DOCSLIB.ORG

Analysing the Security Properties of Object-Capability Patterns

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Analysing the Security Properties of Object-Capability Patterns Analysing the Security Properties of Object-Capability Patterns Toby Murray Hertford College Oxford University Computing Laboratory A thesis submitted for the degree of Doctor of Philosophy Hilary Term, 2010 This thesis is dedicated to Bel, who has taught me more than anyone else. Acknowledgements Thanks firstly to my supervisor, Gavin Lowe, whose conscientious and ded- icated supervision of this work improved it, and its presentation, more than I can say, and whose wisdom and guidance were invaluable throughout this entire process. I couldn't have asked for a better supervisor. Gavin also contributed directly to the development of valuable parts of this work, as explained in the statement of authorship that follows. Thanks to Fred Spiessens and Bill Roscoe for examining this thesis. Thanks to Andrew Simpson and Bill Roscoe for their advice and feedback on this work as it progressed during my transfer and confirmation of status. Thanks to Bill Roscoe for valuable discussions about CSP and to Fred Spiessens for the same regarding Scoll and authority. Thanks to the anonymous reviewers of [ML09b] and [ML09a], and those at NICTA, whose feedback helped to improve the presentation in Chapter5. Thanks to David Wagner for useful discussions about authority and cau- sation that ultimately influenced the work in Chapter7, and for indirectly bringing to my attention the need to consider vulnerabilities due to recursive invocation. Thanks to Bill Frantz, David-Sarah Hopwood, Matej Koˇs´ık, Charles Landau, Alex Murray, Mark Seaborn and David Wagner, who helped me assemble Table 2.1. Thanks to all of the people on cap-talk and e-lang, including Mark Miller and Jonathan Shapiro, and all of my old workmates from DSTO's Annex project. You have greatly influenced my thinking about capability systems and have undoubtedly influenced the work contained in this thesis. My greatest thanks to Duncan Grove and Chris North, and also to Dave Munro, Rob Esser, Ed Lowrey and Ken Yiu, for encouraging and facilitating me to undertake this doctorate. Thanks so much to my family and friends, both in Oxford and back home, for their love and support. Thanks especially to Mark Larsen, whose friendship helped make Oxford home. Thanks finally to my wife, Bel, for her unwavering support during times of crisis, and her sacrifice throughout this adventure. She knew from the beginning that Oxford was the place to be. This work was supported by a John Crampton Travelling Scholarship, for which I am extremely grateful. Statement of Authorship The following parts of this thesis contain work carried out jointly with my supervisor, Gavin Lowe. • The use and form of the PosConjEqT safe abstraction of the Trade- marks guard object, which appears in Section 4.1.3, was conceived by Gavin Lowe. • Gavin Lowe also conceived the technique used to model and analyse the Membrane in the concurrent context, which appears in Section 4.3.4. • The proofs of Lemmas 5.3.6 and 5.3.7 were adapted from a proof that was co-written with Gavin Lowe and appears in [ML07]. • The basic structure of the refinement check for testing weakened refinement-closed noninterference properties, which appears in Sec- tion 5.3.3, was conceived by Gavin Lowe. This work also appears in [ML09b]. • The proof of Theorem 5.5.3 is a simple generalisation of a proof that was conceived by Gavin Lowe. This work also appears in [ML09a]. • The proof of Lemma A.0.6 is a simple extension of a proof that was co-written with Gavin Lowe and appears in [ML07]. Analysing the Security Properties of Object-Capability Patterns Toby Murray Hertford College University of Oxford A thesis submitted for the degree of Doctor of Philosophy Hilary Term, 2010 The object-capability model is an increasingly popular architecture for build- ing secure software systems. This model promotes the construction of reusable patterns for enforcing security properties within object-capability systems. In this thesis, we apply the process algebra CSP, and its auto- matic refinement-checker FDR, to analyse object-capability patterns and prove whether they uphold the security properties they are designed to en- force. We show how CSP can accurately model object-capability systems and patterns, and express their wide variety of features. We show that complex safety properties of object-capability patterns can be reasoned about by encoding them as CSP refinement checks for FDR. This enables one to detect vulnerabilities automatically in patterns due to concurrent and recursive invocation. We show that CSP's theory of data-independence can be applied to al- low one to generalise the results obtained from analysing small fixed-sized systems, to systems of arbitrary