History-based Access Control with Local Policies

Fossacs 05 p.1 History-based Access Control with Local Policies Massimo Bartoletti Pierpaolo Degano Gian-Luigi Ferrari Dipartimento di Informatica, Università di Pisa

Fossacs 05 p.2 Mobile code security victim.org Firewall attacker.com Browser Mail Server Hacker Applet read/write download applet upload applet File Server Web Server

Fossacs 05 p.2 Mobile code security victim.org Firewall attacker.com Browser Sandbox Applet read/write download applet Mail Server Hacker upload applet File Server Web Server

Fossacs 05 p.3 The present: stack inspection run-time privileges = intersection of the static permissions of each method in the call stack unclear which are the actual security goals attained (checks scattered through code) makes little sense in functional languages (requires the call stack made explicit) prevents from inter-procedural program optimizations (inlining, tail-call elimination) no protection after return (untrusted results)

Fossacs 05 p.4 Beyond stack inspection major issue: untrusted results instead of call stacks: the whole history the history is a side effect of programs instead of permissions: (regular) properties of histories instead of local checks: local policies to gain efficiency: static analysis History-based access control with local policies

Fossacs 05 p.5 Why local policies? Problem: securization of code upon receipt an untrusted program e is received I want the execution of e to obey a policy ϕ where to insert the checks in e? one issue: e could invoke unknown code solution: dynamic sandboxing ϕ[e] each execution step of e is subject to ϕ the scope of ϕ is left when e terminates

Fossacs 05 p.6 Overview A calculus for history-based access control: λ [ ] = λ + histories + local policies a history η is a sequence of events α a policy ϕ is a regular property of η a framing ϕ[e] localizes the scope of ϕ in e type & effect system to predict histories Optimizations: static verification via model checking, or instrumentation with local checks

Fossacs 05 p.7 The language λ [ ] (syntax) e, e ::= x α λ z x. e e e if b then e else e ϕ[e] variable access event abstraction application conditional safety framing λ. e = λ z x. e (z, x fv(e)) e; e = (λ. e )e

Fossacs 05 p.8 The language λ [ ] (semantics) η, e 1 η, e 1 η, e 1 e 2 η, e 1 e 2 η, e 2 η, e 2 η, v e 2 η, v e 2 η, (λ z x.e)v η, e{v/x, λ z x.e/z} η, α ηα, η, e η, e η = ϕ η = ϕ η, ϕ[e] η, ϕ[e ] η = ϕ η, ϕ[v] η, v

Fossacs 05 p.9 Programming in λ [ ] (1) R = λ. α r W = λ. α w C = λ. α c file Read/Write, socket Connection Browser = λu. λp. if html(u) then display(u) else if trusted(u) then p u else ϕ[p u; W ] ϕ = no connect after read site policy p = λx. ϕ [x ] user policy (a closure!) η, (λx. ϕ [x ]) λ.e η, ϕ [(λ.e) ] η, ϕ [e]

Fossacs 05 p.10 Programming in λ [ ] (2) ϕ = no write user policy Untrusted = λz. λ. Browser z (λy. y ) ε, Browser (Untrusted W ) (λy.ϕ [y ]) ε, ϕ[λy.ϕ [y ] (λ. BrowserW λy. y ); W ] ε, ϕ[ϕ [Browser W (λy. y )]; W ] ε, ϕ[ϕ [(λy. y )W ]; W ] ε, ϕ[ϕ [α w ]; W ] security exception! α w = ϕ

Fossacs 05 p.11 Programming in λ [ ] (3) ε, Browser (Untrusted (λ. R ; C )) (λy.ϕ [y ]) ε, ϕ[λy.ϕ [y ] (Untrusted (λ. R ; C )); W ] ε, ϕ[ϕ [Browser (λ. R ; C ) (λy. y )]; W ] ε, ϕ[ϕ [R ; C ]; W ] ε, ϕ[ϕ [α r ; C ]; W ] α r, ϕ[ϕ [C ]; W ] α r, ϕ[ϕ [α c ]; W ] security exception! α r α c = ϕ

Fossacs 05 p.12 Programming in λ [ ] (4) ε, Browser (Untrusted R) (λy.ϕ [y ]) ε, ϕ[(λy.ϕ [y ]) (Untrusted R); W ] ε, ϕ[ϕ [Browser R (λy. y )]; W ] ε, ϕ[ϕ [R ]; W ] α r, ϕ[ϕ [ ]; W ] α r, ϕ[w ] α r α w, ϕ[ ] α r α w,

Fossacs 05 p.13 Enforcing Principle of least privilege Programs should be granted the minimum set of rights that are needed to accomplish their tasks. an expression must always obey all the active policies (no policy can be overridden) policies can always inspect the whole past history (no event can be hidden) so how to implement privileged calls / discard the past? answer: policies must explicitly allow for it!

