Representation Independence, Confinement and Access Control

Similar documents
Representation Independence, Confinement and Access Control

Reasoning about modules: data refinement and simulation

Stack-based Access Control for Secure Information Flow

Towards imperative modules: reasoning about invariants and sharing of mutable state

STEVENS. Stevens Institute of Technology. Ownership Confinement Ensures Representation Independence for Object-Oriented Programs

Static Use Based Object Confinement. Christian Skalka and Scott Smith The Johns Hopkins University

Static Use-Based Object Confinement. Christian Skalka and Scott Smith The Johns Hopkins University

Hoare logic. WHILE p, a language with pointers. Introduction. Syntax of WHILE p. Lecture 5: Introduction to separation logic

Hoare Logic and Model Checking

Hoare logic. Lecture 5: Introduction to separation logic. Jean Pichon-Pharabod University of Cambridge. CST Part II 2017/18

Programming Languages

Reasoning about Object Structures Using Ownership

Programming Languages Lecture 15: Recursive Types & Subtyping

Abstract Interpretation

An Approach to Behavioral Subtyping Based on Static Analysis

CS558 Programming Languages

COMP 181. Agenda. Midterm topics. Today: type checking. Purpose of types. Type errors. Type checking

Axiomatic Rules. Lecture 18: Axiomatic Semantics & Type Safety. Correctness using Axioms & Rules. Axiomatic Rules. Steps in Proof

Outline. What is semantics? Denotational semantics. Semantics of naming. What is semantics? 2 / 21

Simply-Typed Lambda Calculus

Principles of Programming Languages

CS558 Programming Languages

Observational purity and encapsulation

Operational Semantics. One-Slide Summary. Lecture Outline

Reasoning About Imperative Programs. COS 441 Slides 10

Mutable References. Chapter 1

Programming Languages (PL)

Compilers. Type checking. Yannis Smaragdakis, U. Athens (original slides by Sam

Hoare triples. Floyd-Hoare Logic, Separation Logic

CS558 Programming Languages

An Annotated Language

Practical Affine Types and Typestate-Oriented Programming

Hoare logic. A proof system for separation logic. Introduction. Separation logic

Formal Semantics of Programming Languages

Hiding local state in direct style: a higher-order anti-frame rule

COS 320. Compiling Techniques

Concepts of Object-Oriented Programming Peter Müller

Operational Semantics of Cool

The Design of Core C++ (Notes)

Language-Based Information- Flow Security

Outline. Java Models for variables Types and type checking, type safety Interpretation vs. compilation. Reasoning about code. CSCI 2600 Spring

Denotational Semantics. Domain Theory

Concepts of Object-Oriented Programming Peter Müller

4. Object Structures, Aliasing, and Encapsulation

Certified Memory Usage Analysis

INF 212 ANALYSIS OF PROG. LANGS Type Systems. Instructors: Crista Lopes Copyright Instructors.

Formal Semantics of Programming Languages

From IMP to Java. Andreas Lochbihler. parts based on work by Gerwin Klein and Tobias Nipkow ETH Zurich

Refinement Types for TypeScript

An Operational and Axiomatic Semantics for Non-determinism and Sequence Points in C

CS558 Programming Languages

State Based Encapsulation for Modular Reasoning about Behavior-Preserving Refactorings

4.5 Pure Linear Functional Programming

Lexical Considerations

A Gentle Introduction to Program Analysis

Object Ownership in Program Verification

High-Level Small-Step Operational Semantics for Software Transactions

Note that in this definition, n + m denotes the syntactic expression with three symbols n, +, and m, not to the number that is the sum of n and m.

UNIT 3

Compiler Theory. (Semantic Analysis and Run-Time Environments)

CMSC 330: Organization of Programming Languages. Formal Semantics of a Prog. Lang. Specifying Syntax, Semantics

Index. object lifetimes, and ownership, use after change by an alias errors, use after drop errors, BTreeMap, 309

CS558 Programming Languages

Local Verification of Global Invariants in

G Programming Languages - Fall 2012

CA Compiler Construction

SAT-CNF Is N P-complete

An Introduction to Heap Analysis. Pietro Ferrara. Chair of Programming Methodology ETH Zurich, Switzerland

Static Program Analysis Part 1 the TIP language

Lecture Overview. [Scott, chapter 7] [Sebesta, chapter 6]

POLYMORPHISM 2 PART. Shared Interface. Discussions. Abstract Base Classes. Abstract Base Classes and Pure Virtual Methods EXAMPLE

1 Introduction. 3 Syntax

Cover Page. The handle holds various files of this Leiden University dissertation

POLYMORPHISM 2 PART Abstract Classes Static and Dynamic Casting Common Programming Errors

Software Engineering using Formal Methods

SMT-Based Modular Analysis of Sequential Systems Code

Semantic Analysis and Type Checking

Lectures 20, 21: Axiomatic Semantics

Lexical Considerations

JML tool-supported specification for Java Erik Poll Radboud University Nijmegen

Top Down Design vs. Modularization

Formal Semantics. Prof. Clarkson Fall Today s music: Down to Earth by Peter Gabriel from the WALL-E soundtrack