size. We show how to reason about the information flow properties of object- capability patterns. We argue that in order to do so sensibly, one must make the assumption that objects can directly influence each other only through their overt interactions together. We show how traditional noninterference properties can be adapted to take this assumption into account, and how they can then be tested with FDR. We consider how to reason about liveness properties of object-capability patterns under necessary fairness assumptions. We prove that such proper- ties cannot always be expressed as CSP refinement checks for FDR, making them impossible for FDR to test precisely, but how FDR can be applied to reason about them by testing sufficient conditions for them instead. To reason about authority, we develop a framework for expressing gen- eral non-causation properties and show how it can capture various kinds of authority, as well as the notions of defensive correctness and defensive con- sistency. We show that, for deterministic systems, non-causation of safety effects can be expressed as refinement checks in CSP models that FDR can support. However, for nondeterministic systems, we prove that even certain simple non-causation properties cannot be precisely captured this way. Engineers in established fields use applied mathematics to predict the behavior and properties of their designs with great accuracy. Software engineers, despite the fact that their cre- ations exhibit far more complexity than physical systems, do not generally do this and the practice of the discipline is still at the pre-scientific or craft stage. [T]he applied mathematics of software is formal logic, and calculating the behavior of software is an exercise in theorem proving. Just as engineers in other dis- ciplines need the speed and accuracy of computers to help them perform their engineering calculations, so software engineers can use the speed and accuracy of computers to help them prove the . theorems required to predict the behavior of software. John Rushby [Rus89]. Contents 1 Introduction1 1.1 The Problem...........................1 1.2 Our Approach...........................2 1.3 Contribution and Thesis Organisation.............3 2 Preliminaries6 2.1 CSP................................6 2.1.1 Syntax...........................6 2.1.2 Notation..........................8 2.1.3 Semantics.........................9 2.1.4 Verifying Properties of CSP Processes......... 12 2.2 The Object-Capability Model.................. 13 2.2.1 Current Object-Capability Systems........... 14 2.3 Modelling Object-Capability Systems in CSP......... 17 2.3.1 System Model....................... 17 2.3.2 An Example System................... 20 2.3.3 Modelling Trusted Objects............... 21 2.3.4 Non-Blocking Communication.............. 23 2.3.5 Single-Threaded Systems................ 24 2.3.6 Data Independence.................... 26 3 Safety 30 3.1 Safe Authenticating Trademarks................ 30 3.1.1 Deriving a Safe Implementation............. 31 3.1.2 Summary......................... 39 3.2 Safe Coercing Sealer-Unsealers................. 39 3.2.1 Deriving a Safe Implementation............. 40 3.3 Related Work........................... 50 3.4 Conclusion............................ 52 4 Analysing Systems of Arbitrary Size 54 4.1 Generalising Previous Results.................. 54 4.1.1 Safe Abstraction and Aggregation........... 56 4.1.2 Aggregation via Untrusted Objects........... 58 4.1.3 Data-Independence on Aggregated Identities..... 62 4.1.4 Concluding the Trademarks Safety Analysis...... 67 4.1.5 Generalising the Sealer-Unsealer Safety Analysis... 69 4.1.6 Summary......................... 70 4.2 Handling Object Creation.................... 71 4.2.1 Implicit Object Creation via Aggregation....... 71 4.3 Safe Revocable Membranes................... 72 4.3.1 The Membrane Pattern................. 72 4.3.2 Revocable Membranes.................. 74 4.3.3 The Single-Threaded Case................ 76 4.3.4 The Concurrent Case.................. 79 4.3.5 Summary......................... 86 4.4 Related Work........................... 86 4.5 Conclusion............................ 90 5 Information Flow 92 5.1 Introduction............................ 92 5.2 Defining Information Flow for Object-Capability Patterns.. 94 5.2.1 Refinement........................ 94 5.2.2 A Necessary Assumption................ 96 5.2.3 A Definition........................ 96 5.3 Testing Information Flow for Object-Capability Patterns... 97 5.3.1 Choosing an Appropriate Property........... 98 5.3.2 Deriving a Testable Characterisation.......... 103 5.3.3 Deriving an Automatic Test............... 110 5.4 Applying the Test........................ 114 5.4.1 Modelling the Data-Diode Implementation...... 115 5.4.2 Analysing the Data-Diode Implementation...... 116 5.4.3 Fixing the Data-Diode Implementation.......