Fossacs 05 p.14 Extracting History Expressions e 1 = if b then α else α H 1 = α + α α, α

Fossacs 05 p.14 Extracting History Expressions e 1 = if b then α else α H 1 = α + α α, α e 2 = (λx. α ) : unit H 2 = ε α unit

Fossacs 05 p.14 Extracting History Expressions e 1 = if b then α else α H 1 = α + α α, α e 2 = (λx. α ) : unit H 2 = ε e 3 = (λx. α )α H 3 = α α αα α unit

Fossacs 05 p.14 Extracting History Expressions e 1 = if b then α else α H 1 = α + α α, α e 2 = (λx. α ) : unit H 2 = ε e 3 = (λx. α )α H 3 = α α αα α unit e 4 = (λy. ϕ[α; y ])(λx. ϕ [α ]) H 4 = ϕ[α ϕ [α ]] [ ϕ α[ ϕ α ] ϕ ] ϕ H 4 = αα

Fossacs 05 p.14 Extracting History Expressions e 1 = if b then α else α H 1 = α + α α, α e 2 = (λx. α ) : unit H 2 = ε e 3 = (λx. α )α H 3 = α α αα α unit e 4 = (λy. ϕ[α; y ])(λx. ϕ [α ]) H 4 = ϕ[α ϕ [α ]] [ ϕ α[ ϕ α ] ϕ ] ϕ H 4 = αα e 5 = (λ z x. α; z x) H 5 = µh. α h ε, α, αα,...

Fossacs 05 p.15 Type & Effect System typing judgements Γ, H e : τ types: τ ::= unit τ H τ effects: history expressions H correctness of history expressions: ε, e η, e = η prefix( H ) type safety: H valid = e will not go wrong

Fossacs 05 p.16 Validity of Histories obeying all the policies, within their scopes ex: ϕ[α r ]α c valid, ϕ[α r ϕ [α c ]α w ] not valid safe-sets of ϕ[α r ϕ [α c ]α w ]: ϕ[{α r, α r α c, α r α c α w }] ϕ [{α r α c }] η valid iff, for each safe-set ϕ[{η 1,..., η k }] of η: η i = ϕ H valid iff each η H 1 i k is valid

Fossacs 05 p.17 Verifying History Expressions If validity were a regular property... H BP A(H) Pushdown automaton validity Ψ(H) A Ψ(H) Büchi automaton H valid if L(BP A(H)) L(A Ψ(H) ) = But validity of histories is non-regular! ex: µh. α + h h + ϕ[h] in or out? solution: transform H to make Ψ(H) regular

Fossacs 05 p.18 Regularizing History Expressions (1) idea: eliminating the redundant framings ϕ[αϕ [α ϕ[α ]]] valid iff ϕ[αϕ [α α ]] valid the inner ϕ-framing is redundant elimination of non-regularity: H has no redundant framings preservation of validity: H valid H valid

Fossacs 05 p.19 Regularizing History Expressions (2) H Φ eliminates all the redundant framings, plus the framings in the set of policies Φ ex: H = ϕ[αϕ [α ϕ[α ]]] H = ϕ[(αϕ [α ϕ[α ]]) ϕ ] = ϕ[α(ϕ [α ϕ[α ]) ϕ ]] = ϕ[αϕ [(α ϕ[α ]) ϕ,ϕ ]] = ϕ[αϕ [α (ϕ[α ]) ϕ,ϕ ]] = ϕ[αϕ [α α ]]

Fossacs 05 p.20 Regularizing History Expressions (3) H = µh. α + h h + ϕ[h] H = µh. α + h h + ϕ[h ϕ ] = µh. α + h h + ϕ[(µh. α + h h + ϕ[h]) ϕ ] = µh. α + h h + ϕ[µh. α + h h + h ] trickier example: µh. µh. α + h ϕ[h ]

Fossacs 05 p.21 Büchi automata for validity α c α r α r, α c A ϕ q0 α r q1 α c q2 α r α c L(A ϕ ) α c α r α r, α c q0 α r q1 α c q2 A ϕ[ ] [ ϕ ] ϕ [ ϕ ] ϕ α r q0 q1 α c α r [ ϕ w ] ϕ = ϕ[w] α r [ ϕ α c ] ϕ L(A ϕ[ ] ) [ ϕ α r ] ϕ α c L(A ϕ[ ] )

