Connections between Memory Safety and Privacy Confidentiality

Research presented by Clive Boulton based on Mark S. Miller’s original work to Hyperledger Architecture Working Group. We attempted to show how memory safety impacts privacy/confidentiality in Hyperledger Blockchains.

  1. Connections between memory safety and privacy/confidentiality… Hyperledger Blockchains: Architecture Working Group. Clive Boulton, Research at CertifiedTrue.

  2. Credit: Mark S. Miller. Co-author w/ Eric Drexler of the Agoric Papers. Author of the E object-capabilities programming language. PhD: Robust Composition [reprised at PWL]. TC39 EcmaScript / Google Research Staff / Caja. Author of Dr. SES (distributed resilient secure ecmascript). 2018: TC39 / Agoric: secure smart contracts (https://agoric.com/). Inset diagrams, unless noted, all Mark S. Miller (generally open source via TC39).

  3. Multi-party computation. Distributed systems. Doing business with strangers! Doing business with friends… * Necessary Paranoia * Who has access? http://ward.bay.wiki.org/view/agreeing-with-strangers

  4. Stopping Exfiltration in Smart Contracts. Current smart contracts have developer IDEs (similar to stored procedures). More inclusive smart contracts will likely have Word/Excel-like editors. We can expect web interfaces… (JavaScript, wasm). Example: (screenshot tabs) Tab 1, 2, and 3…

  5. Tab 1: Open encrypted email. Tab 2: Watch a movie, which triggers a malicious advertisement in Tab 3. When the encrypted email is decrypted, Tab 3 learns information about the user’s secret key (from the cache).

  6. 3 things to look at… Anticipate composition. Implement extreme modularity with least authority. Memory-safe OCap-based languages.

  7. None
  8. None
  9. Frozen Realms API. Maximum modularity / least coupling (as close as practical, remove destructive behavior). TC39 2016: https://github.com/tc39/proposal-frozen-realms. TC39 2018: Building Membranes in JavaScript. “The simplest option is to freeze what you can, so that certain values can’t be changed.”
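The slide's advice to "freeze what you can" has a well-known catch: `Object.freeze` is shallow, so a nested object shared between two parties can still be altered by either of them. The following is an added example, not code from the slides, the Frozen Realms proposal or the SES library; the `harden` function is a simplified stand-in for the recursive freeze that SES provides (it walks own properties only and deliberately skips prototypes, which a real realm freezes separately), and the shared `fmt` library and its tampering are constructed for illustration.

```javascript
'use strict';

// Added example (not from the slides): shallow Object.freeze versus a
// recursive "harden" over a small object graph shared by two parties.

// Recursively freeze every object or function reachable through own
// properties. A Set guards against revisiting, so cycles are safe.
// Simplification: prototypes are not walked here (SES freezes the
// primordials as a separate step).
function harden(root) {
  const seen = new Set();
  const stack = [root];
  while (stack.length) {
    const obj = stack.pop();
    if ((typeof obj !== 'object' && typeof obj !== 'function') || obj === null || seen.has(obj)) {
      continue;
    }
    seen.add(obj);
    Object.freeze(obj);
    for (const name of Reflect.ownKeys(obj)) {
      const desc = Object.getOwnPropertyDescriptor(obj, name);
      if ('value' in desc) {
        stack.push(desc.value);
      } else {
        stack.push(desc.get); // accessor pair; undefined entries are skipped above
        stack.push(desc.set);
      }
    }
  }
  return root;
}

// A constructed shared library: a formatter whose behaviour depends on a
// nested `defaults` record. Two mutually suspicious parties hold it.
function makeSharedLibrary() {
  return {
    name: 'fmt',
    defaults: { currency: 'USD', precision: 2 },
    format(amount) {
      return `${this.defaults.currency} ${amount.toFixed(this.defaults.precision)}`;
    },
  };
}

// Shallow freeze: the top-level record is immutable, but `defaults` is an
// ordinary mutable object, so one holder can silently change what every
// other holder's format() call produces.
function shallowFreezeTamper() {
  const lib = Object.freeze(makeSharedLibrary());
  lib.defaults.currency = 'XXX'; // succeeds: freeze did not reach this object
  return lib.format(1.5);        // 'XXX 1.50'
}

// Hardened: the same write is rejected (TypeError in strict mode) and the
// library keeps behaving as its author intended.
function hardenedDefense() {
  const lib = harden(makeSharedLibrary());
  let rejected = false;
  try {
    lib.defaults.currency = 'XXX';
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return { rejected, output: lib.format(1.5) }; // { rejected: true, output: 'USD 1.50' }
}
```

The design point is that freezing buys integrity only for the object graph you actually reach; any mutable value left reachable from a shared reference is a channel through which one party can influence another, which is why SES hardens whole graphs and the shared primordials rather than individual records.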

  10. Reduce Attack Surface Area. Menger sponge analogy: apply object capabilities (least authority). Extreme modularity (put capabilities into small boxes). Approach taken by mobile apps (iOS / Android). Also the package management approach taken by Node (Hyperledger Composer). Miller’s Caja (JS sanitizer).

  11. What are capabilities? A capability is a single thing that both designates a resource and authorizes some kind of access to it. A first-class move from ACLs (access control lists), closing the loopholes bad actors are exploiting in e-commerce. Capabilities solve “The Confused Deputy” problem in Windows, MacOS, and Unix-derived OSes (Linux, Android, etc.).

  12. OCap-based language (or a first-class candidate). “If language A is correctly implemented in language B, and new code enters the system only in language A, then the nature of language B doesn’t matter much. JavaScript is indeed normally implemented in C, but unlike C, JavaScript is a memory-safe language. Regarding safety and security, this makes all the difference in the world. If the only new code admitted is JavaScript code, and if the JavaScript implementation actually is correctly memory safe, then it doesn’t matter that this implementation is written in C.” – Mark Miller (by correspondence)

  13. None
  14. None
  15. Object-capabilities at ACM SIGPLAN (SPLASH 2017). JavaScript as first designed: everything can mess with everything (fine for web page scripting). JavaScript is now used for complex applications, even serious distributed applications (requiring defensive code). JavaScript functions are a very good approximation of lexical closures, encapsulating what they capture. But not perfectly tamper-proof objects (ES5 is statically scoped). – Freezing objects – Freezing realms

  16. None
  17. Objects as closures. Example in Dr. SES, a variant of JavaScript:

        function makeCounter() {
          var count = 0;
          return {
            incr: function () { return ++count; },
            decr: function () { return --count; }
          };
        }

  18. None
  19. None
  20. None
  21. Secure Ecmascript
      ➢ When Alice asks bob.foo(carol), Alice grants Bob access to Carol, as needed for foo.
      ➢ Memory-safe encapsulated objects: protect objects from their outside world.
      ➢ OCaps: causality only by references; no powerful references by default: protect the world from objects.
      ➢ Reference graph === access graph: deny authority by withholding connectivity.
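To tie the makeCounter slide (17) to the "reference graph === access graph" point on this slide, here is an added example that is not part of the presentation or of Dr. SES/SES itself. It keeps the counter's state inside a closure, freezes each object that is handed out, and then shows two standard object-capability patterns on top of plain closures: attenuation (Bob receives an increment-only facet, not the whole counter) and revocation via a forwarder Alice can sever later. The names Alice, Bob and the `runScenario` driver are illustrative; `Object.freeze` and strict mode are standard ECMAScript.

```javascript
'use strict';

// Added example (not from the slides): object-capability patterns built from
// plain closures, in the style of the makeCounter slide.

// The counter's state lives only in a closure variable. Nothing outside can
// name `count`; the only way to affect it is through the functions returned.
function makeCounter() {
  let count = 0;
  // Object.freeze makes the record tamper-resistant: a holder cannot swap
  // `incr` for a malicious function that the other holders would then run.
  return Object.freeze({
    incr() { return ++count; },
    decr() { return --count; },
    value() { return count; },
  });
}

// Attenuation: hand a party only the authority it needs. The returned facet
// can increment but can neither decrement nor read the raw count.
function makeIncrementOnly(counter) {
  return Object.freeze({ incr: () => counter.incr() });
}

// Revocation (the "caretaker" pattern): a forwarder whose link to the target
// can be cut later. After revoke(), the forwarder is inert.
function makeRevocable(target) {
  let current = target;
  const forwarder = Object.freeze({
    incr() {
      if (current === null) throw new Error('capability revoked');
      return current.incr();
    },
  });
  const revoke = () => { current = null; };
  return Object.freeze({ forwarder, revoke });
}

// "bob.foo(carol)": when Alice passes a reference to Bob, Bob gains exactly
// the authority that reference carries, nothing more. Here Alice keeps the
// full counter and gives Bob a revocable, increment-only view of it.
function runScenario() {
  const counter = makeCounter();                           // Alice's full authority
  const { forwarder: bobsView, revoke } = makeRevocable(makeIncrementOnly(counter));

  bobsView.incr();
  bobsView.incr();                                         // Bob uses it twice

  // Bob tries to replace the facet's method; strict mode turns the write
  // into a TypeError because the object is frozen.
  let tamperRejected = false;
  try {
    bobsView.incr = () => 999;
  } catch (e) {
    tamperRejected = e instanceof TypeError;
  }

  revoke();                                                // Alice withdraws the grant
  let afterRevoke = 'still works';
  try {
    bobsView.incr();
  } catch (e) {
    afterRevoke = e.message;
  }

  return {
    count: counter.value(),                                // 2
    bobCanDecrement: typeof bobsView.decr === 'function',  // false
    tamperRejected,                                        // true
    afterRevoke,                                           // 'capability revoked'
  };
}
```

Bob never holds a reference to `count`, to `decr`, or to the revoker, so there is no path in the reference graph by which he could reach that authority; withholding connectivity is the whole access-control mechanism.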

  22. ECMAScript 5 / ES6 ‘strict mode’, more in ES2017/18/19… Use ‘strict mode’. Objects that can defend their integrity. Properly defensive: the 7 steps of initialization in strict JS === Dr. SES. SES runs atop an ES6-compliant platform, enabling safe interaction of mutually-suspicious code, using object-capability-style programming. https://github.com/Agoric/SES

  23. Summary: Anticipate composition. Implement extreme modularity with least authority. Memory-safe OCap-based languages.