Load more

Recommended publications
  • CHERI Instruction-Set Architecture
    UCAM-CL-TR-876 Technical Report ISSN 1476-2986 Number 876 Computer Laboratory Capability Hardware Enhanced RISC Instructions: CHERI Instruction-Set Architecture Robert N. M. Watson, Peter G. Neumann, Jonathan Woodruff, Michael Roe, Jonathan Anderson, David Chisnall, Brooks Davis, Alexandre Joannou, Ben Laurie, Simon W. Moore, Steven J. Murdoch, Robert Norton, Stacey Son September 2015 15 JJ Thomson Avenue Cambridge CB3 0FD United Kingdom phone +44 1223 763500 http://www.cl.cam.ac.uk/ c 2015 Robert N. M. Watson, Peter G. Neumann, Jonathan Woodruff, Michael Roe, Jonathan Anderson, David Chisnall, Brooks Davis, Alexandre Joannou, Ben Laurie, Simon W. Moore, Steven J. Murdoch, Robert Norton, Stacey Son, SRI International Approved for public release; distribution is unlimited. Sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 (“CTSRD”) and FA8750-11-C-0249 (“MRC2”) as part of the DARPA CRASH and DARPA MRC research programs. The views, opinions, and/or findings contained in this report are those of the authors and should not be interpreted as representing the official views or policies, either expressed or implied, of the Department of Defense or the U.S. Government. Additional support was received from St John’s College Cambridge, the SOAAP Google Focused Research Award, the RCUK’s Horizon Digital Economy Research Hub Grant (EP/G065802/1), the EPSRC REMS Programme Grant (EP/K008528/1), the Isaac Newton Trust, the UK Higher Education Innovation Fund (HEIF), and Thales E-Security. Technical reports published by the University of Cambridge Computer Laboratory are freely available via the Internet: http://www.cl.cam.ac.uk/techreports/ ISSN 1476-2986 Abstract This technical report describes CHERI ISAv4, the fourth version of the Capability Hardware Enhanced RISC Instructions (CHERI) Instruction-Set Architecture (ISA)1 being developed by SRI International and the University of Cambridge.
    [Show full text]
  • Research Purpose Operating Systems – a Wide Survey
    GESJ: Computer Science and Telecommunications 2010|No.3(26) ISSN 1512-1232 RESEARCH PURPOSE OPERATING SYSTEMS – A WIDE SURVEY Pinaki Chakraborty School of Computer and Systems Sciences, Jawaharlal Nehru University, New Delhi – 110067, India. E-mail: [email protected] Abstract Operating systems constitute a class of vital software. A plethora of operating systems, of different types and developed by different manufacturers over the years, are available now. This paper concentrates on research purpose operating systems because many of them have high technological significance and they have been vividly documented in the research literature. Thirty-four academic and research purpose operating systems have been briefly reviewed in this paper. It was observed that the microkernel based architecture is being used widely to design research purpose operating systems. It was also noticed that object oriented operating systems are emerging as a promising option. Hence, the paper concludes by suggesting a study of the scope of microkernel based object oriented operating systems. Keywords: Operating system, research purpose operating system, object oriented operating system, microkernel 1. Introduction An operating system is a software that manages all the resources of a computer, both hardware and software, and provides an environment in which a user can execute programs in a convenient and efficient manner [1]. However, the principles and concepts used in the operating systems were not standardized in a day. In fact, operating systems have been evolving through the years [2]. There were no operating systems in the early computers. In those systems, every program required full hardware specification to execute correctly and perform each trivial task, and its own drivers for peripheral devices like card readers and line printers.
