Sunday, October 21, 2012

Security and Objects

Mobile code is one of the great challenges for software security. Let's say you are writing an email application. The idea that people could send little apps to each other in email messages might seem like a potentially interesting feature: users could build polls, schedule meetings, play games, share interactive documents. Kind of cool.

And if the platform you are building upon supports reflectively evaluating code, it could be as easy as something like this (in OO pseudocode):

    define load_message(message)
        ...
        eval(message.code)

Of course it can't be that easy. What if the code in the message does something like:

    new stdlib.io.File("/").delete()

The standard way to avoid the vulnerability is to put the code in a so-called sandbox. It sounds very secure, but in practice this usually amounts to gathering up a list of "dangerous" call sites and inserting in each some code to check if the caller has permission to proceed. So the implementation of delete would include code along the lines of:

    define delete()
        if VM.callStackContainsEvilCode?()
            raise YouShallNotPassException()

        ...

This is fraught with problems. It requires runtime support for inspecting the call stack and a system for declaring that certain code has some level of authorization while other code has a lower level. Not to mention the busywork of going through the code and peppering that little snippet over every suspect call site. If you miss one (say, a method that gets the addresses of all contacts in your email application), you have a security bug on your hands.

A better way?

Perhaps there is a better way. Take another look at the offending line: new stdlib.io.File("/").delete(). It is only able to call the dangerous delete() method because it has a reference to a file object pointing to the root of the filesystem. And it only has that reference because it could reach for the File class on a global namespace. What if there was no global namespace?

It might seem weird, but it's not that hard to imagine a programming system lacking a global namespace. Many object-oriented languages, following Smalltalk's lead, have a notion of a metaclass, an object that represents a class. Many of them (also following Smalltalk) get by without a "new" operator. Objects are created by calling a method, usually named new(), on the metaclass object.

We are very close now. The last step, unfortunately not taken by most common languages, is to avoid anchoring the metaclass object onto a global namespace. The result is that code can only create objects of the classes it holds a reference to. And it only has a reference if it is given one via a method or constructor parameter.

Proceeding recursively, we end up with a stratified program. There is an entry point that receives a reference to the entire standard library, and each call site decides how much authority to grant each callee. In our example, when we evaluate external code we can grant very little authority, meaning we can pass the evaluated code just a handful of references. Care must be taken so that none of them will directly or indirectly provide a way to create a File. In a way, object design becomes security policy.

And we get very fine-grained control over such policy. We could, for instance, grant loaded code authority to write to a designated directory just by passing it a reference to the Directory object for that directory. Our choices get even more interesting when we realize we can pass references to proxies instead of real objects in order to attenuate authority. Continuing with our example, hoping it doesn't get too contrived, we could build a proxy for the Directory that checks if callers exceed a given quota of disk space.
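The quota proxy described above, sketched in JavaScript as an added example (not code from the original post): the loaded code receives a single reference, and that reference is the attenuating proxy rather than the real Directory. All names here (`makeDirectory`, `makeQuotaDirectory`, `messageApp`, `loadMessage`) are hypothetical, the directory is an in-memory stand-in, and `messageApp` is a plain function standing in for code that arrived in a message. JavaScript itself still has a global namespace, so this models only the reference-passing discipline, not a complete confinement mechanism.

```javascript
// Constructed in-memory stand-in for a real Directory object (hypothetical API).
function makeDirectory() {
  const files = new Map(); // private state, reachable only through the closures below
  return Object.freeze({
    write(name, data) { files.set(String(name), String(data)); },
    read(name) { return files.get(String(name)); },
    // Counts characters as bytes for simplicity (the sample data is ASCII).
    usedBytes() { let n = 0; for (const d of files.values()) n += d.length; return n; },
  });
}

// Attenuating proxy: forwards read/write to the real directory but refuses
// any write that would push total usage over quotaBytes. It deliberately
// does not expose usedBytes() or the underlying directory.
function makeQuotaDirectory(dir, quotaBytes) {
  return Object.freeze({
    write(name, data) {
      const text = String(data);
      const old = dir.read(name);
      const after = dir.usedBytes() - (old === undefined ? 0 : old.length) + text.length;
      if (after > quotaBytes) throw new Error('quota exceeded');
      dir.write(name, text);
    },
    read(name) { return dir.read(name); },
  });
}

// Constructed stand-in for code received in a message. Its only authority
// is the `scratch` reference it is handed.
function messageApp(scratch) {
  scratch.write('poll.txt', 'yes=3;no=1');
  try {
    scratch.write('big.bin', 'x'.repeat(1000)); // exceeds the quota
    return 'wrote big file';
  } catch (e) {
    return e.message;
  }
}

// The call site is the policy: it decides which references the app receives.
function loadMessage(app) {
  const realDir = makeDirectory();
  const outcome = app(makeQuotaDirectory(realDir, 64));
  return { outcome, used: realDir.usedBytes(), poll: realDir.read('poll.txt') };
}
```
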

Research

I have mentioned above that most common languages don't fit this post's description. But there are languages that do; a prime example is E. In fact, there is a whole area of research for dealing with security in this manner. It's called "object capability security".

I'm not really a security guy; I got interested in the area due to the implications for language and system design. If you got interested, for any reason, please check out Mark Miller's work. He is the creator of the E language and the JavaScript-based Caja project. His thesis is very readable.
