Type-Based Capability for Java
Xi Wu, Yi Lu, Ian J. Hayes and Larissa A. Meinicke
The University of Queensland
Oracle Labs, Australia
Sydney November 2017
Under the ARC Linkage Project with Oracle Labs, Australia
1 / 13
Outline
- An Overview of Capabilities for Java
- Motivation
- Ongoing Work
- Summary and Future Direction
2 / 13
Java Security Issues
- doPrivileged blocks
  - wide privileges granted to the Java Class Library
  - code can run with fewer restrictions
- Subclassing privileged classes
  - unprivileged subclasses of privileged classes
  - overriding existing methods with rogue code
- Privileged access escape
  - access to a privileged object escapes to unauthorized domains
- Caller-sensitive methods
  - depend on the privileges of the class loader of the caller
3 / 13
How to provide more secure access to resources for Java, with the aim of preventing security flaws
4 / 13
Philosophy behind Capabilities in Java
- All access to resources is given by explicit "capabilities"
  - An object with a restricted interface
    - a set of operations that can be invoked
    - encapsulates what one can do with a resource
- Permission checking is done when a capability is created
  - access the resource via methods of the capability
  - no further permission checking is required
Reference
- Ian J. Hayes, Xi Wu and Larissa A. Meinicke: Capabilities for Java: Secure Access to Resources. In: Proc. 15th Asian Symposium on Programming Languages and Systems, APLAS 2017, pp. 67-84.
5 / 13
Running Example: File Input and Output Streams
[Figure: the InCap, OutCap and InOutCap capabilities for file input and output streams]
- Inherit from the empty capability NullCap
  - methods inherited from class Object are disallowed unless explicitly included with restrictions
6 / 13
Generating Capabilities
- Capability Manager
[Figure: the Capability Manager performs the permission check and hands out capabilities]
7 / 13
Capabilities Escape to Untrusted Code

capability FileAccessCap {
    InCap requestInCap(String name) throws FileNotFoundException, SecurityException;
}

class RandomAccessFileManager implements FileAccessCap {
    RandomAccessFileManager() { }

    public InCap requestInCap(String name) throws SecurityException, FileNotFoundException {
        // the permission check happens once, when the capability is created
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new FilePermission(name, "read"));
        }
        // the returned capability exposes only the InCap operations of the file
        return capability (InCap) new RandomAccessFile(name);
    }
}

public class A {
    public static void main(String[] args) throws Exception {
        FileAccessCap f = ...;
        B b = ...;
        InCap in = f.requestInCap(fileName);
        b.use(in);   // the InCap obtained by A is passed to B
    }
}

public class B {
    ...
    public void use(InCap in) { ... }
}
8 / 13
Type-based Capability
- Attempt to solve
  - capabilities obtained by trusted code may be received by untrusted code
- Avoid dynamic permission check
  - regarding capabilities as types
  - proper use of capabilities by type checking
- Capabilities as permissions
  - grant to code by user-defined policy files
  - restrict capabilities to only authorised code
9 / 13
Security Goal
access(code, cap) ⇒ grant(code, cap)
- access(code, cap): code uses the capability cap
- grant(code, cap): code is granted the capability cap by the user
- Transitivity:
  grant(code, cap2) ∧ cap1 <: cap2 ⇒ grant(code, cap1)
- cap1 <: cap2 is satisfied if cap2 is more privileged than cap1
  - the relation <: is the opposite of the standard Java subset relation
  - e.g., InCap <: InOutCap, but not InCap <: OutCap
10 / 13
Revisited Capabilities Escape

capability FileAccessCap {
    InCap requestInCap(String name) throws FileNotFoundException, SecurityException;
}

@grant{FileAccessCap, InCap}
public class A {
    public static void main(String[] args) throws Exception {
        FileAccessCap f = ...;
        B b = ...;
        InCap in = f.requestInCap(fileName);
        b.use(in);
    }
}

// first variant: B is granted no capabilities, so receiving an InCap is unauthorised
@grant{NullCap}
public class B {
    ...
    public void use(InCap in) { ... }
}

// second variant: B is granted InOutCap, and InCap <: InOutCap, so the InCap is authorised
@grant{InOutCap}
public class B {
    ...
    public void use(InCap in) { ... }
}

[Figure: class RandomAccessFileManager creates the capabilities]
11 / 13
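To make the security goal and the revisited escape concrete, here is an added example (not the authors' type checker) that models the static check access(code, cap) ⇒ grant(code, cap) in Python, with the ordering cap1 <: cap2 modelled as inclusion of the operations each capability exposes; the operation sets and the list of accesses are assumptions constructed from the slides.

```python
# Constructed model of the static capability check from the slides.
# Each capability is modelled by the set of operations it exposes (assumed here).
CAPS = {
    "NullCap": frozenset(),                      # empty capability: nothing can be invoked
    "InCap": frozenset({"read"}),
    "OutCap": frozenset({"write"}),
    "InOutCap": frozenset({"read", "write"}),
    "FileAccessCap": frozenset({"requestInCap"}),
}

def sub_cap(cap1, cap2):
    """cap1 <: cap2 holds when cap2 is at least as privileged as cap1."""
    return CAPS[cap1] <= CAPS[cap2]

def granted(policy, code, cap):
    """grant(code, cap), closed under transitivity:
    grant(code, cap2) and cap1 <: cap2 imply grant(code, cap1)."""
    return any(sub_cap(cap, g) for g in policy.get(code, ()))

def violations(policy, accesses):
    """Security goal: every access(code, cap) must be matched by grant(code, cap).
    Returns the (code, cap) pairs the policy does not authorise."""
    return [(code, cap) for code, cap in accesses if not granted(policy, code, cap)]

# Capability uses in the running example (constructed from the slide's code):
# A calls f.requestInCap and holds the InCap it returns; B receives an InCap via use(InCap in).
ACCESSES = [("A", "FileAccessCap"), ("A", "InCap"), ("B", "InCap")]

# @grant{FileAccessCap, InCap} on A and @grant{NullCap} on B: the escape to B is rejected.
POLICY_NULLCAP_B = {"A": {"FileAccessCap", "InCap"}, "B": {"NullCap"}}
# @grant{InOutCap} on B: accepted, because InCap <: InOutCap.
POLICY_INOUTCAP_B = {"A": {"FileAccessCap", "InCap"}, "B": {"InOutCap"}}

if __name__ == "__main__":
    print(violations(POLICY_NULLCAP_B, ACCESSES))    # [('B', 'InCap')]
    print(violations(POLICY_INOUTCAP_B, ACCESSES))   # []
```

Granting B only OutCap would still be rejected, since write-only access does not cover InCap.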
Summary and Future Directions
- Summary
  - prevent capabilities from escaping to unauthorised code
  - the security goal can be enforced statically by the type system
- Future Direction
  - Capabilities as Module Dependency
    - applies capabilities to describing dependencies in a module system
  - Properties from Object-Capability and Design Patterns
    - describes object-capability properties and design patterns
  - Parameterization
    - specifies the specific file names that the code with capabilities can access
12 / 13
Thanks.
Questions?
13 / 13