Fossacs 05 p.22 Conclusions λ [ ] = λ + histories + local policies history expression H from e (type & effect) H has no redundant framings (regularization) η H valid iff η = ϕ [ ] ϕ η (Büchi automata) H valid BP A(H ) = ϕ H ϕ [ ] type safety + verification (model checking): Γ, H e : τ, H valid = e will not go wrong

Fossacs 05 p.23 Understanding History Inspection resource usage analysis [Colcombet & Fradet 00, Igarashi & Kobayashi 02, Marriott, Stuckey & Sulzmann 03] capability-based model [Abadi & Fournet 03] shallow histories [Fong 04] type & effect system [Skalka & Smith 04] relation with information flow [Banerjee & Naumann 04] membranes [Gorla, Hennessy & Sassone, 04] safety and liveness framing for secure service composition [Bartoletti, Degano & Ferrari 05]

Fossacs 05 p.24 A Type and Effect system for λ [ ] (1) Γ, ε x : Γ(x) Γ, α α : unit Γ, H e : τ Γ, ϕ[h] ϕ[e] : τ Γ, H e : τ Γ, H + H e : τ Γ, H e : τ Γ, H e : τ Γ, H if b then e else e : τ

Fossacs 05 p.25 A Type and Effect system for λ [ ] (2) Γ; x : τ; z : τ H τ, H e : τ Γ, ε λ z x.e : τ H τ Γ, H e : τ H τ Γ, H e : τ Γ, H H H ee : τ

Fossacs 05 p.26 A Type and Effect system for λ [ ] (3) e = λ z x. b? α + (b? zzx + ϕ[zx]) Γ, ε z : τ H τ Γ, ε x : τ Γ, H z x : τ Γ, H H z z x : τ Γ, ϕ[h] ϕ[z x] : τ Γ, H H + ϕ[h] z z x : τ Γ, H H + ϕ[h] ϕ[z x] : τ Γ, H H + ϕ[h] b? z z x + ϕ[z x] : τ Γ, α + H H + ϕ[h] b? α + (b? z z x + ϕ[z x]) : τ H = α + H H + ϕ[h] = H = µh. α + h h + ϕ[h], ε e : unit µh. α+h h+ϕ[h] unit

Fossacs 05 p.27 History Expressions (syntax) H, H ::= ε h α H H H + H ϕ[h] µh.h empty variable access event sequence choice safety framing recursion

Fossacs 05 p.28 History Expressions (semantics) ε ρ = ε α ρ = α h ρ = ρ(h) H H ρ = H ρ H ρ H + H ρ = H ρ H ρ ϕ[h] ρ = ϕ[ H ρ] µh.h ρ = n ω f n ( ), f(x) = H ρ{x/h}

Fossacs 05 p.29 Validity (alt. definition) plain histories + framing events [ ϕ and ] ϕ notation: [ ϕ η ] ϕ = ϕ[η] validity: [ ϕ α r ] ϕ α c valid, α r [ ϕ α c not valid η discards the framing events in η Φ(η) is the set of ϕ such that [ ϕ > ] ϕ in η β 1 β n is valid iff β 1 β k = Φ(β 1 β k ), for all k 1..n H valid iff each η H is valid

Fossacs 05 p.30 Regularizing history expressions (1) ε Φ,Γ = ε h Φ,Γ = h α Φ,Γ = α (H H ) Φ,Γ = H Φ,Γ H Φ,Γ (H + H ) Φ,Γ = H Φ,Γ + H Φ,Γ ϕ[h] Φ,Γ = { H Φ,Γ ϕ[h Φ {ϕ},γ ] if ϕ Φ otherwise

Fossacs 05 p.31 Regularizing history expressions (2) (µh. H) Φ,Γ = µh. (H σ Φ,Γ{(µh.H)Γ/h} σ) where H = H {h/h i } i, h i fresh, h fv(h ) σ(h i ) = (µh.h)γ Φ guard(hi,h ),Γ σ (h i ) = { h h i if guard(h i, H ) Φ otherwise

Fossacs 05 p.32 Büchi automaton for ϕ [ ] A ϕ[ ] = Σ, Q, Q 0, ρ, F Σ = Σ { [ ϕ, ] ϕ ϕ Π } Q = F = Q { q q F } ρ = ρ { q, [ ϕ, q q F } { q, ] ϕ, q } { q 0, α, q 1 q 0, α, q 1 ρ and q 1 F } { q, [ ϕ, q q, ] ϕ, q q Q and ϕ ϕ }

Fossacs 05 p.33 Conclusions λ [ ] = λ + histories + local policies history expression H from e (type & effect) H has no redundant framings (regularization) η H valid iff η = ϕ [ ] ϕ η (Büchi automata) H valid BP A(H ) = ϕ H ϕ [ ] type safety + verification (model checking): Γ, H e : τ, H valid = e will not go wrong