A Security Kernel Based on the Lambda-Calculus

MASSACHUSETTS INSTITUTE OF TECHNOLOGY

ARTIFICIAL INTELLIGENCE LABORATORY

A.I. Memo No. 1564 March, 1996

A Security Kernel Based on the

Lamb da-Calculus

Jonathan A. Rees

This publication can b e retrieved byanonymous ftp to publications.ai.mit.edu.

Abstract

Co op eration b etween indep endent agents dep ends up on establishing a degree of security.Eachofthe

co op erating agents needs assurance that the co op eration will not endanger resources of value to that agent.

In a computer system, a computational mechanism can assure safe co op eration among the system's users

by mediating resource access according to desired security p olicy.Such a mechanism, which is called a

security kernel , lies at the heart of many op erating systems and programming environments.

This rep ort describ es Scheme 48, a programming environment whose design is guided by established prin-

ciples of op erating system security.Scheme 48's securitykernel is small, consisting of the call-by-value

-calculus with a few simple extensions to supp ort abstract data typ es, ob ject mutation, and access to

hardware resources. Eachagent (user or subsystem) has a separate evaluation environment that holds ob-

jects representing privileges granted to that agent. Because environments ultimately determine availability

of ob ject references, protection and sharing can b e controlled largely by the wayinwhichenvironments

are constructed.

I will describ e exp erience with Scheme 48 that shows how it serves as a robust and exible exp erimental

platform. Two successful applications of Scheme 48 are the programming environment for the Cornell

mobile rob ots, where Scheme 48 runs with no (other) op erating system supp ort; and a secure multi-user

environment that runs on workstations.

This rep ort describ es research done at the Arti cial Intelligence Lab oratory of the Massachusetts Institute of Technology.

Supp ort for this researchwas provided in part by the Advanced Research Pro jects Agency of the Department of Defense

under Oce of Naval Researchcontract N00014-92-J-4097.

in which the -calculus and W7 provide protection is 1 Intro duction

through closure : a pro cedure is not just a program but

Co op eration b etween indep endent agents dep ends up on

a program coupled with its environment of origin. A pro-

establishing a degree of security. Each of the co op er-

cedure cannot access the environment of its call, and its

ating agents needs assurance that the co op eration will

caller cannot access the pro cedure's environmentofori-

not endanger resources of value to that agent. In a com-

gin. The caller and callee are therefore protected from

puter system, a computational mechanism can assure

one another. Sharing is accomplished through shared

safe co op eration among the system's users by mediat-

p ortions of environments, whichmay include pro cedures

ing resource access according to desired security p olicy.

that allow still other ob jects to b e shared.

Such a mechanism, whichiscalledasecurity kernel , lies

To address a numberofauthentication and certi ca-

at the heart of many op erating systems and program-

tion problems, W7 includes an abstract data typ e facil-

ming environments.

ity. (Usually this term refers to typ e abstraction enforced

I claim that the -calculus can serve as the central

through compile-timetyp e checking, but here it means

comp onent of a simple and exible securitykernel. The

a dynamic information hiding mechanism.) The facil-

present rep ort supp orts this thesis by motivating and de-

ity is akin to digital signatures: a subsystem may sign

scribing sucha-calculus-based securitykernel and by

an ob ject in suchaway that the signed ob ject maybe

giving several lines of evidence of the kernel's e ective-

recognized as having b een de nitely signed by that sub-

ness.

system. In particular, a compiler might use a particular

The W7 securitykernel consists of the call-by-value

signature to mean that the signed pro cedure is one that

-calculus with a few simple extensions to supp ort ab-

is \harmless" (in a technical sense) and is therefore safe

stract data types,objectmutation, and access to hard-

to apply to fragile arguments.

ware resources. Within W7, each agent (user or subsys-

tem) has a separate evaluation environment that holds

1.2 Scheme 48

ob jects representing privileges granted to that agent.

Scheme 48 is a complete Scheme system that tests W7's

Because environments ultimately determine availability

capacity to supp ort safe co op eration. Scheme 48 was

of ob ject references, protection and sharing can b e con-

a ma jor design and implementation e ort and therefore

trolled largely bytheway in whichenvironments are

constitutes the heart of the pro ject. Section 3 gives an

constructed.

overview of Scheme 48, but most of the information on

The e ectiveness of W7 as a securitykernel is demon-

it is to b e found in the related rep orts [13,23,6,19].

strated through three lines of evidence:

A large amount of engineering go es into making a

1. its ability to address certain fundamental security

practical programming environment, and in Scheme 48

problems that are imp ortant for co op eration (Sec-

security has b een a concern in nearly every comp onent.

tions 2.2{2.3);

Ma jor facilities whose design has b een shap ed by secu-

2. a structural corresp ondence with familiar op erating

rity concerns include the following:

system kernels (Section 2.4); and

The mo dule system [19]. Mo dules are truly encap-

3. the success of Scheme 48, a complete implemen-

sulated, just as pro cedures are, allowing them to

tation of the Scheme programming language built

b e shared safely.

on W7, as a basis for secure, robust, and exible

The macro facility [6]. Macros are also closed, like

programming systems (Section 3).

pro cedures. This allows a form of compile-time se-

curityinwhich a mo dule may exp ort a macro while

1.1 Security Kernel Based on -calculus

protecting ob jects used in the macro's implemen-

The -calculus is a calculus of functions, and is con-

tation.

cerned with how computations are abstracted and in-

stantiated and how names come to have meanings. W7

Dynamic variables. Information can b e communi-

is a -calculus of procedures, which are generalized func-

cated from caller to callee through an implicit dy-

tions capable of p erforming side e ects. Pro cedures cor-

namic environment. However, a dynamic variable

resp ond to what in an op erating system would b e pro-

must b e accessed via a key,andsuchkeys can b e

grams and servers. Side e ects include access to input

protected.

and output devices and to memory cells. It is through

A ma jor theme running through the design of Scheme

side e ects that communication, and therefore co op era-

48 is avoidance or minimization of shared global state.

tion, is p ossible. However, side e ects can b e harmful.

For example, the virtual machine (byte-co de interpreter)

For example, a computer-controlled rob ot arm can easily

has only an essential minimum set of registers; there are

hurt a p erson who gets in its way.

no registers that hold global symb ol tables or environ-

The purp ose of a securitykernel is to allowcontrol

ment structure as there is in most Lisp and Scheme im-

over access to ob jects. The challenge in designing a se-

plementations. Another example is in the run-time sys-

curitykernel is not to supp ort sharing or protection p er

tem mo dules, which never alter global state (in Scheme

se, but rather to allow exible control over the extent

terms, no top-level variable is ever assigned with set!).

to which an ob ject is shared or protected. One way

Data structures manipulated by these mo dules can b e

instantiated multiple times to avoid con ict over their

This name was chosen to have no mnemonic or cuteness

value. use. 1

resources of value to that agent, so those resources are Finally, the success of Scheme 48 (and therefore of

also put at risk when the program is invoked. W7) is demonstrated by its use in a numb er of applica-

tions. These include the programming environmentfor

Consider the following scenario:

the Cornell mobile rob ots, where Scheme 48 runs with

Bart writes a program that sorts a list of num-

no (other) op erating system supp ort [23], and a secure

b ers. Being a generous fellow, he gives this

multi-user environment that runs on workstations.

useful program to Lisa, who has expressed

an interest in using such a program. But

2 The Security Kernel

Lisa is hesitant to use Bart's program, since

Bart mayhave arranged for the program to

This section is an exp osition, starting from rst princi-

do sneaky things. For example, the program

ples, of the problem of secure co op eration b etween inde-

mightcovertly send the list to b e sorted back

p endent agents. It describ es a simple idealized security

to Bart via electronic mail. That would b e

kernel that addresses this problem. The presentation is

unfortunate, since Lisa wants to sort a list

intended to show the essential unity of security concerns

of credit card numb ers, and she would liketo

in op erating systems and programming languages.

keep these secret. What should Bart and Lisa

The idealized kernel is based on a graph of encapsu-

do?

lated ob jects. Accessibility of one ob ject from another is

constrained by the connectivity of the ob ject graph and

There are two distinct approaches to solving the safe

further limited by ob ject-sp eci c gatekeep er programs.

invo cation problem | that is, the general situation in

The kernel enables the natural construction of a variety

whicheach agent in a co op eration has resources that

of mechanisms that supp ort secure co op eration b etween

should b e protected when one agent's program is invoked

agents. In particular, an agent can securely call an un-

in a context (inputs and computer system) given by an-

trusted agent's program on a sensitive input.

other agent. In the rst approach, the program runs in a

The kernel is similar to those of the capability-based

limited computing environment, one in which dangerous

op erating systems of the 1970's [15, 34]. The main dif-

op erations (such as sending mail) are prohibited. In the

ferences are that this kernel is simpler, more abstract,

second approach, the second agent rejects the program

and more clearly connected with programming language

unless it b ears a recognized certi cate of safety. The

concepts than are classical capability systems.

next two sections lo ok at the twoapproaches.

2.1 Safe Computer-Mediated Co op eration

2.1.1 Limited Environments

One waytoavoid disclosure of the numb ers (an in-

The participants in a co op erativeinteraction carry out

stance of the con nement problem [14]) would b e for Lisa

ajoint activity that uses or combines the resources that

to isolate a computer running Bart's program, making it

each provides. Resources might include energy, informa-

physically imp ossible for the program to do any harm.

tion, skills, or equipment.

This would require detaching the computer from the net-

Each agent relinquishes control to some extentover

work, removing disks that should not b e read or written,

the resources that the agent brings. If the agentvalues a

setting up a sp ecial network or disk for transmitting the

resource, relinquishing control over it is dangerous, b e-

inputs and results, and so on.

cause the resource may come to harm or may b e used to

These measures are inconvenient, time-consuming,

cause harm.

and exp ensive. They are also crude; for example, it

To assure a resource's safety when control over it is

should b e p ermissible for Bart's program to fetchinfor-

relinquished, it is desirable for an agent to b e able to dic-

mation from the network or disks, but not write infor-

tate precisely the extent to which control is relinquished.

mation. This selective restriction would b e imp ossible

A trusted intermediary can b e helpful in this situation.

using hardware con gurations.

The resource is handed over to the intermediary,who

The basic idea is sound, however. The trickisto

p erforms actions as sp eci ed by the recipient sub ject to

ensure that all accesses to sensitive resources are inter-

restrictions imp osed by the source.

cepted by a sp ecial sup ervisor program. The sup ervisor

A computer system may b e useful in a co op era-

program checks the validity of the access attempt and

tion not only b ecause of the resources it mayprovide

allows it to go through only if it should.

(programmable pro cessor, memory,network communi-

The most straightforward metho d bywhichthisis

cations, programs, and so on), but also b ecause of its

achieved is through the use of an emulator .Anemula-

p otential to act as a trusted intermediary. The agent

providing a resource can dictate use restrictions in the tor is a program that mimics the role that the pro cessor

hardware usually plays in deco ding and executing pro-

form of a program, and the resource's recipient can sp ec-

grams. For instructions that are always safe, the em-

ify actions to b e p erformed with the resource in the form

of a program. ulator simulates the hardware precisely; for dangerous

instructions, the sup ervisor program is invoked.

