1 / 15

Secure Composition of Untrusted Code: Wrappers and Causality Types

This paper delves into the secure composition of untrusted code through the lens of wrappers and causality types. It contrasts the principles of calculus, logic, and algebra before introducing Pi calculus and its variants, emphasizing their significance in defining communication processes. The study presents filtering examples, illustrates the role of unidirectional-flow wrappers, and discusses the importance of a type system that captures causal flows. Ultimately, it highlights how security policies can be established for components without detailed internal analysis, ensuring safety through causality.

allayna
Télécharger la présentation

Secure Composition of Untrusted Code: Wrappers and Causality Types

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Secure Composition of Untrusted Code: Wrappers and Causality Types Kyle Taylor

  2. Introduction

  3. Calculus Vs. Logic Vs. Algebra • Calculus • Branch of mathematics that studies continuously changing properties • Characterized by the use of infinite processes, involving passage to a limit • Logic • Systematic study of valid inference • Necessitates a distinction between logical validity and truth • Algebra • Branch of mathematics concerned with operations on sets • Find solutions to systems of equations

  4. Pi Calculus • Generalization of Calculus of Communicating Systems(CCS) • Contains two entities • Processes • Channels • Processes interact by by synchronous rendezvous on channels • Basic Lotos is a combination of CCS and CSP

  5. Boxed pi Calculus • Based on unordered asynchronous message passing • Turning Complete • Includes a boxing primitive • Communication across box boundaries is strictly limited • Process terms can not be placed on the channel • No primitives for the movement of boxes • It is untyped

  6. Syntax • Names • All combination of letters except reserved letters • Values and Patterns • Values u, v • u ::= x • v ::= <v1 .. v2> • Pattern p • p ::= _ • p ::= x • p ::= <p1 .. p2>

  7. Syntax Continued • Process P • P ::= n[P] • P ::= P | P’ • P ::= xov • P ::= xip.P • P ::= !xip.P • P ::= (v x) P • Input tag i and output tag o can be *, , n

  8. Semantics • Operational Semantics • describes the meaning of a programming language by specifying how it executes on an abstract machine • Reduction Semantics • Defines the internal computation of the processes • Labeled semantics • Inductively defined on process structure by a structural operational semantics (SOS)

  9. Filtering Example • alice[P] | !inalicex | !outalicex | !netalicex • W1(_) def = (v a)( a[_] | B ) • B =!in x.inax | !outax.out x • W1 prevents Q from accessing the network • Assumes P=0 and Q=in x.net x

  10. Filtering Example Continued • inalicey | alice [P | W1(Q)] • inalicey | alice[(v a)(a[Q] | B)] • alice[in y | (v a)(a[Q] | B)] • alice[(v a)(in y | a[Q] | B)] • alice[(v a)(inay | a[Q] | B)] • alice[(v a)(a[in y | Q] | B)] • alice[(v a)(a[net y] | B)] • alice[(v a)(netay | a[0] | B)]

  11. Unidirectional-flow Wrapper • Provides ordered asynchronous communication • Eliminates the awkwardness of only using only unordered asynchronous communication while ensuring casual independence • Necessitates the maintaining of an unbounded buffer

  12. Colouring and Causal Flow • The box pi calculus is extended to handle coloring • Output processes are annotated with the sets of colours that record their histories • The sets of principles that have effected them in the past • Very simple colouring that only captures a limited amount of causality information

  13. Causality Types • The type system statically captures causal flows • A wrapper can be shown to satisfy the causal flow property simply by checking that it is well-typed

  14. Discussion • Wrappers impose security policies on components for which it is impractical to analyze the internal structure • Alternative policies • Java style sand boxing • Code signing

  15. Conclusions • Provided techniques for proving that software wrappers enforce user specified flow constraints • Security is solely a function of causality

More Related