A Capability-Based Module System for Authority Control

The principle of least authority states that each component of the system should be given authority to access only the information and resources that it needs for its operation. This principle is fundamental to the secure design of software systems, as it helps to limit an application's attack surface and to isolate vulnerabilities and faults. Unfortunately, current programming languages do not provide adequate help in controlling the authority of application modules, an issue that is particularly acute in the case of untrusted third-party extensions. In this paper, we present a language design that facilitates controlling the authority granted to each application module. The key technical novelty of our approach is that modules are first-class, statically typed capabilities. First-class modules are essentially objects, and so we formalize our module system by translation into an object calculus and prove that the core calculus is type-safe and authority-safe. Unlike prior formalizations, our work defines authority non-transitively, allowing engineers to reason about software designs that use wrappers to provide an attenuated version of a more powerful capability. Our approach allows developers to determine a module's authority by examining the capabilities passed as module arguments when the module is created, or delegated to the module later during execution. The type system facilitates this by identifying which objects provide capabilities to sensitive resources, and by enabling security architects to examine the capabilities passed into and out of a module based only on the module's interface, without needing to examine the module's implementation code. An implementation of the module system and illustrative examples in the Wyvern programming language suggest that our approach can be a practical way to control module authority.

[1]  Jerome H. Saltzer,et al.  Protection and the control of information sharing in multics , 1974, CACM.

[2]  Yi-Min Wang,et al.  An analysis of browser domain-isolation bugs and a light-weight transparent defense mechanism , 2007, CCS '07.

[3]  M. Louw,et al.  Analysis of Hypertext Isolation Techniques for XSS Prevention , 2008 .

[4]  Claire Le Goues,et al.  Evaluating the Flexibility of the Java Sandbox , 2015, ACSAC.

[5]  Michael Maass,et al.  A Theory and Tools for Applying Sandboxes Effectively , 2016 .

[6]  Sophia Drossopoulou,et al.  Swapsies on the Internet: First Steps towards Reasoning about Risk and Trust in an Open World , 2015, PLAS@ECOOP.

[7]  David A. Wagner,et al.  A Security Analysis of the Combex DarpaBrowser Architecture , 2002 .

[8]  Scott Moore,et al.  SHILL: A Secure Shell Scripting Language , 2014, OSDI.

[9]  Sophia Drossopoulou,et al.  The need for capability policies , 2013, FTfJP@ECOOP.

[10]  Martin Odersky,et al.  Spores: A Type-Based Foundation for Closures in the Age of Concurrency and Distribution , 2014, ECOOP.

[11]  Yaron Kashai,et al.  Modules as Objects in Newspeak , 2010, ECOOP.

[12]  John M. Rushby,et al.  Design and verification of secure systems , 1981, SOSP.

[13]  Jonathan Rees,et al.  A security kernel based on the lambda-calculus , 1995 .

[14]  John Tang Boyland,et al.  Capabilities for Sharing: A Generalisation of Uniqueness and Read-Only , 2001, ECOOP.

[15]  William A. Wulf,et al.  HYDRA , 1974, Commun. ACM.

[16]  Ben Laurie Safer Scripting Through Precompilation , 2005, Security Protocols Workshop.

[17]  Ankur Taly,et al.  Object Capabilities and Isolation of Untrusted Web Applications , 2010, 2010 IEEE Symposium on Security and Privacy.

[18]  Marc Stiegler Emily: A High Performance Language for Enabling Secure Cooperation , 2007, Fifth International Conference on Creating, Connecting and Collaborating through Computing (C5 '07).

[19]  David A. Wagner,et al.  Joe-E: A Security-Oriented Subset of Java , 2010, NDSS.

[20]  Matthias Felleisen,et al.  Units: cool modules for HOT languages , 1998, PLDI.

[21]  Mark S. Miller,et al.  Robust composition: towards a unified approach to access control and concurrency control , 2006 .

[22]  J. Aldrich,et al.  Capability Safe Reflection for the Wyvern Language , 2016 .

[23]  Scott Moore,et al.  Declarative Policies for Capability Control , 2014, 2014 IEEE 27th Computer Security Foundations Symposium.

[24]  Sophia Drossopoulou,et al.  Rationally Reconstructing the Escrow Example , 2014, FTfJP@ECOOP.

[25]  Jonathan Aldrich,et al.  A Capability-Based Module System for Authority Control (Artifact) , 2017, Dagstuhl Artifacts Ser..

[26]  Wolfgang De Meuter,et al.  AmbientTalk: programming responsive mobile peer-to-peer applications with actors , 2014, Comput. Lang. Syst. Struct..

[27]  Robert N. M. Watson,et al.  Exploiting Concurrency Vulnerabilities in System Call Wrappers , 2007, WOOT.

[28]  James H. Morris Protection in programming languages , 1973, CACM.

[29]  David B. MacQueen Modules for standard ML , 1984, LFP '84.

[30]  Peter Van Roy,et al.  The Oz-E Project: Design Guidelines for a Secure Multiparadigm Programming Language , 2004, MOZ.

[31]  Sophia Drossopoulou,et al.  Towards Capability Policy Specification and Verification , 2013 .

[32]  Benjamin Chung,et al.  Wyvern: a simple, typed, and pure object-oriented language , 2013 .

[33]  Dominique Devriese,et al.  Reasoning about Object Capabilities with Logical Relations and Effect Parametricity , 2016, 2016 IEEE European Symposium on Security and Privacy (EuroS&P).

[34]  Jack B. Dennis,et al.  Programming semantics for multiprogrammed computations , 1966, CACM.

[35]  Jonathan Aldrich,et al.  Modules in wyvern: advanced control over security and privacy , 2016, HotSoS.

[36]  Sophia Drossopoulou,et al.  How to Break the Bank: Semantics of Capability Policies , 2014, IFM.

[37]  Christian Payne,et al.  The state of the art of application restrictions and sandboxes: A survey of application-oriented access controls and their shortfalls , 2013, Comput. Secur..