MASSACHUSETTS INSTITUTE OF TECHNOLOGY
ARTIFICIAL INTELLIGENCE LABORATORY
A.I. Memo No. 1564 March, 1996
A Security Kernel Based on the
Lamb da-Calculus
Jonathan A. Rees
This publication can b e retrieved byanonymous ftp to publications.ai.mit.edu.
Abstract
Co op eration b etween indep endent agents dep ends up on establishing a degree of security.Eachofthe
co op erating agents needs assurance that the co op eration will not endanger resources of value to that agent.
In a computer system, a computational mechanism can assure safe co op eration among the system's users
by mediating resource access according to desired security p olicy.Such a mechanism, which is called a
security kernel , lies at the heart of many op erating systems and programming environments.
This rep ort describ es Scheme 48, a programming environment whose design is guided by established prin-
ciples of op erating system security.Scheme 48's securitykernel is small, consisting of the call-by-value
-calculus with a few simple extensions to supp ort abstract data typ es, ob ject mutation, and access to
hardware resources. Eachagent (user or subsystem) has a separate evaluation environment that holds ob-
jects representing privileges granted to that agent. Because environments ultimately determine availability
of ob ject references, protection and sharing can b e controlled largely by the wayinwhichenvironments
are constructed.
I will describ e exp erience with Scheme 48 that shows how it serves as a robust and exible exp erimental
platform. Two successful applications of Scheme 48 are the programming environment for the Cornell
mobile rob ots, where Scheme 48 runs with no (other) op erating system supp ort; and a secure multi-user
environment that runs on workstations.
Copyright Massachusetts Institute of Technology, 1996
This rep ort describ es research done at the Arti cial Intelligence Lab oratory of the Massachusetts Institute of Technology.
Supp ort for this researchwas provided in part by the Advanced Research Pro jects Agency of the Department of Defense
under Oce of Naval Researchcontract N00014-92-J-4097.
in which the -calculus and W7 provide protection is 1 Intro duction
through closure : a pro cedure is not just a program but
Co op eration b etween indep endent agents dep ends up on
a program coupled with its environment of origin. A pro-
establishing a degree of security. Each of the co op er-
cedure cannot access the environment of its call, and its
ating agents needs assurance that the co op eration will
caller cannot access the pro cedure's environmentofori-
not endanger resources of value to that agent. In a com-
gin. The caller and callee are therefore protected from
puter system, a computational mechanism can assure
one another. Sharing is accomplished through shared
safe co op eration among the system's users by mediat-
p ortions of environments, whichmay include pro cedures
ing resource access according to desired security p olicy.
that allow still other ob jects to b e shared.
Such a mechanism, whichiscalledasecurity kernel , lies
To address a numberofauthentication and certi ca-
at the heart of many op erating systems and program-
tion problems, W7 includes an abstract data typ e facil-
ming environments.
ity. (Usually this term refers to typ e abstraction enforced
I claim that the -calculus can serve as the central
through compile-timetyp e checking, but here it means
comp onent of a simple and exible securitykernel. The
a dynamic information hiding mechanism.) The facil-
present rep ort supp orts this thesis by motivating and de-
ity is akin to digital signatures: a subsystem may sign
scribing sucha-calculus-based securitykernel and by
an ob ject in suchaway that the signed ob ject maybe
giving several lines of evidence of the kernel's e ective-
recognized as having b een de nitely signed by that sub-
ness.
system. In particular, a compiler might use a particular
1
The W7 securitykernel consists of the call-by-value
signature to mean that the signed pro cedure is one that
-calculus with a few simple extensions to supp ort ab-
is \harmless" (in a technical sense) and is therefore safe
stract data types,objectmutation, and access to hard-
to apply to fragile arguments.
ware resources. Within W7, each agent (user or subsys-
tem) has a separate evaluation environment that holds
1.2 Scheme 48
ob jects representing privileges granted to that agent.
Scheme 48 is a complete Scheme system that tests W7's
Because environments ultimately determine availability
capacity to supp ort safe co op eration. Scheme 48 was
of ob ject references, protection and sharing can b e con-
a ma jor design and implementation e ort and therefore
trolled largely bytheway in whichenvironments are
constitutes the heart of the pro ject. Section 3 gives an
constructed.
overview of Scheme 48, but most of the information on
The e ectiveness of W7 as a securitykernel is demon-
it is to b e found in the related rep orts [13,23,6,19].
strated through three lines of evidence:
A large amount of engineering go es into making a
1. its ability to address certain fundamental security
practical programming environment, and in Scheme 48
problems that are imp ortant for co op eration (Sec-
security has b een a concern in nearly every comp onent.