    [Show full text]
  • Os Verification - a Survey As a Source of Future Challenges
    International Journal of Computer Science & Engineering Survey (IJCSES) Vol.6, No.4, August 2015 OS VERIFICATION - A SURVEY AS A SOURCE OF FUTURE CHALLENGES Kushal Anjaria and Arun Mishra Department of Computer Science &Engineering, DIAT, Pune, India ABSTRACT Formal verification of an operating system kernel manifests absence of errors in the kernel and establishes trust in it. This paper evaluates various projects on operating system kernel verification and presents in- depth survey of them. The methodologies and contributions of operating system verification projects have been discussed in the present work. At the end, few unattended and interesting future challenges in operating system verification area have been discussed and possible directions towards the challenge solution have been described in brief. KEYWORDS Formal verification, operating system, kernel. 1. INTRODUCTION The security and reliability of computer system is dependent on the underlying operating system kernel; kernel is the core of operating system. The kernel provide mechanism for user level applications to access hardware, scheduling and inter-process communication. Therefore, if anything goes wrong in the kernel while programming or implementation, it will affect the operation of entire system. To ensure the correct working of a kernel, testing and/or verification techniques have been used. Testing reduces frequency of failures, while verification detects errors and eliminates failures. Consider the fragment of C code shown in figure-1 int div(int p, int q) { int r; if (p<q) r=p/q; else r=q/p; return r; } Figure1. Fragment of C code Here r being an integer, if testing has been performed with p=8, q=4 and p=16, q=32, full coverage of code can be achieved.
    [Show full text]
  • Acknowledgments Preface 1 Overview I MICRO ERNEL ABSTRACTIONS
    Coyotos Microkernel Specification http://coyotos.org/docs/ukernel/spec.html Coyotos Microkernel Specification Version 0.3+ March 20, 2006 Jonathan S. Shapiro, Ph.D., Eric Northup, M. Scott Doerrie, Swaroop Sridhar Systems Research Laboratory Dept. of Computer Science Johns Hopkins University Neal H. Walfield, Marcus Brinkmann GNU Hurd Project Copyright 2006, Jonathan S. Shapiro. Verbatim copies of this document may be duplicated or distributed in print or electronic form for non-commercial purposes. Legal Notice THIS SPECIFICATION IS PROVIDED ``AS IS'' WITHOUT ANY WARRANTIES, INCLUDING ANY WARRANTY OF MERCHANTABILITY, NON-INFRINGEMENT, FITNESS FOR ANY PARTICULAR PURPOSE, OR ANY WARRANTY OTHERWISE ARISING OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. Table of Contents Acknowledgments Preface The Original Plan Overrun by the Hurd Coyotos: Take II A Brief Word on Terminology 1 Overview 1.1 Microkernel Objects 1.2 Sender Capabilities 1.3 Activations 1.4 Messages 1.5 Naming and Invocation 1.6 Exception and Interrupt Handling 1.7 Protection Model I MICROKERNEL ABSTRACTIONS 2 Capabilities 2.1 Representation 2.1.1 Capabilities to Memory Objects 2.1.2 Message-Related Capabilities 2.1.3 Capabilities to Processes 2.1.4 Miscellaneous Capabilities 2.2 Validity 2.3 Extensibility 3 Processes 3.1 State of a Process 3.2 FCRBs 3.3 Execution Model 3.3.1 Event Arrival and Run-In 3.3.2 Preemption 3.3.3 Exception Handling 1 of 38 04/10/06 11:19 Coyotos Microkernel Specification http://coyotos.org/docs/ukernel/spec.html 3.4 Event Delivery 4 Address Spaces 4.1 Memory
    [Show full text]
  • A Look at the EROS Operating System Jonathan S
    A Look at the EROS Operating System Jonathan S. Shapiro Johns Hopkins University Abstract EROS is a capability-based, secure operating system originally designed to address the needs of shared computing utilities involving mutually suspicious users. The deploy­ ment plan for the original design was to provide leased compute service to competing business entities, potentially running on a single machine. As a result, the system was structured to preserve security in the face of both hostile dynamic content and hostile users. While the EROS platform can support the efficient deployment of multilevel se­ cure environments, it is primarily focused on business security requirements. These re­ quirements often address integrity as well as security concerns. An EROS-based deploy­ ment can ensure that business-critical data is manipulated exclusively by authorized ap­ plication software, which in turn is guarded against user tampering. Simultaneously, EROS enables users to run untrusted utility software, hand private or proprietary data to that software, and be assured (within reason) that the data cannot be disclosed to the out­ side world. This paper gives a general overview of the EROS system and what it can do. The EROS research project has now ended. Further work based on the EROS system is being pursued under the CapROS project (www.capros.org). The EROS team has moved on to a successor system: Coyotos (www.coyotos.org). 1 Introduction in other publications. Others result from chains of reasoning that are omitted for reasons of space. A This paper accompanies a talk for the 2005 Libre few are opinions derived from years of in-depth Software Meeting in Dijon, France.