Program invo cation therefore plays a critical role in

Use of an emulator makes programs run slowly,soa computer-mediated co op eration. But when a program

more common alternative is the use of a sp ecial hard- is untrusted (as most programs should b e!), invoking it

ware feature available on many computers called \user is fraught with p eril. The invoking agent puts at risk

mo de". When the pro cessor is in user mo de, all dan- resources of value, such as inputs and the use of parts

gerous op erations are preempted, causing the sup ervisor of the computer system. Similarly, the agent who sup-

program to b e invoked. The sup ervisor program runs in plied the program mayhaveendowed it with (access to) 2

an ordinary (non-user or \sup ervisor") mo de, so it may 3. If not, the invoker runs the program on the real ma-

implement whatever protection p olicy it likes. chine. Harmful op erations needn't b e prevented,

since they won't o ccur (if the certi er is correct).

Here is how safe program invo cation mightbeaccom-

plished using an architecture with user-mo de supp ort:

Screening has the drawback that some co op eration is

required from the p erson supplying the program. He

1. The invoker runs the program in user mo de, telling

must go to the trouble of obtaining certi cation, and

the sup ervisor program which op erations are to b e

p erhaps even change the program so that it is certi able.

p ermitted.

2. The sup ervisor program monitors all p otentially

2.2 A Simple Kernel

dangerous op erations, refusing to p erform op era-

A security kernel is the innermost layer of an op erating

tions that are not p ermitted.

system or programming language, the fundamental com-

3. When the program is done, it executes a sp ecial

ponent resp onsible for protecting valued resources from

op eration to return to sup ervisor mo de.

unwanted disclosure or manipulation. Isolating the se-

curitykernel from the rest of the system helps to ensure

2.1.2 Screening and Certi cation

reliability and trustworthiness. Simplicity is imp ortant

Another waytoavoid disclosure of her list of numbers

in a kernel b ecause the simpler the kernel, the more eas-

would b e for Lisa to screen Bart's program to verify that

ily it can b e tested and veri ed.

it contains no dubious op erations (such as calls to the

What follows is just one of manyways to de ne a se-

send-email program). This would probably require her

curitykernel. This design, which I'll call W7, is intended

receiving the program in source form, not as a binary;

to b e suitable for use in either an op erating system or

the program would have to b e of mo dest size and writ-

a programming language. W7 might also b e seen as a

ten in a language familiar to Lisa. She would also need

theory of security that can b e used to describ e security

access to a compiler and time on her hands to run the

in existing programming languages and op erating sys-

compiler. But even if Lisa were willing and able to go to

tems.

this trouble, Bart mightbeunwilling to give the source

W7 organizes the computer's resources into a network

program to her b ecause it contains information that he

of logical entities that I'll call objects . Ob jects are the

wants to keep secret, suchaspasswords, material sub ject

basic units of protection in W7. A link in the network

to copyright, trade secrets, or p ersonal information.

from one ob ject to another means that the second is

This dilemma could b e solved with the help of a

accessible from the rst. The ob jects to whichagiven

trusted third party. There are many di erentways in

ob ject has access are its successors, and the ob jects that

which a third partymight help; the following is a vari-

haveaccesstoagiven ob ject are its predecessors.

ant of the screening metho d suggested ab ove that do esn't

Ob jects may b e thoughtofasrepresenting particu-

require Lisa to obtain Bart's source program.

lar privileges, capabilities, or resources. For example,

an ob ject might represent the abilitytodraw pictures

Supp ose that Bart and Lisa b oth trust Ned.

Bart gives his source program to Ned with on a display, to transmit messages over a communica-

the instructions that Ned is not to givethe tions line, to read information from a data le, or to run

programs on a pro cessing element.

source program to Lisa, but he mayanswer

the question of whether the program is ob- New no des enter the ob ject network when a running

viously harmless to run. (\Obviously harm- program requests the creation of a new ob ject. In or-

less" could mean that the program uses no der to avoid the dangers of dangling references (links to

p otentially harmful op erations, or it could b e deleted no des) and memory leaks, ob ject deletion is left

a more sophisticated test. Because harmless- in the hands of the kernel. The kernel may delete an ob-

ness is uncomputable, anysuch test will b e ject as so on as there is no path through the networktoit

an approximation.) Lisa obtains the machine from the current computation. Absence of such a path is

program as b efore, and asks Ned whether detected by an automatic mechanism such as reference

the machine program is obviously harmless to counts or garbage collection.

run; if he says it is, she runs it with assurance.

There are several di erent kinds of ob jects. These will

be intro duced as they are needed in the presentation.

In the screening approach, the agentinvoking the pro-

gram rejects it unless it b ears a recognized certi cate of

2.2.1 On the Choice of Notation

safety.Following this initial check, invoking the program

In order to elucidate the kernel design and describ e its

is just as simple as invoking any fully trusted program.

consequences, it will b e necessary to present sp ecimen

There is no need for an emulator program or user-mo de

programs, and for this purp ose I must cho ose a notation

hardware supp ort.

| that is, a programming language. The choice is in

Here is how safe program invo cation mightbeaccom-

principle arbitrary, but is imp ortant b ecause it a ects

plished using the screening approach:

the exp osition.

1. The invoker checks to see whether the program is

Unfortunately, \ob ject" has b ecome a loaded term in

de nitely restricted to op erations p ermitted by the

computer science. To many p eople it implies complicated

invoker.

phenomena such as metho ds, classes and inheritance. I don't

2. The invoker refuses to run the program if it app ears

mean to suggest any of this baggage. It maybebesttotake

it as an unde ned term, as is \p oint" in geometry. to use any unp ermitted op erations. 3

to b e applicable only to symb ols and cells. If I were most interested in comparing W7 to cur-

I'll use the term value to describ e integers, b o oleans, rently p opular and familiar securitykernels in op erating

systems, I would presentmy examples as programs that

symb ols, and other entities that carry only information,

p erform kernel op erations in the traditional way, using

not privileges. Whether or not values are considered to

b e ob jects is unimp ortant. system calls. Programs would b e written in an Algol-like

language, or p erhaps in a machine-level language suchas

2.2.3 Pro cedures

C. This would b e a viable approach, since there is noth-

The W7 kernel is principally concerned with proce-

ing in the theory that precludes it (see Section 4.3.3).

dures. Every pro cedure has an asso ciated program.

However, this approachmakes some of the examples

The pro cedure's program can access the pro cedure's suc-

awkward to write and to understand. Particularly awk-

cessors and use them in various op erations. Access is not

ward is the frequent case where in creating a new ob ject,

transitive, however: access to a pro cedure do es not im-

a program must sp ecify a second program. Most tra-

ply the ability to access the pro cedure's successors. Any

ditional languages don't haveagoodway for a program

such access is necessarily controlled by the pro cedure's

to sp ecify another entire program. Even given sucha

program. In this sense, the pro cedure's program is a

notation, the division of lab or b etween the language and

\gatekeep er" that protects the pro cedure's successors.

the securitykernel might b e dicult to tease apart.

The primary op eration on a pro cedure is application

For this reason I prefer to use a notation in which

to an argument sequence. When a pro cedure is applied

kernel op erations have natural forms of expression. The

to arguments (whichmay include other ob jects or values,

language of the Unix \shell" approaches this goal since

suchasintegers), its program is run. In addition to

program invo cation has a natural syntax, and op erations

the pro cedure's successors, the program has access to

on programs and pro cesses are more concise than they

the arguments. It mayuseany of these ob jects, but no

would b e in Algol or C.

others, in making new ob jects or in p erforming further

However,Iwould like to go a step further in the di-

applications. Applications are written in Scheme using

rection of languages with integrated kernel supp ort, and

the syntax

useaversion of Scheme [7]inwhich all Scheme values,

including pro cedures, are identi ed with ob jects known

(procedureargument ...).

to the W7 kernel. ML [16]would have b een another

For example, if f names a link to a pro cedure, then (f

reasonable choice of language.

xy)denotes an application of that pro cedure to x and

2.2.2 On the Notation

Toavoid confusion with other Scheme dialects, I'll re-

The essential source of security in W7 is that a pro ce-

fer to the small dialect of Scheme to b e used in examples

dure's program is absolutely limited to using the pro ce-

as \Scheme ." The grammar given in Figure 1 summa-

dure's successors and the ob jects that are in the appli-

rizes Scheme . E stands for an expression.

cation's argument sequence.

The meaning of most of the constructs is as in full

Scheme lambda-expressions are a concise notation

Scheme. The rst group of constructs is Scheme 's -

for sp ecifying pro cedures. When a program evaluates a

calculus core: variable reference, pro cedure abstraction

lambda-expression, a new pro cedure is created. The new

(lambda), and application. Each of the second group of

pro cedure's successors are the ob jects that are the val-

constructs (if, etc.) has a sp ecial evaluation rule.

ues of the lambda-expression's free variables, and its pro-

The third group is a set of primitive op erators. In

gram is sp eci ed by the b o dy of the lambda-expression.

every case all of the op erand expressions are evaluated

Here is an example illustrating lambda and applica-

b efore the op erator is applied. Most of these are familiar,

tion.

but a few require explanation:

(lambda (x) (g (f x)))

A cel l is a mutable ob ject with a single outgoing access

link ( eld). (new-cell) creates a new, uninitialized cell,

sp eci es a pro cedure with two successors, whichitknows

(cell-ref cel l ) returns the ob ject to which cel l cur-

as f and g. When the resulting pro cedure (say, h)is

rently has a link, and (cell-set! cel l obj ) redirects

applied to an argument, it applies f to that argument,

cel l 's outgoing link to obj .

and then applies g to the result obtained from applying

The enclose op erator takes a program and a sp eci-

f. Finally, g's result b ecomes the result of the call to h.

cation of a successor set and converts them to a pro-

h therefore acts as the functional comp osition of f and

cedure. enclose might b e called on the output of a

Scheme or Algol compiler. Its details are unimp ortant.

An pro cedure's program could b e written in a lan-

See Section 2.2.4.

guage other than Scheme , for example, Algol, C, or a

The control op erator controls hardware devices. For

machine language. I will consider this p ossibility later

example,

(Section 4.3.3).

(control keyboard 'read-char)

2.2.4 Initial program

Supp ose that someone | let's call her Marge | ob- might read a character from a particular keyb oard. Its

tains a brand-new machine running W7 as its op erating arguments are interpreted di erently for di erent kinds

system kernel. She turns it on, and the machine b egins of devices.

executing an initial program. The initial program is an To reduce the complexity of the exp osition, pairs will

ordinary program with no sp ecial relation to the kernel b e assumed to b e immutable, and eq? will b e assumed 4

E ::= var

| (lambda (var ...) E )

|(EE...)

| constant

| (if EE E)

| (begin E ...)

| (let ((var E ) ...) E )

| (let var ((var E ) ...) E )

|(arith EE)

| (cons EE) | (car E ) | (cdr E )

| (null? E ) | (pair? E ) | (list E ...)

| (symbol? E ) | (eq? EE)

| (new-cell) | (cell-ref E ) | (cell-set!\ EE)

| (enclose EE) | (control EE)

arith ::=+|-|*|/|<|=|>

Figure 1: A grammar for Scheme .

