Current Techniques in Language-based Security
Steve Zdancewic  U. Penn

Formalizing Stack Inspection

  Abstract permissions
    p, q \in P		Set of all permissions
    R, S \includein P	Principals (sets of permissions)

  Hide the details of classloading, etc
  E.g.
    System = { fileWrtie("f1"), fileWrtie("f2"), ... }
    Applet = { fileWrite("f1") }

  Lagnuage Syntax (\Lamda sec Syntax
    e, f	::=		expressions
       x			variable
       \lamda x.e		function
       e f			application
       R{e}			framed expr
       enable p in e		enable
       test p then e else f	check perm
       fail			failure

    v 		::=	x  | \lamda x.e		values
    o 		::= 	v | fail		outcome

  Framing a Term (evaluation semantics)
    Models the ClassLoader that marks the (unframed)
    code with its protection domain:

    R[[x]]		= x
    R[[\lamda x.e]]	= \lambda x.R{R[[e]]}
    R[[e f]]		= R[[e]] R[[f]]
    R[[enale p in e]]	= enable p in R[[e]]
    R[[test p then e else f]]
			= test R[[p]] then R[[e]] else R[[f]]
    R[[fail]]		= fail

    E.g.
      readFile = \lambda fileName.System {
        tset fileWrite( fileName) then
	  // primitive file IO (native code)
        else fail
      }

      Applet{readFile "f2"} |L fail
      System{readFile "f2"} |L <f2 contents>

Evaluation contexts: (operation semantics)
  E	::=
    []			Hole
    E e			Eval. Function
    v E			Eval. Arg.
    enable p in E	Tagged frame
    R{E}		frame

  E models the control stack

    E[ (\lamda x.e) v ]		-> E[ e{v/x} ]
    E[ enable p in v ]		-> E[v]
    E[ R{v} ]			-> E[v]
    E[ fail ]			-> fail
    E[ test p then e else f ]	-> E[ e ]
		if Stack(E) |- p
    E[ test p then e else f ] 	-> E[ f ]
		if not(Stack(E) |- p)	(stack inspection)
    e |L o       iff  e ->* o

  E.g.
    Applet{ readFile "f2"}

    E = Applet{ [] }
    r = readfile "f2"
      = \lambda fileName.System {
    E' = Applet{ system[] }
    r' = test fileWrite( fileName) then
	  // primitive file IO (native code)
        else fail
      }


  Abstract Stack Inspection
    .  |-  p			empty stack axiom
    x |- p   p \in R
    ----------------		protection domain check
      x.R |- p
        x |- p
    --------------------        p <> q irrelevant enable
      x.enable(q) |- p
	x |= p
    --------------------        check enable
     x.enable(p) |- p

     . |= p			empty stack enables all
       p \in R
     -----------		enable succeeds, should occur only
      x.R |= p       		in trusted coede
       x |= p
     ------------------		p <> q irrelevant enable
      x.enable(q) |= p
 
  Equational Reasoning
    e |L  iff there exists o such that e |L o

    Let C[] be an arbitrary program context.

    Say that e =~= e' iff
      for all C[], if C[e] and C[e'] are closed then
      C[e] |L  iff C[e'] |L	// |L holds

  Example Inequality
    let x = e in e' = (\lamdax.e') e
    ok = \lamda x.x
    loop = (\lamda x.x x)(\lamda x.x x)		(note: loop doesn't |L)
    f = \lamda x. let z = x ok in \lamda_.z
    g = \lamda x. let z = x ok in \lamda_.(x ok)

    Claim: f <> g

    Proof:
    Let C[] = \emptyStack{[]\lamda_.test p then loop else ok} ok
       C[f] = \emptyStack{f\lamda_.test p then loop else ok} ok
	    ->\emptyStack{let z = \lamda_.test p then loop else ok} ok
			  in \lamda_.z} ok
	    ->\emptyStack{let z = \lamda_.test p then loop else ok} ok
			  in \lamda_.z} ok
	    ->\emptyStack{let z = \lamda_.test p then loop else ok} ok
			  in \lamda_.z} ok
	    ->\emptyStack{\lamda_.ok} ok
	    ->(\lamda_.ok) ok
	    ->ok

  Axiomatic Equivalence
    See papers for details

  Static analysis for stack inspection.
    Type system for stack inspection
  Connections to information-flow analysis