tions 2.2{2.3);
Ma jor facilities whose design has b een shap ed by secu-
2. a structural corresp ondence with familiar op erating
rity concerns include the following:
system kernels (Section 2.4); and
The mo dule system [19]. Mo dules are truly encap-
3. the success of Scheme 48, a complete implemen-
sulated, just as pro cedures are, allowing them to
tation of the Scheme programming language built
b e shared safely.
on W7, as a basis for secure, robust, and exible
The macro facility [6]. Macros are also closed, like
programming systems (Section 3).
pro cedures. This allows a form of compile-time se-
curityinwhich a mo dule may exp ort a macro while
1.1 Security Kernel Based on -calculus
protecting ob jects used in the macro's implemen-
The -calculus is a calculus of functions, and is con-
tation.
cerned with how computations are abstracted and in-
stantiated and how names come to have meanings. W7
Dynamic variables. Information can b e communi-
is a -calculus of procedures, which are generalized func-
cated from caller to callee through an implicit dy-
tions capable of p erforming side e ects. Pro cedures cor-
namic environment. However, a dynamic variable
resp ond to what in an op erating system would b e pro-
must b e accessed via a key,andsuchkeys can b e
grams and servers. Side e ects include access to input
protected.
and output devices and to memory cells. It is through
A ma jor theme running through the design of Scheme
side e ects that communication, and therefore co op era-
48 is avoidance or minimization of shared global state.
tion, is p ossible. However, side e ects can b e harmful.
For example, the virtual machine (byte-co de interpreter)
For example, a computer-controlled rob ot arm can easily
has only an essential minimum set of registers; there are
hurt a p erson who gets in its way.
no registers that hold global symb ol tables or environ-
The purp ose of a securitykernel is to allowcontrol
ment structure as there is in most Lisp and Scheme im-
over access to ob jects. The challenge in designing a se-
plementations. Another example is in the run-time sys-
curitykernel is not to supp ort sharing or protection p er
tem mo dules, which never alter global state (in Scheme
se, but rather to allow exible control over the extent
terms, no top-level variable is ever assigned with set!).
to which an ob ject is shared or protected. One way
Data structures manipulated by these mo dules can b e
1
instantiated multiple times to avoid con ict over their
This name was chosen to have no mnemonic or cuteness
value. use. 1
resources of value to that agent, so those resources are Finally, the success of Scheme 48 (and therefore of
also put at risk when the program is invoked. W7) is demonstrated by its use in a numb er of applica-
tions. These include the programming environmentfor
Consider the following scenario:
the Cornell mobile rob ots, where Scheme 48 runs with
Bart writes a program that sorts a list of num-
no (other) op erating system supp ort [23], and a secure
b ers. Being a generous fellow, he gives this
multi-user environment that runs on workstations.
useful program to Lisa, who has expressed
an interest in using such a program. But
2 The Security Kernel
Lisa is hesitant to use Bart's program, since
Bart mayhave arranged for the program to
This section is an exp osition, starting from rst princi-
do sneaky things. For example, the program
ples, of the problem of secure co op eration b etween inde-
mightcovertly send the list to b e sorted back
p endent agents. It describ es a simple idealized security
to Bart via electronic mail. That would b e
kernel that addresses this problem. The presentation is
unfortunate, since Lisa wants to sort a list
intended to show the essential unity of security concerns
of credit card numb ers, and she would liketo
in op erating systems and programming languages.
keep these secret. What should Bart and Lisa
The idealized kernel is based on a graph of encapsu-
do?
lated ob jects. Accessibility of one ob ject from another is
constrained by the connectivity of the ob ject graph and
There are two distinct approaches to solving the safe
further limited by ob ject-sp eci c gatekeep er programs.
invo cation problem | that is, the general situation in
The kernel enables the natural construction of a variety
whicheach agent in a co op eration has resources that
of mechanisms that supp ort secure co op eration b etween
should b e protected when one agent's program is invoked
agents. In particular, an agent can securely call an un-
in a context (inputs and computer system) given by an-
trusted agent's program on a sensitive input.
other agent. In the rst approach, the program runs in a
The kernel is similar to those of the capability-based
limited computing environment, one in which dangerous
op erating systems of the 1970's [15, 34]. The main dif-
op erations (such as sending mail) are prohibited. In the
ferences are that this kernel is simpler, more abstract,
second approach, the second agent rejects the program
and more clearly connected with programming language
unless it b ears a recognized certi cate of safety. The
concepts than are classical capability systems.
next two sections lo ok at the twoapproaches.
2.1 Safe Computer-Mediated Co op eration
2.1.1 Limited Environments
One waytoavoid disclosure of the numb ers (an in-
The participants in a co op erativeinteraction carry out
stance of the con nement problem [14]) would b e for Lisa
ajoint activity that uses or combines the resources that
to isolate a computer running Bart's program, making it
each provides. Resources might include energy, informa-
physically imp ossible for the program to do any harm.
tion, skills, or equipment.