The environment initially includes two kinds of re- other than that it is executed on p ower-up. In princi-

sources: I/O devices (with names like the-display and ple, the initial program is arbitrary; it is whatever the

the-fax-machine), and handy utilities that the user manufacturer has chosen to provide.

could have written but the manufacturer has thought- The initial program is given access to ob jects that rep-

fully supplied. The utilities are the usual Scheme pro ce- resent all of the computer system's attached hardware

dures suchasassoc, write, read,and string-append, resources, which might include keyb oards, displays, fac-

as well as a few others to b e describ ed b elow. simile machines, trac lights, etc. (Hardware maybe

The initial program just describ ed, including utilities manipulated with the control primitive op erator, whose

and command pro cessor, mighthave b een written en- details are not imp ortant here.) Because these resources

tirely in Scheme ,inwhichcaseitwould resemble the are ob jects, any given program will only have access to

program of Figure 2: eval is a utility that executes a those hardware resources to which it has b een explicitly

Scheme expression, of which a representation has b een granted access by the initial program (p erhaps indirectly

obtained from the user or otherwise received or com- through a series of other programs).

puted. It makes use of a compiler that translates the ex- In order to make the computer as generally useful as

pression into a form acceptable to the kernel's primitive p ossible, the manufacturer has installed an initial pro-

enclose op erator. The translated expression is given gram that executes commands entered from the key-

access to a sp eci ed environment, and executed. b oard. One kind of command is simply a Scheme ex-

pression. When an expression is seen, the initial pro-

(define eval

gram compiles and executes the expression and displays

(lambda (expression env)

its result. For example, the command

((enclose (compile-scheme-expression

(map car env))

(+ 2 3)

(map cdr env)))))

causes the numb er 5 to b e displayed.

De nitions are handled using bind, which extends a

A second kind of command is a de nition , whichlooks

given environmentby adding a binding of a variable to

avalue. With environments represented as asso ciation

(define var E ).

lists, bind could b e de ned with

De nitions givea way for a user to extend the envi-

(define bind

ronment so that new ob jects can b e given names that

(lambda (name value env)

subsequent commands can see. For example, Marge can

(cons (cons name value) env))).

write

2.2.5 Administration

(define square (lambda (x) (* x x)))

Nowwehave enough mechanism at our disp osal to

to de ne a squaring pro cedure, and

consider some examples.

(square 17)

Marge intends to set up her machine so that Lisa and

Bart can use it and its resources. As a means for the

to invoke it and display the result.

machine's users to share ob jects with one another, she

To b e able to use existing resources, commands need

de nes a simple ob ject rep ository:

to have access to them. For this reason they are

(define *repository* (new-cell)) pro cessed relativetoanenvironment, or set of vari-

(cell-set! *repository* '()) able bindings, allowing ob jects to b e accessed byname. 5

(define command-processor

(lambda (env source sink)

(let loop ((env env))

(let ((command (read source)))

(if (definition? command)

(loop (bind (cadr command)

(eval (caddr command) env)

env))

(begin (write (eval command env) sink)

(loop env)))))))

(define definition?

(lambda (command)

(if (pair? command)

(eq? (car command) 'define)

#f)))

Figure 2: A simple initial program.

(define lookup Similarly for Lisa's:

(lambda (name)

(command-processor Lisa-env

(let ((probe (assoc name *repository*)))

from-Lisa to-Lisa)

(if probe (cdr probe) #f))))

Security results from the omission of vulnerable ob jects

(define publish!

from users' initial environments. For example, Lisa's I/O

(lambda (name object)

devices (from-Lisa and to-Lisa) aren't accessible from

(cell-set! *repository*

Bart's environment, so Bart won't b e able to cause any

(cons (cons name object)

mischief by reading or writing them.

*repository*))))

Bart and Lisa are able to share ob jects with each other

through the rep ository:

Anyone with access to Marge's lookup pro cedure can ob-

Bart:

tain values from the rep ository, while anyone with access

(define really-sort

to publish! can store values in the rep ository. (assoc

(lambda (list-of-numbers)

is assumed to b e Lisp's traditional asso ciation list search

(if (null? list-of-numbers)

function.)

'()

Next, Marge makes an environment for Bart's com-

(insert (car list-of-numbers)

mand pro cessor. It must include all of the ob jects that

(really-sort

Bart is to b e able to access initially. There is no harm in

(cdr list-of-numbers))))))

including all of the system's utility pro cedures (assoc,

read, etc.), since no harm can come from his using them.

(define insert

However, she needs to b e careful ab out the I/O devices.

(lambda (x l)

For the sakeofsafety, she includes only Bart's own I/O

(let recur ((l l))

devices in Bart-env:

(if (null? l)

(list x)

(define make-user-env

(if (< x (car l))

(lambda (from-user to-user)

(cons x l)

(bind 'standard-input from-user

(cons (car l)

(bind 'standard-output to-user

(recur (cdr l))))))))

(bind 'lookup lookup

(bind 'publish! publish!

(publish! 'sort sort)

utilities-env))))))

(define Bart-env

Lisa:

(make-user-env from-Bart to-Bart))

(define Bart-sort (lookup 'sort))

(Bart-sort '(9 2 7)) ! '(2 7 9)

Bart's command pro cessor can now b e initiated with

Of course, Bart and Lisa must b oth trust Marge, who

(command-processor Bart-env

still has full control over all resources. They must treat

from-Bart to-Bart)

her administrative structure as part of the machine's

trusted substrate. (Trust cannot b e avoided. Bart and

For simplicity, it is assumed that concurrency is not an

Lisa must trust Marge's software and machine just as

issue. In a multipro cessin g or multitasking system, access to

the *repository* cell would have to b e serialized. Marge trusts the manufacturer's installed software, the 6

manufacturer trusts the semiconductor chip factories, Whether a program \might divulge" its input is unde-

the chip factories trust the solid state physicists, and cidable, so any test for this prop erty is necessarily con-

so on.) servative: such a test will reject p erfectly b enign, useful

programs that can't easily b e cast into a recognizably

2.2.6 Trusted Third Party Establishes Safety

safe form.

There are many p ossible tests. One simple test is the

There is already a great deal of safety built in to the

following one: a program might divulge its input if the

structure of the W7 kernel. When a pro cedure is in-

program is not obviously applicative; and a program is

voked, the only privileges the invoked pro cedure's pro-

obviously applicativei noneofits lambda-expressions

gram has are (1) those that it was given when created

contains a (cell-set! ...) expression.

(\installed"), and (2) those that are passed as argu-

ments. If the two privilege sets contain no dangerous One can clearly do b etter than this; some metho ds will

privileges, then there is no way that any harm can come b e discussed later (in the context of the mo dule system,

from the invo cation. However, sometimes there is reason section 3.2).

to pass privileges or sensitive information to an unknown Toseehow this safe compilation service mightwork,

program. This can b e a problem if when installed the

let's continue with the scenario b egun ab ove in which

program was given access to channels over which the in-

Marge has established a public ob ject rep ository.The

formation might b e transmitted, or to a cell in which rst problem is that Lisa needs a way to determine au-

a privilege or information maybesaved for later unex-

thorship of a rep ository entry, to distinguish Bart's en-

p ected use.

tries from Ned's. Assuming that all ob jects published by

Ned are safe, she must makesurethatthesort pro ce-

To return to the main example from the intro duction:

dure she uses is published byNed,notby Bart.

Lisa wants to call Bart's sort program without risking

disclosure of the input, whichmaycontain sensitivein- This is a fundamental aw in the rep ository,soMarge

must x it. See Figure 3. Eachobjectinthereposi-

formation. Sp eci cally, the risk she runs is that Bart has

tory is now accompanied by the name of the user who

written something like

put it there, and each user's environmentnow has its

(define *list-of-numbers* (new-cell))

own publish! pro cedure. Bart's publish! pro cedure,

for example, will store entries of the form (cons 'Bart

(define sort

object ) into the rep ository.

(lambda (list-of-numbers)

Here is the complete scenario:

(begin (cell-set! *list-of-numbers*

list-of-numbers)

Ned:

(really-sort list-of-numbers))))

(define publish-if-safe!

(lambda (name program)

(define really-sort

(if (safe? program)

(lambda (list-of-numbers)

(publish! name (eval program))

(if (null? list-of-numbers)

'not-obviously-safe)))

'()

(define safe?

(insert (car list-of-numbers)

(lambda (program) ...))

(really-sort

(publish! 'publish-if-safe! publish-if-safe!)

(cdr list-of-numbers))))))

(publish! 'sort sort)

Bart:

(define sort-program

This deceit would allow Bart to extract the most re-

'(begin (define sort ...)

cent input passed to sort byevaluating (cell-ref

(define insert ...)

*list-of-numbers*).

sort))

Sketch of a rudimentary solution:

(define publish-if-safe!

1. Ned, who b oth Bart and Lisa trust, sets up a \safe

(cdr (lookup 'publish-if-safe!)))

compilation" service.

(publish-if-safe! 'safe-sort sort-program)

2. Bart submits the source co de for his sort program

Lisa:

to Ned's service.

(define safe-sort-entry (lookup 'safe-sort))

(define safe-sort

3. Ned's service analyzes Bart's source co de to de-

(if (eq? (car safe-sort-entry) 'Ned)

termine whether the program might divulge its in-

(cdr safe-sort-entry)

put to Bart or to anyone else. (For a de nition of

"safe-sort not published by Ned"))

\might divulge," see b elow.)

(safe-sort '(9 2 7))

4. Ned evaluates (for initialization) Bart's program in

a fresh environment and extracts access to the re-

There is nothing Bart can do to trick Lisa. If he tries

sulting sort pro cedure.

to publish an unsafe safe-sort pro cedure, he will have

5. Ned makes sort available to Lisa.

to use his own publish! pro cedure to do so, since Ned's

6. Lisa obtains the program from Ned, and runs it publish! isn't accessible to him. In this case, when Lisa

with assurance that the input will not b e divulged. do es (lookup 'safe-sort), the result will b e marked 7

(define make-publish!

(lambda (submitter)

(lambda (name object)

(publish! name (cons submitter object)))))

(define make-user-env

(lambda (user-name from-user to-user)

(bind 'standard-input from-user

(bind 'standard-output to-user

(bind 'lookup lookup

(bind 'publish!

(make-publish! user-name)

utilities-env))))))

(define Bart-env

(make-user-env 'Bart from-Bart to-Bart))

(define Lisa-env

(make-user-env 'Lisa from-Lisa to-Lisa))

(define Ned-env

(make-user-env 'Ned from-Ned to-Ned))

Figure 3: Marge's improved rep ository.

with Bart's name, not Ned's, and Lisa will discard it. analogy for a capsule would b e a lo cked b ox to which

only the receiver has a key.