Gradual Parametricity, Revisited

Controlling Object Allocation Using Creation Guards

Advanced Programming Methods. Introduction in program analysis

Application: Programming Language Semantics

CMSC 330: Organization of Programming Languages. Ownership, References, and Lifetimes in Rust

Semantic Analysis. CSE 307 Principles of Programming Languages Stony Brook University

The Java Language Implementation

Ownership Transfer in Universe Types

Compilation and Program Analysis (#11) : Hoare triples and shape analysis

Formal Specification and Verification

Chapter 13: Reference. Why reference Typing Evaluation Store Typings Safety Notes

The Substitution Model

Reference Counting. Reference counting: a way to know whether a record has other users

Lenient Array Operations for Practical Secure Information Flow

Lecture 15 CIS 341: COMPILERS

CONVENTIONAL EXECUTABLE SEMANTICS. Grigore Rosu CS522 Programming Language Semantics

Type Systems Winter Semester 2006

Checks and Balances - Constraint Solving without Surprises in Object-Constraint Programming Languages: Full Formal Development

Transcription:

Representation Independence, Confinement and Access Control Anindya Banerjee and David Naumann ab@cis.ksu.edu and naumann@cs.stevens-tech.edu Kansas State University and Stevens Institute of Technology Banerjee&Naumann popl 02 p.1/18

Class signer bug (jdk1.1) public class Class private Identity[] signers; //authenticated public Identity[] getsigners() return signers;... public class System public Identity[] getknownsigners()...... class Bad void bad() Identity[] s = getsigners(); //leak s[0] = System.getKnownSigners()[0]; doprivileged("something bad");... Banerjee&Naumann popl 02 p.2/18

Representation independence class A private Boolean g; // rep object unit init() g := new Boolean(); g.set( true); unit setg(bool x) g.set( x); bool getg() return g.get(); Example: abstraction A using representation Boolean to hold current value (or its negation). Information hiding: type safety, visibility and scope rules ensure that clients are not dependent on encapsulated representation. z:= new A(); z.setg(true); b:= z.getg(); Banerjee&Naumann popl 02 p.3/18

Representation exposure class A private Boolean g; // rep object unit init() g := new Boolean(); g.set( true); unit setg(bool x) g.set( x); bool getg() return g.get(); Object bad() return g; Client behavior depends on representation: z := new A(); w := (Boolean) z.bad(); if (w.get()) skip else diverge; Banerjee&Naumann popl 02 p.4/18

Representation exposure class A private Boolean g; // rep object unit init() g := new Boolean(); g.set( true); unit setg(bool x) g.set( x); bool getg() return g.get(); Object bad() return g; Client behavior depends on representation: z := new A(); w := (Boolean) z.bad(); if (w.get()) skip else diverge; Leaks also allow clients to violate invariants, e.g., signers have all been authenticated for this class. Banerjee&Naumann popl 02 p.5/18

Contribution Formalization of pointer confinement and proof that it * ensures representation independence, for rich fragment of Java. Client objects Interface objects Representations A Boole allowed C A disallowed D Boole Banerjee&Naumann popl 02 p.6/18

Contribution Formalization of pointer confinement and proof that it * ensures representation independence, for rich fragment of Java. Justify component replacement: in software engineering (e.g., optimizing transformations, refactoring) and in theory (e.g., equivalence of lazy and eager access control). Modular verification: reason about component in terms of abstract interface spec. Secure information flow and other program analyses based on abstract interpretation. Banerjee&Naumann popl 02 p.6/18

Language pointers to mutable objects (but no ptr. arithmetic) subclassing, dynamic dispatch, type-cast and -test class-based visibility control recursive types and methods privilege-based access control Major omissions: exceptions, threads, class loading and reflection. Banerjee&Naumann popl 02 p.7/18

Language pointers to mutable objects (but no ptr. arithmetic) subclassing, dynamic dispatch, type-cast and -test class-based visibility control recursive types and methods privilege-based access control Straightforward compositional semantics: object state contains locations and prim. vals. heap maps locations to object states methods bound to classes, not objects commands denote functions - Banerjee&Naumann popl 02 p.7/18

Heap confinement for A, Rep A Rep C allowed A Rep disallowed D Rep iff has admissible partition,, and for with Banerjee&Naumann popl 02 p.8/18

Confinement Commands and method meanings preserve heap confinement; corresponding conditions on expressions and environments. Banerjee&Naumann popl 02 p.9/18

Confinement Commands and method meanings preserve heap confinement; corresponding conditions on expressions and environments. Semantic definition; static analysis separate concern. Banerjee&Naumann popl 02 p.9/18

Confinement Commands and method meanings preserve heap confinement; corresponding conditions on expressions and environments. Semantic definition; static analysis separate concern. Signatures confined: implies implies Methods not satisfying these conditions would violate heap confinement or ignore their arg s. Banerjee&Naumann popl 02 p.9/18

