Your SlideShare is downloading. ×
  • Like
Secure Compilation of a Multi-Tier Web Language (Semantics Lunch)
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Secure Compilation of a Multi-Tier Web Language (Semantics Lunch)

  • 5,958 views
Published

Presentation from the Computer Laboratory's Semantics Lunch

Presentation from the Computer Laboratory's Semantics Lunch

Published in Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
5,958
On SlideShare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
8
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References Secure Compilation of a Multi-Tier Web Language Ioannis G. Baltopoulos (ioannis.baltopoulos@cl.cam.ac.uk) Computer Laboratory Joint work with Andrew D. Gordon from Microsoft Research To appear in TLDI ’09 Semantics Lunch - Monday, December 8, 2008 Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 2. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References Web Programming Languages - Issues Nobody would question the success of the web, but people do question the need for so many web programming languages. One must be well versed in multiple languages to write even trivial applications. Impedance mismatch [Meijer et al., 2003] The data exchanged between the different tiers of the same application often comes in incompatible shapes and formats. Security reviews They require detailed knowledge of the language on each tier. Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 3. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References Multi-Tier Languages - A solution Multi-tier programming language. A high-level web programming language that compiles to code, split between each of the tiers of a web application. Links is a strongly typed, multi-tier, functional programming language for the web [Cooper et al., 2006]; HOP [Serrano et al., 2006] is a Scheme-based language for creating interactive applications across the web; Hilda, ML5, GWT, LINQ. Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 4. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References Principle of Source-Based Reasoning To say a language is high-level means that it supports a programming model that abstracts from the details of the lower-level code to which the language is compiled. Links in particular abstracts from the details of JavaScript and SQL and supports a high-level model based on call-by-value functional programming with XML literals. Security is an aspect of correctness, so high-level languages should allow security reasoning in terms of the abstract programming model. Principle of Source-Based Reasoning. Security properties of compiled code should follow from review of the source code and its source-level semantics. Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 5. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References This talk Motivation: In the context of programming languages that implement continuations on the client side using either cookies or hidden fields, the continuations are open to client manipulation. Objective: Allow security reasoning about multi-tier programs at the source level. We are studying specific anomalies, such as those arising from storing state in untrusted clients, and seeking countermeasures. Solution: We propose to apply authenticated encryption to closures to fix these problems. Authenticated encryption is a combination of secrecy and integrity protection where we initially hash the data and subsequently encrypt the data itself along with the hash. Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 6. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References Outline The Links Multi-Tier Programming Language 1 Source-Based Reasoning for Links 2 Standard and Secure Semantics 3 Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 7. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References The HTTP protocol (review) The HyperText Transfer Protocol (HTTP) is a stateless, request-response protocol that uses a client-server model. The GET method instructs the browser to retrieve the resource associated with the URI; its production should cause no side-effects. In the case of a dynamic resource an additional query string contains data to be passed to the web application. The POST method is used to send data to the server, potentially updating server state. Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 8. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References The Edinburgh Links implementation Links is a simply-typed, call-by-value λ-calculus with XML values for representing web pages. The Links system is called as a CGI program, to process an HTTP request and produce an XML response. A user executes the program by entering its URL; this corresponds to a GET request with no query string. A user can click on a link; this corresponds to a GET request with a query string. A user can fill in a form and submit it; this corresponds to a POST request. Suspended expressions inside XML pages are transformed, along with their environment bindings, into a continuation string. Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 9. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References A Simple Web Application: Sale fun buy(value, dbpass) server { intToXml(value) # omitting actual call to the database } fun sellAt(price) server { var dbpass = quot;secretquot;; <form l:onsubmit=quot;{buy(price,dbpass)}quot; method=quot;POSTquot;> <button type=quot;submitquot;>Buy</button> </form> } sellAt(42) Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 10. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References An attack on secrecy and integrity We will now demonstrate an attack on the sale program. Demo Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 11. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References So what went wrong? The expressions that are to be evaluated as a result of clicking buttons or reference links are encoded, along with their necessary surrounding context, into a continuation string. For example, the expression buy(price,dbpass) along with the environment env = {price → 42, dbpass → ”secret”} got encoded into EPY5uxEAquKhp4g-aOicyAQBBXByaWNlBgECNDI= The one that I used for the hack was the same expression under the environment binding env = {price → 10, dbpass → ”secret”} which was encoded into EPY5uxEAquKhp4g-aOicyAQBBXByaWNlBgECMTA= Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 12. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References Failures of Source-Based Reasoning The client may learn secret data that is held in a closure 1 embedded in a web page; for example, they may learn server data such as a password. The client may break the integrity of server data by 2 modifying a closure embedded in a web page so as to change future behaviour of the application; for example, the client may change the price of an item in a shopping cart. The client may change the control flow of the program by 3 discovering an unreachable function held in one closure, and then modifying a function value held in another closure. Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 13. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References Outline The Links Multi-Tier Programming Language 1 Source-Based Reasoning for Links 2 Standard and Secure Semantics 3 Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 14. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References Threat model In what follows we assume: An untrustworthy client browser controlled by the attacker, who may run software to capture, decode, and modify web pages received from the server. That transport layer security (SSL/TLS) protects against attacks by a third party. That the source code of both the application program and the Links system itself are public (and hence implementation mechanisms such as encoding formats are known to the attacker). We only consider Links programs that keep no mutable state in a database, and where all functions reside on the server. Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 15. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References Formalisation We define a formal semantics for an extended fragment which 1 we call TinyLinks, and develop a type-and-effect system that allows source level reasoning about integrity. We then develop a translation of type correct programs to a 2 concurrent λ-calculus with refinement types and formal cryptography (F7). Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 16. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References Values of TinyLinks: f , y, x Variables p Predicate symbol c ::= Data type constructor Unit | Zero | Succ | String unit, integers, string Nil | Cons | Tuple list, tuple Elem | Text HTML constructors g ::= + | − | intToXml | . . . Primitive functions L ::= p(V1 , . . . , Vn ) Event: tag p with a list of values V , U ::= Value x variable c(V1 , . . . , Vn ) constructor λx1 , . . . , xn .E abstraction href (E ) link form ([ℓ1 , . . . , ℓn ], E ) form Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 17. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References Links and forms An href value represents a link which, when clicked, evaluates the suspended expression E . The evaluation request for the expression is implemented using a GET message. A form value represents an HTML form with a suspended computation that requires additional user input to proceed. The labels represent the available input fields a client can provide or modify, both visible and hidden. The evaluation request for a form is implemented using a POST message. Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 18. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References Expressions of TinyLinks: E ::= Expression V value (E :W ) type-and-effect annotation var x = E1 ; E2 variable binding g (U1 , . . . , Un ) primitive application V (U1 , . . . , Un ) function application switch (V ) { case c(x1 , . . . , xn ) → E1 pattern matching case → E2 } get (V ) get request post ((li = Vi )i ∈1..n , U) post request event L mark an event assert L assertion of a prior event Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 19. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References Modelling browsing behaviour We have included get and post expressions within TinyLinks so we may formally express the browsing behaviour of users as TinyLinks expressions. Let a client be any expression context Eclient within TinyLinks containing a hole of the form href (−). The value href (Eurl ) represents a link to the main page of the web application Eurl . The expression Eclient [Eurl ] obtained by filling the hole in Eclient with Eurl is a formal representation of the client Eclient browsing the web application Eurl . We thus reduce source-based reasoning about the security properties of a web application Eurl to a formal question: for all client contexts Eclient , does Eclient [Eurl ] enjoy the intended property? Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 20. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References Correspondence assertions The annotations assert L and event L have no computational significance, and are included in TinyLinks simply to express certain safety properties. We say an expression is safe to mean that whenever an assertion assert L occurs in an execution, there is a previous occurrence within the execution of an event event L. Such properties are known as (non-injective) correspondences [Woo and Lam, 1993], and are widely used for specifying integrity properties of security mechanisms [Gollmann, 2003]. Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 21. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References A Type-and-Effect system Inspired by a simple system for typing correspondences in a process calculus. A type describes a value, and a type-and-effect describes an expression. The rules are in bidirectional style [Pierce and Turner, 1998] and correspond directly to our implementation. Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 22. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References Syntax of Types, Effects, and Environments: F ::= L1 , . . . , Lm Effect: a set of events W ::= x:T {F } (monadic) Type-and-Effect P ::= x1 :T1 . . . xn :Tn {F } polyadic Type-and-Effect B ::= unit | int | string | xml Base Types S, T , H ::= Types B base type [T ] list T1 × · · · × Tn tuple P →W polyadic function Γ ::= x1 :T1 , . . . , xn :Tn Environment dom(x1 :T1 , . . . , xn :Tn ) = {x1 , . . . , xn } Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 23. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References Judgments: Γ⊢⋄ Γ is well-formed val Γ; F ⊢ V T value V synthesises output type T val Γ; F ⊢ V T value V type-checks against input T exp Γ; F ⊢ E W expression E synthesises output W exp Γ; F ⊢ E W expression E type-checks against input W Assigning a type-and-effect W = x:T {F ′ } to an expression means that: assuming that the set of events in T have occurred, evaluation of the expression is safe; the effect F is a precondition, a set of events assumed to have occurred before execution; the effect F ′ is a postcondition, a set of events safe to assume after execution. Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 24. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References Algorithmic Typing Rules for Values (partial): (T-Abs) exp Γ, x1 :T1 . . . xn :Tn ; F , F1 ⊢ E W T = x1 :T1 . . . xn :Tn {F1 } → W x1 , . . . , xn ∈ fv(F ), T closed / val Γ; F ⊢ (λx1 , . . . , xn .E ) T (T-Swap) (T-Href) exp val Γ; F ⊢ E ( : xml ) {} Γ; F ⊢ V T val val Γ; F ⊢ href (E ) xml Γ; F ⊢ V T (T-Form) exp Γ, ℓ1 :string , . . . , ℓn :string ; F ⊢ E ( : xml ) {} ℓ1 . . . ℓn ∈ fv(F ) / val Γ; F ⊢ (form ([ℓ1 , . . . , ℓn ], E )) xml Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 25. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References Algorithmic Rules for Expressions (partial) (T-App) val Γ; F ⊢ U T T = x1 :T1 . . . xn :Tn {F1 } → W T closed val Γ; F ⊢ Vi Ti ∀i ∈ 1..n F1 [V1 /x1 ] . . . [Vn /xn ] ⊆ F exp Γ; F ⊢ U(V1 , . . . , Vn ) W [V1 /x1 ] . . . [Vn /xn ] (T-Assert) Γ ⊢ ⋄ fv(F , L) ⊆ dom(Γ) L ∈ F val L = p(V1 , . . . , Vn ) Γ; F ⊢ Vi Ti ∀i ∈ 1..n exp Γ; F ⊢ assert L :unit {L} (T-Event) Γ ⊢ ⋄ fv(F , L) ⊆ dom(Γ) val L = p(V1 , . . . , Vn ) Γ; F ⊢ Vi Ti ∀i ∈ 1..n exp Γ; F ⊢ event L :unit {L} Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 26. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References Provable safety Definition A web application Eurl is provably safe if and only if there is a proof within the type-and-effect system of the judgment exp ∅; ∅ ⊢ Eurl ( : xml ) {}. The idea is that a web application is a closed expression that yields a page of type xml , and that no assert involved in creating this page, or any subsequent page, may fail. Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 27. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References Data Integrity with Assertions: Sale sig buy : <value:int, dbpass:string>{PriceIs(value)} → <r:xml>{} fun buy(value,dbpass) server { assert PriceIs(value); intToXml(value) # omitting actual call to the database } sig sellAt: <price:int>{} → <r:xml>{} fun sellAt(price) server { var dbpass = quot;secretquot;; event PriceIs(price); <form l:onsubmit=quot;{buy(price,dbpass)}quot; method=quot;POSTquot;> <button type=quot;submitquot;>Buy</button> </form> } sellAt(42) Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 28. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References Outline The Links Multi-Tier Programming Language 1 Source-Based Reasoning for Links 2 Standard and Secure Semantics 3 Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 29. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References Semantics We use a concurrent λ-calculus (RCF) with refinement types, 1 and its implementation in the practical typechecker F7 A server implementing TinyLinks is modelled as a function 2 from HTTP requests to XML responses in F7. We give a semantics for the standard implementation of 3 Links by translating a provably safe TinyLinks web application Eurl to an F7 expression [[Eurl ]]. We describe our secure implementation strategy as a simple 4 modification of the standard implementation. Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 30. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References Translation algorithm Throughout the two translations, we consider some fixed well-typed TinyLinks expression Eurl , and a structure W = (Eurl , J , H). The first step is to perform type-directed closure conversion on all the λ-abstractions, forms and links occurring in the source and generate suitable datatypes for representing them in F7. Generate mutually recursive function listeners (fHj ); each corresponding to the closures that were generated previously. Finally, translate the top level web server listener. Translation from Eurl in TinyLinks to [ Eurl ]] in F7: Let [[Eurl ]]be the F7 module obtained from Eurl by concatenating the type and function definitions: (M1) fixed datatypes; (M2) gener- ated datatypes; (M3) generated functions; (M4) toplevel webserver function. Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 31. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References A Datatype for the Web (M1) Types for HTTP, XHTML, and Web Applications: type (’g, ’p) req = | Get of ’g option | Post of ’p ∗ string list type (’g, ’p) xml = | Elem of string ∗ (’g, ’p) xml list | Text of string | Href of ’g | FormElem of ’p ∗ string list type (’g, ’p) webapp = (’g, ’p) req → (’g, ’p) xml Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 32. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References Translation of types and values The translation rules for types are mostly structural. The following two cases are of interest: [[xml ]] = (linkclos , formclos )xml [[P → W ]] = funclos P→W Similarly for values the interesting cases are generating the closures: [[(λx1 , . . . , xn .E )]] = C[[λx1 , . . . , xn .E ]] [[href (E )]] = Href ( C[[href (E )]] ) [[form ([ℓ1 , . . . , ℓn ], E )]] = FormElem (C[[form ([ℓ1 , . . . , ℓn ], E )]], [ℓ1 , . . . , ℓn ]) C[[V ]] = HJ ((x1 , . . . , xn )) for J = ((xi :Ui )i ∈1..n , F , V , T ) ∧ J ∈ J Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 33. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References (M2) Generated datatypes: type funclos P→W = HJ of [[Γ; F ]] | J = (Γ, F , (λx1 , . . . , xn .E ), P → W ) ∧ J ∈ J and formclos = HJ of [[Γ; F ]] | J = (Γ, F , form ([ℓ1 , . . . , ℓm ], E ), xml ) ∧ J ∈ J (HJ of [[Γ; F ]]) and linkclos = | J = (Γ, F , href (E ), xml ) ∧ J ∈ J where [[Γ; F ]] = (x1 : [[T1 ]]∗ · · · ∗ xn : [[T. ]]){F } if Γ = x1 :T1 , . . . , xn :Tn n Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 34. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References (M3) Generated Functions: fHJ : (xi :Ui )i ∈1..n ; F → [[P]] → [[W ]] let rec fHJ g y = match g with (x1 , . . . , xn ) → match y with (y1 , . . . , yn ) → E [[E ]] where J = ((xi :Ui )i ∈1..n , F , λx1 , . . . , xn .E , P → W ) and J ∈ J fHJ : (xi :Ui )i ∈1..n ; F → xml and fHJ g = match g with (x1 , . . . , xn ) → E [[E ]] where J = ((xi :Ui )i ∈1..n , F , href (E ), xml ) and J ∈ J fHJ : (xi :Ui )i ∈1..n ; F → string list → xml and fHJ g ls = match g with (x1 , . . . , xn ) → match ls with [ℓ1 ; . . . ; ℓn ] → E [[E ]] where J = ((xi :Ui )i ∈1..n , F , form ([ℓ1 , . . . , ℓn ], E ), xml ) and J ∈ J Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 35. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References (M4) Top Level Web Server Listener: and webserver req : (linkclos , formclos )webapp = match req with | Get (None ) → E [[Eurl ]] | Get (Some (l )) → match l with (| HJ (g ) → fHJ g ) J∈J ∧J=(Γ,F ,href (E ),T ) | Post (clos , ls ) → match clos , ls with | HJ (g ), [ℓ1 ; . . . ; ℓn ] → fHJ g [ℓ1 ; . . . ; ℓn ] J∈J ∧J=(Γ,F ,form ([ℓ1 ,...,ℓn ],E ),T ) Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 36. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References Translation from Eurl in TinyLinks to [ Eurl ]] in F7: Let [[Eurl ]] be the F7 module obtained from Eurl by concatenating the type and function definitions displayed previously: (M1) fixed datatypes; (M2) generated datatypes; (M3) generated functions; (M4) toplevel webserver function. Let the interface of the module be: val webserver : (linkclos , formclos )webapp . Lemma If Eurl is provably safe then [[Eurl ]] is a closed expression of F7 of type: [[Eurl ]]:(linkclos , formclos )webapp . Theorem If Eurl is provably safe at the source level, then the (standard) webserver [[Eurl ]] is safe. Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 37. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References Robust safety in F7 Let an opponent be an arbitrary F7 expression context. We say an F7 expression is robustly safe if it is safe whenever it is placed within any opponent context. A significant result concerning F7 is the robust-safety-by-typing theorem: that a closed well-typed expression is robustly safe, provided its type satisfies conditions for being public. In particular, the function type (linkclos,formclos)webapp is not public, because of the refinements on types for the constructors HJ of linkclos and formclos . Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 38. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References The make and check functions construct and deconstruct the authenticated encryption of a continuation. We use different keys for hashing and encrypting; in total there are four keys used for hashing links and forms, and for encrypting links and forms respectively. Modifications for the Secure Translation: [[Eurl ]]s [[xml ]]s = (cipher , cipher )xml [[href (E )]]s = let ciph = make lkSKey lkHKey (C[[href (E )]]s ) in Href ( ciph ) [[form ([ℓ1 , . . . , ℓn ], E )]]s = let ciph = make fSKey fHKey ( C[[form ([ℓ1 , . . . , ℓn ], E )]]s ) in FormElem (ciph , [ℓ1 , . . . , ℓn ]) Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 39. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References Modifications for the Secure Top-Level Listener let webserver (req : (cipher , cipher )req ) → (cipher , cipher )xml = match req with | Get (None ) → E [[Eurl ]]s | Get (Some (ciph )) → match (check lSKey HKey ciph ) with (| HJ (g ) → fHJ g ) J∈J ∧J=(Γ,F ,href (E ),T ) | Post (ciph , ls ) → match (check fSKey fHKey ciph ), ls with | HJ (g ), [ℓ1 ; . . . ; ℓn ] → fHJ g [ℓ1 ; . . . ; ℓn ] J∈J ∧J=(Γ,F ,form ([ℓ1 ,...,ℓn ],E ),T ) The function type (cipher,cipher)webapp is public, because there are no refinement types in its argument type. Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 40. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References Our main theorem is a corollary, given the robust-safety-by-typing theorem of F7, of Lemma 2. Lemma exp Suppose that ∅; ∅ ⊢ Eurl ( : xml ) {}. Then [[Eurl ]]s is a closed expression of F7 of type: [[Eurl ]]:(cipher , cipher )webapp . Theorem If Eurl is provably safe at the source level, then the (secure) webserver [[Eurl ]]s is robustly safe. Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 41. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References Summary We have obtained practical and theoretical results demonstrating that it is possible to perform source-based security analysis in a multi-tier web programming language. To further validate our approach, we have implemented both a type-and-effect checker and our secure translation producing executable semantics in F#, that can form part of a certified web server. What about state? What about concurrency? Fully distributed implementation? http://www.cl.cam.ac.uk/~ib249/ Thank you! Ioannis G. Baltopoulos Secure Compilation of a Multi-Tier Web Language
  • 42. The Links Multi-Tier Programming Language Source-Based Reasoning for Links Standard and Secure Semantics References Bibliography E. Cooper, S. Lindley, P. Wadler, and J. Yallop. Links: Web Programming Without Tiers. In FMCO: Proceedings of 5th International Symposium on Formal Methods for Components and Objects, LNCS. Springer-Verlag, 2006. D. Gollmann. Authentication by correspondence. IEEE Journal on Selected Areas in Communication, 21(1):88–95, 2003. E. Meijer, W. Schulte, and G. Bierman. Programming with circles, triangles and rectangles. In XML Conference, 2003. B. C. Pierce and D. N. Turner. Local type inference. In ACM Symposium on Principles of Programming Languages (POPL’98), pages 252–265, 1998. M. Serrano, E. Gallesio, and F. Loitsch. Hop: a language for programming the web 2.0. In OOPSLA ’06: Companion to the 21st ACM SIGPLAN symposium on Object-oriented programming systems, Baltopoulos Ioannis G. languages, and applications, pages Secure Compilation of a Multi-Tier Web Language