2.3 Authentication

When the ob ject is digital information, suchasa

This section treats the problem of authentication and

sequence of characters or numb ers, well-known digital

considers its solution in W7. Broadly sp eaking, authen-

cryptographic techniques can b e used to implement au-

tication is any pro cedure or test that determines whether

thenticated transmission [24]. However, ob ject transmis-

an ob ject is trustworthy or genuine. For example, check-

sion in a securitykernel that limits ob ject access accord-

ing a student identi cation card authenticates the p erson

ing to an accessibility graph requires a di erentmecha-

presenting the card as b eing a student as indicated on

nism. With suchakernel, transmitting a name for an

the card. Having b een found authentic, the p erson may

ob ject, whether encrypted or not, is never the same as

b e granted privileges appropriate to that status, suchas

transmitting access to that ob ject, since interpretation

p ermission to use an ice rink.

of names | and therefore accessibility of named ob jects

| is lo cal to each ob ject. Access can only b e transmitted Authentication is an imp ortant capability of secure

through approved channels such as argument and result computer systems. Some examples of authentication in

such systems are:

transmission in a pro cedure invo cation.

A request received from an untrusted source such

2.3.1 Abstract Data Typ es

as a public communications network must b e au-

Authentication is required whenever the results of one

thenticated as originating from an agent that has

pro cedure are intended to constitute the only valid in-

the right to p erform the action sp eci ed bythere-

puts to another pro cedure. These ob jects, the results

quest.

and valid inputs for a related set of pro cedures, are called

In a dynamically typ ed programming language

the instances of a type or abstract data type . The set of

such as Lisp or Snob ol, a value must b e authen-

related pro cedures is called a module or cluster in the

ticated as b eing of the correct typ e for an op erator

context of programming languages, or a protectedsub-

receiving it as an op erand.

system or server in classical op erating systems parlance.

The solution to the safe invo cation example of Sec-

For example, consider a central accounting oce that

tion 2.2 involves a test for the authenticityofa

issues account ob jects to clients. Clients may create new

putatively safe or trustworthy ob ject (Bart's pro-

accounts using a new-account pro cedure and transfer

gram).

money b etween accounts using a transfer pro cedure.

The integrity of accounts is of great imp ortance to the

Authentication is necessary for reliable transmission

accounting oce; it would b e unfortunate if a clientcre-

of an ob ject using an untrusted messenger (or channel).

ated a counterfeit account and then transferred money

To authenticate an ob ject transmitted from a sender to

from it intoavalid account. Therefore, transfer needs

receiver, the sender must lab el or package the ob ject so

to authenticate the accounts it's asked to manipulate as

that it can b e recognized (authenticated) by the receiver,

genuine | that is, created by new-account.

and this lab eling or packaging must b e done in an un-

From the clients' p oint of view, accounts are ob jects forgeable and tamp er-pro of manner. I'll use the word

that clients may manipulate a certain set of op erators. capsule for an ob ject so lab eled or packaged. A physical 8

Memory management: How can the kernel know From the accounting oce's p oint of view, accounts are

whether it is safe to delete an ob ject? Straight- capsules transmitted from new-account to transfer via

forward garbage collection techniques don't work an untrusted network of interacting clients.

b ecause the central table holds links to all of the

2.3.2 Key-based Authentication

typ e's instances, and the garbage collector is ig-

norant of the asso ciation b etween the key and the Section 2.2.6's solution to the safe invo cation prob-

ob ject. lem relies on the exchange of ob ject names. Bart tells

Lisa the name of his ob ject in the trusted rep ository

Semantic obscurity: It would b e unfortunate if cre-

(safe-sort), and Lisa obtains from the rep ository (1)

ating an ob ject of an abstract data typ e were nec-

the fact that the ob ject is authentically safe (i.e. placed

essarily a side e ect, as it would b e if a key had to

there by Ned), and (2) the ob ject itself, which Lisa can

b e generated. The side e ect defeats optimizations

then use.

such as subgraph sharing.

If Bart wishes to keep his ob ject a secret b etween him

A direct approach, not involving a keyed table, re-

and Lisa, he maygive it a secret key in the form of an

quires kernel supp ort. The following argumentshows

unguessable name, i.e. a password, and transmit that

that in the W7 kernel without abstract data typ e sup-

name to Lisa. Passwords can b e made long enough and

p ort, a recipient can b e fo oled no matter what packaging

random enough to make the probability of unauthorized

metho d is used.

discovery arbitrarily small. (Of course, this assumes that

there is no wayforuntrusted agents to obtain a list of

Consider a candidate encapsulation and au-

all names de ned in the rep ository.)

thentication technique. Without loss of gen-

Instead of passwords, it is p ossible to use cells (Sec-

erality,we can assume that capsules are pro-

tion 2.2.2) as keys, as suggested by Morris [18]. Like

cedures. In order to authenticate a capsule,

passwords, cells are ob jects with unique, recognizable

the recipient has no choice but to apply it to

identities. Unlikepasswords, they have all the security

some argument sequence, since there is noth-

advantages of ob jects: access to them can only b e trans-

ing else that can b e done with a pro cedure.

ferred through kernel-supp orted op erations.

This application can appropriately b e called a

There is no need to use a single rep ository,suchas

\challenge," since examining its result distin-

Marge's, to store all ob jects that might need to b e au-

guishes authentic capsules from nonauthentic

thenticated. Each separate abstract data typ e can have

ones. If the challenge is correctly met, then

its own mapping from keys to ob jects.

an additional application of the capsule (or

Figure 4 gives an implementation of a general authen-

of some related ob ject returned by the chal-

tication facility (essentially the same as that describ ed

lenge) will then either return or p erform some

by Morris [18]). Eachcalltonew-seal returns a new

op eration on the underlying ob ject.

triple of ob jects hseal, unseal, sealed? i. Eachsuch triple

But given an authentic capsule, an untrusted

represents a new abstract data typ e. seal encloses an

messenger may easily make a counterfeit, as

ob ject in a capsule that can b e authenticated; unseal is

follows: the counterfeit answers challenges by

an extraction op erator that reveals the encapsulated ob-

consulting the authentic capsule and return-

ject i the capsule is authentic (i.e. was made by this

ing what it returns, and handles other appli-

seal ); and sealed? is a predicate that returns true i the

cations in anywayitlikes.

capsule is authentic.

This argument do esn't even consider the problem that

It is assumed that assq (asso ciation list lo okup) can

the challenge might diverge, signal an error, or cause

determine cell identity. Cells (other than the one hold-

troublesome side e ects. The annoyance of handling

ing the asso ciation list) are used only for their identities,

these situations (see section 4.3.1) would argue against

not for holding references to ob jects. As an example,

using pro cedures, even were there a waytodoso.

the program of Figure 5 is an implementation of the

accounting system describ ed ab ove. It's very imp ortant Kernel supp ort can b e provided in W7 byadding

not to publish account-cell, since doing so would allow new-seal as a new primitive op erator:

clients of the accounting system to set account balances

E ::= (new-seal)

to arbitrary values.

Capsules are a new kind of ob ject that can b e imple-

2.3.3 The Case for Kernel Supp ort

mented eciently. A capsule can b e represented as a

As seen ab ove, existing kernel mechanisms (cells, pro-

record with two elds, one containing the unique seal,

cedures) can b e used to implement authentication. How-

and the other holding the encapsulated ob ject.

ever, I would liketoargueinfavor of a direct authen-

tication mechanism implemented in the W7 kernel. An

It is an inelegant asp ect of this design that there are

argumentinfavor of this is required due to the stated

two distinct encapsulation mechanisms (pro cedures and cap-

sules). There are various ways to remedy this; for example,

goal of keeping the kernel as simple as p ossible.

instead of intro ducing capsules as a separate kind of ob ject,

Akey-based authentication mechanism has several

lambda and application could b e extended to take unique

practical problems.

markers, with the requirement that a pro cedure's marker

Performance: It's inecienttohave to search the

must match the marker sp eci ed in an application of the

pro cedure: central table on every use of an instance. 9

(define (new-seal)

(let ((instances (new-cell)))

(cell-set! instances '())

(let ((seal

(lambda (rep)

(let ((abs (new-cell)))

(cell-set! instances

(cons (cons abs rep)

(cell-ref instances)))

abs)))

(unseal

(lambda (abs)

(let ((probe (assq abs (cell-ref instances))))

(if probe

(cdr probe)

(error "invalid argument" abs)))))

(sealed?

(lambda (x)

(if (assq x (cell-ref instances))

#f))))

(list seal unseal sealed?))))

Figure 4: Implementation of seals.

(define account-operators (new-seal))

(define make-account (car account-operators))

(define account-cell (cadr account-operators))

(define account? (caddr account-operators))

(define new-account

(lambda ()

(make-account (new-cell 0))))

(define transfer

(lambda (amount from to)

(let ((from-cell (account-cell from))

(to-cell (account-cell to)))

(if (>= (cell-ref from-cell) amount)

(begin (cell-set! from-cell

(- (cell-ref from-cell) amount))

(cell-set! to-cell

(+ (cell-ref to-cell) amount)))

(error (error "insufficient funds"))))))

(publish! 'new-account new-account)

(publish! 'transfer transfer)

Figure 5: Accounting mo dule. 10 Segment 1 Object 1 (code) (string)

Domain A Environment A Segment 2 Object 2 (data) (list)

Handle F Segment 3 Procedure F Object 3 PC 4e78 (shared) (lambda (x) ...) (list)

Handle G Domain B Procedure G Environment B PC 55f4 (lambda (z w) ...) Segment 4 Object 4 (code) (table)

Network Segment 5 Network Object 5

(data) (vector)

Figure 6: In an op erating system, accessibilityofre- Figure 7: In a -calculus interpreter, accessibilityofre-

sources is controlled bykernel data structures called pro- sources is controlled byinterpreter data structures called

tection domains (or simply domains). A domain includes environments. An environmentcontains references to

a segment table or page table that sp eci es which mem- data structures, such as lists, that are directly accessible

ory segments are directly accessible by a program run- to a program running in that environment. An environ-

ning in that domain. A domain also sp eci es availability ment also sp eci es availability of other resources, such

of other resources, such as I/O devices (here represented as I/O devices (here represented by a network) and pro-

bya network) and pro cedures residing in other domains. cedures connected to other environments.

(References to such pro cedures are called remote proce-

dure hand les or inter-process communication hand les in

the literature.)

The program refers to ob jects using short names

(numb ers). For example, a load or store machine in-

struction uses a memory address to access a memory seg-

2.4 Protection Domains

ment ob ject, while a system call instruction requesting

that information b e read from a le uses a le descriptor

This section attempts to explain the corresp ondence b e-

numb er to sp ecify the le.

tween W7 and more conventional op erating system ker-

The domain determines how these names are to b e in-

nels.

terpreted. The domain contains a segment table or page

In a typical secure op erating system, the ob jects that

table for use by the hardware in interpreting memory

are immediately accessible to a running program con-

addresses, and tables of descriptors and handles for use

stitute its protection domain (or simply domain ). These

by system call handlers in interpreting I/O and cross-

ob jects are of various sorts, including the following (there

domain pro cedure call requests.

may b e others):

Just as a domain maps a name (address or descrip-

1. Mapp ed memory segments. These contain b oth

tor numb er) to an accessible ob ject (memory segmentor

programs and the data stuctures that programs di-

descriptor), an environmentinW7mapsaname(iden-

rectly manipulate.

ti er) to its denotation (value or ob ject). The various

ob ject typ es are parallel in the two frameworks as well

2. Descriptors for hardware devices and les. Descrip-

(see Figures 6 and 7):

tors control access to devices and the le system,

and may include information such as bu ers or p o-

1. Mapp ed memory segments corresp ond to lists and

sition markers.

cells. (Full Scheme also has vector and string data

3. In some op erating systems, references to pro ce-

typ es, which are b etter approximations to memory

dures residing in other domains (variously called

segments than are lists and cells. A more com-

gateways, inter-process communication hand les, or

plete version W7 might supp ort memory segments

remote procedure hand les ); I will write simply han-

directly.)

d le. A handle consists of a domain together with

2. Device and le descriptors corresp ond to W7 de-

an address within that domain sp ecifying the pro-

vices.

cedure's entry p oint.

