
How to Break the Bank: Semantics of Capability Policies

Conference paper, Integrated Formal Methods (IFM 2014)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 8739)

Abstract

The object capability model is a de-facto industry standard widely adopted for the implementation of secure software. We call capability policies the policies enforced by programs using object capabilities. Such policies restrict which objects may access a service, and under which circumstances. In this paper we argue that capability policies should be made explicit and written separately from the code implementing them. We also argue that the specification of capability policies requires concepts that go beyond the features of current specification languages. Moreover, we argue that we need methodologies with which to prove that programs adhere to their capability policies as specified.

To give precise semantics to capability policy specifications, we propose execution observations, which talk about various properties of a program's execution. We use execution observations to write the formal specification of five out of the six informal policies in the mint example, famous in the object capability literature. In these specifications, not only the conclusions but also the premises may relate to the state before as well as after execution, the code may be existentially or universally quantified, and interpretation quantifies over all modules extending the current module. In statically typed languages, adherence of code to the capability policies relies heavily on the guarantees provided by type system features such as final and private.
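The mint example the abstract refers to, as an added illustration that is not code from the paper: the purse/mint pattern below follows the widely published object-capability mint (Miller and colleagues), rewritten here in plain JavaScript. The `observe` helper is my own simplification of a before/after execution observation, not the paper's formalism, and the policy predicates paraphrase informal mint policies commonly listed in the object-capability literature rather than the five the paper formalises. `Nat`, `makeMint`, `observe` and the scenario functions are assumed names.

```javascript
"use strict";

// Balances may only be non-negative safe integers; anything else is rejected.
function Nat(n) {
  if (!Number.isSafeInteger(n) || n < 0) throw new RangeError("not a Nat: " + n);
  return n;
}

// A mint is the sole capability able to create money in its currency.
// Purses of the same mint share a private ledger that nothing else can reach.
function makeMint() {
  const ledger = new WeakMap(); // purse -> balance, visible only inside this mint
  const mint = (balance) => {
    const purse = Object.freeze({
      getBalance: () => ledger.get(purse),
      makePurse: () => mint(0), // an empty purse of the same currency
      deposit: (amount, src) => {
        Nat(amount);
        Nat(ledger.get(purse) + amount); // destination must not overflow
        // src must be a purse of this mint holding at least `amount`; a purse of
        // another mint or an object that merely looks like a purse is absent from
        // the ledger, so Nat throws here before any balance has been touched.
        ledger.set(src, Nat(ledger.get(src) - amount));
        ledger.set(purse, ledger.get(purse) + amount);
      },
    });
    ledger.set(purse, Nat(balance));
    return purse;
  };
  return mint;
}

// Execution observation (assumed shape): the balances of the watched purses
// before and after `action`, and whether the action threw.
function observe(purses, action) {
  const before = purses.map((p) => p.getBalance());
  let threw = false;
  try { action(); } catch (e) { threw = true; }
  const after = purses.map((p) => p.getBalance());
  return { before, after, threw };
}
const total = (xs) => xs.reduce((a, b) => a + b, 0);

// Policies stated separately from the mint code, as predicates on observations.
// Conservation: code that lacks the mint cannot change the total amount of money.
const conserved = (obs) => total(obs.before) === total(obs.after);
// Balances are always non-negative.
const nonNegative = (obs) => obs.after.every((b) => Number.isSafeInteger(b) && b >= 0);
// A purse the action holds no reference to keeps its balance.
const untouched = (obs, i) => obs.before[i] === obs.after[i];

// Scenarios, each returning its observation so the policies can be checked on it.
function transferScenario() {            // legitimate transfer between two purses
  const mint = makeMint();
  const alice = mint(100);
  const bob = alice.makePurse();
  const carol = alice.makePurse();       // watched but never referenced by the action
  return observe([alice, bob, carol], () => bob.deposit(30, alice));
}
function overdrawScenario() {            // asks for more than the source holds
  const mint = makeMint();
  const alice = mint(10);
  const bob = alice.makePurse();
  return observe([alice, bob], () => bob.deposit(30, alice));
}
function crossCurrencyScenario() {       // purses of two different mints
  const dollars = makeMint();
  const euros = makeMint();
  const d = dollars(50);
  const e = euros(0);
  return observe([d, e], () => e.deposit(50, d));
}
function forgedSourceScenario() {        // constructed object that imitates a purse
  const mint = makeMint();
  const real = mint(0);
  const fake = { getBalance: () => 1000000 };
  return observe([real], () => real.deposit(1000, fake));
}
function inflationScenario() {           // only the mint holder can create money
  const mint = makeMint();
  const bank = mint(0);
  return observe([bank], () => bank.deposit(500, mint(500)));
}
```

The policies live outside `makeMint` as predicates over before/after states, which is the separation the abstract argues for; each scenario either satisfies them (the transfer, the three rejected deposits, which leave every balance exactly as it was) or shows the one case the policy permits to break conservation, an action holding the mint itself. What the checks rely on is that the ledger is a closure-private `WeakMap` and the purse is frozen, the role that `private` and `final` play in the statically typed setting mentioned in the abstract.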



Author information

Corresponding author: Sophia Drossopoulou.


Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Drossopoulou, S., Noble, J. (2014). How to Break the Bank: Semantics of Capability Policies. In: Albert, E., Sekerinski, E. (eds) Integrated Formal Methods. IFM 2014. Lecture Notes in Computer Science, vol 8739. Springer, Cham. https://doi.org/10.1007/978-3-319-10181-1_2

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-10181-1_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-10180-4

  • Online ISBN: 978-3-319-10181-1

  • eBook Packages: Computer Science (R0)
