Open access

Robust and compositional verification of object capability patterns

Published: 12 October 2017

Abstract

In scenarios such as web programming, where code is linked together from multiple sources, object capability patterns (OCPs) provide an essential safeguard, enabling programmers to protect the private state of their objects from corruption by unknown and untrusted code. However, the benefits of OCPs in terms of program verification have never been properly formalized. In this paper, building on the recently developed Iris framework for concurrent separation logic, we develop OCPL, the first program logic for compositionally specifying and verifying OCPs in a language with closures, mutable state, and concurrency. The key idea of OCPL is to account for the interface between verified and untrusted code by adopting a well-known idea from the literature on security protocol verification, namely robust safety. Programs that export only properly wrapped values to their environment can be proven robustly safe, meaning that their untrusted environment cannot violate their internal invariants. We use OCPL to give the first general, compositional, and machine-checked specs for several commonly-used OCPs—including the dynamic sealing, membrane, and caretaker patterns—which we then use to verify robust safety for representative client code. All our results are fully mechanized in the Coq proof assistant.


Cited By

  • (2024) Iris-MSWasm: Elucidating and Mechanising the Security Invariants of Memory-Safe WebAssembly. Proceedings of the ACM on Programming Languages 8(OOPSLA2), 304–332. DOI: 10.1145/3689722. Online publication date: 8 Oct 2024.
  • (2024) Cerise: Program Verification on a Capability Machine in the Presence of Untrusted Code. Journal of the ACM 71(1), 1–59. DOI: 10.1145/3623510. Online publication date: 11 Feb 2024.
  • (2023) Semantic Encapsulation using Linking Types. Proceedings of the 8th ACM SIGPLAN International Workshop on Type-Driven Development, 14–28. DOI: 10.1145/3609027.3609405. Online publication date: 30 Aug 2023.
  • (2023) VMSL: A Separation Logic for Mechanised Robust Safety of Virtual Machines Communicating above FF-A. Proceedings of the ACM on Programming Languages 7(PLDI), 1438–1462. DOI: 10.1145/3591279. Online publication date: 6 Jun 2023.
  • (2023) Iris-Wasm: Robust and Modular Verification of WebAssembly Programs. Proceedings of the ACM on Programming Languages 7(PLDI), 1096–1120. DOI: 10.1145/3591265. Online publication date: 6 Jun 2023.
  • (2023) Formalizing, Verifying and Applying ISA Security Guarantees as Universal Contracts. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 2083–2097. DOI: 10.1145/3576915.3616602. Online publication date: 15 Nov 2023.
  • (2023) Achieving Human Parity on Visual Question Answering. ACM Transactions on Information Systems 41(3), 1–40. DOI: 10.1145/3572833. Online publication date: 4 Apr 2023.
  • (2023) WaVe: a verifiably secure WebAssembly sandboxing runtime. 2023 IEEE Symposium on Security and Privacy (SP), 2940–2955. DOI: 10.1109/SP46215.2023.10179357. Online publication date: May 2023.
  • (2023) Robust Safety for Move. 2023 IEEE 36th Computer Security Foundations Symposium (CSF), 308–323. DOI: 10.1109/CSF57540.2023.00045. Online publication date: Jul 2023.
  • (2022) Semi-symbolic inference for efficient streaming probabilistic programming. Proceedings of the ACM on Programming Languages 6(OOPSLA2), 1668–1696. DOI: 10.1145/3563347. Online publication date: 31 Oct 2022.


Published In

Proceedings of the ACM on Programming Languages, Volume 1, Issue OOPSLA (October 2017), 1786 pages.
EISSN: 2475-1421
DOI: 10.1145/3152284
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 12 October 2017
Published in PACMPL Volume 1, Issue OOPSLA


Author Tags

  1. compositional verification
  2. logical relations
  3. object capabilities
  4. robust safety
  5. separation logic

Qualifiers

  • Research-article

Article Metrics

  • Downloads (Last 12 months)110
  • Downloads (Last 6 weeks)10
Reflects downloads up to 04 Oct 2024

