►
From YouTube: Don't Add Security, Remove Insecurity
Description
This is the inaugural talk in F5 Public Tech Talk series.
Abstract
Complexity is the enemy of security. The conventional approach takes systems that are already too complicated and "secures" them by adding even more mechanisms. Rather than provide a model of secure computation, these "security" mechanisms are bolted on to computation that occurs by other means, requiring programmers to program in two unrelated paradigms simultaneously. The resulting "security" has failures of excess authority, ambient authority, co-mingled authority, and insufficient expressiveness. There is a better way.
In 2007 we started with JavaScript, a famously complicated, messy, and irregular language, and added "subtractive" enablers --- like Object.freeze and strict mode --- for turning off some of JavaScript's worst mis-features. We use these enablers to create Hardened JavaScript (aka SES), an enforced object-capability secure subset of JavaScript, supporting flexible, expressive, compositional, and fine-grain security. Hardened JavaScript turns off so little of JavaScript that a tremendous amount of existing JavaScript code, not written to run under Hardened JavaScript, nevertheless does so successfully.
If you are uninterested in JavaScript, consider it merely an example. Learn from our success. The lessons generalize well to other systems.
Speaker Bio
Mark S. Miller is a pioneer of agoric (market-based secure distributed) computing and smart contracts, the main designer of the E and Dr. SES distributed persistent object-capability programming languages, inventor of Miller Columns, an architect of the Xanadu hypertext publishing system, a representative to the EcmaScript committee, a former Google research scientist and member of the WebAssembly (Wasm) group, and a senior fellow of the Foresight Institute.
A
Mark
is
one
of
the
world's
foremost
experts
on
programming
languages
and
security,
and
he's
also
done
groundbreaking.
Work
on
programming
languages
and
economics
and
finance
he's
one
of
the
leading
lights
on
smart
contracts,
for
example,
he's
the
inventor
of
the
concept
of
ocap
of
object
capabilities,
which
is
combining
the
classic
notion
of
capabilities
with
with
objects
in
programming
languages.
A
B
B
B
Well,
not
quite
block
chains,
do
solve
an
important
problem
and
crypto,
of
course
solves
many
important
problems,
but
it
solves
those
problems
at
a
low
level.
Abstraction
blockchains
give
us
the
equivalent
of
a
credible
computer
built
by
massive
multi-way
agreement
of
many
physical
computers,
together
with
cross-checking
consensus
protocols,
but
even
with
the
credible
computer.
B
B
B
B
B
This
kind
of
software
supply
chain
attack
is
quite
a
serious
threat.
The
this
over
here
is
the
package
dependency
graph
of
another
crypto
wallet,
meta
mask
and
the
purple
dot
there
is
the
software
that's
specific
to
metamask.
All
of
the
other
dots
are
third-party
packages
that
are
linked
in,
and
this
is
typical.
B
B
B
The
greeks
approached
astronomy,
with
the
premise
that
the
circle
was
the
most
perfect
shape
and
therefore
the
orbits
of
the
planets
had
to
be
built
out
of
circles,
but
they
didn't
quite
fit
circles.
So
ptolemy
came
up
with
this
notion
of
epicycles
of
circles
on
circles
and
that
seemed
to
work
until
people
took
more
accurate
measurements
and
they
couldn't
fit
that
to
circles
on
circles,
so
they
had
circles
on
circles
on
circles
and
every
time
you
had
more
accurate
measurements.
B
Back
in
the
1970s
was
the
golden
age
of
operating
systems,
when
people
were
first
figuring
out
access,
control,
architectures-
and
there
was
a
fundamental
split
between
the
identity
based
approach
to
access
control.
Architecture
is
represented
by
access
control
lists,
in
which
every
access
decision
starts.
B
The
industry
ended
up
effectively,
choosing
the
identity
based
fork
in
the
road
and
since
then,
we've
been
wandering
in
the
desert
for
40
years,
trying
to
build
secure
systems,
starting
from
that
part
of
the
search
space.
Well,
one
of
the
things
that
we
know
from
the
science
of
search
algorithms
is,
if
you
make
a
speculative
choice
before
you
know
what
you're
doing,
and
then
you
search
the
subspace
a
lot
and
don't
make
progress.
B
You
have
to
consider
the
possibility
that
you're
stuck
in
a
cul-de-sac
and
the
identity-based
approach
to
access
control
has
some
fundamental
problems,
some
problems
that
seem
unsolvable
within
that
within
those
premises
that
it
only
admits
further
tinkering
that
doesn't
make
overall
progress
and
we
can
understand
the
main
one
as
excess
authority
when
a
program
runs
on
your
computer,
the
computer.
The
program
is
running
as
you
when
the
program
makes
a
request.
B
B
B
B
These
things
by
themselves
are
not
secure,
but
they
provide
a
starting
point
for
security
and
they
provide
a
starting
point
for
the
kind
of
security
that
would
have
descended
had
we
made
the
other
choice,
but
you
can't
simply
start
with
the
safe
object-oriented
programming
language
and
start
securing
it
and
hope
to
make
progress.