3. Handles corresp ond to W7 pro cedures. Just as a

(lambda marker (var ...) body )

handle is a domain coupled with an entry p oint,

(applicate marker procedurearg ...)

a pro cedure is an environment coupled with exe-

cutable co de. Anumb er of other uni cations have b een prop osed [22, 1, 25]. 11

An agent could defeat securityby constructing and 3 Implementation Exp erience

executing co de streams containing privileged in-

Avariant of the W7 kernel forms the basis of a complete

structions. For example, the closure-env instruc-

Scheme implementation called Scheme 48. This section

tion allows unrestricted access to all the successors

describ es Scheme 48, analyzes it from a security stand-

of an arbitrary pro cedure.

p oint, and discusses exp erience with its use in various

An agent could execute an ob ject access instruction

applications in which security is imp ortant.

with an index sp ecifying a lo cation b eyond the end

The implementation of Scheme 48 consists of two

of the ob ject b eing accessed. This mightfetcha

parts: a virtual machine that manages memory and ex-

reference to an ob ject that shouldn't b e seen. (For

ecutes a byte-co de instruction set, and a set of mo dules

p erformance reasons, some instructions p erform no

that are executed by the virtual machine. Virtual ma-

b ounds checking. They rely on the byte-co de com-

chine co de could in principle b e replaced by real ma-

piler to ensure that indexes are valid.)

chine co de, but this would require a signi cant compiler

construction e ort, and that is b eyond the scop e of the

Abstract data typ es (Section 2.3.2) are used heavily

pro ject at this time. The virtual machine approach has

in the Scheme 48 run-time system. They are provided

the virtues of robustness, small size, and ease of p orta-

in the form of a record facility, which is more convenient

bility.

and ecient than the theoretically equivalent but more

(A thorough discussion of Scheme 48 as a Scheme sys-

elegant new-seal would b e. In the common case where

tem can b e found elsewhere [13].)

a capsule is a tuple (that is, has several elds), only a

single ob ject (a record) is created for b oth the tuple and

3.1 Scheme 48 Security Kernel

the capsule. Not only is less memory consumed, but eld

Scheme 48's securitykernel is implemented in part by the

references require only one indirection instead of two.

virtual machine and in part by a set of run-time system

The features of Scheme 48's securitykernel b eyond

mo dules de ned using privileged instructions supplied

what W7 de nes are the following:

by the virtual machine. The VM comp onent includes

The basic features of standard Scheme [12]: char-

instructions suchascar, which is secure b ecause the VM

acters, vectors, the full suite of numeric op erators,

raises an exception if it is applied to anything other than

strings, string/symbol conversion. None of these

a pair, and application, which raises an exception when

has security implications; they b elong to the kernel

given a non-pro cedure. The run-time mo dules include

for the sake of eciency.

the exception system and the byte-co de compiler. Both

of these exp ort interfaces whose use is unrestricted, but

Exception handling. It is imp ortant for the agent

they are de ned in terms of lower-level op erations that

initiating a computation to b e able to gain con-

are restricted.

trol when the computation leads to an exceptional

Typ e safety for instructions suchascar and pro cedure

eventsuch as division by zero. A sp ecial construct

application rely on an assiduously followed tagging dis-

allows all exceptions or exceptions of certain typ es

cipline. All values, b oth immediate values suchassmall

to b e intercepted.

integers and access links to ob jects stored in memory,are

Fluid variables. Every application implicitly passes

represented as descriptors. A descriptor has a tag that

an environment that maps unique tokens (called

distinguishes immediate values from links. Arithmetic

uid variables ) to cells. A sp ecial construct ex-

op erations require immediate-tagged op erands and af-

tends the environment with a new binding. The in-

x immediate tags to results. The non-tag p ortion of a

teresting asp ect from a security p ersp ectiveisthat

descriptor for a link holds the hardware address of the

if the uid variable (unique token) is protected,

stored ob ject. A stored ob ject is represented as a con-

then bindings of the uid variable will b e protected. tiguous series of memory lo cations. The rst memory

Thus if X calls Y calls Z , then it can b e the case

lo cation holds a header sp ecifying the ob ject's size and

that Z can access uid bindings established by X ,

typ e (pro cedure, capsule, cell, etc.), while subsequent lo-

cations hold descriptors (which include the links to the while Y can't. This contrasts with a similar facility

in Unix (pro cess environments), which has no such

ob ject's successors in the accessibility network).

protection.

The tagging discipline guarantees that ob ject ad-

dresses are never seen by the programmer. Not only do es

Multiple threads of control. A new thread of con-

this promote security, italsogives the memory manager

trol may b e started with (spawn thunk ).Synchro-

freedom to move ob jects from one place to another, guar-

nization mechanisms include lo cks and condition

anteeing that such relo cations will not a ect any running

variables. Each thread has its own separate excep-

computations.

tion context and uid environment. (Threads are

The securitykernel do es not provide direct access to

not really secure; see Section 4.3.1.)

the byte-co de interpreter. Instead, new programs must

Immutability. This feature is somewhat of a b e given as Scheme programs that are byte-compiled

frill, but useful. Apair,vector, or string can by eval. The compiler translates the program to a

b e made read-only, as if it had b een created by byte-co de instruction stream, and then uses a privileged

(quote ...).Immutable ob jects may b e passed make-closure instruction to make a pro cedure. Use of

to untrusted pro cedures without worry that they the make-closure instruction is restricted for two rea-

might b e altered, since an attempted mutation sons: 12

useful to know whether a pro cedure has access to any (set-car!, vector-set!, etc.) will raise an ex-

resource that could b e used as a communication channel ception.

to the outside world. If it were p ossible to traverse the

Variables and pairs are mutable, as in Scheme.

access graph starting from the pro cedure, it would b e

p ossible to determine the answer to this question. How-

3.2 Mo dule System

ever, such a traversal cannot b e done outside the security

Scheme 48 provides op erators for constructing and

kernel.

querying environments. Environmentcontrolisasim-

In Scheme 48, information necessary to p erform cer-

p ortant for determining what is in an environmentas

tain safetychecks is contained in the network of struc-

it is for advertising what is not in an environment.

tures and packages. This network can b e considered a

Roughly sp eaking, an environment that excludes dan-

quotient (summary) of the true access network. A pro ce-

gerous things can't b e dangerous.

dure is considered safe when the structure that exp orts

The environments that are manipulated as ob jects

it is safe; a structure is safe if its underlying package

and passed to the compiler are called top-level environ-

is safe; and a package is safe if every structure that it

ments or packages. Packages have b oth static and dy-

op ens is safe. This de nition of \safe" is recursive, so

namic comp onents. The static comp onent de nes infor-

it can b e made relative to a basis set of structures that

mation imp ortant for compilation: syntactic keywords,

are assumed safe. Following is a crude implementation

typ e information, and early binding information suchas

of such a safety predicate:

de nitions of in-line pro cedures. The dynamic comp o-

nent of a package determines howvariables obtain their

(define (safe? struct assumed-safe)

values at run time.

(cond ((memq struct assumed-safe) #t)

Bindings movebetween packages via another kind of

((structure? struct)

environment-like ob ject called a structure . A structure is

(every (lambda (o)

a particular package's implementation of a particular in-

(safe? o assumed-safe))

terface ; and an interface is a set of names, with optional

(package-opens

typ es attached:

(structure-package struct))))

(else #f)))

(make-simple-interface names )

! interface

This isn't a precise test, but it has the virtue of b eing

(make-structure package interface )

simple and intuitive. Rather than rely on sophisticated

! structure

techniques suchastyp es, e ects, veri cation, or other

kinds of co de analysis, it only involves visibilityofval-

Dually,a package receives bindings from other packages

ues.

via their structures:

The usual Scheme 48 run-time system provides a num-

(make-package structures ) ! package

b er of structures, some of whichmay b e considered safe

Borrowing terminology from Standard ML, I'll say that

for the purp ose of guaranteeing the absence of com-

a package opens the structures from whichitreceives

munication channels. The structure implementing the

bindings.

standard Scheme dialect is not one of these b ecause it

Here is a simple example. Assume that scheme is

is so easy to use it to create suchchannels. A di er-

de ned to b e a structure holding useful bindings suchas

ent safe-scheme structure is de ned that eliminates the

define, lambda, and so forth.

p ossibility of suchchannels, as describ ed following:

One source of channels is assignments to top-level

(define repository-package

variables. For example:

(make-package (list scheme)))

(eval '(begin

(define *last-sorted-list* #f)

(define *repository* ...)

(define (sort l)

(define lookup ...)

(set! *last-sorted-list* l)

(define publish! ...))

(really-sort l))

repository-package)

We cannot get rid of top-level de nitions, so to prevent

(define repository-interface

this, set! must b e disallowed on top-level variables (ex-

'(lookup publish!))

cept p ossibly during initialization). The currentsolu-

(define repository

tion is to exclude set! entirely from safe-scheme, since

(make-structure repository-package

otherwise the compiler would have to b e mo di ed, and

repository-interface))

pro ject time constraints didn't allow this.

...

Mutations to data structures reachable from top-level

(define repository-client

variables also must b e prohibited, but now instead of

(make-package (list scheme repository)))

excluding mutations entirely (as suggested in Section

(I describ e the Scheme 48 mo dule system in more de-

2.2.6), we exclude top-level variables that hold muta-

tail elsewhere [19].)

ble data structures. Thisisdoneby excluding nor-

mal Scheme define and replacing it with a variantthat

3.2.1 Checking Structures for Safety

makes the right assurances:

As seen in Section 2.2.6, it is useful to b e able to de-

(define (var var ...) body ) is allowed. termine whether a pro cedure is safe. In particular, it is 13

The Scheme 48 virtual machine running on the rob ot (define var exp ) is allowed i exp evaluates to a

communicates with a developmentenvironment running veri ably immutable ob ject.

in either Scheme 48 or Common Lisp on a worksta-

Veri ably immutable ob jects include scalars suchas

tion. The byte-co de compiler runs on the workstation

numb ers and characters, immutable strings, and im-

and sends byte co des to b e executed on the rob ot. This

mutable pairs, vectors, and capsules that haveveri -

\teledebugging" link ooads to the workstation all de-

ably immutable comp onents. Note that the category

bugging and programming environment supp ort, includ-

do esn't include pro cedures, since pro cedures can easily

ing the byte-co de compiler. This division of lab or frees

hide channels.

up precious memory on the rob ot. The tether, which

Of course, safe-scheme also excludes all op era-

can b e a physical encumbrance, can b e detached with-

tions that access the le system. It includes I/O

out a ecting the virtual machine, and reattached at any

routines that take explicit p ort arguments (suchas

time for debugging or downloading.

