Building a Virus-Safe Platform: Don't add security, remove insecurity (PowerPoint PPT presentation transcript)
Mark S. Miller, Virus-Safe Computing Initiative, Hewlett Packard Laboratories

Transcript and Presenter's Notes

1
Building a Virus-Safe Platform: Don't add security, remove insecurity
Mark S. Miller, Virus-Safe Computing Initiative, Hewlett Packard Laboratories
2
A Very Powerful Program
3
Functionality vs. Security?
Chart (figure residue): functionality on one axis, from Isolated to Integratable; authority on the other, from No Authority through Least Authority to User's Authority; regions labelled Safe and Dangerous. Points plotted: Applets (isolated, no authority); Sandboxing and Firewalls in between; Applications (integratable, user's authority); E / CapDesk (integratable, least authority).
4
A Tale of Two Copies
  • cp foo.txt bar.txt
  • vs.
  • cat < foo.txt > bar.txt
  • Bundle permission with designation
  • Let knowledge-of shape access-to
  • Remove ambient authority
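The two copies of slide 4, modelled in Python as an added example (this is not code from the talk or from the E project). cp receives only designations, so it must open them with the process's ambient authority, and a deputy built on that shape can be steered by name alone at a file its caller could not open. cat receives already-open descriptors from the shell, so designation and permission arrive together and the program needs no authority of its own. The in-memory file system, the caller's write policy and all function names are this example's own constructions.

```python
import io

# Constructed in-memory "file system" (name -> bytes); stands in for the real disk.
FS = {
    "foo.txt": b"hello",
    "bar.txt": b"",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
}

# Hypothetical policy: the unprivileged caller may only write bar.txt.
CALLER_MAY_WRITE = {"bar.txt"}


class _WriteHandle(io.BytesIO):
    """Write handle that stores its buffer back into FS on close."""

    def __init__(self, name):
        super().__init__()
        self.name = name

    def close(self):
        FS[self.name] = self.getvalue()
        super().close()


def ambient_open(name, mode):
    """The deputy's ambient authority: opens any name, no questions asked (cp's open(2))."""
    return io.BytesIO(FS[name]) if mode == "r" else _WriteHandle(name)


def caller_open(name, mode):
    """The caller's own, limited authority: the shell performing < and > redirection."""
    if mode == "w" and name not in CALLER_MAY_WRITE:
        raise PermissionError(f"caller may not write {name}")
    return ambient_open(name, mode)


def cp_style_copy(src_name, dst_name):
    """cp shape: takes designations, supplies permission from ambient authority."""
    src, dst = ambient_open(src_name, "r"), ambient_open(dst_name, "w")
    dst.write(src.read())
    dst.close()


def cat_style_copy(src, dst):
    """cat shape: takes open handles; the program holds no authority of its own."""
    dst.write(src.read())
    dst.close()


def caller_can_overwrite_passwd(shape):
    """Ask the deputy of the given shape to copy foo.txt onto /etc/passwd.
    Returns True if the restricted caller thereby overwrote /etc/passwd,
    False if the attempt was refused."""
    FS["/etc/passwd"] = b"root:x:0:0:root:/root:/bin/sh\n"   # reset the asset
    try:
        if shape == "cp":
            # The caller only *names* the target; the deputy's ambient authority opens it.
            cp_style_copy("foo.txt", "/etc/passwd")
        else:
            # The caller must hand over an open write handle it is itself entitled to.
            cat_style_copy(caller_open("foo.txt", "r"), caller_open("/etc/passwd", "w"))
    except PermissionError:
        return False
    return FS["/etc/passwd"] == b"hello"
```

With the cp shape the copy lands on /etc/passwd even though the caller could never have opened it for writing; with the cat shape the same request fails at the caller's own open, before the deputy is involved. Nothing was added to the cat shape to make it safe: the ambient authority was removed.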

5
CapDesk Usable POLA
  • Double click launch
  • File Explorer
  • Open dialog
  • Drag/Drop
  • Etc...

Moral: Bundle permission with designation
6
How do I designate thee?
  • by Introduction (Alice holds a ref to Carol and a ref to Bob, and decides to share)
  • by Parenthood
  • by Endowment
  • by Initial Conditions

How might object Bob come to know of object Carol?
7-11
How do I designate thee? (by Introduction; diagram animation)
Alice says bob.foo(carol)
Think in names. Speak in references.
12
How do I designate thee? (by Parenthood)
Bob says def carol := ...
13
How do I designate thee? (by Endowment)
Alice says def bob := ... carol ...
14
How do I designate thee? (by Initial Conditions)
At t0
15
What are Object-Capabilities?
Reference Graph = Access Graph
  • by Introduction (Alice holds a ref to Carol and a ref to Bob, and decides to share)
  • by Parenthood
  • by Endowment
  • by Initial Conditions
  • Absolute encapsulation: causality only by messages
  • Only references permit causality
16
Not Discretionary!
  • by Introduction (Alice holds a ref to Carol and a ref to Bob, and decides to share)
  • by Parenthood
  • by Endowment
  • by Initial Conditions

Alice says bob.foo(carol)
  • Overlooked requirement. Enables confinement.
  • Only connectivity begets connectivity.
17
Distributed Crypto Object-Caps
Alice says bob lt- foo(carol)
18
Distributed Crypto Object-Caps
19
Distributed Crypto Object-Caps
20
Distributed Crypto Object-Caps
21
The Two Impostor Problems
VatID Is this the Carol Alice Meant?
SwissNumber Is this the Bob Alice Meant?
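The cross-vat introduction of slides 17-21, modelled in Python as an added example (not code from the talk or from E's CapTP). A reference that travels between vats is a pair of a vat identity and an unguessable Swiss number; the receiving side must check both, which are the two impostor problems. The class and function names (Vat, introduce, resolve) and the constructed vat ids are this example's own assumptions, and the signed, encrypted transport a real implementation would use is omitted.

```python
import hashlib
import hmac
import secrets


class Vat:
    """A hosting vat. It remembers the *hash* of each Swiss number, never the
    number itself, so a copied table does not yield usable references."""

    def __init__(self, vat_id):
        self.vat_id = vat_id        # assumption: stands in for the vat's key fingerprint
        self._by_hash = {}          # sha256(swiss number) -> hosted object

    def register(self, obj):
        """Mint a fresh, unguessable 160-bit Swiss number for obj and hand it back."""
        swiss = secrets.token_bytes(20)
        self._by_hash[hashlib.sha256(swiss).digest()] = obj
        return swiss

    def lookup(self, swiss):
        """Resolve a presented Swiss number; an unknown or guessed one is refused."""
        try:
            return self._by_hash[hashlib.sha256(swiss).digest()]
        except KeyError:
            raise KeyError("unknown Swiss number") from None


def introduce(hosting_vat, obj):
    """Alice's side: turn her live reference into a transmissible (vat id, Swiss number)."""
    return (hosting_vat.vat_id, hosting_vat.register(obj))


def resolve(reached_vat, ref):
    """Bob's side: first check that the vat he reached is the one the reference
    names (the VatID question), then present the Swiss number (the SwissNumber
    question). Either failure leaves Bob holding no reference at all."""
    vat_id, swiss = ref
    if not hmac.compare_digest(reached_vat.vat_id, vat_id):
        raise ConnectionError("reached a vat other than the one the reference names")
    return reached_vat.lookup(swiss)


def introduction_outcomes():
    """Run the honest case and the two impostor cases; return what each yielded."""
    carols_vat = Vat(b"fingerprint-of-carols-vat")      # constructed id
    carol = object()
    ref = introduce(carols_vat, carol)

    honest = resolve(carols_vat, ref) is carol
    try:
        resolve(Vat(b"fingerprint-of-impostor"), ref)   # a different vat answers
        wrong_vat_refused = False
    except ConnectionError:
        wrong_vat_refused = True
    try:
        resolve(carols_vat, (ref[0], bytes(20)))        # right vat, guessed number
        guess_refused = False
    except KeyError:
        guess_refused = True
    return honest, wrong_vat_refused, guess_refused
```

The point of storing only the hash is the same as for passwords: the vat can recognise a reference it issued without being able to reissue it, so knowledge of the Swiss number stays with whoever was introduced.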
22
Roadmap, in Hindsight
Diagram (figure residue): a road map of language lineages, each road starting from the question "What about Security?". Labels as far as they can be recovered:
  • Object road: Scheme, W7, E; Objects; Message Passing, Encapsulation; Lexical Nesting; Object-Capabilities; POLA; Safe Reflection; Safe Loading; Memory Safety, GC, Eval / Loading; Virus Safe Computing.
  • Detour: Oak, pre-.NET, Oz; "No problemo"; Mutable Static State; Static Native Devices; Shared State Concurrency; Unprincipled Libraries; ClassLoaders as Principals; Stack Introspection; Security Managers; Signed Applets; Java, .NET.
23
Detour is Non-Object Causality
Same diagram as slide 22, with the detour (mutable static state, static native devices, shared-state concurrency, unprincipled libraries) highlighted.
24
Objects as Closures
    def makePoint {
        to run(x :int, y :int) :any {
            def point {
                to getX() :int { return x }
                to getY() :int { return y }
                to add(otherPt) :any {
                    def x2 := x.add(otherPt.getX())
                    def y2 := y.add(otherPt.getY())
                    return makePoint.run(x2, y2)
                }
            }
            return point
        }
    }
25
a pinch of sugar
The same object as on slide 24, written with E's sugar for a one-method function and infix arithmetic:
    def makePoint(x :int, y :int) :any {
        def point {
            to getX() :int { return x }
            to getY() :int { return y }
            to add(otherPt) :any {
                def x2 := x + otherPt.getX()
                def y2 := y + otherPt.getY()
                return makePoint(x2, y2)
            }
        }
        return point
    }
26
Paradigm Lost Unchallenged Myths
  • On the Inability of an Unmodified Capability
    Machine to Enforce the *-Property
  • ... an unmodified or classic capability system
    cannot ... solve the confinement problem
  • Since a capability is just a bit string, it can
    propagate in many ways without the detection of
    the kernel or the server...
  • Capability systems modeled as unforgeable
    references present the other extreme, where
    delegation is trivial, and revocation is
    infeasible
  • Capabilities vs. ACLs are just rows vs.
    columns
  • Capabilities are tickets or keys
  • Capabilities are discretionary
  • ACLs won. Capabilities lost.

27
Redell's 1974 Caretaker Pattern
    def makeCaretaker(var target) :any {
        def caretaker {
            match [verb :String, args :any] {
                E.call(target, verb, args)
            }
        }
        def revoker {
            to revoke() :void {
                target := null
            }
        }
        return [caretaker, revoker]
    }
28
Redell's 1974 Caretaker Pattern
Alice says
    def [carol2, carol2revoker] := makeCaretaker(carol)
    bob.foo(carol2)
(makeCaretaker as on slide 27)
29
Can't Revoke Permissions, but...
Bob says carol2.doThis(...)
Alice says carol2revoker.revoke()
Bob says carol2.doThat(...)
30
... Can Revoke Authority
(same sequence as slide 29)
31
No Permissions Were Revoked
(same sequence as slide 29)
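Redell's caretaker from slides 27-28 and the revoke sequence of slides 29-31, in Python as an added example (not code from the talk or from E). The names make_caretaker, Revoked and Carol are this example's own; Python has no absolute encapsulation, so this models the pattern rather than enforcing it. The example goes one step beyond the slides by letting Bob pass carol2 on to a third party, to show that revocation reaches every holder of the forwarded reference.

```python
class Revoked(Exception):
    """Raised when a message reaches the caretaker after its revoker has fired."""


def make_caretaker(target):
    """Return (caretaker, revoker): a forwarder to target, and the object that cuts it."""
    cell = {"target": target}            # the shared 'var target' of the E version

    class Caretaker:
        # Plays the role of E's 'match [verb, args]': forward any message to the
        # current target, or refuse once the target has been nulled out.
        def __getattr__(self, verb):
            current = cell["target"]
            if current is None:
                raise Revoked(verb)
            return getattr(current, verb)

    class Revoker:
        def revoke(self):
            cell["target"] = None        # target := null

    return Caretaker(), Revoker()


class Carol:
    """The target object; records which messages actually reached her."""

    def __init__(self):
        self.received = []

    def doThis(self):
        self.received.append("doThis")
        return "did this"

    def doThat(self):
        self.received.append("doThat")
        return "did that"


def revocation_sequence():
    """Alice gives Bob carol2 (a caretaker for carol), Bob forwards it to Dave,
    Alice revokes. Returns (messages Carol received, what each caller observed)."""
    carol = Carol()
    carol2, carol2revoker = make_caretaker(carol)   # Alice: def [carol2, carol2revoker] := ...
    daves_ref = carol2                              # Bob passes his reference on to Dave
    observed = [("Bob", "doThis", carol2.doThis())] # Bob says carol2.doThis(...)
    carol2revoker.revoke()                          # Alice says carol2revoker.revoke()
    for who, ref, verb in (("Bob", carol2, "doThat"), ("Dave", daves_ref, "doThis")):
        try:
            observed.append((who, verb, getattr(ref, verb)()))
        except Revoked:
            observed.append((who, verb, "revoked"))
    return carol.received, observed
```

No permission on Carol changes at any point; only the reference Bob holds goes dead, and with it every copy Bob handed out. The caretaker is only as tight as Carol's replies: if a reply handed back a direct reference to Carol, that reference would bypass the caretaker, which is why a full membrane wraps return values too.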
32
Cashing in on Distributed Objects
Alice:
    def payment := myPurse <- makePurse()
    payment <- deposit(10, myPurse)
    bob <- buy(..., payment)
Bob:
    when (payment) -> {
        ...
        when (myPurse <- deposit(10, payment)) -> {
            ...
        }
        ...
    }
Diagram (figure residue): Alice's purse and Bob's purse belong to one mint (name, sealer, unsealer), which dispenses value; as the 10 is paid, the balances move from 100 and 200 to 90 and 210.
33
Distributed Secure Money in E
    def makeMint(name :String) :any {
        def [sealer, unsealer] := makeBrandPair(name)
        def mint {
            to makePurse(var balance :(int >= 0)) :any {
                def decr(amount :(0..balance)) :void {
                    balance -= amount
                }
                def purse {
                    to getBalance() :int { return balance }
                    to makePurse() :any { return mint.makePurse(0) }
                    to getDecr() :any { return sealer.seal(decr) }
                    to deposit(amount :int, src) :void {
                        unsealer.unseal(src.getDecr())(amount)
                        balance += amount
                    }
                }
                return purse
            }
        }
        return mint
    }
34
Rights Amplification
    ? def [sealer, unsealer] := makeBrandPair("MarkM")
    # value: [<MarkM sealer>, <MarkM unsealer>]
    ? def envelope := sealer.seal("Tuna")
    # value: <sealed by MarkM>
    ? unsealer.unseal(envelope)
    # value: "Tuna"
35
Distributed Secure Money in E
(makeMint as on slide 33)
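The sealer/unsealer pair of slide 34 and the mint of slides 33 and 35, in Python as an added example (not code from the talk or from E's library), followed by the payment scenario of slide 32. Python cannot give absolute encapsulation, so this models the pattern rather than enforcing it. The names make_brand_pair, make_mint, Purse and Mint follow the slides; alice_pays_bob and forged_deposit_rejected are this example's own.

```python
def make_brand_pair(name):
    """Return (seal, unseal): only this unseal can open boxes made by this seal."""

    class SealedBox:
        __slots__ = ("_content",)

        def __init__(self, content):
            self._content = content

        def __repr__(self):
            return f"<sealed by {name}>"

    def seal(content):
        return SealedBox(content)

    def unseal(box):
        if type(box) is not SealedBox:        # a box of another brand, or a fake
            raise TypeError(f"not sealed by {name}")
        return box._content

    return seal, unseal


def make_mint(name):
    seal, unseal = make_brand_pair(name)

    class Purse:
        def __init__(self, balance):
            if balance < 0:                   # the (int >= 0) guard
                raise ValueError("negative balance")
            self._balance = balance

        def get_balance(self):
            return self._balance

        def make_purse(self):                 # an empty purse of the same currency
            return Purse(0)

        def get_decr(self):
            def decr(amount):                 # the (0..balance) guard
                if not 0 <= amount <= self._balance:
                    raise ValueError("amount out of range")
                self._balance -= amount
            return seal(decr)                 # only a same-mint purse can unseal it

        def deposit(self, amount, src):
            # Rights amplification: holding src *and* this mint's unsealer together
            # yields the power to withdraw from src. A purse of another mint, or a
            # look-alike object, fails at unseal and this purse is left unchanged.
            unseal(src.get_decr())(amount)
            self._balance += amount

    class Mint:
        def make_purse(self, balance):
            return Purse(balance)

    return Mint()


def alice_pays_bob():
    """Slide 32: Alice (100) pays Bob (200) ten units through a payment purse.
    Returns the final balances of Alice's purse, Bob's purse and the payment purse."""
    mint = make_mint("dollars")
    alice_purse, bob_purse = mint.make_purse(100), mint.make_purse(200)
    payment = alice_purse.make_purse()        # empty purse Alice can safely hand out
    payment.deposit(10, alice_purse)          # Alice moves 10 into it
    bob_purse.deposit(10, payment)            # Bob sweeps the payment into his own purse
    return alice_purse.get_balance(), bob_purse.get_balance(), payment.get_balance()


def forged_deposit_rejected():
    """A purse issued by a different mint cannot be deposited into this mint's purse."""
    dollars, euros = make_mint("dollars"), make_mint("euros")
    target = dollars.make_purse(0)
    try:
        target.deposit(5, euros.make_purse(50))
    except TypeError:
        return target.get_balance() == 0      # nothing was credited
    return False
```

Handing Bob the payment purse gives him exactly ten units and nothing else: he never sees Alice's main purse, and the decr he unseals is bound to the payment purse alone. Because the unseal is attempted before the credit, a rejected source leaves the receiving balance untouched.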
36
Security is Just Extreme Modularity
Good software engineering
  • Responsibility driven design
  • Omit needless coupling
  • assert(..) preconditions
  • Information hiding
  • Designation, need to know
  • Dynamics of knowledge
  • Lexical naming
  • Think names, speak refs
  • Avoid global variables
  • Abstraction
  • Procedural, data, control, ...
  • Patterns and frameworks
  • Say what you mean
Capability discipline
  • Authority driven design
  • Omit needless vulnerability
  • Validate inputs
  • Principle of Least Authority
  • Permission, need to do
  • Dynamics of authorization
  • No global name spaces
  • Think names, speak refs
  • Forbid mutable static state
  • Abstraction
  • ... and access abstractions
  • Patterns of safe cooperation
  • Mean only what you say

37
Our Logo
The POLA Bear
38
Bibliography
  • E in a Walnut: skyhunter.com/marcs/ewalnut.html. Download E from erights.org and try it! (It's open source.)
  • Paradigm Regained (HPL-2003-222): erights.org/talks/asian03/
  • A Security Kernel Based on the Lambda-Calculus: mumble.net/jar/pubs/secureos/
  • Capability-based Financial Instruments (the Ode): erights.org/elib/capability/ode/index.html
  • Intro to Capability-based Security: skyhunter.com/marcs/capabilityIntro/index.html
  • Statements of Consensus: erights.org/elib/capability/consensus-9feb01.html
  • Web Calculus: www.waterken.com/dev/Web/Calculus/
  • Web sites: erights.org, combex.com, eros-os.org, cap-lore.com/CapTheory, www.waterken.com
39
Thank You
40
The Access Matrix
Who might endanger what?
Matrix (figure residue): rows are subjects, columns are assets at risk.
  • Columns: /etc/passwd, Alan's stuff, Barb's stuff, Doug's stuff
  • Rows: Kernel (root, TCB), alan, barb, doug
Cells shaded yellow mark assets a subject could endanger. Get the yellow out!
41
The Access Matrix, Reloaded
Who might endanger what?
Same matrix as slide 40, with alan and doug POLArized and barb a legacy user.
vulnerability = exploitability of flaws
42
The Access Matrix Revolution
What might endanger what?
Matrix of Doug's assets at risk to Doug.
  • Columns: email addrs, pgp ring, score.txt, internet access
  • Rows: E / CapDesk (Doug's TCB), DarpaBrowser, Solitaire, CapMail
  • Machine virtualization marked alongside
43
Subsystems within Subsystems
Matrix of Doug's assets at risk to his CapMail.
  • Columns: email addrs, pgp ring, score.txt, internet access
  • Rows: CapMail's main() (CapMail's TCB), address book, gpg plugin, smtp / pop stacks
  • The gpg plugin and the smtp / pop stacks are tamed libraries
44
Least Authority is Fractal!
Matrix as on slide 40 (columns /etc/passwd, Alan's stuff, Barb's stuff, Doug's stuff; rows Kernel (root, TCB), alan, barb (legacy user), doug), with doug's row expanded into confined Solitaire and tamed gpg.
Recursively reduce area of vulnerability
45
POLA all the way down
46
Example: Oak's Detour
  • Mutable static state (class variables)
    • even when private, prevents confinement
  • Static, native, authority-bearing methods
    • example: File opening, clock
  • Ambient access to non-determinism
    • System.identityHashCode(obj), threads
  • Locks as communication channels
    • synchronized (foo.intern()) { ... }
  • Non-POLA legacy libraries
47
Stay on the Pure Object Road
  • Pure object (instance) model is fine as is
    • No features need be added or removed
    • Though some new primitives are convenient
  • Non-object causality must be prohibited
    • Authority only according to references held and used
  • Loading separately provided code and state
    • No implicit state bindings, no global scopes
    • Must support lexical nesting in the large
    • All free variables are virtualizable
    • Only main() starts with all authority, as instances
48
Let Knowledge Shape Access
  • "Make the Computer Recursive" (Alan Kay)
  • Knows-about has fractal structure.
    • People know people. Organs know organs. Cells know cells.
  • Make access rights similarly self-similar!
  • Information hiding: Need to know
  • POLA: Need to do
49
Spectrum of Models
Axis from Tractable to Realistic: direct access vs. indirect causality; overt behavior vs. covert and side channels and bugs. Three rows of the table:
  • Permission: Rules; Arcs; Protection State; Permit
  • Authority: Legal Outcomes; Paths (with behavior); Op. Semantics; Authorize
  • Ability: Actual Outcomes; Non-determinism; Implementation; Enable
50
Paradigm Regained: Access Abstraction
Bob says carol2.doThis(...)
Alice says carol2revoker.revoke()
Bob says carol2.doThat(...)
  • Caretaker is a smart ref
  • Alice uses behaviour to express policy
  • Further limits Bob's authority
  • Tighter POLA
51
No Permissions Were Granted
What if Alice couldn't permit Bob to access Carol?
  • She's only authorizing Bob.
  • By practicing POLA, as she should, Alice has inadvertently thwarted the intent of this prohibition.
  • Policy ignores Alice's possible behaviour
  • Confinement of permissions, by itself, is mostly pointless
  • Confinement of authority isn't enough if we've got covert channels
52
Other Capability Models
Capabilities as Rows
Capabilities as Keys
  • Equivalence? Revocability? Confinement?

53
Capability Myths Demolished: Models mostly missed virtues of actual systems