A Security Kernel Based on the Lambda-Calculus

MASSACHUSETTS INSTITUTE OF TECHNOLOGY
ARTIFICIAL INTELLIGENCE LABORATORY

A.I. Memo No. 1564                                                March, 1996

A Security Kernel Based on the Lambda-Calculus

Jonathan A. Rees

This publication can be retrieved by anonymous ftp to publications.ai.mit.edu.

Abstract

Cooperation between independent agents depends upon establishing a degree of security. Each of the cooperating agents needs assurance that the cooperation will not endanger resources of value to that agent. In a computer system, a computational mechanism can assure safe cooperation among the system's users by mediating resource access according to desired security policy. Such a mechanism, which is called a security kernel, lies at the heart of many operating systems and programming environments.

This report describes Scheme 48, a programming environment whose design is guided by established principles of operating system security. Scheme 48's security kernel is small, consisting of the call-by-value λ-calculus with a few simple extensions to support abstract data types, object mutation, and access to hardware resources. Each agent (user or subsystem) has a separate evaluation environment that holds objects representing privileges granted to that agent. Because environments ultimately determine availability of object references, protection and sharing can be controlled largely by the way in which environments are constructed.

I will describe experience with Scheme 48 that shows how it serves as a robust and flexible experimental platform. Two successful applications of Scheme 48 are the programming environment for the Cornell mobile robots, where Scheme 48 runs with no (other) operating system support; and a secure multi-user environment that runs on workstations.

© Copyright Massachusetts Institute of Technology, 1996

This report describes research done at the Artificial Intelligence Laboratory of the Massachusetts Institute of Technology.
Support for this research was provided in part by the Advanced Research Projects Agency of the Department of Defense under Office of Naval Research contract N00014-92-J-4097.

1 Introduction

Cooperation between independent agents depends upon establishing a degree of security. Each of the cooperating agents needs assurance that the cooperation will not endanger resources of value to that agent. In a computer system, a computational mechanism can assure safe cooperation among the system's users by mediating resource access according to desired security policy. Such a mechanism, which is called a security kernel, lies at the heart of many operating systems and programming environments.

I claim that the λ-calculus can serve as the central component of a simple and flexible security kernel. The present report supports this thesis by motivating and describing such a λ-calculus-based security kernel and by giving several lines of evidence of the kernel's effectiveness.

The W7¹ security kernel consists of the call-by-value λ-calculus with a few simple extensions to support abstract data types, object mutation, and access to hardware resources. Within W7, each agent (user or subsystem) has a separate evaluation environment that holds objects representing privileges granted to that agent. Because environments ultimately determine availability of object references, protection and sharing can be controlled largely by the way in which environments are constructed.

The effectiveness of W7 as a security kernel is demonstrated through three lines of evidence:

1. its ability to address certain fundamental security problems that are important for cooperation (Sections 2.2–2.3);
2. a structural correspondence with familiar operating system kernels (Section 2.4); and
3. the success of Scheme 48, a complete implementation of the Scheme programming language built on W7, as a basis for secure, robust, and flexible programming systems (Section 3).

¹ This name was chosen to have no mnemonic or cuteness value.

1.1 Security Kernel Based on λ-calculus

The λ-calculus is a calculus of functions, and is concerned with how computations are abstracted and instantiated and how names come to have meanings. W7 is a λ-calculus of procedures, which are generalized functions capable of performing side effects. Procedures correspond to what in an operating system would be programs and servers. Side effects include access to input and output devices and to memory cells. It is through side effects that communication, and therefore cooperation, is possible. However, side effects can be harmful. For example, a computer-controlled robot arm can easily hurt a person who gets in its way.

The purpose of a security kernel is to allow control over access to objects. The challenge in designing a security kernel is not to support sharing or protection per se, but rather to allow flexible control over the extent to which an object is shared or protected. One way in which the λ-calculus and W7 provide protection is through closure: a procedure is not just a program but a program coupled with its environment of origin. A procedure cannot access the environment of its call, and its caller cannot access the procedure's environment of origin. The caller and callee are therefore protected from one another. Sharing is accomplished through shared portions of environments, which may include procedures that allow still other objects to be shared.

To address a number of authentication and certification problems, W7 includes an abstract data type facility. (Usually this term refers to type abstraction enforced through compile-time type checking, but here it means a dynamic information hiding mechanism.) The facility is akin to digital signatures: a subsystem may sign an object in such a way that the signed object may be recognized as having been definitely signed by that subsystem. In particular, a compiler might use a particular signature to mean that the signed procedure is one that is "harmless" (in a technical sense) and is therefore safe to apply to fragile arguments.

1.2 Scheme 48

Scheme 48 is a complete Scheme system that tests W7's capacity to support safe cooperation. Scheme 48 was a major design and implementation effort and therefore constitutes the heart of the project. Section 3 gives an overview of Scheme 48, but most of the information on it is to be found in the related reports [13, 23, 6, 19].

A large amount of engineering goes into making a practical programming environment, and in Scheme 48 security has been a concern in nearly every component. Major facilities whose design has been shaped by security concerns include the following:

- The module system [19]. Modules are truly encapsulated, just as procedures are, allowing them to be shared safely.
- The macro facility [6]. Macros are also closed, like procedures. This allows a form of compile-time security in which a module may export a macro while protecting objects used in the macro's implementation.
- Dynamic variables. Information can be communicated from caller to callee through an implicit dynamic environment. However, a dynamic variable must be accessed via a key, and such keys can be protected.

A major theme running through the design of Scheme 48 is avoidance or minimization of shared global state. For example, the virtual machine (byte-code interpreter) has only an essential minimum set of registers; there are no registers that hold global symbol tables or environment structure as there is in most Lisp and Scheme implementations. Another example is in the run-time system modules, which never alter global state (in Scheme terms, no top-level variable is ever assigned with set!). Data structures manipulated by these modules can be instantiated multiple times to avoid conflict over their use.
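As an added example (my code, not the memo's and not Scheme 48's; Python rather than Scheme), the following realises the abstract data type facility of Section 1.1 as a Morris-style sealer/unsealer pair built from nothing but closures and one mutable cell, and then uses it the way that section describes a compiler using a signature: a certifier seals procedures it judges "harmless", and a consumer applies only procedures carrying that seal to a fragile argument. The harmlessness test (no closure cells, no global names outside a short allow-list), the `OUTBOX` covert channel and every name here are assumptions of the example, not anything the memo specifies.

```python
# Added example, not code from Rees's memo or from Scheme 48: a sealer/unsealer
# pair made only of closures and one mutable cell (the Morris construction),
# standing in for the memo's abstract data type facility, plus a "certifier"
# that signs procedures it judges harmless. All names and the harmlessness
# test itself are assumptions of this example.


def make_seal(name):
    """Return (seal, unseal, sealed) sharing one private cell.

    Only closures created here can reach `cell`, so a value appearing in it
    after calling a box proves the box was minted by this very sealer."""
    EMPTY = object()                 # sentinel distinct from any sealed value
    cell = [EMPTY]

    def seal(obj):
        def box():                   # opaque: all it can do is write the cell
            cell[0] = obj
        return box

    def unseal(box):
        cell[0] = EMPTY
        try:
            if callable(box):
                box()                # a genuine box deposits its contents here
            value = cell[0]
        finally:
            cell[0] = EMPTY          # never leave contents lying around
        if value is EMPTY:
            raise TypeError(f"object was not sealed by {name!r}")
        return value

    def sealed(box):
        try:
            unseal(box)
            return True
        except Exception:
            return False

    return seal, unseal, sealed


OUTBOX = []                          # constructed: a covert channel a supplier might use


def honest_sort(xs):
    return sorted(xs)


def leaky_sort(xs):
    OUTBOX.append(list(xs))          # exfiltrate before returning the real answer
    return sorted(xs)


def make_certifier():
    """A trusted 'compiler' that signs procedures it judges harmless.

    Assumed toy harmlessness test: the function closes over nothing and
    refers to no global names beyond a small allow-list of pure built-ins."""
    seal, unseal, _ = make_seal("harmless")
    ALLOWED = {"len", "sorted", "min", "max", "sum"}

    def certify(fn):
        free = set(fn.__code__.co_names) - ALLOWED   # globals/attributes it uses
        if fn.__closure__ or free:
            raise ValueError(f"not harmless: touches {sorted(free) or 'a closure'}")
        return seal(fn)

    def apply_to_fragile(signed_fn, fragile):
        fn = unseal(signed_fn)       # raises unless signed by this certifier
        return fn(fragile)

    return certify, apply_to_fragile


def run_demo():
    """Exercise the three cases: certified, rejected, and forged signature."""
    certify, apply_to_fragile = make_certifier()
    supplier_seal, _, _ = make_seal("supplier")   # a sealer the supplier owns
    secret = [4111, 3400, 5500]      # constructed stand-in for the fragile argument
    outcome = {}
    outcome["honest"] = apply_to_fragile(certify(honest_sort), secret)
    try:
        certify(leaky_sort)
        outcome["leaky"] = "certified"
    except ValueError:
        outcome["leaky"] = "rejected by certifier"
    try:                             # the supplier's own seal is not the certifier's
        apply_to_fragile(supplier_seal(leaky_sort), secret)
        outcome["forged"] = "applied"
    except TypeError:
        outcome["forged"] = "rejected: not signed by certifier"
    return outcome, list(OUTBOX)


if __name__ == "__main__":
    print(run_demo())
```

The unforgeability rests entirely on lexical scoping: a box minted by the supplier's sealer writes the supplier's cell, never the certifier's, so the certifier's `unseal` sees only the sentinel and refuses. Note the caveat that Python, unlike W7, has ambient authority (`import`, builtins), so the allow-list check is a toy stand-in for the memo's technical notion of "harmless"; the sealing mechanism itself is the part that carries over.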
Finally, the success of Scheme 48 (and therefore of W7) is demonstrated by its use in a number of applications. These include the programming environment for the Cornell mobile robots, where Scheme 48 runs with no (other) operating system support [23], and a secure multi-user environment that runs on workstations.

2 The Security Kernel

This section is an exposition, starting from first principles, of the problem of secure cooperation between independent agents. It describes a simple idealized security kernel that addresses this problem. The presentation is intended to show the essential unity of security concerns in operating systems and programming languages.

The idealized kernel is based on a graph of encapsulated objects. Accessibility of one object from another is constrained by the connectivity of the object graph and further limited by object-specific gatekeeper programs.

resources of value to that agent, so those resources are also put at risk when the program is invoked.

Consider the following scenario:

    Bart writes a program that sorts a list of numbers. Being a generous fellow, he gives this useful program to Lisa, who has expressed an interest in using such a program. But Lisa is hesitant to use Bart's program, since Bart may have arranged for the program to do sneaky things. For example, the program might covertly send the list to be sorted back to Bart via electronic mail. That would be unfortunate, since Lisa wants to sort a list of credit card numbers, and she would like to keep these secret. What should Bart and Lisa do?

There are two distinct approaches to solving the safe
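To make the closure argument of Section 1.1 concrete on this scenario, here is an added example (my code, not the memo's and not Scheme 48's; Python rather than Scheme): a tiny call-by-value λ-calculus evaluator with lexical environments. Bart's insertion sort is written in that calculus, and whether a "sneaky" variant can reach `send-mail` is decided solely by the environment the procedure was closed over, not by who calls it or what the caller's own environment holds. The evaluator, the primitive set, the list contents and all names are assumptions of the example.

```python
# Added example, not code from Rees's memo or from Scheme 48: a minimal
# call-by-value lambda-calculus evaluator with lexical closures (plus letrec,
# begin and a few list primitives) showing how the way environments are
# constructed decides what a procedure can reach. Expressions are Python
# lists; a str is a symbol, other atoms self-evaluate. All names constructed.

class Env:
    """One environment frame: local bindings plus the enclosing frame."""
    def __init__(self, bindings=None, parent=None):
        self.vars, self.parent = dict(bindings or {}), parent
    def lookup(self, name):
        frame = self
        while frame is not None:
            if name in frame.vars:
                return frame.vars[name]
            frame = frame.parent
        raise NameError(f"unbound variable: {name}")

class Closure:
    """A procedure: its parameters, body, and environment of origin."""
    def __init__(self, params, body, env):
        self.params, self.body, self.env = params, body, env

def evaluate(expr, env):
    if isinstance(expr, str):                     # variable reference
        return env.lookup(expr)
    if not isinstance(expr, list):                # number/bool: self-evaluating
        return expr
    head = expr[0]
    if head == "quote":
        return expr[1]
    if head == "if":
        return evaluate(expr[2] if evaluate(expr[1], env) else expr[3], env)
    if head == "lambda":                          # closes over the CURRENT env
        return Closure(expr[1], expr[2], env)
    if head == "letrec":                          # bindings may refer to themselves
        inner = Env({}, env)
        for name, init in expr[1]:
            inner.vars[name] = evaluate(init, inner)
        return evaluate(expr[2], inner)
    if head == "begin":
        result = None
        for sub in expr[1:]:
            result = evaluate(sub, env)
        return result
    proc = evaluate(head, env)                    # application, call-by-value
    return apply_proc(proc, [evaluate(arg, env) for arg in expr[1:]])

def apply_proc(proc, args):
    if not isinstance(proc, Closure):
        return proc(*args)                        # primitive (a Python callable)
    if len(args) != len(proc.params):
        raise TypeError("arity mismatch")
    # Body sees only the environment of origin plus arguments, never the caller's.
    return evaluate(proc.body, Env(dict(zip(proc.params, args)), proc.env))

PRIMS = {"null?": lambda l: l == [], "car": lambda l: l[0], "cdr": lambda l: l[1:],
         "cons": lambda x, l: [x] + l, "<": lambda a, b: a < b}

BART_SORT = ["letrec",                            # insertion sort, in the calculus
    [["insert", ["lambda", ["x", "l"],
        ["if", ["null?", "l"], ["cons", "x", ["quote", []]],
         ["if", ["<", "x", ["car", "l"]], ["cons", "x", "l"],
          ["cons", ["car", "l"], ["insert", "x", ["cdr", "l"]]]]]]],
     ["sort", ["lambda", ["l"],
        ["if", ["null?", "l"], ["quote", []],
         ["insert", ["car", "l"], ["sort", ["cdr", "l"]]]]]]],
    "sort"]
BART_SNEAKY_SORT = ["lambda", ["l"],              # mail the list home, then sort it
    ["begin", ["send-mail", ["quote", "bart"], "l"], [BART_SORT, "l"]]]
LISA_LIST = [4111, 3400, 5500]                    # constructed stand-in for card numbers

def run_scenario(bart_program, bart_can_mail):
    """Close Bart's program over an environment with or without send-mail, then
    let Lisa (whose own environment always holds send-mail) call it.
    Returns (what Lisa got back, mails actually sent)."""
    outbox = []
    bart_env = Env(PRIMS)
    if bart_can_mail:
        bart_env.vars["send-mail"] = lambda to, body: outbox.append((to, body))
    bart_sort = evaluate(bart_program, bart_env)  # closure over bart_env only
    lisa_env = Env({**PRIMS, "bart-sort": bart_sort,
                    "send-mail": lambda to, body: outbox.append((to, body))})
    try:
        return evaluate(["bart-sort", ["quote", LISA_LIST]], lisa_env), outbox
    except NameError as err:                      # sneaky code stopped cold
        return str(err), outbox

def caller_can_see_insert():
    """Lisa cannot reach the `insert` helper that Bart's sort closed over."""
    lisa_env = Env({**PRIMS, "bart-sort": evaluate(BART_SORT, Env(PRIMS))})
    try:
        evaluate("insert", lisa_env)
        return True
    except NameError:
        return False
```

Running `run_scenario(BART_SNEAKY_SORT, False)` shows the point of the section: Lisa's own environment binds `send-mail`, yet Bart's procedure fails with an unbound variable, because lookup walks the closure's environment of origin and never the caller's frame. Giving Bart's environment `send-mail` (`bart_can_mail=True`) is the only way the leak happens, which is exactly what "protection and sharing are controlled by the way environments are constructed" means; and `caller_can_see_insert()` shows the symmetric guarantee, that the caller cannot reach into the callee's environment either.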