(display xport )) but excludes their implicit-p ort vari-

(A more detailed description of the mobile rob ot sys-

ants ((display x )).

tem can b e found elsewhere [23].)

3.2.2 Static Privileges

3.3.2 Multi-User System

The fact that static bindings of syntactic keywords,

The Scheme 48 developmentenvironment can b e con-

macros, and primitive op erators are all determined rel-

gured to b e accessed over the Internet bymultiple users,

ative to a package means that any suchentitymaybe

with each user given a separate initial evaluation en-

considered a privilege to b e granted or not. For exam-

vironment and thread of control. This con guration,

ple, a particular agent (user or subsystem) mightbede-

develop ed byFranklyn Turbak and Dan Winship and

nied access to all op erators that have side e ects just

called Museme, is a multi-user simulation environment

by excluding those op erators from environments avail-

(MUSE) similar to Lamb daMOO [8].

able to the agent. Scoping of all syntactic and static

entities e ectively allows an equation b etween languages

3.3.3 WWW Evaluation Server

and mo dules, with the derivative ideas of safe languages

Scheme 48 can b e con gured to b e run byaWorld-

and mo dules that are safe b ecause they are written in

Wide Web server (httpd) in resp onse to an appropriate

safe languages.

request arriving over the Internet. This service aims to

Macros are secure in a precise sense: names that a

promote Scheme by giving the general network public a

macro intro duces into expanded program text are re-

chance to exp eriment with it easily. A request contains

solved in the environment of the macro's de nition, not

aScheme program and a Scheme expression, whichex-

in the environment of its use. For example, a package

ecute on the server. The server replies with the printed

might de ne letrec in terms of set! and then exp ort

representation of the result of evaluating the expression.

letrec without exp orting set!. The structure with

The environment in which the programs and expressions

letrec and its clients can b e considered applicative (or

run has b een explicitly reduced from the default envi-

safe) even though the pro cess of compiling it involves

ronment in order to limit the capabilities of programs,

source to source rewrites containing imp erative op era-

which, b ecause they come from anyone on the Internet,

tors.

shouldn't b e trusted.

(Further explanation of the problem of lexically

scop ed macros and the algorithm used byScheme 48

3.4 Security in Standard Scheme

to implement them can b e found elsewhere [6].)

Scheme 48 implements the Scheme standard [12]. In

order to maintain security,however, users are given dif-

3.3 Deployed Con gurations

ferent instantiations of some of the built-in pro cedures,

The Scheme 48 con gurations describ ed here are the

much as a conventional time-sharing system would pro-

more interesting ones with resp ect to protection prob-

vides users with di erent address spaces. If shared b e-

lems. Other con gurations include the single-user devel-

tween agents, the following pro cedures would sp ell trou-

opmentenvironment(by far the most evolved), a mul-

ble for safe co op eration:

tipro cessor version written at MIT by Bob Brown, and

a distributed version develop ed by Richard Kelsey and Any built-in pro cedure that op ens a le, suchas

others at NEC. open-output-file. A buggy or malevolentpro-

gram could overwrite imp ortant les or read sensi-

3.3.1 Mobile Rob ot System

tive information from les.

Scheme 48 is the op erating system running on four

Anything that binds or accesses the currentinput

mobile rob ots at the Cornell Computer Science Rob otics

and output p orts, suchasdisplay with no explicit

and Vision Lab (CSRVL). The main on-b oard computer

p ort argument. Use of such pro cedures would al-

system is a 16 MHz MC68000 with 500K RAM and 250K

low \sp o o ng" | misleading output that could b e

EPROM.

mistaken for valid messages coming from legitimate

User co de is isolated from op erating system internals

source such as an error handler or command pro-

byScheme's typ e and b ounds checking; this means that

cessor.

there's nothing that a user program can do to harm the

rob ot. This is imp ortant b ecause the rob ots are pro- load,which not only accesses the le system, but

grammed by undergraduates taking the rob otics course, also reads and writes a \current" interaction envi-

many of whom are relatively novice programmers. ronment. 14

Multi-agentScheme 48 systems need to ensure non- 3. Certify that the program has passed a reliable

con icting use of the external le system (assuming there safetytest.

is an external le system). Eachagenthasherown in-

4. Lab el or \seal" ob jects so that they can b e authen-

stantiations of le-op ening pro cedures; the private ver-

ticated later.

sions implement le system access sp eci c to that agent.

None of these ideas is particularly new. Some can

Because le op ening pro cedures have access to an

b e derived from Saltzer and Schro eder's 1975 pap er on

agent's les, a utility that op ens les must b e given

protection in computer systems [26], whichlays down

not le names, but rather access to the les in the

desiderata for secure systems. (1) is their principle of

form of pro cedures, p orts, or some appropriate data ab-

economy of mechanism, (2) is the principle of least priv-

straction. This transition from name-oriented to value-

ilege, and (4) is the principle of separation of privilege.

oriented protection is exactly what is necessary in order

Rather, the main noveltyinthepresentwork is the

to implement the principle of least privilege [26], whichis

demonstration that a spare securitykernel, derived from

also b ehind the analogous shift from Lisp 1.5's dynamic

rst principles and spanning the op erating system / pro-

scoping to Scheme's lexical scoping.

gramming language gulf, can b e simultaneously secure

As with les, one agent's current-output-port pro-

and practical.

cedure is not allowed to access an output p ort that mat-

ters to another agent. Each agent has his own version

4.1 Previous Work

of current-output-port, display, write-char, read,

4.1.1 Actors

etc.

The connection b etween lamb da-calculus and message

The call-with-current-continuation pro cedure

passing or \actor" semantics is well known [29]. Applica-

raises a fundamental question: is the abilitytoinvoke

tion in lamb da-calculus corresp onds to message passing

one's continuation multiple times a privilege that should

in actor systems, with argument sequences playing the

be available to all agents? The answer isn't obvious; see

role of messages.

Section 4.3.2.

The actor languages [2]andScheme were b oth devel-

The following features accepted by the Scheme rep ort

op ed as programming language frameworks, with little

authors for inclusion in a Revised rep ort [20] are also

explicit attention to security concerns or co op eration b e-

troubling:

tween mutually suspicious agents. Security is of course

(interaction-environment). Given eval, this

implicit in the fact that an actor (pro cedure) can only b e

has the same problem as load.

sent a message, not insp ected, and that on a transfer of

control only the argument sequence is transmitted, not

dynamic-wind. This op erator is supp osed to es-

any other part of the caller's environment.

tablish a dynamic context suchthatallentries into

There is no provision for authentication (actor recog-

and exits from the context are guarded by sp eci ed

nition or abstract data typ es) either in the actor lan-

actions. A mischievous program could initiate long-

guages or in Scheme.

running or continuation-invoking computations in

an unwind action, and/or set up an arbitrarily large

4.1.2 MUSEs

numberofnested dynamic-winds, p erhaps defeat-

A\multi-user simulation environment" (MUSE, also

ing time-sharing or mechanisms established for re-

MUD (multi-user dungeon) or MOO (MUD ob ject-

gaining control after an error or ab ort request.

oriented)) simulates a world with a numb er of places

(ro oms) and inhabited by users (players or characters).

A MUSE typically runs on a network and accepts con-

4 Conclusion

nections from many users at once. Users move from place

The basic premise of this work is that program exchange

to place, communicate with each other, and manipulate

and interaction are p owerful mo des of co op eration, and

simulated physical ob jects. Because ob jects mayhave

should b e encouraged by a computational infrastructure

value to users and users and their programs may attempt

that makes them as risk-free as p ossible. Program ex-

actions that can harm ob jects, and b ecause of their gen-

change and interaction are b ecoming easier and more

erally op en do or p olicy, security is an imp ortant issue in

common, thanks to advances in hardware infrastructure

MUSE design and administration.

(increasing numb ers of computers and growing network

Programming languages for MUSEs (in particular,

connectivity), but they are hindered b ecause most com-

that for Lamb daMOO [8]) have the feature that a caller's

puter systems provide little protection against the dan-

privileges aren't implicitly passed on to a called pro-

ger that might b e in icted by unknown programs.

gram. This is certainly an improvementover the b e-

The techniques prop osed here to attain safety are:

havior of mainstream op erating systems, whichgiveall

of the caller's privileges to the callee. The correct b ehav-

1. Employ a securitykernel with a simple but p ower-

ior is dictated by the demands of the environment: users

ful semantics that allows ne-grained control over

encounter strange ob jects and do things to them; this

privileges.

causes invo cation of programs b elonging to the ob jects

(or rather their creators). 2. Grantaninvoked program only the privileges it

MUSEs are generally based on ad ho c programming needs to do its job. Rights to secondary storage

languages with many p eculiar features that lead to secu- and I/O devices shouldn't b e implicitly inherited

rity problems [3], in exibility, or b oth. An overall lack from the invoking agents' privilege set. 15

descriptors). An open system call co erces a p ersistent of security in MUSEs is b etrayed by the fact that it is a

ob ject to a volatile one. Persistent ob jects have global sp ecial privilege to b e a \programmer." New memb ers

names, while volatile ob jects have short numeric indexes of a MUSE must convince an administrator that they are

that are interpreted lo cally to a running program. This worthy b efore they are allowed to write new programs.

\scoping" makes them resemble a pro cedure's successor

4.1.3 Oo oz

links. Volatile ob jects can b e passed from one program

Strandh's Oo oz system [30] resembles Scheme 48 in

(pro cess) to another that it invokes, but not in any other

aspiring to b e a simple, multi-user, Scheme-based pro-

way.

gramming environment and op erating system. The sim-

Many op erating system designs supp ort secure pro-

ilarity ends there. Oo oz extends Scheme with a hier-

gram invo cation in ways similar to what I describ e, but

archical, globally accessible namespace and an ob ject-

these designs aren't deployed.

oriented programming framework. The global names-

It is remarkable that wegetby without secure co op er-

pace is analogous to a conventional le system, with ac-

ation. We do so only b ecause p eople who use programs

cess controlled by access control lists attached to ob jects.

place such a high level of trust in the p eople who write

There is no obvious way in Oo oz to implement abstract

those programs. The basic reason for this high level of

data typ es or authentication.

trust is that computer systems are isolated from one an-

other. Without communication, there can b e no theft,

4.2 Discussion

since stolen go o ds must b e communicated backtothe

4.2.1 Schro eder's Thesis

thief. Any harm that arises is either vandalism or acci-

dent. Vandalism (e.g. the current epidemic of computer

Schro eder studied the problem of co op eration b etween

viruses) sophisticated enough to b e untraceable is di-

mutually suspicious principals in his 1972 dissertation

cult to carry o and has little payo for the p erp etrator,

[27]. He describ es an extension to the Multics op erating

while really harmful accidents (as when a commercial

system in which caller and callee in a cross-domain call

software pro duct accidentally erases a disk) are merci-

may protect resources from one another.

fully rare.