Confinement Commands and method meanings preserve heap confinement; corresponding conditions on expressions and environments. Semantic definition; static analysis separate concern. Signatures confined: implies implies Methods not satisfying these conditions would violate heap confinement or ignore their arg s. Semantic confinement can be ensured by simple syntactic checks similar to ones in literature. Banerjee&Naumann popl 02 p.9/18

Simulation Basic simulation Classes and confined class table with class extends class extends Banerjee&Naumann popl 02 p.10/18

Simulation Basic simulation Classes and confined class table with class extends class extends Relation for a single pair of objects at same location. h = ha * hrep h = ha * hrep A Boole T A Boole F Banerjee&Naumann popl 02 p.10/18

Simulation Basic simulation Classes and confined class table with class extends class extends Relation for a single pair of objects at same location. h = ha * hrep h = ha * hrep A Boole T A Boole F Induced relations iff (primitives and client-visible loc s) iff partition with Banerjee&Naumann popl 02 p.10/18

Main results Abstraction theorem: Given basic simulation for confined. If every method body of A preserves then so does every command. (Commands in both clients and subclasses of.) Banerjee&Naumann popl 02 p.11/18

Main results Abstraction theorem: Given basic simulation for confined method body of A preserves does every command.. If every then so (Commands in both clients and subclasses of.) Identity extension lemma: Suppose. Then - -, if these heaps are both -free. (Can also express in terms of heap visible to clients.) Banerjee&Naumann popl 02 p.11/18

Access control Access matrix: and. class Sys signer unit writepass(string x) check ; write(x,"passfile"); unit passwd(string x) check ; dopriv in writepass(x); class User signer Sys s... unit use() dopriv in s.passwd("me"); unit try() dopriv in s.writepass("me"); Banerjee&Naumann popl 02 p.12/18

Conclusion Contribution: analysis of information hiding for pointers, subclassing, etc., using simple, extensible denotational semantics. Ongoing and future work: polymorphism (essential to avoid Object) static analysis and transformation for access control (proved Fournet&Gordon [POPL02] equiv s in a denotational semantics for the funct. lang.) information flow static checking of confinement (sans annotation) proof rules for simulation (A s methods) other confinement disciplines (e.g., read-only) Banerjee&Naumann popl 02 p.13/18

Related work This paper, with other proof cases: http://www.cs.stevens-tech.edu/ naumann/absapp.ps A static analysis for instance-based confinement in Java: http:.../static.ps A simple semantics and static analysis for Java security: http:.../tr2001.ps J.Boyland: Alias burying, Software Practice & Experience 2001. D.Clarke, J.Noble, J.Potter: Simple ownership types for object containment, ECOOP 01. D.Grossman, G.Morrisett, S.Zdancewic: Syntactic type abstraction, TOPLAS 2000. K.R.M.Leino, G.Nelson: Data abstraction and information hiding, TOPLAS to appear. J.Mitchell, On the equivalence of data representations, McCarthy Festschrift 1991. P.Müller, A.Poetzsch-Heffter: Modular specification and verification techniques for object-oriented software components, Foundations of Component-Based Systems 2000. P.O Hearn, J.Reynolds, H.Yang: Local reasoning about programs that alter data structures, CSL 2001. J.Reynolds: Types, abstraction, and parametric polymorphism, Info. Processing 83 J.Vitek, B.Bokowski: Confined types in Java, Software Practice & Experience 2001. Banerjee&Naumann popl 02 p.14/18

Signatures: Appendix: static confinement for all Phrases: new These suffice for semantic condition stronger than needed for abstraction theorem. Banerjee&Naumann popl 02 p.15/18

Appendix: parametricity Simulation is made unsound by rep exposure and also by non-parametric constructs like unchecked casts, &x < &y, sizeof(a), etc. which Java lacks. Our results hold for any parametric allocator : and Equal heaps aren t enough for some equivalences: x := new C(); y := new C(); y := new C(); x := new C(); So take heaps up to isomorphism, in def of equivalence or in model. Or model with non-det. allocator. Banerjee&Naumann popl 02 p.16/18

Appendix: Meyer-Sieber var in if else var in O-O version with closure as explicit object (with method or ). Holds because locals objects and name spaces flat. Need confinement if the integer is itself an object. Banerjee&Naumann popl 02 p.17/18

Appendix: semantic domains Banerjee&Naumann popl 02 p.18/18

Appendix: semantic domains bool maps each identifier to its value maps (declared&inherited) fields to values is partial function on, with Banerjee&Naumann popl 02 p.18/18

Appendix: semantic domains bool maps each identifier to its value maps (declared&inherited) fields to values is partial function on, with maps each to. Banerjee&Naumann popl 02 p.18/18

Appendix: semantic domains bool maps each identifier to its value maps (declared&inherited) fields to values is partial function on, with maps each to. com Banerjee&Naumann popl 02 p.18/18

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback