Remove SensePlus virus – get rid of SensePlus virus completely from your windows System
Building a Virus-Safe Platform Don’t add security, remove insecurity
description
Transcript of Building a Virus-Safe Platform Don’t add security, remove insecurity
![Page 1: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/1.jpg)
Mark S. MillerVirus-Safe Computing InitiativeHewlett Packard Laboratories
Building a Virus-Safe PlatformDon’t add security, remove insecurity
![Page 2: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/2.jpg)
Virus-Safe Computing Initiative
A Very Powerful Program
This program can delete any file you can.
![Page 3: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/3.jpg)
Virus Safe Computing Initiative
Functionality vs. Security?
Integratable
Isolated
E & CapDeskLeast Authority
Applets:No Authority
Applications:User’s Authority
SafeDangerous
“Sandboxing”Firewalls
![Page 4: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/4.jpg)
Virus-Safe Computing Initiative
A Tale of Two Copies
$ cp foo.txt bar.txt
vs.$ cat < foo.txt > bar.txt
•Bundle permission with designation•Let “knowledge of” shape “access to”•Remove ambient authority
![Page 5: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/5.jpg)
Virus-Safe Computing Initiative
CapDesk: Usable POLA
• Double click launch• File Explorer• Open dialog• Drag/Drop• Etc...
Moral: Bundle permission with designation
![Page 6: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/6.jpg)
Virus-Safe Computing Initiative
How do I designate thee?
• by Introduction– ref to Carol– ref to Bob– decides to share
• by Parenthood• by Endowment• by Initial
Conditions
How might object Bob come to know of object Carol?
![Page 7: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/7.jpg)
Virus-Safe Computing Initiative
How do I designate thee?
• by Introduction– ref to Carol– ref to Bob– decides to share
• by Parenthood• by Endowment• by Initial
Conditions
Alice says: bob.foo(carol)
![Page 8: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/8.jpg)
Virus-Safe Computing Initiative
How do I designate thee?
• by Introduction– ref to Carol– ref to Bob– decides to share
• by Parenthood• by Endowment• by Initial
Conditions
Alice says: bob.foo(carol)
![Page 9: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/9.jpg)
Virus-Safe Computing Initiative
How do I designate thee?
• by Introduction– ref to Carol– ref to Bob– decides to share
• by Parenthood• by Endowment• by Initial
Conditions
Alice says: bob.foo(carol)
![Page 10: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/10.jpg)
Virus-Safe Computing Initiative
How do I designate thee?
• by Introduction– ref to Carol– ref to Bob– decides to share
• by Parenthood• by Endowment• by Initial Conditions
Alice says: bob.foo(carol)
Think in names. Speak in references.
![Page 11: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/11.jpg)
Virus-Safe Computing Initiative
How do I designate thee?
• by Introduction– ref to Carol– ref to Bob– decides to share
• by Parenthood• by Endowment• by Initial Conditions
Alice says: bob.foo(carol)
![Page 12: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/12.jpg)
Virus-Safe Computing Initiative
How do I designate thee?
• by Introduction– ref to Carol– ref to Bob– decides to share
• by Parenthood• by Endowment• by Initial Conditions
Bob says: def carol { ... }
![Page 13: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/13.jpg)
Virus-Safe Computing Initiative
How do I designate thee?
• by Introduction– ref to Carol– ref to Bob– decides to share
• by Parenthood• by Endowment• by Initial Conditions
Alice says: def bob { ... carol ... }
![Page 14: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/14.jpg)
Virus-Safe Computing Initiative
How do I designate thee?
• by Introduction– ref to Carol– ref to Bob– decides to share
• by Parenthood• by Endowment• by Initial Conditions
At t0:
![Page 15: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/15.jpg)
Virus-Safe Computing Initiative
What are Object-Capabilities?
• by Introduction– ref to Carol– ref to Bob– decides to share
• by Parenthood• by Endowment• by Initial Conditions
• Absolute encapsulation—causality only by messages• Only references permit causality
Reference Graph == Access Graph
![Page 16: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/16.jpg)
Virus-Safe Computing Initiative
Not Discretionary!
• by Introduction– ref to Carol– ref to Bob– decides to share
• by Parenthood• by Endowment• by Initial
Conditions
Alice says: bob.foo(carol)
• Overlooked requirement. Enables confinement.• Only connectivity begets connectivity.
![Page 17: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/17.jpg)
Virus-Safe Computing Initiative
Distributed Crypto Object-Caps
Alice says:
bob <- foo(carol)
![Page 18: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/18.jpg)
Virus-Safe Computing Initiative
Distributed Crypto Object-Caps
![Page 19: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/19.jpg)
Virus-Safe Computing Initiative
Distributed Crypto Object-Caps
![Page 20: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/20.jpg)
Virus-Safe Computing Initiative
Distributed Crypto Object-Caps
![Page 21: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/21.jpg)
Virus-Safe Computing Initiative
The Two Impostor Problems
VatID:
Is this the Carol
Alice Meant?
SwissNumber:
Is this the Bob
Alice Meant?
![Page 22: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/22.jpg)
POLA
Virus SafeComputing
Objects
Object-C
apabilities
Roadmap, in Hindsight
SafeReflection
Scheme
Mutable Static State
Static Native “Devices”
Shared State Concurrency
Unprincipled Libraries
Oak, pre.NET, Squeak , Oz
What about
Security?
ClassLoaders as Principals
Stack Introspection
Security Managers Signed Applets
Safe Loading
No problemo
Java, .NET
What about
Security?
Lexical NestingMessage Passing, Encapsulation
Memory Safety, GC, Eval / Loading
W7 E
![Page 23: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/23.jpg)
Message Passing, Encapsulation Lexical Nesting POLA
Virus SafeComputing
Objects
Object-C
apabilities
Detour is Non-Object Causality
SafeReflection
Scheme W7 E
Squeak-E, Oz-E
What about
Security?
ClassLoaders as Principals
Stack Introspection
Security Managers Signed Applets
Memory Safety, GC, Eval / Loading Safe Loading
No problemo
Java, .NET
Mutable Static State
Static Native “Devices”
Shared State Concurrency
Unprincipled Libraries
![Page 24: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/24.jpg)
Virus-Safe Computing Initiative
def makePoint { to run(x :int, y :int) :any { def point { to getX() :int { return x } to getY() :int { return y } to add(otherPt) :any { def x2 := x.add(otherPt.getX()) def y2 := y.add(otherPt.getY()) return makePoint.run(x2, y2) } } return point} }
Objects as Closures
![Page 25: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/25.jpg)
Virus-Safe Computing Initiative
def makePoint(x :int, y :int) :any { def point { to getX() :int { return x } to getY() :int { return y } to add(otherPt) :any { def x2 := x + otherPt.getX() def y2 := y + otherPt.getY() return makePoint(x2, y2) } } return point}
def makePoint { to run(x :int, y :int) :any { def point { to getX() :int { return x } to getY() :int { return y } to add(otherPt) :any { def x2 := x.add(otherPt.getX()) def y2 := y.add(otherPt.getY()) return makePoint.run(x2, y2) } } return point} }
+ a pinch of sugar
![Page 26: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/26.jpg)
Virus-Safe Computing Initiative
Redell’s 1974 Caretaker Pattern
def makeCaretaker(var target) :any { def caretaker { match [verb :String, args :any[]] { E.call(target, verb, args) } } def revoker { to revoke() :void { target := null } } return [caretaker, revoker]}
![Page 27: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/27.jpg)
Virus-Safe Computing Initiative
Redell’s 1974 Caretaker Pattern
def makeCaretaker(var target) :any { def caretaker { match [verb :String, args :any[]] { E.call(target, verb, args) } } def revoker { to revoke() :void { target := null } } return [caretaker, revoker]}
Alice says: def [carol2, carol2revoker] := makeCaretaker(carol) bob.foo(carol2)
![Page 28: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/28.jpg)
Virus-Safe Computing Initiative
Can’t Revoke Permissions, but...