This would require detaching the computer from the net-
Each agent relinquishes control to some extentover
work, removing disks that should not b e read or written,
the resources that the agent brings. If the agentvalues a
setting up a sp ecial network or disk for transmitting the
resource, relinquishing control over it is dangerous, b e-
inputs and results, and so on.
cause the resource may come to harm or may b e used to
These measures are inconvenient, time-consuming,
cause harm.
and exp ensive. They are also crude; for example, it
To assure a resource's safety when control over it is
should b e p ermissible for Bart's program to fetchinfor-
relinquished, it is desirable for an agent to b e able to dic-
mation from the network or disks, but not write infor-
tate precisely the extent to which control is relinquished.
mation. This selective restriction would b e imp ossible
A trusted intermediary can b e helpful in this situation.
using hardware con gurations.
The resource is handed over to the intermediary,who
The basic idea is sound, however. The trickisto
p erforms actions as sp eci ed by the recipient sub ject to
ensure that all accesses to sensitive resources are inter-
restrictions imp osed by the source.
cepted by a sp ecial sup ervisor program. The sup ervisor
A computer system may b e useful in a co op era-
program checks the validity of the access attempt and
tion not only b ecause of the resources it mayprovide
allows it to go through only if it should.
(programmable pro cessor, memory,network communi-
The most straightforward metho d bywhichthisis
cations, programs, and so on), but also b ecause of its
achieved is through the use of an emulator .Anemula-
p otential to act as a trusted intermediary. The agent
providing a resource can dictate use restrictions in the tor is a program that mimics the role that the pro cessor
hardware usually plays in deco ding and executing pro-
form of a program, and the resource's recipient can sp ec-
grams. For instructions that are always safe, the em-
ify actions to b e p erformed with the resource in the form
of a program. ulator simulates the hardware precisely; for dangerous
instructions, the sup ervisor program is invoked.
Program invo cation therefore plays a critical role in
Use of an emulator makes programs run slowly,soa computer-mediated co op eration. But when a program
more common alternative is the use of a sp ecial hard- is untrusted (as most programs should b e!), invoking it
ware feature available on many computers called \user is fraught with p eril. The invoking agent puts at risk
mo de". When the pro cessor is in user mo de, all dan- resources of value, such as inputs and the use of parts
gerous op erations are preempted, causing the sup ervisor of the computer system. Similarly, the agent who sup-
program to b e invoked. The sup ervisor program runs in plied the program mayhaveendowed it with (access to) 2
an ordinary (non-user or \sup ervisor") mo de, so it may 3. If not, the invoker runs the program on the real ma-
implement whatever protection p olicy it likes. chine. Harmful op erations needn't b e prevented,
since they won't o ccur (if the certi er is correct).
Here is how safe program invo cation mightbeaccom-
plished using an architecture with user-mo de supp ort:
Screening has the drawback that some co op eration is
required from the p erson supplying the program. He
1. The invoker runs the program in user mo de, telling
must go to the trouble of obtaining certi cation, and
the sup ervisor program which op erations are to b e
p erhaps even change the program so that it is certi able.
p ermitted.
2. The sup ervisor program monitors all p otentially
2.2 A Simple Kernel
dangerous op erations, refusing to p erform op era-
A security kernel is the innermost layer of an op erating
tions that are not p ermitted.
system or programming language, the fundamental com-
3. When the program is done, it executes a sp ecial
ponent resp onsible for protecting valued resources from
op eration to return to sup ervisor mo de.
unwanted disclosure or manipulation. Isolating the se-
curitykernel from the rest of the system helps to ensure
2.1.2 Screening and Certi cation
reliability and trustworthiness. Simplicity is imp ortant
Another waytoavoid disclosure of her list of numbers
in a kernel b ecause the simpler the kernel, the more eas-
would b e for Lisa to screen Bart's program to verify that
ily it can b e tested and veri ed.
it contains no dubious op erations (such as calls to the
What follows is just one of manyways to de ne a se-
send-email program). This would probably require her
curitykernel. This design, which I'll call W7, is intended
receiving the program in source form, not as a binary;
to b e suitable for use in either an op erating system or
the program would have to b e of mo dest size and writ-
a programming language. W7 might also b e seen as a
ten in a language familiar to Lisa. She would also need
theory of security that can b e used to describ e security
access to a compiler and time on her hands to run the
in existing programming languages and op erating sys-
compiler. But even if Lisa were willing and able to go to
tems.
this trouble, Bart mightbeunwilling to give the source
W7 organizes the computer's resources into a network
program to her b ecause it contains information that he
2
of logical entities that I'll call objects . Ob jects are the
wants to keep secret, suchaspasswords, material sub ject
basic units of protection in W7. A link in the network
to copyright, trade secrets, or p ersonal information.
from one ob ject to another means that the second is
This dilemma could b e solved with the help of a
accessible from the rst. The ob jects to whichagiven
trusted third party. There are many di erentways in
ob ject has access are its successors, and the ob jects that
which a third partymight help; the following is a vari-
haveaccesstoagiven ob ject are its predecessors.
ant of the screening metho d suggested ab ove that do esn't
Ob jects may b e thoughtofasrepresenting particu-
require Lisa to obtain Bart's source program.
lar privileges, capabilities, or resources. For example,
an ob ject might represent the abilitytodraw pictures
Supp ose that Bart and Lisa b oth trust Ned.
