Connections between Memory Safety and Privacy Confidentiality

Transcript

1. Connections between memory safety and privacy/confidentiality... Hyperledger Blockchains: Architecture Working

   Group Clive Boulton Research at CertifiedTrue

2. Credit: Mark S. Miller Co-author w/ Eric Drexler of the

   Agoric Papers Author of the E object capabilities programming language. PhD: Robust Composition [reprised at PWL] TC39 EcmaScript / Google Research Staff / Caja Author of Dr. SES (distributed resilient secure ecmascript) 2018: TC39 / Agoric: secure smart contracts (https://agoric.com/) Inset diagrams unless noted all Mark S. Miller (generally open source via TC39).

3. Multi-party computation Distributed systems Doing business with strangers! Doing business

   with friends... * Necessary Paranoia * Who has access? http://ward.bay.wiki.org/view/agreeing-with-strangers

4. Stopping Exfiltration in Smart Contracts Current smart contracts have developer

   IDEs (similar to stored procedures). More inclusive smart contracts likely have Word / Excel like editors We can expect web interfaces… (javascript, wasm) Example: (screenshot tabs) Tab 1, 2, and 3 …..

5. Tab 1. Open encrypted email Tab 2. Watch a movie

   triggers a malicious advertisement in Tab 3. When encrypted email is decrypted, Tab 3 learns information about user’s secret key (from cache)

6. 3 things to look at... Anticipate Composition Implement extreme modularity

   with least authority Memory safe Ocap based languages
7. None
8. None

9. Frozen Realms API Maximum modularity / least coupling (as close

   as practical, remove destructive behavior). TC39 2016 https://github.com/tc39/proposal-frozen-realms TC39 2018 Building Membranes in JavaScript “The simplest option is to freeze what you can, so that certain values can't be changed”

10. Reduce Surface Attack Area Menger sponge analogy: Apply object capabilities

    (least authority). Extreme modularity (put capabilities into small boxes). Approach taken by mobile apps (iOS / Android). Also package management approach taken by Node (Hyperledger Composer). Miller’s Caja (js sanitizer).

11. What are capabilities? A capability is single thing that both

    designates a resource and authorizes some kind of access to it. A first class move from ACL (access control lists) by closing the loopholes bad actors are exploiting in e-commerce. Capabilities solve “The Confused Deputy” problem in Windows, MacOS, and Unix derived OS Linux, Android, etc.

12. OCap based language (or a first class candidate). “If language

    A is correctly implemented in language B, and new code enters the system only in language A, then the nature of language B doesn't matter much. JavaScript is indeed normally implemented in C, but unlike C, JavaScript is a memory-safe language. Regarding safety and security, this makes all the difference in the world. If the only new code admitted is JavaScript code, and if the JavaScript implementation actually is correctly memory safe, then it doesn't matter that this implementation is written in C.” - Mark Miller (by correspondence)
13. None
14. None

15. Object-capabilities at ACM: Sigplan (Splash 2017) JavaScript as first designed

    for everything can mess with everything (fine for web page scripting) JavaScript now used for complex applications, even series distributed applications (requiring defensive code). JavaScript functions as a very good approximation of lexical functions encapsulating the functions it captures. But not perfectly tamper proof objects (ES5 is statically scoped). - Freezing objects - Freezing realms
16. None

17. Objects as closures Examples of Dr. SES a variant of

    JavaScript Function makeCounter ( ) { var count = 0 return { incr: function ( ) { return ++ count:}. decr: function ( ) {return - count:} }); }
18. None
19. None
20. None

21. Secure Ecmascript ➢ When Alice asks: bob.foo(carol) Alice grants Bob

    access to Carol, as needed for foo ➢ Memory-safe encapsulated objects Protect objects from their outside world ➢ OCaps: Causality only by references No powerful references by default Protect world from objects ➢ Reference graph === Access graph Deny authority by withholding connectivity

22. ECMAScript 5 / ES6 ‘strict mode’ more in ES2017/18/19... Use

    ‘strict mode’ Objects who can defend their integrity Properly defensive 7 steps of initialization is strict JS === Dr. SES SES: runs atop an ES6-compliant platform, enabling safe interaction of mutually-suspicious code, using object-capability -style programming. https://github.com/Agoric/SES

23. Summary Anticipate Composition Implement extreme modularity with least authority Memory

    safe Ocap based languages