Secure composition of insecure components

Software systems are becoming heterogeneous: instead of a small number of large programs from well-established sources, a user's desktop may now consist of many smaller components that interact in intricate ways. Some components will be downloaded from the network from sources that are only partially trusted. A user would like to know that a number of security properties hold, e.g., that personal data is not leaked to the net, but it is typically infeasible to verify that such components are well behaved. Instead they must be executed in a secure environment, or wrapper, that provides fine-grained control of the allowable interactions between them and between components and other system resources. We study such wrappers, focusing on how they can be expressed in a way that enables their security properties to be stated and proved rigorously. We introduce a model programming language, the box-π calculus, that supports composition of software components and the enforcement of security policies. Several example wrappers are expressed using the calculus: we explore the delicate security properties they guarantee.
