Controlling Module Authority Using Programming Language Design

The security of a software system relies on the principle of least privilege,which says that each software component must have only the privilege necessary for its execution and nothing else. Current programming languages do not provide adequate control over the privilege of untrusted software modules. To fill this gap, we designed and implemented a capability-based module system that facilitates controlling what resources each software module accesses. Then, we augmented our module system with an effect system that facilitates controlling how resources are used, i.e., authority over resources. Our approach simplifies the process of ensuring that a software system maintains the principle of least privilege. We implemented our solution as part of the Wyvern programming language. In Wyvern, modules representing or using system resources,such as the file system and network,are considered to be security-critical and are designated as resource modules. References to resource modules are capability-protected, i.e., to access a resource module, the accessing module must have the appropriate capability. Using this feature, we designed our module system in such a way that it is obvious at compile time what capabilities a module have from looking at modules’ interfaces and not their code. This property significantly simplifies the task of checking what capabilities a module holds. From a theoretical viewpoint, our capability analysis uses a novel, non-transitive notion of capabilities, which allows estimating the capabilities each module holds more precisely than in previous formal systems. Further,leveraging the fact that effects are a good proxy for operations performed on a resource, we designed Wyvern’s effect system that can account for the effects a module has on each resource. Our effect system is capability-based and allows specifying and enforcing what operations a module can perform on a resource it accesses, i.e., allows controlling the module’s authority. Similarly to our modulesystem design, effect annotations that convey information about module authority are located in modules’ interfaces, thus simplifying the task of checking resource usage. We formalized both Wyvern’s module system and effect system, and proved Wyvern to be capability- and authority-safe. We also assessed the effectiveness of the module system and the effect system that we designed in terms of how they would be used in practice and how they benefit a security-minded software developer writing an application. To do that, we implemented an extensible text-editor application in Wyvern and performed a security analysis on it.

[1]  Sophia Drossopoulou,et al.  Permission and Authority Revisited towards a formalisation , 2016, FTfJP@ECOOP.

[2]  Toby Murray Analysing Object−Capability Security , 2008 .

[3]  Peter Van Roy,et al.  The Oz-E Project: Design Guidelines for a Secure Multiparadigm Programming Language , 2004, MOZ.

[4]  Sophia Drossopoulou,et al.  Towards Capability Policy Specification and Verification , 2013 .

[5]  David K. Gifford,et al.  Polymorphic effect systems , 1988, POPL '88.

[6]  Ian J. Hayes,et al.  Capabilities for Java: Secure Access to Resources , 2017, APLAS.

[7]  Daan Leijen,et al.  Koka: Programming with Row Polymorphic Effect Types , 2014, MSFP.

[8]  Scott Moore,et al.  Declarative Policies for Capability Control , 2014, 2014 IEEE 27th Computer Security Foundations Symposium.

[9]  Michael Maass,et al.  A Theory and Tools for Applying Sandboxes Effectively , 2016 .

[10]  Andrej Bauer,et al.  Programming with algebraic effects and handlers , 2012, J. Log. Algebraic Methods Program..

[11]  David A. Wagner,et al.  A Security Analysis of the Combex DarpaBrowser Architecture , 2002 .

[12]  Matthias Felleisen,et al.  Units: cool modules for HOT languages , 1998, PLDI.

[13]  Sophia Drossopoulou,et al.  How to Break the Bank: Semantics of Capability Policies , 2014, IFM.

[14]  David Lorge Parnas,et al.  Information Distribution Aspects of Design Methodology , 1971, IFIP Congress.

[15]  Christian Payne,et al.  The state of the art of application restrictions and sandboxes: A survey of application-oriented access controls and their shortfalls , 2013, Comput. Secur..

[16]  Martin Odersky,et al.  Spores: A Type-Based Foundation for Closures in the Age of Concurrency and Distribution , 2014, ECOOP.

[17]  Conor McBride,et al.  Do be do be do , 2017, POPL.

[18]  J. Aldrich,et al.  Capability Safe Reflection for the Wyvern Language , 2016 .

[19]  Sophia Drossopoulou,et al.  The need for capability policies , 2013, FTfJP@ECOOP.

[20]  John M. Rushby,et al.  Design and verification of secure systems , 1981, SOSP.

[21]  Wolfgang De Meuter,et al.  AmbientTalk: programming responsive mobile peer-to-peer applications with actors , 2014, Comput. Lang. Syst. Struct..

[22]  Robert N. M. Watson,et al.  Exploiting Concurrency Vulnerabilities in System Call Wrappers , 2007, WOOT.

[23]  Massimo Bartoletti,et al.  Journal of Logical and Algebraic Methods in Programming , 2015 .

[24]  Gordon D. Plotkin,et al.  Algebraic Operations and Generic Effects , 2003, Appl. Categorical Struct..

