Language and Framework Support for Reviewably- Secure Software Systems Adrian Mettler Electrical Engineering and Computer Sciences University of California at Berkeley Technical Report No. UCB/EECS-2012-244 http://www.eecs.berkeley.edu/Pubs/TechRpts/2012/EECS-2012-244.html December 13, 2012 Copyright © 2012, by the author(s). All rights reserved. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission. Language and Framework Support for Reviewably-Secure Software Systems by Adrian Matthew Mettler A dissertation submitted in partial satisfaction of the requirements for the degree of Doctor of Philosophy in Computer Science in the Graduate Division of the University of California, Berkeley Committee in charge: Professor David Wagner, Chair Professor Deirdre Mulligan Professor Dawn Song Fall 2012 Language and Framework Support for Reviewably-Secure Software Systems Copyright 2012 by Adrian Matthew Mettler 1 Abstract Language and Framework Support for Reviewably-Secure Software Systems by Adrian Matthew Mettler Doctor of Philosophy in Computer Science University of California, Berkeley Professor David Wagner, Chair My thesis is that languages and frameworks can and should be designed to make it easier for programmers to write reviewably secure systems. A system is reviewably secure if its security is easy for an experienced programmer to verify, given access to the source code. A security reviewer should be able, with a reasonable amount of effort, to gain confidence that such a system meets its stated security goals. This dissertation includes work on on language subsetting and web application framework design. It presents Joe-E, a subset of the Java programming language designed to enforce object- capability security, simplifying the task of verifying a variety of security properties by en- abling sound, local reasoning. Joe-E also enforces determinism-by-default, which permits functionally-pure methods to be identified by their signature. Functional purity is a useful property that can greatly simplify the task of correctly implementing and reasoning about application code. A number of applications of the Joe-E language are presented and evalu- ated. The second part of this dissertation presents tool and framework enhancements for improving the security of web applications. I present techniques for retrofitting existing web applications to use template systems effectively to prevent cross-site scripting and content injection vulnerabilities while preserving functionality. I also show how HTML templates can be rewritten to normalize their output, improving the assurance of security provided by automatic escaping and other static analyses. These two applications of my thesis demonstrate that practical enhancements to lan- guages and frameworks can support developers in creating more secure software that is easier to review. Continued improvement in language and framework support for reviewability is a promising approach toward improving the security provided by modern software. i To everyone who has believed in me, especially my family. ii Contents List of Figures vii List of Tables ix Acknowledgements x 1 Introduction 1 1.1 Background . 1 1.1.1 Security Review . 1 1.1.2 Programming Languages and Abstractions . 3 1.1.3 Web Templating Languages . 4 1.2 Summary . 5 1.2.1 Joe-E: A Security-Oriented Subset of Java . 6 1.2.2 Improving Security of Template-Based Web Applications . 9 2 Joe-E: An Object-Capability Subset of Java 11 2.1 Introduction . 11 2.2 Goals and Overview . 17 2.2.1 Ease of use . 17 2.2.2 Supporting secure software . 18 2.2.3 Supporting security code review . 19 2.3 Approach . 20 2.3.1 Subsetting . 21 2.4 Design of Joe-E . 21 2.4.1 Memory Safety and Encapsulation . 22 2.4.2 Removing Ambient Authority . 23 2.4.3 Exceptions and Errors . 26 2.5 Programming Patterns . 28 2.5.1 Reachability and Object Graph analysis . 28 2.5.2 Leveraging Static Typing . 29 2.5.3 Defensive Consistency . 31 2.5.4 Immutability . 31 Contents iii 2.5.5 Attenuation of Authority . 32 2.5.6 Facets . 32 2.6 Implementation . 33 2.7 Conclusions . 36 3 Verifiable Functional Purity in Joe-E 37 3.1 Introduction . 37 3.2 Applications . 39 3.2.1 Reproducibility . 40 3.2.2 Invertibility . 40 3.2.3 Untrusted code execution . 41 3.2.4 Building robust systems . 43 3.2.5 Bug reduction . 43 3.2.6 Assertions and Specifications . 44 3.3 Definitions . 45 3.3.1 Side-effect freeness . 45 3.3.2 Determinism . 45 3.4 Approach . 46 3.4.1 Equivalence of reference lists . 47 3.4.2 Immutability . 48 3.5 Pure methods . 49 3.6 Implementation . 49 3.6.1 Side effects and Nondeterminism . 50 3.6.2 Immutability . 53 3.6.3 Verifying Purity . 53 3.7 Evaluation and Experience . 54 3.7.1 AES library . 55 3.7.2 Voting machine . 56 3.7.3 HTML parser . 57 3.7.4 Summary of patterns . 60 3.7.5 Waterken Server . 60 3.8 Discussion . 61 3.9 Conclusions . 62 4 Joe-E's Overlay Type System and Marker Interfaces 63 4.1 Introduction . 63 4.2 Overlay Type System . 65 4.2.1 Marker Interfaces . 66 4.2.2 Properties . 67 4.2.3 Formalizations . 67 4.3 Immutability . 72 4.3.1 Ensuring Final Means Final . 73 Contents iv 4.4 Identity-based Authority . 74 4.4.1 Power and Tokens . 75 4.4.2 Powerless . 76 4.5 Selfless and Equatable . 78 4.6 Conclusions . 81 4.7 Appendix: Proofs of Theorems . 82 4.7.1 Completeness . 82 4.7.2 Non-circularity . 83 5 Applications of Joe-E 85 5.1 Waterken . 85 5.1.1 Consistent Persistence . 86 5.1.2 Cache Coherence . 87 5.1.3 Remote capabilities . 88 5.2 Capsules . 89 5.2.1 Design . 89 5.2.2 Implementation . 90 5.2.3 Evaluation . 91 6 Related Work: Joe-E 99 6.1 Capabilities . 99 6.1.1 Object-Capability Languages . 99 6.1.2 Privilege Separation . 100 6.2 Security for Java and Related Languages . 100 6.3 Functional Purity . 101 6.3.1 Side Effects . 102 6.3.2 Functionally Pure Languages . 103 6.4 Overlay Type Systems . 104 7 Retrofitting Web Applications for Security Review of Cross-Site Scripting Resistance 106 7.1 Introduction . 106 7.2 Background . 108 7.3 Problem . 110 7.4 Approach . 112 7.4.1 Mitigation Mode . ..
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages184 Page
-
File Size-