He was aware of the problem of protecting parame-

ters from unauthorized transmission, but had nothing in

4.3 Future Work

particular to say ab out it:

This section p oints out various shortcomings of W7 and

In some cases it may b e desirable to guaran-

Scheme 48, and attempts to suggest ways of xing them.

tee that a protected subsystem invoked byan-

One of the dreams driving this workistoextendScheme

other cannot rememb er and later divulge the

48 to cover all op erating system services, including de-

values of input parameters. This problem ap-

vice drivers. At that p ointitshouldbepossibletodis-

pearstobevery dicult to solve in a purely

p ense with the host op erating system and run Scheme

technical way and will not b e considered in

48 stand-alone on a workstation, as it do es on the mobile

this thesis. ([27], page 16)

rob ots.

4.2.2 Op erating System Security

4.3.1 Preemption

Status quo op erating systems (VMS, Unix, DOS Win-

A means to preempt a running pro cess is necessary

dows, etc.) don't e ectively address safe invo cation prob-

in any op erating system. An agent, in invoking an un-

lems. When a program is invoked, it inherits all of the

known ob ject, runs the risk that the invo cation will b e

privileges of the invoker. The assumption is that every

nonterminating; therefore the agentmust have some way

program that a user runs is absolutely trustworthy.

to request that the invo cation b e halted on some condi-

Safe invo cation could b e implemented in some ver-

tion, such as receipt of sp ecial input from outside the

sions of Unix, but it would require some heavy machin-

pro cessor (an ab ort key or button) or the passage of a

ery. One waywould b e to have a privileged program that

predetermined amount of time.

invokes a given program with the privileges of a sp ecially

Preemption is also desirable in that it is necessary

unprivileged user. Such a program is not standard and

and, together with supp ort for rst-class continuations

cannot b e created by an ordinary user. A di erent imple-

or coroutines, sucient for constructing a scheduler that

mentation would b e to have a network server dedicated

simulates multiple hardware pro cessing elements in soft-

to the purp ose, but the result would b e strangely limited

ware. One particularly elegant design for a timed pre-

and awkward to use ( le descriptors couldn't b e passed,

emption facility is a mechanism known as engines ,of

interrupts might act strangely, etc.).

whichDybvig and Hieb have published a general imple-

Unix do es have a facility whereby a program's owner

mentation [11, 9]. Engines abstract over timed preemp-

can mark the program in suchaway that when the

tion by providing a way to run a computation for a sp ec-

program is invoked, it runs with the program's owner's

i ed amount of time. They are sucient to construct a

privileges instead of with the invoker's (except for argu-

user-mo de task scheduler.

ments). This sounds very similar to safe invo cation of

Dybvig and Hieb's engine implementation has two

pro cedures, until one reads the ne print, whichpoints

problems for a system in which caller and callee are mu-

out that such a program can obtain all of the invoker's

tually suspicious:

privileges simply bydoinga setuid system call.

1. Resp onse time is sensitive to engine nesting depth; Most common op erating systems distinguish p ersis-

thus a malevolent callee could pile up a very deeply tent ob jects ( les) from volatile ob jects (in Unix, le 16

nested sequence of engines, making resp onse to an jump to them. Any ob ject that uses memory in the

outer engine (which should have priority) arbitrar- machine program's address space, or that is accessible

ily sluggish. via any sequence of machine instructions, is at risk.

There are several approaches to eliminating the risks

2. No design is given sp ecifying how engines should

asso ciated with machine programs:

interact with waits and interrupts asso ciated with

Limitation: switch into a limited hardware-

concurrent activities (suchasI/O).

provided \user mo de" when invoking the machine

If these problems can b e solved, and I b elieve they can,

program. This is the approachusedbymostoper-

then engines should servewell as part of W7.

ating systems. In user mo de, memory not b elong-

(Scheme 48 supp orts a multitasking scheduler via a

ing to the program is protected from access, and

threads system, but threads are inferior to engines in

no hardware I/O is p ermitted. Some instructions,

several ways. Threads are less secure than engines, since

such as those that alter memory protection regis-

one's share of the pro cessor is prop ortional to howmany

ters, are disabled. A protected environmentisthus

threads you have; if you wanttotakeover a pro cessor,

established, and all instructions are either p ermit-

you need only create lots of threads. Scheme 48's threads

ted or actively prohibited.

give no reliable way to monitor the execution time of a

Veri cation: a trusted program scans the machine

sup ervised untrusted computation, since the computa-

program to make sure that it do esn't do anything

tion can spawn new threads. And there is no wayto

that it shouldn't. Unveri ed programs are rejected.

limit or even monitor the amount of pro cessor time allo-

cated to a thread, since the threads system do esn't keep

Sandb oxing: similar to veri cation, except that ex-

track of pro cessor time used p er thread.)

tra co de is inserted around all troublesome instruc-

tions to dynamically ensure that securitypolicyis

4.3.2 Continuations

resp ected [33]. Some programs may still b e re-

First-class continuations are troublesome when caller

jected, but fewer are than would b e with veri ca-

and callee are mutually untrusting. With Scheme's

tion.

call-with-current-continuation op erator, the callee

Trusted compilation: a program generated bya

can obtain the continuation and invokeittwice. An un-

compiler may resp ect security p olicy by construc-

wary caller who has continuation co de that p erforms a

tion; if we trust the compiler, we will trust its out-

side e ect is then vulnerable to having the side e ect

put.

happ en twice, whichmay b e unexp ected and undesired.

The typ e and array b ounds safetyofmany compilers,

Must all co de that invokes untrusted ob jects b e prepared

suchasmanyScheme and Pascal compilers, are su-

for this p ossibility? To deal with the contingency re-

cient to guarantee that the kernel's security p olicy is

quires co de similar to the following:

resp ected. Such compilers may b e used without change.

(let ((returned? (new-cell)))

Limitation may b e the only option if one has little in-

(cell-set! returned? #f)

uence over the compiler and program b eing compiled.

(let ((result (untrusted arg ...)))

For example, most C programs use p ointers in ways that

(if (cell-ref returned?)

are dicult to guarantee safe byveri cation or sand-

(error "I didn't expect this")

boxing, and few C compilers generate ob ject co de that

(begin (cell-set! returned? #t)

checks validity of p ointers. Limitation is to b e avoided

(side-effect-to-be-done-

b ecause transfers into and out of user mo de are exp en-

only-once!)

siveinmany hardware architectures. On the other hand,

...))))

for programs that do few control transfers to other pro-

grams, use of memory protection hardware maybethe

An unwillingly retained continuation is also undesir-

most ecientway to detect invalid p ointers and array

able from a resource allo cation standp oint, since the con-

indexes (that is, to implementkernel security p olicy).

tinuation's creator might b e p enalized for tying down

An imp ortant part of the implementation of machine

resources (space) consumed by the continuation.

program supp ort is the interface b etween machine pro-

4.3.3 Machine Programs

grams and the kernel. That is, howdoesamachine

Supp orting execution of compiler-generated machine

program p erform a kernel op eration, such as creating

co de programs is imp ortant for two reasons: it would

or invoking a pro cedure, and how are the op erands |

vastly improve p erformance relativetoScheme 48's cur-

generally ob ject references | sp eci ed? This will b e an-

rentbyte-co de interpreter; and, by using existing com-

swered di erently dep ending on the extent to whichthe

pilers, Scheme 48 could b e made to run useful programs

machine program can b e trusted.

written in a variety of languages (suchasPascal and C).

When the machine program is trusted, ob ject refer-

ences can b e represented as p ointers to data structures The main diculty in supp orting machine programs

representing ob jects, and kernel op erations can b e im- is ensuring that the kernel's security p olicy is followed;

plemented either as subroutine calls (e.g. ob ject creation the machine program must not obtain access to anyre-

can b e accomplished by a call to an allo cation routine) sources that it shouldn't have access to. This could very

or as co de sequences o ccurring directly in the program easily happ en, since machine programs can construct ar-

(e.g. invo cation of a W7 pro cedure might b e compiled bitrary addresses and attempt to dereference them, or

similarly to lo cal pro cedure call). even construct arbitrary machine co de sequences and 17

When the machine program is untrusted, transfers of yond the fact that access to the le system as a whole

control outside of the program must b e generally accom- can b e limited.

plished by a trap or system call. (A few hardware ar-

Quotas. Limits should b e imp osed on the amountof

chitectures supp ort general calls across protection do-

memory agents should b e allowed to use. Without this,

mains). Ob ject references must b e amenable to valida- a malevolent or buggy program can consume all avail-

tion on use, since the program may present an arbitrary

able space, making the system unuseable. Memory lim-

bit pattern as a putative ob ject reference. The metho d

itation is more dicult than execution time limitation;

used by most op erating systems in similar circumstances the allowed space decreases as memory is allo cated, but

is to asso ciate, with each activation of an untrusted ma-

must increase as memory is reclaimed by garbage col-

chine program, a table mapping small integer indexes to

lection. With each ob ject, then, must b e asso ciated an

ob jects. (In Unix, the indexes are known as \ le de- \account" to b e credited when the ob ject is reclaimed.

scriptors.") The program presents an index, which the

This could b e done either by putting an extra eld in

kernel interprets as sp ecifying the ob ject at that p osition each ob ject indicating the account, or by maintaining

in the table. Validation consists of a simple range check distinct regions of memory for di erent accounts. The

to determine that the index is within the table.

latter is reminiscentofmulti-stage garbage collection ,

Alternatively, ob jects maybegiven unique names and could p erhaps b e uni ed with it.

(p erhaps their addresses in memory), and these names

Accountability. When something go es wrong, it's nice

can b e used byuntrusted machine programs. When the to know who is resp onsible, if not exactly howitwent

program presents a name in a kernel op eration, the ker-

wrong. But resp onsibility is dicult to assign in co op er-

nel validates the name by determining whether it o ccurs

ativeenterprises. In particular, if something go es wrong

in an ob ject table sp eci c to the program's activation when one agentinvokes another agent's program, who is

(as ab ove). This approach is similar to the \capability-

resp onsible? If a server receives a request from a client, is

based" approach to protection [15]. For the W7 kernel,

it the server or the client who is resp onsible for ensuring

there is little reason to prefer this over the small-index that the request is a reasonable and safe one?

approach, since table searches and unique name mainte-

Revocation. There is no wayinW7orScheme 48 to

nance are likely to b e complicated and inecient relative

revoke access to an ob ject. Ob jects simulating revokable

to use of indexes, which can b e determined when a pro-

links could b e de ned using cells, but it's not obvious

gram is compiled or installed.

that this would b e sucient. One would have to decide

when giving out access to an ob ject. The times when

4.3.4 Re ection

one would wanttorevoke a link might b e precisely the

Re ection is reasoning ab out self [28]. In a computing

times when one didn't anticipate that one would want

system, the concept of re ection comprehends examin-

to.

ing the internal structure of ob jects and continuations

Distribution. Anetwork of encapsulated ob jects lends

for purp oses of debugging, analysis, or optimization. Re-

itself to distribution overanetwork of computer systems.

ection interacts with securityissuesinways that to my

One ma jor comp onent of a distributed op erating system

knowledge have not b een researched, much less resolved.

that is missing from W7/Scheme 48 is a remote invoca-

For example, Scheme 48's debugger has access to sp e-

tion mechanism (classically called RPC, or remote pro ce-

cial re ective op erators that break all protection b ound-

dure call). Suchamechanism should have the following

aries; it can examine the internals of pro cedures, records,

prop erties:

and continuations. This is very useful, but unfortunately

Ob jects can b e passed as arguments and returned

the debugger is egregiously insecure, since it allows any

as results. This requires automatic creation of

user access to anyvalue transitively accessible from an

\stub" or delegate ob jects that forward calls over

accessible ob ject. It is easy enough to achieve security

the network.

in Scheme 48 by disabling the debugger, but a b etter

Calls are prop erly tail recursive: in a call from no de

solution would b e for the kernel to provide a simple, safe

AtonodeB,Bcanmake a call to no de C sp ecifying

way to examine continuations and pro cedures, so that

that the result is to b e sent to A, not B.

an unprivileged debugger could b e built. I b elieve that

this can b e done in suchawaythatauserisableto

Exceptions are distributed transparently,inthat

see what she oughttobeentitled to see, but nothing

an exception on one machine can nd the correct

else. In particular, a user should b e able to see anyof

exception handler even if it's on another machine.

the information that exists in ob ject representations, as

Alan Bawden has describ ed and implemented something

long as that information mighthavebeenavailable to

relevant in his PhD thesis [4].

her had she included extra debugging ho oks in her own

programs.

