Robust and compositional verification of object capability patterns

In scenarios such as web programming, where code is linked together from multiple sources, object capability patterns (OCPs) provide an essential safeguard, enabling programmers to protect the private state of their objects from corruption by unknown and untrusted code. However, the benefits of OCPs in terms of program verification have never been properly formalized. In this paper, building on the recently developed Iris framework for concurrent separation logic, we develop OCPL, the first program logic for compositionally specifying and verifying OCPs in a language with closures, mutable state, and concurrency. The key idea of OCPL is to account for the interface between verified and untrusted code by adopting a well-known idea from the literature on security protocol verification, namely robust safety. Programs that export only properly wrapped values to their environment can be proven robustly safe, meaning that their untrusted environment cannot violate their internal invariants. We use OCPL to give the first general, compositional, and machine-checked specs for several commonly-used OCPs—including the dynamic sealing, membrane, and caretaker patterns—which we then use to verify robust safety for representative client code. All our results are fully mechanized in the Coq proof assistant.
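The sealing and caretaker patterns named in the abstract, written out as an added example in plain JavaScript (this is not code from the paper or its Coq development, and all names such as `makeSealerPair`, `makeCaretaker` and `untrustedClient` are hypothetical). The private state lives only in closures and a `WeakMap`, so a client that receives only the wrapped values has no path to it; the client function stands in for code linked from another source and reports what it could observe or change:

```javascript
// Added example, not from the paper: dynamic sealing and a revocable
// caretaker, the two object capability patterns that keep an owner's
// private state out of reach of code it does not trust.

// Dynamic sealing: a fresh sealer/unsealer pair. A sealed box reveals nothing
// about its contents; only the matching unsealer can open it.
function makeSealerPair() {
  const contents = new WeakMap(); // box -> value; unreachable from outside
  const seal = (value) => {
    const box = Object.freeze(Object.create(null)); // no own props, no prototype
    contents.set(box, value);
    return box;
  };
  const unseal = (box) => {
    if (!contents.has(box)) throw new TypeError('not sealed by this sealer');
    return contents.get(box);
  };
  return Object.freeze({ seal, unseal });
}

// Caretaker: a revocable forwarder. Whoever holds `proxy` can use the target
// until whoever holds `revoke` severs the link; the target itself never leaks.
function makeCaretaker(target) {
  let current = target;
  const proxy = Object.freeze({
    invoke(method, ...args) {
      if (current === null) throw new Error('capability revoked');
      return current[method](...args);
    },
  });
  const revoke = () => { current = null; };
  return Object.freeze({ proxy, revoke });
}

// A counter whose invariant (value >= 0) holds because the only way to change
// `value` is `inc`; the variable itself is not reachable from any reference.
function makeCounter() {
  let value = 0;
  return Object.freeze({
    inc() { value += 1; return value; },
    read() { return value; },
  });
}

// Stand-in for untrusted code from another source. It receives only the
// wrapped values; it can use the capability it was handed, but cannot read
// the box or replace the forwarder (Reflect.set reports failure as false in
// both strict and sloppy mode, so no exception handling is needed).
function untrustedClient(box, proxy) {
  const tampered =
    Reflect.set(box, 'secret', 'x') ||           // frozen, non-extensible
    Reflect.set(proxy, 'invoke', () => 'hijack'); // frozen, non-writable
  return {
    boxKeys: Reflect.ownKeys(box).length, // 0: nothing to read
    tampered,                             // false: invariants untouched
    viaProxy: proxy.invoke('inc'),        // the one action it is allowed
  };
}

// Owner-side scenario: seal a constructed sample secret, hand the client a
// sealed box and a caretaker proxy, then revoke and check everything.
function demo() {
  const { seal, unseal } = makeSealerPair();
  const box = seal('account-token-123'); // constructed sample secret
  const counter = makeCounter();
  const { proxy, revoke } = makeCaretaker(counter);

  const observed = untrustedClient(box, proxy);
  const afterClient = counter.read(); // 1: only the permitted inc happened
  revoke();
  let revokedCall;
  try { proxy.invoke('inc'); revokedCall = 'allowed'; } catch (e) { revokedCall = e.message; }
  // A different sealer's unsealer cannot open this box either.
  let crossUnseal;
  try { makeSealerPair().unseal(box); crossUnseal = 'opened'; } catch (e) { crossUnseal = e.message; }
  return {
    observed,
    afterClient,
    ownerUnseal: unseal(box), // only the owner's unsealer recovers the value
    revokedCall,
    crossUnseal,
    finalValue: counter.read(),
  };
}
```

Running `demo()` shows the robust-safety point in miniature: the client can only advance the counter through the proxy, cannot inspect or rebind the box or the forwarder, and loses even that access once the owner revokes; the counter's invariant holds regardless of what the client tried.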