Reasoning about Object Capabilities with Logical Relations and Effect Parametricity

Object capabilities are a technique for fine-grained privilege separation in programming languages and systems, with important applications in security. However, current formal characterisations do not fully capture capability-safety of a programming language and are not sufficient for verifying typical applications. Using state-of-the-art techniques from programming languages research, we define a logical relation for a core calculus of JavaScript that better characterises capability-safety. The relation is powerful enough to reason about typical capability patterns and supports evolvable invariants on shared data structures, capabilities with restricted authority over them and isolated components with restricted communication channels. We use a novel notion of effect parametricity for deriving properties about effects. Our results imply memory access bounds that have previously been used to characterise capability-safety.
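The capability patterns the abstract names (an evolvable invariant on a shared data structure, a capability with restricted authority over it, and an isolated component that receives only a restricted communication channel) can be illustrated in plain JavaScript, the language whose core calculus the paper targets. The block below is an added example, not code from the paper or its calculus; the append-only log, the read-only facet, the revocable forwarder and the `untrustedPlugin` function are illustrative assumptions, and the revocation step is a caveat the abstract does not discuss. The point a practitioner should take away is that the only authority the untrusted component has is what it was handed: no ambient reference to the full log exists in its scope.

```javascript
'use strict';

// Shared data structure with an invariant: an append-only log whose entries
// are strings and are never removed. The invariant holds because the array
// is captured in a closure and only these three methods can touch it.
function makeLog() {
  const entries = [];
  return Object.freeze({
    append(msg) {
      if (typeof msg !== 'string') throw new TypeError('log entries must be strings');
      entries.push(msg);
      return entries.length;
    },
    // Defensive copy: a caller holding read() output cannot mutate the log.
    read() { return entries.slice(); },
    size() { return entries.length; },
  });
}

// Attenuation: a facet with strictly less authority than the full log.
// It has no append method at all, so "cannot write" is structural, not a check.
function makeReadOnly(log) {
  return Object.freeze({
    read: () => log.read(),
    size: () => log.size(),
  });
}

// Revocation: a forwarder whose authority the grantor can withdraw later.
// After revoke(), every access through the forwarder fails.
function makeRevocable(target) {
  let current = target;
  const forwarder = new Proxy({}, {
    get(_, prop) {
      if (current === null) throw new Error('capability revoked');
      const v = current[prop];
      return typeof v === 'function' ? v.bind(current) : v;
    },
    set() { return false; },
  });
  return { forwarder, revoke: () => { current = null; } };
}

// Isolated component (constructed for this example): it receives one
// capability as a parameter and has no other route to the log.
function untrustedPlugin(logCap) {
  const seen = logCap.size();
  let appended = false;
  try {
    logCap.append('injected'); // append is absent on the facet: TypeError
    appended = true;
  } catch (e) {
    appended = false;
  }
  return { sawEntries: seen, appended, canAppend: typeof logCap.append === 'function' };
}

// Wire the pieces together and return what a test can check.
function demo() {
  const log = makeLog();
  log.append('boot');

  const ro = makeReadOnly(log);
  const { forwarder, revoke } = makeRevocable(ro);

  const pluginResult = untrustedPlugin(forwarder);

  // The invariant keeps evolving (new entries) while the facet stays valid.
  log.append('after-plugin');
  const sizeSeen = forwarder.size();

  // Withdraw the plugin's channel; later use through the forwarder fails.
  revoke();
  let revokedError = null;
  try { forwarder.size(); } catch (e) { revokedError = e.message; }

  // read() hands out a copy, so tampering with it does not reach the log.
  const copy = log.read();
  copy.push('tampered');

  return {
    pluginResult,
    sizeSeen,
    revokedError,
    entries: log.read(),
    logSize: log.size(),
  };
}
```

Run with `node` and call `demo()`; the returned object records that the plugin saw one entry, could not append, that the forwarder observed the log growing to two entries before revocation, and that the copy returned by `read()` did not leak write access. The attenuation here is by omission (the facet never had `append`), which is the usual object-capability discipline: authority is what a reference can reach, not what an access check permits.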