Alice says: carol2revoker.revoke()Bob says: carol2.doThis(...)
Bob says: carol2.doThat(...)
![Page 29: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/29.jpg)
Virus-Safe Computing Initiative
... Can Revoke Authority
Alice says: carol2revoker.revoke()Bob says: carol2.doThis(...)
Bob says: carol2.doThat(...)
![Page 30: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/30.jpg)
Virus-Safe Computing Initiative
No Permissions Were Revoked
Alice says: carol2revoker.revoke()Bob says: carol2.doThis(...)
Bob says: carol2.doThat(...)
![Page 31: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/31.jpg)
Virus-Safe Computing Initiative
Cashing in on Distributed Objects
Alice Bob
mint
$100 $0
$200
def payment := myPurse <- makePurse()payment <- deposit(10, myPurse)bob <- buy(..., payment)
when (payment) -> ... { when (myPurse <- deposit(10, payment)) ... { ... # dispense value }}
namesealerunsealer
buy
$90 $210
$10
makePurse
deposit
deposit
![Page 32: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/32.jpg)
Virus-Safe Computing Initiative
Distributed Secure Money in Edef makeMint(name :String) :any { def [sealer, unsealer] := makeBrandPair(name) def mint { to makePurse(var balance :(int >= 0)) :any { def decr(amount :(0..balance)) :void { balance -= amount } def purse { to getBalance() :int { return balance } to makePurse() :any { return mint.makePurse(0) } to getDecr() :any { return sealer.seal(decr) } to deposit(amount :int, src) :void { unsealer.unseal(src.getDecr())(amount) balance += amount } } return purse } } return mint}
![Page 33: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/33.jpg)
Virus-Safe Computing Initiative
Rights Amplification
? def [sealer, unsealer] := makeBrandPair("MarkM")# value: [<MarkM sealer>, <MarkM unsealer>]
? def envelope := sealer.seal("Tuna") # value: <sealed by MarkM>
? unsealer.unseal(envelope) # value: "Tuna"
![Page 34: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/34.jpg)
Virus-Safe Computing Initiative
Distributed Secure Money in Edef makeMint(name :String) :any { def [sealer, unsealer] := makeBrandPair(name) def mint { to makePurse(var balance :(int >= 0)) :any { def decr(amount :(0..balance)) :void { balance -= amount } def purse { to getBalance() :int { return balance } to makePurse() :any { return mint.makePurse(0) } to getDecr() :any { return sealer.seal(decr) } to deposit(amount :int, src) :void { unsealer.unseal(src.getDecr())(amount) balance += amount } } return purse } } return mint}
![Page 35: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/35.jpg)
Virus-Safe Computing Initiative
Security is Just Extreme Modularity
• Good software engineering– Responsibility driven design– Omit needless coupling– assert(..) preconditions
• Information hiding– Designation, need to know– Dynamics of knowledge
• Lexical naming– Think names, speak refs– Avoid global variables
• Abstraction– Procedural, data, control, ...– Patterns and frameworks– Say what you mean
• Capability discipline– Authority driven design– Omit needless vulnerability– Validate inputs
• Principle of Least Authority– Permission, need to do– Dynamics of authorization
• No global name spaces– Think names, speak refs– Forbid mutable static state
• Abstraction– ... and access abstractions– Patterns of safe cooperation– Mean only what you say
![Page 36: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/36.jpg)
Virus-Safe Computing Initiative
Our Logo
The POLA Bear
![Page 37: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/37.jpg)
Virus-Safe Computing Initiative
Bibliography
• E in a Walnut skyhunter.com/marcs/ewalnut.html Download E from erights.org and try it! (It’s open source.)