4.4 Contributions

4.3.5 Other Issues

The success of Scheme 48 shows that a spare security

kernel can provide exible and solid security without b e-

Persistence. Some supp ort is needed for keeping ob-

jects in secondary storage eciently, and there should coming dicult to use or to program.

b e some guarantees ab out which ob jects will necessarily Is W7 simpler than all other securitykernels? Much

survive crashes. Currently Scheme 48 relies on an ex- of the complexity in op erating system kernels arises from

ternal le system to store information p ersistently; this p erformance concerns that W7 has yet to address, so a

is not integrated with the internal protection system b e- rational comparison is dicult. It is dicult to see how 18

it could b e smaller, since all of the services it provides are Laura Burns, Katy Heine, Kris Jacobson, and Geo Lin-

burn, for their generosity and emotional supp ort in strange

(as is shown) necessary: program (ob ject) creation and

times.

invo cation; ob ject marking and authentication; primitive

ARPA and NSF, for grants to the pro jects that employed

access to I/O devices.

me.

There are some minimalists in the Scheme commu-

Others to o numerous to mention.

nity who b elieve that pro cedures, p erhaps together with

Finally, Oakley Ho erth, for the diverse array of mo del

some primitivedatatyp es such as symb ols and cells,

arthrop o ds: glow-in-the-dark cicada, wind-up b eetle, p op-up

serve as a basis for the construction of all other useful

and pupp et ants, cricket stickers, and many others.

programming constructs. I hop e that the discussion of

authentication and abstract data typ es (Section 2.3.3)

References

will b e seen to refute this p osition and to showtheneed

[1] Norman I. Adams IV and Jonathan A. Rees.

for a built-in authentication mechanism in minimal pro-

Ob ject-oriented programming in Scheme.

gramming languages.

Proceedings of the 1988 ACM ConferenceonLispand

The ease with whichTro jan horses and viruses may

Functional Programming, pages 277{288.

in ltrate computer systems is appalling, as is the extent

[2] Gul A. Agha.

to which users must blindly trust software provided by

Actors: A Model of Concurrent Computation in Dis-

vendors. I hop e I havecontributed a bit to the currently

tributed Systems.

unp opular cause of principled solutions to security prob-

MIT Press, Cambridge, MA, 1986.

lems suchasthese.

[3] David B. Alb ert.

I hop e the do cument helps to break down the arti-

Issues in MUSE security.

cial distinction b etween programming languages and

Manuscript (?), 1994.

op erating systems. Progress in b oth of these areas is

[4] Alan Bawden.

hindered by a failure to recognize that the concerns of

Linear Graph Reduction: Confronting the Cost of Nam-

b oth are fundamentally the same. What is needed is op-

ing.

erating systems that provide services that are useful to

PhD thesis, MIT, 1992.

languages, and languages that giveconvenientaccessto

[5] Nathaniel Borenstein and Marshall T. Rose.

op erating system services.

MIME extensions for mail-enabled applications:

application /Safe-TCL and multipart/enabl ed-mai l.

Acknowledgements

Working draft, 1993.

Internet:

This rep ort is extracted from a dissertation [21], of whichthe

ftp://ftp.fv.com/pub/code/other/safe-tcl.tar.

complete acknowledgements section is repro duced here.

[6] William Clinger and Jonathan Rees.

Joseph Weizenbaum, for generously allowing me the use

Macros that work.

of his oce during the long nal stretch.

Proceedings of the Eighteenth Annual ACM Symposium

Gerry Sussman of 4AI, Bruce Donald of Cornell, and Gre-

on Principles of Programming Languages, pages 155{

gor Kiczales of XeroxPARC, for moral and nancial supp ort,

162, January 1991.

guidance, and ideas.

Hal Ab elson and Tom Knight, for serving on my commit-

[7] William Clinger and Jonathan Rees (editors).

tee.

Revised rep ort on the algorithmic language Scheme.

Richard Kelsey, for hard work and heroic deeds that

LISP Pointers IV(3):1{55, July{Septemb er 1991.

help ed to bring Scheme 48 to life.

[8] Pavel Curtis.

Norman Adams and Will Clinger, for pro ductive collab o-

Lamb daMOO programmer's manual for Lamb daMOO

rations.

version 1.7.6.

Alan Bawden, David Espinosa, Dave Gi ord, Philip

Xerox Corp., ftp://parcftp.xerox.com/pub/MOO/

Greenspun, Ian Horswill, Kleanthes Koniaris, Dave

ProgrammersManual.txt, 1993.

McAllester, Jim O'To ole, Brian Reistad, Bill Rozas, Mark

[9] R. KentDybvig and Rob ert Hieb.

Sheldon, Olin Shivers, Franklyn Turbak, and many others at

Engines from Continuations.

Tech Square, for making life at MIT not just tolerable but

Computer Languages 14(2):109{123, 1989.

interesting and even amusing.

Russell Brown, Jim Jennings, Daniela Rus, and others at

[10] Adele Goldb erg and David Robson.

the Cornell Computer Science Rob otics and Vision Lab ora-

Smal ltalk-80: The Language and its Implementation.

tory, for their go o d humor and courageous rob otry.

Addison-Wesley, 1983.

Kathleen Akins, Mike Dixon, John Lamping, Brian Smith,

[11] Christopher P.Haynes and Daniel P.Friedman.

and others at XeroxPARC, for creating an environmentin

Engines build pro cess abstractions.

which p eculiar ideas ourish.

ConferenceRecord of the 1984 ACM Symposium on Lisp

Butler Lampson, for his dazzlingly clear explanations .

and Functional Programming, pages 18{24.

Hal Ab elson, Oakley Ho erth, Frans Kaasho ek, Tom

[12] IEEE Std 1178-1990.

Knight, Mark Sheldon, Olin Shivers, Gerry Sussman, and

IEEE Standard for the Scheme Programming Language.

Franklyn Turbak, for their comments and suggestions on

Institute of Electrical and Electronic Engineers, Inc.,

drafts of the do cument.

New York, NY, 1991.

Marilyn Pierce, for making the administrative nightmares

go away.

[13] Richard Kelsey and Jonathan Rees.

Reb ecca Bisb ee, for making everything work.

A tractable Scheme implementation .

Alb ert Meyer, for urging exp edience. Lisp and Symbolic Computation 7(4):315{335, 1995 (to

Tom Collett, for giving me a reason to nish. app ear). 19

[31] Gerald Jay Sussman and Guy Lewis Steele Jr. [14] Butler W. Lampson.

Scheme: an interpreter for extended lamb da calculus. A note on the con nement problem.

MIT AI Memo 349, 1975. CACM 16(10):613{615, 1973.

[15] Henry M. Levy.

[32] Swinehart et al.

Capability-based Computer Systems.

Cedar.

Bedford, MA: Digital Press, 1984.

TOPLAS 4(8), 1986.

[16] Robin Milner, Mads Tofte, and Rob ert Harp er.

[33] Rob ert Wahb e, Steven Lucco, Thomas E. Anderson, and

The De nition of StandardML.

Susan L. Graham.

MIT Press, 1990.

Ecient software-based fault isolation.

Proceedings of the Fourteenth ACM Symposium on Op-

[17] David Mo on.

erating System Principles, pages 203{216, December

Genera retrosp ective.

1993.

International Workshop on Object-OrientedOperating

Systems, 1991.

[34] William A. Wulf, Roy Levin, and Samuel P. Harbison.

HYDRA/C.mmp: AnExperimental Computer System.

[18] James H. Morris Jr.

McGraw-Hill, 1981.

Protection in Programming Languages.

CACM 16(1):15{21, 1973.

[19] Jonathan Rees.

Another mo dule system for Scheme.

In ftp://ftp-swiss.ai.mit.edu/pub/s48/

scheme48-0.36.tar.gz, March 1994.

[20] Jonathan A. Rees.

The June 1992 Meeting.

Lisp Pointers V(4):40{45, Octob er{Decemb er 1992.

[21] Jonathan A. Rees.

ASecurity Kernel Based on the Lambda-Calculus.

Ph.D. dissertation, MIT, 1995.

[22] Jonathan A. Rees and Norman I. Adams.

T: A dialect of Lisp or, LAMBDA: the ultimate software

to ol.

In ConferenceRecord of the 1982 ACM Symposium on

Lisp and Functional Programming, pages 114{122.

[23] Jonathan Rees and Bruce Donald.

Program mobile rob ots in Scheme.

Proceedings of the 1992 IEEE International Conference

on Robotics and Automation, pages 2681{2688.

[24] R. L. Rivest, A. Shamir, and L. Adleman.

A metho d for obtaining digital signatures and public-

key cryptosystems.

Communication of the ACM 21:120{126, Feb. 1978.

[25] Guillermo J. Rozas.

Transluscent Procedures, Abstraction Without Opacity.

PhD thesis, MIT, May 1993.

[26] Jerome H. Saltzer and M. D. Schro eder.

The protection of information in computer systems.

Pro ceedings of the IEEE 63(9):1278{1308, 1975.

[27] Michael D. Schro eder.

Cooperation of Mutual ly Suspicious Subsystems in a

Computer Utility.

Ph.D. thesis, MIT Pro ject MAC TR-104, 1972.

[28] Brian C. Smith.

Re ection and Semantics in LISP.

In Proceedings of the Eleventh Annual ACM Symposium

on Principles of Programming Languages, pages 23{35,

Salt LakeCity,January 1986.

[29] Guy Lewis Steele Jr. and Gerald Jay Sussman.

Lamb da: the ultimate imp erative.

MIT AI Memo 353, 1976.

[30] Rob ert Strandh.

Oo oz, a multi-user programming environment based on

Scheme.

BIGRE Bul letin 65, IRISA, Campus de Beaulieu, F-

35042, Rennex Cedex, France, July 1989. 20