Ethos' Deeply Integrated Distributed Types

Programming languages have long incorporated type safety, increasing their level of abstraction and thus aiding programmers. Type safety eliminates whole classes of security-sensitive bugs, replacing the tedious and error-prone search for such bugs in each application with verifying the correctness of the type system. Despite their benefits, these protections often end at the process boundary: type safety holds within a program but usually does not extend to the file system or to communication with other programs. Existing operating system approaches to bridge this gap require the use of a single programming language or common language runtime. We describe the deep integration of type safety in Ethos, a clean-slate operating system which requires that all program input and output satisfy a recognizer before applications are permitted to further process it. Ethos types are multilingual and runtime-agnostic, and each has an automatically generated unique type identifier. Ethos bridges the type-safety gap between programs by (1) providing a convenient mechanism for specifying the types each program may produce or consume, (2) ensuring that each type has a single, distributed-system-wide recognizer implementation, and (3) inescapably enforcing these type constraints.
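The recognize-before-process discipline the abstract describes, as an added illustration that is not Ethos' own code: a type identifier is derived from the canonical type description, exactly one recognizer is registered per identifier, and an I/O gate hands the application only values that satisfied it (truncated, over-long, non-UTF-8, trailing-byte and unregistered-type inputs are rejected at the boundary). The two-kind type description language (`u32`, `str:N`), the wire encoding, and all function names are assumptions made for this example.

```python
import hashlib, json, struct

class RecognizeError(ValueError): pass  # input failed its recognizer; the application never sees it

def type_id(type_desc):
    """Unique identifier derived from the canonical (sorted, whitespace-free) type description."""
    canonical = json.dumps(type_desc, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).digest()[:16]

def recognize(type_desc, payload):
    """Accept exactly the byte strings encoding a value of type_desc; kinds are u32 and str:N."""
    pos, out = 0, {}
    for name, kind in type_desc["fields"]:
        if kind == "u32":
            if pos + 4 > len(payload):
                raise RecognizeError(f"{name}: truncated u32")
            out[name] = struct.unpack_from(">I", payload, pos)[0]
            pos += 4
        else:  # "str:N" = UTF-8 string of at most N bytes, 16-bit big-endian length prefix
            if pos + 2 > len(payload):
                raise RecognizeError(f"{name}: truncated length prefix")
            n = struct.unpack_from(">H", payload, pos)[0]
            pos += 2
            if n > int(kind[4:]) or pos + n > len(payload):
                raise RecognizeError(f"{name}: length {n} exceeds bound or buffer")
            try:
                out[name] = payload[pos:pos + n].decode("utf-8")
            except UnicodeDecodeError as e:
                raise RecognizeError(f"{name}: not valid UTF-8") from e
            pos += n
    if pos != len(payload):
        raise RecognizeError("trailing bytes after record")
    return out

def encode(type_desc, value):
    """Wire form (constructed for this example): 16-byte type identifier, then fields in order."""
    body = b""
    for name, kind in type_desc["fields"]:
        if kind == "u32":
            body += struct.pack(">I", value[name])
        else:
            raw = value[name].encode("utf-8")
            body += struct.pack(">H", len(raw)) + raw
    return type_id(type_desc) + body

def receive(registry, wire):
    """Boundary gate: the single recognizer registered for the type id runs before any handler."""
    if wire[:16] not in registry:
        raise RecognizeError("unregistered type identifier")
    return recognize(registry[wire[:16]], wire[16:])
```

Note that `encode` deliberately does not enforce the string bound, so an over-long value it produces is caught only by the recognizer on the receiving side.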