    [Show full text]
  • Protection Nov. 14, 2008 15-410
    15-410 “...1969 > 1999?...” Protection Nov. 14, 2008 Dave Eckhardt Roger Dannenberg 1 L32_Protection 15-410, F'08 Synchronization Project 3 due tonight Please remember to register for late days as appropriate One registration per day Please register for the midnight floppy disc seminar in the 5th floor lobby Registrations before 16:00 are most useful Carefully consider the P3extra overtime In general, getting a really solid kernel is the best thing » For your grade » For your education! So once the dust has settled, run all the tests and carefully read the P4 requirements If you know early that you will p3extra, please register early 2 15-410, F'08 Synchronization 15-610 (Spring '09) If you want hands-on experience with tricks of the trade N mini-projects: hints, prefetching, transactions, ... Small, intimate class Achievable without panic 15-412 (Fall '09) If 410 was fun... If you want to do more, If you want to see how it's done “in real life”, If you want to write real OS code used by real people, Consider 15-412 3 15-410, F'08 Synchronization Project 4 Monday's lecture might be beneficial 4 15-410, F'08 Outline Protection (Chapter 14) Protection vs. Security Domains (Unix, Multics) Access Matrix Concept, Implementation Revocation – not really covered today (see text) Mentioning EROS 5 15-410, F'08 Protection vs. Security Textbook's distinction Protection happens inside a computer Which parts may access which other parts (how)? Security considers external threats Is the system's model intact or compromised? 6 15-410, F'08 Protection Goals Prevent intentional attacks “Prove” access policies are always obeyed Detect bugs “Wild pointer” example Policy specifications System administrators Users - May want to add new privileges to system 7 15-410, F'08 Objects Hardware Exclusive-use: printer, serial port, CD writer, ..
    [Show full text]
  • CHERI Instruction-Set Architecture
    UCAM-CL-TR-850 Technical Report ISSN 1476-2986 Number 850 Computer Laboratory Capability Hardware Enhanced RISC Instructions: CHERI Instruction-set architecture Robert N.M. Watson, Peter G. Neumann, Jonathan Woodruff, Jonathan Anderson, David Chisnall, Brooks Davis, Ben Laurie, Simon W. Moore, Steven J. Murdoch, Michael Roe April 2014 15 JJ Thomson Avenue Cambridge CB3 0FD United Kingdom phone +44 1223 763500 http://www.cl.cam.ac.uk/ c 2014 Robert N.M. Watson, Peter G. Neumann, Jonathan Woodruff, Jonathan Anderson, David Chisnall, Brooks Davis, Ben Laurie, Simon W. Moore, Steven J. Murdoch, Michael Roe SRI International is acknowledged as an additional copyright holder Technical reports published by the University of Cambridge Computer Laboratory are freely available via the Internet: http://www.cl.cam.ac.uk/techreports/ ISSN 1476-2986 Abstract This document describes the rapidly maturing design for the Capability Hardware Enhanced RISC Instructions (CHERI) Instruction-Set Architecture (ISA), which is being developed by SRI International and the University of Cambridge. The document is intended to capture our evolving architecture, as it is being refined, tested, and formally analyzed. We have now reached 70% of the time for our research and development cycle. CHERI is a hybrid capability-system architecture that combines new processor primitives with the commodity 64-bit RISC ISA enabling software to efficiently implement fine-grained memory protection and a hardware-software object-capability security model. These extensions support incrementally adoptable, high-performance, formally based, programmer-friendly un- derpinnings for fine-grained software decomposition and compartmentalization, motivated by and capable of enforcing the principle of least privilege.
