagram: Alice and Bob each hold a purse from one mint, which holds the name, sealer and unsealer. Alice’s purse goes from $100 to $90 and Bob’s from $200 to $210 as a $10 payment purse, created empty by makePurse, is filled by deposit, passed along with buy, and drained by deposit.)

Alice says:
    def payment := myPurse <- makePurse()
    payment <- deposit(10, myPurse)
    bob <- buy(..., payment)

Bob says:
    when (payment) -> ... {
        when (myPurse <- deposit(10, payment)) ... {
            ... # dispense value
        }
    }

Page 32: Distributed Secure Money in E

    def makeMint(name :String) :any {
        def [sealer, unsealer] := makeBrandPair(name)
        def mint {
            to makePurse(var balance :(int >= 0)) :any {
                def decr(amount :(0..balance)) :void {
                    balance -= amount
                }
                def purse {
                    to getBalance() :int { return balance }
                    to makePurse() :any { return mint.makePurse(0) }
                    to getDecr() :any { return sealer.seal(decr) }
                    to deposit(amount :int, src) :void {
                        unsealer.unseal(src.getDecr())(amount)
                        balance += amount
                    }
                }
                return purse
            }
        }
        return mint
    }

Page 33: Rights Amplification

    ? def [sealer, unsealer] := makeBrandPair("MarkM")
    # value: [<MarkM sealer>, <MarkM unsealer>]

    ? def envelope := sealer.seal("Tuna")
    # value: <sealed by MarkM>

    ? unsealer.unseal(envelope)
    # value: "Tuna"

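The sealer/unsealer pair of page 33 and the mint of pages 31, 32 and 34, as an added example that is not part of the slides, written in JavaScript rather than E. makeBrandPair is built on a WeakMap private to the pair, which is one way to get the property the slides rely on: only the matching unsealer can open a box. The mint name, the purse balances and the foreign mint are constructed values of this example. It shows the rights amplification at the heart of deposit: a purse never exposes its decr function, only a sealed box containing it, so only a purse of the same mint (which holds the unsealer) can lower another purse's balance, and the decr closure itself enforces that the source has enough.

```javascript
// Added example (not from the slides): sealer/unsealer pairs and the mint in JavaScript.
// A WeakMap keyed by the sealed box plays the role of E's makeBrandPair brand.
function makeBrandPair(name) {
  const contents = new WeakMap();              // box -> sealed value; private to this pair
  const sealer = Object.freeze({
    seal(value) {
      const box = Object.freeze({ toString: () => `<sealed by ${name}>` });
      contents.set(box, value);
      return box;
    },
  });
  const unsealer = Object.freeze({
    unseal(box) {
      if (!contents.has(box)) throw new Error(`not sealed by ${name}`);
      return contents.get(box);
    },
  });
  return [sealer, unsealer];
}

function makeMint(name) {
  const [sealer, unsealer] = makeBrandPair(name);
  const mint = Object.freeze({
    makePurse(initialBalance) {
      if (!Number.isInteger(initialBalance) || initialBalance < 0) throw new RangeError('balance');
      let balance = initialBalance;
      // decr is the only way to lower this purse's balance. It leaves the purse
      // only inside a sealed box, so only a purse of the same mint can invoke it.
      function decr(amount) {
        if (!Number.isInteger(amount) || amount < 0 || amount > balance) throw new RangeError('amount');
        balance -= amount;
      }
      const purse = Object.freeze({
        getBalance: () => balance,
        makePurse: () => mint.makePurse(0),
        getDecr: () => sealer.seal(decr),
        deposit(amount, src) {
          // Unsealing proves src is a purse of this mint; src's own decr enforces its balance.
          unsealer.unseal(src.getDecr())(amount);
          balance += amount;
        },
      });
      return purse;
    },
  });
  return mint;
}

// The slide's scenario: Alice pays Bob 10 through a fresh payment purse (constructed values).
function runPaymentDemo() {
  const mint = makeMint('demo-dollars');
  const alicePurse = mint.makePurse(100);
  const bobPurse = mint.makePurse(200);
  const payment = alicePurse.makePurse();      // empty purse of the same mint
  payment.deposit(10, alicePurse);             // Alice moves 10 into it
  bobPurse.deposit(10, payment);               // Bob drains it into his own purse
  // A purse from a different mint is refused: its decr is sealed by another brand.
  let foreignResult;
  try { bobPurse.deposit(1, makeMint('other-mint').makePurse(5)); foreignResult = 'accepted'; }
  catch (e) { foreignResult = e.message; }
  return { alice: alicePurse.getBalance(), bob: bobPurse.getBalance(),
           payment: payment.getBalance(), foreignResult };
}
```

Note what Bob never receives: Alice's purse, the mint, the sealer or the unsealer. He gets one purse holding 10, and the only thing he can do with it is move that 10 into a purse he already holds.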

Page 35: Security is Just Extreme Modularity

(Two columns: good software engineering on the left, its capability-discipline counterpart on the right)

• Good software engineering ↔ Capability discipline
  – Responsibility driven design ↔ Authority driven design
  – Omit needless coupling ↔ Omit needless vulnerability
  – assert(..) preconditions ↔ Validate inputs
• Information hiding ↔ Principle of Least Authority
  – Designation, need to know ↔ Permission, need to do
  – Dynamics of knowledge ↔ Dynamics of authorization
• Lexical naming ↔ No global name spaces
  – Think names, speak refs ↔ Think names, speak refs
  – Avoid global variables ↔ Forbid mutable static state
• Abstraction ↔ Abstraction
  – Procedural, data, control, ... ↔ ... and access abstractions
  – Patterns and frameworks ↔ Patterns of safe cooperation
  – Say what you mean ↔ Mean only what you say

Page 36: Our Logo

The POLA Bear

Page 37: Bibliography

• E in a Walnut: skyhunter.com/marcs/ewalnut.html
  Download E from erights.org and try it! (It’s open source.)
• Paradigm Regained (HPL-2003-222): erights.org/talks/asian03/
• A Security Kernel Based on the Lambda-Calculus: mumble.net/jar/pubs/secureos/
• Capability-based Financial Instruments (the “Ode”): erights.org/elib/capability/ode/index.html
• Intro to Capability-based Security: skyhunter.com/marcs/capabilityIntro/index.html
• Statements of Consensus: erights.org/elib/capability/consensus-9feb01.html
• Web Calculus: www.waterken.com/dev/Web/Calculus/
• Web sites: erights.org, combex.com, eros-os.org, cap-lore.com/CapTheory, www.waterken.com

Page 38: Thank You

Page 39: Paradigm Lost: Unchallenged Myths

“On the Inability of an Unmodified Capability Machine to Enforce the *-Property”

“... an unmodified or classic capability system cannot ... solve the confinement problem”

“Since a capability is just a bit string, it can propagate in many ways without the detection of the kernel or the server...”

“Capability systems modeled as unforgeable references present the other extreme, where delegation is trivial, and revocation is infeasible”

• Capabilities vs. ACLs are just rows vs. columns
• Capabilities are “tickets” or “keys”
• Capabilities are discretionary
• ACLs won. Capabilities lost.

Page 40: Example: Oak’s Detour

• Mutable static state (class variables)
  – even when private, prevents confinement
• Static, native, authority-bearing methods
  – example: File opening, clock
• Ambient access to non-determinism
  – System.identityHashcode(obj), threads
• Locks as communication channels
  – synchronized (“foo”.intern()) {...}
• Non-POLA legacy libraries
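The first bullet, mutable static state preventing confinement, as an added example that is not part of the slides. JavaScript classes have the same construct Oak had (a class variable, here even a private one), so the check can be run directly; the class and function names are assumptions of this example. Two instances that were never introduced to each other are created, one is driven, and the other is inspected: with a class variable the second instance observes the first, with the closure-based maker it observes nothing, which is the reason the capability discipline forbids mutable static state rather than trying to police it.

```javascript
// Added example (not from the slides): why mutable static state defeats confinement.
// Two instances that were never introduced to each other can still communicate
// through a class variable, even a private one. Names here are assumptions.
class LeakyCounter {
  static #shared = 0;                  // private class variable, reachable from every instance
  bump() { return ++LeakyCounter.#shared; }
  peek() { return LeakyCounter.#shared; }
}

// The pure-object version: all state is instance state, endowed by the maker.
// Two counters made this way share nothing unless a reference is passed between them.
function makeCounter() {
  let count = 0;
  return Object.freeze({ bump: () => ++count, peek: () => count });
}

// A confinement check: create two objects with no references to each other,
// drive one, and see whether the other observes anything.
function runConfinementCheck() {
  const a = new LeakyCounter();
  const b = new LeakyCounter();
  a.bump(); a.bump();
  const leaked = b.peek();             // b learned what a did, with no reference to a

  const c = makeCounter();
  const d = makeCounter();
  c.bump(); c.bump();
  const confined = d.peek();           // d sees nothing of c
  return { leaked, confined };
}
```

The reference graph of the two LeakyCounter instances shows no arc between them, yet information flows; that gap between the graph and the behaviour is exactly what "Reference Graph == Access Graph" requires the language to rule out.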

Page 41: Stay on the Pure Object Road

• Pure object (instance) model is fine as is
  – No features need be added or removed
  – Though some new primitives are convenient
• Non-object causality must be prohibited
  – Authority only according to references held & used
• Loading separately provided code and state
  – No implicit state bindings, no global scopes
  – Must support lexical nesting in the large
  – All free variables are virtualizable
  – Only main() starts with all authority, as instances

Page 42: Let Knowledge Shape Access

“Make the Computer Recursive” (Alan Kay)

• “Knows about” has fractal structure.
  – People know people. Organs know organs. Cells know cells.
  – Make access rights similarly self-similar!
• Information hiding: “Need to know”
• POLA: “Need to do”

Page 43: Spectrum of Models

(Table reconstructed from the slide’s labels; three models from most tractable to most realistic)

    Permission            Authority                   Ability
    Direct access         + Indirect causality        + Covert + Side + Bugs
                          (overt behavior)
    Rules                 Legal Outcomes              Actual Outcomes
    Arcs                  Paths (with behavior)       Non-determinism
    Protection State      Op. Semantics               Implementation
    Permit                Authorize                   Enable

    Tractable  <------------------------------------------------->  Realistic

Page 44: Paradigm Regained: Access Abstraction

Alice says: carol2revoker.revoke()
Bob says: carol2.doThis(...)
Bob says: carol2.doThat(...)

• Caretaker is a smart ref
• Alice uses behaviour to express policy
• Further limits Bob’s authority
• Tighter POLA
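"Alice uses behaviour to express policy" as an added example that is not part of the slides, again in JavaScript rather than E. Where the page 26 caretaker forwards everything until revoked, this one carries Alice's policy in its code: Bob's facet of Carol forwards only the verbs Alice lists, and only a bounded number of times. The verbs, the limit and the function names are assumptions of this example. It shows the page 45 point as well: Bob is never granted a permission to Carol, only an object whose behaviour Alice chose.

```javascript
// Added example (not from the slides): a caretaker whose behaviour is the policy.
// Alice hands Bob a facet of Carol that forwards only the verbs she allows and
// only a bounded number of times; the names and limits here are assumptions.
function makePolicyCaretaker(target, policy) {
  let remaining = policy.maxCalls;
  const facet = {};
  for (const verb of policy.allow) {
    if (typeof target[verb] !== 'function') throw new Error(`unknown verb: ${verb}`);
    facet[verb] = (...args) => {
      if (remaining <= 0) throw new Error(`exhausted: ${verb}`);
      remaining -= 1;                       // the policy runs on every use
      return target[verb](...args);
    };
  }
  // Verbs outside the allow-list simply do not exist on the facet: Bob was never
  // given a permission to Carol, only this behaviour.
  return Object.freeze(facet);
}

// Carol, as a constructed stand-in.
function makeCarol() {
  return Object.freeze({
    doThis: (x) => `did this: ${x}`,
    doThat: (x) => `did that: ${x}`,
  });
}

function runPolicyDemo() {
  const carol = makeCarol();
  const carol2 = makePolicyCaretaker(carol, { allow: ['doThis'], maxCalls: 2 });
  const results = [];
  for (const x of ['a', 'b', 'c']) {
    try { results.push(carol2.doThis(x)); } catch (e) { results.push(e.message); }
  }
  return {
    results,                                   // the third call is refused
    bobCanDoThat: typeof carol2.doThat === 'function',
    aliceStill: carol.doThat('z'),             // Alice's own authority is untouched
  };
}
```

Any policy Alice can write as code (time windows, logging, per-argument checks) fits in the same place, which is what makes the caretaker an access abstraction rather than a fixed permission bit.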

Page 45: No Permissions Were Granted

What if Alice couldn’t permit Bob to access Carol?

• She’s only authorizing Bob.
• By practicing POLA, as she should, Alice has inadvertently thwarted the intent of this prohibition.
• Policy ignores Alice’s possible behaviour
• Confinement of permissions, by itself, is mostly pointless
• Confinement of authority isn’t enough if we’ve got covert channels

Page 46: Other Capability Models

Equivalence? Revocability? Confinement?

(Diagram labels: Capabilities as Rows; Capabilities as Keys)

Page 47: Capability Myths Demolished

Models mostly missed virtues of actual systems