Slide 1

Slide 1 text

Connections between memory safety and privacy/confidentiality...
Hyperledger Blockchains: Architecture Working Group
Clive Boulton
Research at CertifiedTrue

Slide 2

Slide 2 text

Credit: Mark S. Miller
- Co-author w/ Eric Drexler of the Agoric Papers
- Author of the E object capabilities programming language
- PhD: Robust Composition [reprised at PWL]
- TC39 ECMAScript / Google Research Staff / Caja
- Author of Dr. SES (distributed resilient secure ECMAScript)
- 2018: TC39 / Agoric: secure smart contracts (https://agoric.com/)
Inset diagrams, unless noted, are all by Mark S. Miller (generally open source via TC39).

Slide 3

Slide 3 text

Multi-party computation
Distributed systems
Doing business with strangers!
Doing business with friends...
* Necessary Paranoia
* Who has access?
http://ward.bay.wiki.org/view/agreeing-with-strangers

Slide 4

Slide 4 text

Stopping Exfiltration in Smart Contracts
- Current smart contracts have developer IDEs (similar to stored procedures).
- More inclusive smart contracts will likely have Word / Excel-like editors.
- We can expect web interfaces... (JavaScript, wasm)
Example: (screenshot tabs) Tab 1, 2, and 3...

Slide 5

Slide 5 text

Tab 1. Open encrypted email.
Tab 2. Watch a movie, which triggers a malicious advertisement in Tab 3.
When the encrypted email is decrypted, Tab 3 learns information about the user’s secret key (from cache).

Slide 6

Slide 6 text

3 things to look at...
- Anticipate Composition
- Implement extreme modularity with least authority
- Memory-safe OCap-based languages

Slide 9

Slide 9 text

Frozen Realms API
Maximum modularity / least coupling (as close as practical, remove destructive behavior).
TC39 2016: https://github.com/tc39/proposal-frozen-realms
TC39 2018: Building Membranes in JavaScript
“The simplest option is to freeze what you can, so that certain values can't be changed”

Slide 10

Slide 10 text

Reduce Attack Surface Area
- Menger sponge analogy: apply object capabilities (least authority).
- Extreme modularity (put capabilities into small boxes).
- Approach taken by mobile apps (iOS / Android).
- Also the package management approach taken by Node (Hyperledger Composer).
- Miller’s Caja (JS sanitizer).

Slide 11

Slide 11 text

What are capabilities?
A capability is a single thing that both designates a resource and authorizes some kind of access to it.
A first-class move away from ACLs (access control lists), closing the loopholes bad actors are exploiting in e-commerce.
Capabilities solve “The Confused Deputy” problem in Windows, macOS, and Unix-derived OSes (Linux, Android, etc.).
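The confused deputy named on this slide, as an added example that is not from the deck: a compile service that is handed a file name acts on it with its own authority, while one that is handed a capability can only act on what the client actually holds. The in-memory store and the names `makeStore`, `makeAclCompiler`, `makeCapCompiler`, `billing.log` and `out.o` are assumptions made for illustration.

```javascript
// Constructed in-memory file store standing in for the OS (assumption).
function makeStore() {
  const files = new Map([['billing.log', 'units=3']]);
  return {
    read: (name) => files.get(name),
    write: (name, data) => { files.set(name, data); },
    // Capability: one frozen object that designates a file AND authorizes
    // writing to it. Holding the reference is the permission.
    writerFor: (name) => Object.freeze({
      write: (data) => { files.set(name, data); },
    }),
  };
}

// ACL-style deputy: receives a file *name* and opens it with its own
// authority, so it cannot tell the client's permission from its own.
function makeAclCompiler(store) {
  return (source, outName) => {
    store.write(outName, 'obj:' + source);
    store.write('billing.log', store.read('billing.log') + ';+1');
  };
}

// Capability-style deputy: holds only a billing writer, and writes output
// through whatever writer the client was able to hand over.
function makeCapCompiler(billing) {
  let units = 3;
  return (source, outWriter) => {
    outWriter.write('obj:' + source);
    billing.write('units=' + (++units));
  };
}

function demo() {
  const aclStore = makeStore();
  makeAclCompiler(aclStore)('x=1', 'billing.log'); // client names the log
  const capStore = makeStore();
  const compile = makeCapCompiler(capStore.writerFor('billing.log'));
  // The client was granted out.o only; it has no billing.log reference to pass.
  compile('x=1', capStore.writerFor('out.o'));
  return {
    aclBilling: aclStore.read('billing.log'),
    capBilling: capStore.read('billing.log'),
    capOutput: capStore.read('out.o'),
  };
}
```

In the ACL variant the billing record is replaced by compiler output; in the capability variant the same request cannot be expressed, because designation and authorization travel together.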

Slide 12

Slide 12 text

OCap-based language (or a first class candidate).
“If language A is correctly implemented in language B, and new code enters the system only in language A, then the nature of language B doesn't matter much. JavaScript is indeed normally implemented in C, but unlike C, JavaScript is a memory-safe language. Regarding safety and security, this makes all the difference in the world. If the only new code admitted is JavaScript code, and if the JavaScript implementation actually is correctly memory safe, then it doesn't matter that this implementation is written in C.”
- Mark Miller (by correspondence)

Slide 15

Slide 15 text

Object-capabilities at ACM: Sigplan (Splash 2017)
JavaScript as first designed: everything can mess with everything (fine for web page scripting).
JavaScript is now used for complex applications, even serious distributed applications (requiring defensive code).
JavaScript functions as a very good approximation of lexical functions encapsulating the functions it captures.
But not perfectly tamper-proof objects (ES5 is statically scoped).
- Freezing objects
- Freezing realms

Slide 17

Slide 17 text

Objects as closures
Examples of Dr. SES, a variant of JavaScript

    function makeCounter() {
      // count is reachable only through the two closures returned below
      var count = 0;
      return {
        incr: function () { return ++count; },
        decr: function () { return --count; }
      };
    }

Slide 21

Slide 21 text

Secure ECMAScript
➢ When Alice asks: bob.foo(carol)
   Alice grants Bob access to Carol, as needed for foo
➢ Memory-safe encapsulated objects
   Protect objects from their outside world
➢ OCaps: Causality only by references
   No powerful references by default
   Protect world from objects
➢ Reference graph === Access graph
   Deny authority by withholding connectivity
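An added example, not from the deck, tying together the frozen objects of slide 15, the `makeCounter` closure of slide 17 and the `bob.foo(carol)` grant above: Bob can affect only what he is handed, and a frozen facet narrows that to a single operation. `makeSoftCounter`, `bobFoo`, `incrOnlyFacet` and `demo` are hypothetical names, and plain `Object.freeze` stands in for what SES does across a whole realm.

```javascript
// Slide 17's counter with its surface frozen: state stays in the closure
// and holders cannot replace the methods.
function makeCounter() {
  let count = 0;
  return Object.freeze({ incr: () => ++count, decr: () => --count });
}

// Unfrozen variant (hypothetical), to show what freezing prevents.
function makeSoftCounter() {
  let count = 0;
  return { incr: () => ++count, decr: () => --count };
}

// Bob is mutually suspicious code: his only authority is the reference
// Alice passes in. Here he tries to replace incr on what he was given.
function bobFoo(carol) {
  'use strict'; // writes to a frozen object throw instead of failing silently
  const evil = () => 1000000;
  let tampered;
  try {
    carol.incr = evil;
    tampered = carol.incr === evil;
  } catch (e) {
    tampered = false; // TypeError: object is frozen
  }
  return { tampered, sawDecr: typeof carol.decr === 'function' };
}

// Attenuation (hypothetical helper): a facet that forwards incr only.
function incrOnlyFacet(counter) {
  return Object.freeze({ incr: () => counter.incr() });
}

function demo() {
  const soft = makeSoftCounter();
  const softReport = bobFoo(soft);                  // full, mutable reference
  const hard = makeCounter();
  const facetReport = bobFoo(incrOnlyFacet(hard));  // least authority
  return { softReport, facetReport, softValue: soft.incr(), hardValue: hard.incr() };
}
```

After Bob runs, the unfrozen counter's `incr` returns his value for every other holder, while the frozen counter is untouched and Bob never saw `decr` at all.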

Slide 22

Slide 22 text

ECMAScript 5 / ES6 ‘strict mode’, more in ES2017/18/19...
- Use ‘strict mode’
- Objects that can defend their integrity
- Properly defensive
- 7 steps of initialization is strict JS === Dr. SES
SES: runs atop an ES6-compliant platform, enabling safe interaction of mutually-suspicious code, using object-capability-style programming.
https://github.com/Agoric/SES

Slide 23

Slide 23 text

Summary
- Anticipate Composition
- Implement extreme modularity with least authority
- Memory-safe OCap-based languages