Bart gives his source program to Ned with on a display, to transmit messages over a communica-
the instructions that Ned is not to givethe tions line, to read information from a data le, or to run
programs on a pro cessing element.
source program to Lisa, but he mayanswer
the question of whether the program is ob- New no des enter the ob ject network when a running
viously harmless to run. (\Obviously harm- program requests the creation of a new ob ject. In or-
less" could mean that the program uses no der to avoid the dangers of dangling references (links to
p otentially harmful op erations, or it could b e deleted no des) and memory leaks, ob ject deletion is left
a more sophisticated test. Because harmless- in the hands of the kernel. The kernel may delete an ob-
ness is uncomputable, anysuch test will b e ject as so on as there is no path through the networktoit
an approximation.) Lisa obtains the machine from the current computation. Absence of such a path is
program as b efore, and asks Ned whether detected by an automatic mechanism such as reference
the machine program is obviously harmless to counts or garbage collection.
run; if he says it is, she runs it with assurance.
There are several di erent kinds of ob jects. These will
be intro duced as they are needed in the presentation.
In the screening approach, the agentinvoking the pro-
gram rejects it unless it b ears a recognized certi cate of
2.2.1 On the Choice of Notation
safety.Following this initial check, invoking the program
In order to elucidate the kernel design and describ e its
is just as simple as invoking any fully trusted program.
consequences, it will b e necessary to present sp ecimen
There is no need for an emulator program or user-mo de
programs, and for this purp ose I must cho ose a notation
hardware supp ort.
| that is, a programming language. The choice is in
Here is how safe program invo cation mightbeaccom-
principle arbitrary, but is imp ortant b ecause it a ects
plished using the screening approach:
the exp osition.
1. The invoker checks to see whether the program is
2
Unfortunately, \ob ject" has b ecome a loaded term in
de nitely restricted to op erations p ermitted by the
computer science. To many p eople it implies complicated
invoker.
phenomena such as metho ds, classes and inheritance. I don't
2. The invoker refuses to run the program if it app ears
mean to suggest any of this baggage. It maybebesttotake
it as an unde ned term, as is \p oint" in geometry. to use any unp ermitted op erations. 3
to b e applicable only to symb ols and cells. If I were most interested in comparing W7 to cur-
I'll use the term value to describ e integers, b o oleans, rently p opular and familiar securitykernels in op erating
systems, I would presentmy examples as programs that
symb ols, and other entities that carry only information,
p erform kernel op erations in the traditional way, using
not privileges. Whether or not values are considered to
b e ob jects is unimp ortant. system calls. Programs would b e written in an Algol-like
language, or p erhaps in a machine-level language suchas
2.2.3 Pro cedures
C. This would b e a viable approach, since there is noth-
The W7 kernel is principally concerned with proce-
ing in the theory that precludes it (see Section 4.3.3).
dures. Every pro cedure has an asso ciated program.
However, this approachmakes some of the examples
The pro cedure's program can access the pro cedure's suc-
awkward to write and to understand. Particularly awk-
cessors and use them in various op erations. Access is not
ward is the frequent case where in creating a new ob ject,
transitive, however: access to a pro cedure do es not im-
a program must sp ecify a second program. Most tra-
ply the ability to access the pro cedure's successors. Any
ditional languages don't haveagoodway for a program
such access is necessarily controlled by the pro cedure's
to sp ecify another entire program. Even given sucha
program. In this sense, the pro cedure's program is a
notation, the division of lab or b etween the language and
\gatekeep er" that protects the pro cedure's successors.
the securitykernel might b e dicult to tease apart.
The primary op eration on a pro cedure is application
For this reason I prefer to use a notation in which
to an argument sequence. When a pro cedure is applied
kernel op erations have natural forms of expression. The
to arguments (whichmay include other ob jects or values,
language of the Unix \shell" approaches this goal since
suchasintegers), its program is run. In addition to
program invo cation has a natural syntax, and op erations
the pro cedure's successors, the program has access to
on programs and pro cesses are more concise than they
the arguments. It mayuseany of these ob jects, but no
would b e in Algol or C.
others, in making new ob jects or in p erforming further
However,Iwould like to go a step further in the di-