Abstract
In scenarios such as web programming, where code is linked together from multiple sources, object capability patterns (OCPs) provide an essential safeguard, enabling programmers to protect the private state of their objects from corruption by unknown and untrusted code. However, the benefits of OCPs in terms of program verification have never been properly formalized. In this paper, building on the recently developed Iris framework for concurrent separation logic, we develop OCPL, the first program logic for compositionally specifying and verifying OCPs in a language with closures, mutable state, and concurrency. The key idea of OCPL is to account for the interface between verified and untrusted code by adopting a well-known idea from the literature on security protocol verification, namely robust safety. Programs that export only properly wrapped values to their environment can be proven robustly safe, meaning that their untrusted environment cannot violate their internal invariants. We use OCPL to give the first general, compositional, and machine-checked specs for several commonly-used OCPs—including the dynamic sealing, membrane, and caretaker patterns—which we then use to verify robust safety for representative client code. All our results are fully mechanized in the Coq proof assistant.
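The dynamic sealing pattern the abstract names, as an added JavaScript example (not the paper's code or its Coq development): a sealer/unsealer pair built on a private WeakMap, an object that exports only sealed values, and untrusted probe code that can neither read, tamper with, nor cross-unseal the box. The names makeSealerUnsealerPair, makeCounter, untrustedProbe and demo are assumptions made here.

```javascript
// Added example, not from the paper: the dynamic sealing pattern.
// A sealer/unsealer pair shares one private WeakMap. seal(v) returns an
// empty frozen box; only the matching unseal can recover v from it.
function makeSealerUnsealerPair() {
  const contents = new WeakMap(); // reachable only through the two closures
  const seal = (value) => {
    const box = Object.freeze({}); // nothing to read, nothing to mutate
    contents.set(box, value);
    return box;
  };
  const unseal = (box) => {
    if (!contents.has(box)) throw new TypeError("not sealed by this sealer");
    return contents.get(box);
  };
  return { seal, unseal };
}

// An object that exports only wrapped values: its count is never handed
// out raw, so the environment cannot read or corrupt it directly.
function makeCounter(seal) {
  let count = 0;
  return { increment() { count += 1; return seal(count); } };
}

// Untrusted environment code holding a box: it can inspect and try to
// tamper, but learns nothing about the sealed value.
function untrustedProbe(box) {
  const observed = {
    keys: Object.keys(box).length,     // 0: the box carries no data
    stringified: JSON.stringify(box),  // "{}"
    frozen: Object.isFrozen(box),      // true
  };
  try { box.leak = "x"; } catch (e) { /* throws in strict mode, ignored otherwise */ }
  return observed;
}

function demo() {
  const { seal, unseal } = makeSealerUnsealerPair();
  const other = makeSealerUnsealerPair(); // a different pair: cannot unseal
  const counter = makeCounter(seal);
  const box = counter.increment();
  const probe = untrustedProbe(box);
  let crossUnseal = null;
  try { other.unseal(box); } catch (e) { crossUnseal = e.name; }
  return { value: unseal(box), probe, crossUnseal }; // value is 1
}
```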
Robust and compositional verification of object capability patterns