research-article
Open Access
Artifacts Evaluated & Functional

Robust and compositional verification of object capability patterns

Published: 12 October 2017

Abstract

In scenarios such as web programming, where code is linked together from multiple sources, object capability patterns (OCPs) provide an essential safeguard, enabling programmers to protect the private state of their objects from corruption by unknown and untrusted code. However, the benefits of OCPs in terms of program verification have never been properly formalized. In this paper, building on the recently developed Iris framework for concurrent separation logic, we develop OCPL, the first program logic for compositionally specifying and verifying OCPs in a language with closures, mutable state, and concurrency. The key idea of OCPL is to account for the interface between verified and untrusted code by adopting a well-known idea from the literature on security protocol verification, namely robust safety. Programs that export only properly wrapped values to their environment can be proven robustly safe, meaning that their untrusted environment cannot violate their internal invariants. We use OCPL to give the first general, compositional, and machine-checked specs for several commonly-used OCPs—including the dynamic sealing, membrane, and caretaker patterns—which we then use to verify robust safety for representative client code. All our results are fully mechanized in the Coq proof assistant.
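The dynamic sealing and caretaker patterns the abstract names, as an added JavaScript example that is not from the paper or its Coq development: sealer/unsealer pairs and a revocable forwarder built from closures over private mutable state, exercised from the point of view of an environment that only ever receives wrapped values. Names such as makeSealerUnsealerPair, makeCaretaker and makeAccount are my own choice, and the account object is a constructed stand-in for the private state an OCP protects.

```javascript
function makeSealerUnsealerPair() {
  const boxes = new WeakMap();                 // private state: box -> contents
  const seal = (value) => {
    const box = Object.freeze({});             // opaque, empty, immutable token
    boxes.set(box, value);
    return box;
  };
  const unseal = (box) => {
    if (!boxes.has(box)) throw new TypeError("not sealed by this sealer");
    return boxes.get(box);
  };
  return { seal, unseal };
}

// Caretaker: a revocable forwarder; the target is never handed out directly.
function makeCaretaker(target) {
  let revoked = false;                         // shared by forwarder and revoke
  const forwarder = (method, ...args) => {
    if (revoked) throw new Error("capability revoked");
    return target[method](...args);
  };
  return { forwarder, revoke: () => { revoked = true; } };
}

// Constructed example state: an account whose invariant is balance >= 0.
function makeAccount(initial) {
  let balance = initial;
  return {
    withdraw(n) { if (n > balance) throw new RangeError("insufficient"); return (balance -= n); },
    balance() { return balance; },
  };
}

// What an untrusted environment can do when it only receives wrapped values.
function scenario() {
  const { seal, unseal } = makeSealerUnsealerPair();
  const account = makeAccount(100);
  const box = seal(account);
  const exposed = Object.getOwnPropertyNames(box).length;   // 0: nothing to read
  let foreignUnseal;
  try { makeSealerUnsealerPair().unseal(box); foreignUnseal = "opened"; }
  catch (e) { foreignUnseal = "rejected"; }                  // other sealer fails
  const { forwarder, revoke } = makeCaretaker(unseal(box));
  const afterWithdraw = forwarder("withdraw", 30);           // 70
  let overdraw;
  try { forwarder("withdraw", 1000); overdraw = "allowed"; } catch (e) { overdraw = "refused"; }
  revoke();
  let afterRevoke;
  try { forwarder("balance"); afterRevoke = "allowed"; } catch (e) { afterRevoke = "revoked"; }
  return { exposed, foreignUnseal, afterWithdraw, overdraw, afterRevoke, final: account.balance() };
}
```

The box reveals no properties and only its own unsealer opens it, the forwarder can drive the account but cannot break its invariant, and after revocation every call through it fails.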