    [Show full text]
  • Capability Hardware Enhanced RISC Instructions: CHERI Instruction-Set Architecture (Version 6)
    UCAM-CL-TR-907 Technical Report ISSN 1476-2986 Number 907 Computer Laboratory Capability Hardware Enhanced RISC Instructions: CHERI Instruction-Set Architecture (Version 6) Robert N. M. Watson, Peter G. Neumann, Jonathan Woodruff, Michael Roe, Jonathan Anderson, John Baldwin, David Chisnall, Brooks Davis, Alexandre Joannou, Ben Laurie, Simon W. Moore, Steven J. Murdoch, Robert Norton, Stacey Son, Hongyan Xia April 2017 15 JJ Thomson Avenue Cambridge CB3 0FD United Kingdom phone +44 1223 763500 http://www.cl.cam.ac.uk/ c 2017 Robert N. M. Watson, Peter G. Neumann, Jonathan Woodruff, Michael Roe, Jonathan Anderson, John Baldwin, David Chisnall, Brooks Davis, Alexandre Joannou, Ben Laurie, Simon W. Moore, Steven J. Murdoch, Robert Norton, Stacey Son, Hongyan Xia, SRI International Approved for public release; distribution is unlimited. Sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 (“CTSRD”) and FA8750-11-C-0249 (“MRC2”) as part of the DARPA CRASH and DARPA MRC research programs. The views, opinions, and/or findings contained in this report are those of the authors and should not be interpreted as representing the official views or policies, either expressed or implied, of the Department of Defense or the U.S. Government. Additional support was received from St John’s College Cambridge, the Google SOAAP Focused Research Award, the RCUK’s Horizon Digital Economy Research Hub Grant (EP/G065802/1), the EPSRC REMS Programme Grant (EP/K008528/1), the EPSRC Impact Acceleration Account (EP/K503757/1), the Isaac Newton Trust, the UK Higher Education Innovation Fund (HEIF), Thales E-Security, ARM Ltd, and HP Enterprise.
    [Show full text]
  • A Survey of Distributed Capability File Systems and Their Application to Cloud Environments
    Calhoun: The NPS Institutional Archive Theses and Dissertations Thesis Collection 2014-09 A survey of distributed capability file systems and their application to cloud environments Jatho, Edgar W., III Monterey, California: Naval Postgraduate School http://hdl.handle.net/10945/43930 NAVAL POSTGRADUATE SCHOOL MONTEREY, CALIFORNIA THESIS A SURVEY OF DISTRIBUTED CAPABILITY FILE SYSTEMS AND THEIR APPLICATION TO CLOUD ENVIRONMENTS by Edgar W. Jatho, III September 2014 Thesis Co-Advisors: Peter Denning Mark Gondree Approved for public release; distribution is unlimited THIS PAGE INTENTIONALLY LEFT BLANK REPORT DOCUMENTATION PAGE Form Approved OMB No. 0704{0188 Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instruction, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden to Washington headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202{4302, and to the Office of Management and Budget, Paperwork Reduction Project (0704-0188) Washington DC 20503. 1. AGENCY USE ONLY (Leave Blank) 2. REPORT DATE 3. REPORT TYPE AND DATES COVERED 09-26-2014 Master’s Thesis 09-01-2013 to 09-26-2014 4. TITLE AND SUBTITLE 5. FUNDING NUMBERS A SURVEY OF DISTRIBUTED CAPABILITY FILE SYSTEMS AND THEIR APPLI- CATION TO CLOUD ENVIRONMENTS 6. AUTHOR(S) Edgar W. Jatho, III 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8. PERFORMING ORGANIZATION REPORT NUMBER Naval Postgraduate School Monterey, CA 93943 9.