• Paradigm Regained (HPL-2003-222) erights.org/talks/asian03/• A Security Kernel Based on the Lambda-Calculus
mumble.net/jar/pubs/secureos/• Capability-based Financial Instruments (the “Ode”)
erights.org/elib/capability/ode/index.html• Intro to Capability-based Security
skyhunter.com/marcs/capabilityIntro/index.html• Statements of Consensus
erights.org/elib/capability/consensus-9feb01.html• Web Calculus www.waterken.com/dev/Web/Calculus/• Web sites: erights.org , combex.com , eros-os.org ,
cap-lore.com/CapTheory , www.waterken.com
![Page 38: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/38.jpg)
Virus-Safe Computing Initiative
Thank You
![Page 39: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/39.jpg)
Virus-Safe Computing Initiative
Paradigm Lost: Unchallenged Myths
“On the Inability of an Unmodified Capability Machine to Enforce the *-Property”
“... an unmodified or classic capability system cannot ... solve the confinement problem”
“Since a capability is just a bit string, it can propagate in many ways without the detection of the kernel or the server...”
“Capability systems modeled as unforgeable references present the other extreme, where delegation is trivial, and revocation is infeasible”
• Capabilities vs. ACLs are just rows vs. columns• Capabilities are “tickets” or “keys”• Capabilities are discretionary• ACLs won. Capabilities lost.
![Page 40: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/40.jpg)
Virus-Safe Computing Initiative
Example: Oak’s Detour
• Mutable static state (class variables)– even when private, prevents confinement
• Static, native, authority-bearing methods– example: File opening, clock
• Ambient access to non-determinism– System.identityHashcode(obj), threads
• Locks as communication channels– synchronized (“foo”.intern()) {...}
• Non-POLA legacy libraries
![Page 41: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/41.jpg)
Virus-Safe Computing Initiative
Stay on the Pure Object Road
• Pure object (instance) model is fine as is– No features need be added or removed– Though some new primitives are convenient
• Non-object causality must be prohibited– Authority only according to references held & used
• Loading separately provided code and state– No implicit state bindings, no global scopes– Must support lexical nesting in the large– All free variables are virtualizable– Only main() starts with all authority, as instances
![Page 42: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/42.jpg)
Virus-Safe Computing Initiative
Let Knowledge Shape Access
“Make the Computer Recursive”—Alan Kay
• “Knows about” has fractal structure.– People know people. Organs know organs. Cells know cells.– Make access rights similarly self-similar!
•Information hiding: “Need to know”•POLA: “Need to do”
![Page 43: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/43.jpg)
Virus-Safe Computing Initiative
Spectrum of Models
Direct access +Indirect causality
Overt behavior +Covert+Side+Bugs
Permission
Rules
Arcs
Protection State
Permit
Authority
Legal Outcomes
Paths (with behavior)
Op. Semantics
Authorize
Ability
Actual Outcomes
Non-determinism
Implementation
Enable
Tractable Realistic
![Page 44: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/44.jpg)
Virus-Safe Computing Initiative
Paradigm Regained: Access Abstraction
Alice says: carol2revoker.revoke()Bob says: carol2.doThis(...)
Bob says: carol2.doThat(...)
• Caretaker is smart ref• Alice uses behaviour to
express policy• Further limits Bob’s
authority• Tighter POLA
![Page 45: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/45.jpg)
Virus-Safe Computing Initiative
No Permissions Were Granted
• She’s only authorizing Bob.• By practicing POLA, as she
should, Alice has inadvertently thwarted the intent of this prohibition.
• Policy ignores Alice’s possible behaviour
• Confinement of permissions, by itself, is mostly pointless
• Confinement of authority, isn’t enough if we’ve got covert channels
What if Alice couldn’t permit Bob to access Carol?
![Page 46: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/46.jpg)
Other Capability Models
Equivalence? Revocability? Confinement?
Capabilities as Rows Capabilities as Keys
![Page 47: Building a Virus-Safe Platform Don’t add security, remove insecurity](https://reader035.fdocuments.in/reader035/viewer/2022081520/56814cf8550346895dba0618/html5/thumbnails/47.jpg)
Virus-Safe Computing Initiative
Capability Myths DemolishedModels mostly missed virtues of actual systems