[25]  Jerome H. Saltzer,et al.  Protection and the control of information sharing in multics , 1974, CACM.

[26]  Edwin Brady,et al.  Programming and reasoning with algebraic effects and dependent types , 2013, ICFP.

[27]  Sophia Drossopoulou,et al.  Swapsies on the Internet: First Steps towards Reasoning about Risk and Trust in an Open World , 2015, PLAS@ECOOP.

[28]  Patrick Th. Eugster,et al.  Versatile event correlation with algebraic effects , 2018, Proc. ACM Program. Lang..

[29]  Ankur Taly,et al.  Object Capabilities and Isolation of Untrusted Web Applications , 2010, 2010 IEEE Symposium on Security and Privacy.

[30]  Scott Moore,et al.  SHILL: A Secure Shell Scripting Language , 2014, OSDI.

[31]  Ben Laurie Safer Scripting Through Precompilation , 2005, Security Protocols Workshop.

[32]  David K. Gifford,et al.  Design Concepts in Programming Languages , 2008 .

[33]  Lindsay Groves,et al.  Capabilities: Effects for Free , 2018, ICFEM.

[34]  K. Rustan M. Leino,et al.  Using data groups to specify and check side effects , 2002, PLDI '02.

[35]  Mark S. Miller,et al.  Robust composition: towards a unified approach to access control and concurrency control , 2006 .

[36]  Anil Madhavapeddy,et al.  Concurrent System Programming with Effect Handlers , 2017, TFP.

[37]  Jonathan Aldrich,et al.  A Capability-Based Module System for Authority Control , 2017, ECOOP.

[38]  Jeffrey Overbey,et al.  A type and effect system for deterministic parallel Java , 2009, OOPSLA '09.

[39]  Dominique Devriese,et al.  Reasoning about Object Capabilities with Logical Relations and Effect Parametricity , 2016, 2016 IEEE European Symposium on Security and Privacy (EuroS&P).

[40]  Jack B. Dennis,et al.  Programming semantics for multiprogrammed computations , 1966, CACM.

[41]  D. L. Parnas,et al.  On the criteria to be used in decomposing systems into modules , 1972, Software Pioneers.

[42]  Jonathan Immanuel Brachthäuser,et al.  Effekt: extensible algebraic effects in Scala (short paper) , 2017, SCALA@SPLASH.

[43]  Pierre Jouvelot,et al.  The Type and Effect Discipline , 1994, Inf. Comput..

[44]  Claire Le Goues,et al.  Evaluating the Flexibility of the Java Sandbox , 2015, ACSAC.

[45]  Benjamin Chung,et al.  Safely Composable Type-Specific Languages , 2014, ECOOP.

[46]  M. Louw,et al.  Analysis of Hypertext Isolation Techniques for XSS Prevention , 2008 .

[47]  Yaron Kashai,et al.  Modules as Objects in Newspeak , 2010, ECOOP.

[48]  Daniel Marino,et al.  A generic type-and-effect system , 2009, TLDI '09.

[49]  Marc Stiegler Emily: A High Performance Language for Enabling Secure Cooperation , 2007, Fifth International Conference on Creating, Connecting and Collaborating through Computing (C5 '07).

[50]  Martin Odersky,et al.  Lightweight Polymorphic Effects , 2012, ECOOP.

[51]  Jonathan Rees,et al.  A security kernel based on the lambda-calculus , 1995 .

[52]  Andrew C. Myers,et al.  Abstraction-safe effect handlers via tunneling , 2019, Proc. ACM Program. Lang..

[53]  Yi-Min Wang,et al.  An analysis of browser domain-isolation bugs and a light-weight transparent defense mechanism , 2007, CCS '07.

[54]  David A. Wagner,et al.  Joe-E: A Security-Oriented Subset of Java , 2010, NDSS.

[55]  Dariusz Biernacki,et al.  Abstracting algebraic effects , 2019, Proc. ACM Program. Lang..

[56]  Benjamin Chung,et al.  Wyvern: a simple, typed, and pure object-oriented language , 2013 .

[57]  George Kuan,et al.  Engineering Higher-Order Modules in SML/NJ , 2009, IFL.

[58]  Sophia Drossopoulou,et al.  Rationally Reconstructing the Escrow Example , 2014, FTfJP@ECOOP.

[59]  Martin Odersky,et al.  Foundations of path-dependent types , 2014, OOPSLA.

[60]  Deepak Garg,et al.  On Access Control, Capabilities, Their Equivalence, and Confused Deputy Attacks , 2016, 2016 IEEE 29th Computer Security Foundations Symposium (CSF).

[61]  Gordon D. Plotkin,et al.  Handlers of Algebraic Effects , 2009, ESOP.

[62]  Joannes M. Lucassen Types and Effects Towards the Integration of Functional and Imperative Programming. , 1987 .

[63]  David B. MacQueen Modules for standard ML , 1984, LFP '84.