    [Show full text]
  • Navigating the Attack Surface
    Verify what? Navigating the Attack Surface Mark S. Miller, Google Formal Methods meets JavaScript Imperial College, March 2018 Risk as Attack Surface a Expected Risk: ∫likelihood * damage Potential damage Likelihood of exploitable vulnerability a Expected Risk: ∫likelihood * damage Resources to damage Fallible agents a Access Matrix Permission or Authority? Resources to damage Fallible agents a Hollow Out the Attack Surface! /etc/passwd Alan’s stuff Barb’s stuff Doug’s stuff Kernel + root OS’s TCB ~alan ~barb ~doug a Decouple accounts /etc/passwd Alan’s stuff Barb’s stuff Doug’s stuff Kernel + root OS’s TCB ~alan ~barb ~doug a a Decouple applications contact info pgp keyring calc.xls Net access Shell, Desktop Browser Spreadsheet Email client a Decouple apps contact info pgp keyring calc.xls Net access MobileOS Doug’s TCB Browser app Spreadsheet doc Mail a app Decouple apps contact info pgp keyring calc.xls Net access MobileOS Doug’s TCB Browser app Spreadsheet doc Mail a app Substrate Historical System System CMNM, Plessey 250, C.mmp, CM*, Crash-SAFE, CHERI, Risc-V Hardware CAP, Flex, IBM System/38, Intel 432 DVH, Hydra, StarOS, RATS, Capsicum, CloudABI, Genode, OS Cal-TSS, PSOS, NLTSS, Spring Barrelfish, Fuchsia Gnosis, KeyKOS, GuardOS, seL4 KeyKOS family OS EROS, CapROS, Coyotos Distributed OS Ameoba, Mach, Midori Gedanken, W7, J-Kernel, Joe-E, Emily, Monte, Frozen Realms, Language CaPerl, Caja, Tamed Pict, Plash shill, Wyvern, wasm-gc Act-1, Eden, Emerald, Pony, Kappa, Dr.SES Distributed Language Vulcan, Joule, E, Oz-E, M# Distributed Storage
    [Show full text]
  • CHERI Instruction-Set Architecture
    UCAM-CL-TR-850 Technical Report ISSN 1476-2986 Number 850 Computer Laboratory Capability Hardware Enhanced RISC Instructions: CHERI Instruction-set architecture Robert N.M. Watson, Peter G. Neumann, Jonathan Woodruff, Jonathan Anderson, David Chisnall, Brooks Davis, Ben Laurie, Simon W. Moore, Steven J. Murdoch, Michael Roe April 2014 15 JJ Thomson Avenue Cambridge CB3 0FD United Kingdom phone +44 1223 763500 http://www.cl.cam.ac.uk/ c 2014 Robert N.M. Watson, Peter G. Neumann, Jonathan Woodruff, Jonathan Anderson, David Chisnall, Brooks Davis, Ben Laurie, Simon W. Moore, Steven J. Murdoch, Michael Roe Sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contract FA8750-10-C-0237 (“CTSRD”) as part of the DARPA CRASH research program. The views, opinions, and/or findings contained in this report are those of the authors and should not be interpreted as representing the official views or policies, either expressed or implied, of the Defense Advanced Research Projects Agency or the Department of Defense. Portions of this work were sponsored by the RCUK’s Horizon Digital Economy Research Hub grant, EP/G065802/1. Portions of this work were sponsored by Google, Inc. Technical reports published by the University of Cambridge Computer Laboratory are freely available via the Internet: http://www.cl.cam.ac.uk/techreports/ ISSN 1476-2986 Abstract This document describes the rapidly maturing design for the Capability Hardware Enhanced RISC Instructions (CHERI) Instruction-Set Architecture (ISA), which is being developed by SRI International and the University of Cambridge. The document is intended to capture our evolving architecture, as it is being refined, tested, and formally analyzed.
    [Show full text]
  • Capsicum: Practical Capabilities for UNIX
    Capsicum: practical capabilities for UNIX Robert N. M. Watson∗ and Jonathan Andersony Ben Laurie and Kris Kennaway University of Cambridge Google Computer Laboratory Belgrave House 15 JJ Thomson Avenue 76 Buckingham Palace Road Cambridge CB3 0FD London SW1W 9TQ United Kingdom United Kingdom frobert.watson, [email protected] fbenl, [email protected] 5 February, 2010 Abstract Capsicum is a lightweight operating system capability and sandbox framework planned for inclusion in FreeBSD 9. Capsicum extends, rather than replaces, UNIX APIs, providing new kernel primitives (sandboxed capability mode and capabilities) and a userspace sandbox API. These tools support the compartmentalization of monolithic UNIX applications into logical applications. We demonstrate our approach by adapting core FreeBSD utilities and Google’s Chromium web browser to use Capsicum primitives, and compare the complexity and robustness of Capsicum with other sandboxing techniques. 1 Introduction Capsicum is an API that brings capabilities to UNIX1. Capabilities are unforgeable tokens of authority, and have long been the province of research operating systems such as PSOS [16] and EROS [23]. UNIX systems have less fine-grained access control than capability systems, but are very widely deployed. By adding capability primitives to standard UNIX APIs, Capsicum gives application authors a realistic adoption path towards one of the ideals of OS security: least-privilege operation. Today, many popular, security-critical applications have been decomposed into parts with different priv- ilege requirements. Privilege separation, or compartmentalisation, is a pattern that has been adopted by ap- plications such as OpenSSH, Apple’s SecurityServer, and, more recently, Google’s Chromium web browser.
    [Show full text]