Secure composition of untrusted code: box π, wrappers, and causality types

Software systems are becoming heterogeneous: instead of a small number of large programs from well-established sources, a user's desktop may now consist of many smaller components that interact in intricate ways. Some components will be downloaded from the network from sources that are only partially trusted. A user would like to know that a number of security properties hold, e.g., that personal data is not leaked to the net, but it is typically infeasible to verify that such components are well-behaved. Instead, they must be executed in a secure environment that provides fine-grained control of the allowable interactions between them, and between components and other system resources.

In this paper, we consider the problem of assembling concurrent software systems from untrusted or partially trusted off-the-shelf components, using wrapper programs to encapsulate components and enforce security policies. We introduce a model programming language, the box-π calculus, that supports composition of software components and the enforcement of information flow security policies. Several example wrappers are expressed using the calculus, and we explore the delicate security properties they guarantee. We present a novel causal type system that statically captures the allowed flows between wrapped, possibly badly-typed components; we use it to prove that an example ordered pipeline wrapper enforces a causal flow property.