If,
again,
you
have
the
wrong
premises,
and
a
case
in
point
is
oak
was
the
early
java.
B
It
was
a
memory
safe
and
statically
type,
safe,
object,
oriented
programming,
language
with
encapsulated
objects,
but
to
turn
it
into
a
secure
programming
language
with
the
security
that
java
provides.
They
kept
fiddling,
they
kept
adding
these
epicycles
and
the
result
by
the
time
they
declared
it
secure.
B
B
What
about
javascript
well
javascript
starts
even
worse
than
oak
in
oak,
at
least.
It
was
the
case
that
you
that
a
program
could
not
change
the
definition
of
arrays
in
javascript.
Any
piece
of
code
can
engage
in
what's
called
prototype.
Poisoning
can
replace
the
push
method
on
array
prototype
with
some
evil
function,
that
might
exfiltrate
secrets,
for
example,
and
then
any
other
code
running
in
that
environment
when
it
tries
to
push
onto
an
array,
engages
the
attacker's
code.
B
B
B
It
creates
a
count
variable
and
a
record,
and
it
returns
a
record
of
two
functions:
inker
and
decker,
where
the
record
operates
effectively
as
an
object
where
inker
and
decker
are
the
methods
of
the
object
and
count
is
the
encapsulated
instance
variable
and
every
time
may
counter
is
called.
It
makes
a
new
instance,
and
each
of
these
instances
is
isolated
from
each
of
the
other
instances.
B
The
individual
methods
are
separate
permissions
to
manipulate
the
underlying
counter.
So,
for
example,
we
can
give
an
entry
guard
access
to
the
anchor
method,
a
exit
card,
access
to
the
decker
method,
and
now
the
entry
guard
can
only
increment.
The
counter
has
no
other
ability.
The
the
exit
guard
can
only
decrement
the
counter,
so
the
fundamental
security
mechanism
here
is
these
pointing
relationships.
Are
these
memory
safe,
protected
pointers
to
objects.
B
And
this
is
the
fundamental
logic
universal
to
memory:
safe
object,
programming,
languages
that
recapitulates
the
original
capability
concepts
and
even
without
secure
further
securing
the
language
in
a
memory
safe
programming
language
they
already
are
a
form
of
they
already
provide
a
form
of
security.
If
object,
bob
does
not
start
off
with
a
protected
pointer
to
object
carroll,
then
bob
cannot
make
use
of
carol's
public
api
if
object
alice.
B
They're
the
only
means
that
an
object
can
cause
effects,
and
once
we
take
that
step,
then
the
reference
graph
familiar
from
the
programming
language
literature
becomes
identical
to
the
access
graph
from
the
access
control,
literature,
and
this
becomes
our
first
big
step
in
reducing
excess
authority,
which
is
simply
that
we
design
object
interfaces
naturally
for
modularity's
sake,
where
we
only
provide
as
arguments
the
permissions.
The
the
other
objects
that
the
object
bob
in
this
case
needs
to
perform
its
work.
We
don't
give
it
irrelevant
access
that
it
can
abuse
the
principle
of
least
authority.
B
A
B
B
B
So
I'm
going
to
introduce
hardened
javascript
in
terms
of
three
primitives.
The
first
one
is
lockdown,
which
is
the
primitive
that
turns
a
normal
javascript
environment
into
a
hardened
javascript
environment
and
the
main
thing
that
it
does.
Is
it
hardens
the
primordial
objects.
The
objects
that
exist
before
any
code
starts
running
like
array
and
array.prototype
after
lockdown
is
called
you're
now
in
a
hardened
javascript
environment,
in
which
all
of
those
primordial
objects
have
been
made
immutable.
B
B
B
Of
course,
hardin
javascript
retains
the
fundamental
nature
of
javascript,
in
which
you
can
evaluate
code
and
code
evaluates
in
some
scope
and
the
free
variables
in
the
code
are
dereferenced
according
to
that
scope,
including
the
variables
in
the
global
scope,
when
you
create
a
compartment
you're,
creating
an
evaluation
context
with
a
new
fresh
global
object
and
global
scope
that
contains
nothing
dangerous
and
then
code,
that's
evaluated
in
that
compartment
is
evaluated
only
within
that
global
scope.
So
if
it
refers
to
variables
that
are
not
on
that
global
object,
that
code
fails.
B
B
B
B
B
B
In
this
escape
room
in
that
box,
you
can
type
whatever
hardened
javascript
code.
You
want,
and
it
will
run
it's
running
in
a
compartment
controlled
by
the
escape
room
itself,
and
what
the
escape
room
has
provided
to
your
code
is
a
function
that
it
can
call
where
the
duration
of
the
function,
the
amount
of
time
it
takes
that
function
to
return,
depends
on
the
secret
that
the
escape
room
knows
and
that
your
code
starts
off
not
knowing,
and
the
challenge
is
to
discover
the
secret.
B
B
So
how
did
we
get
to
harden
javascript,
starting
with
the
javascript
that
we
came
across
in
2007
when
we
started
on
this
mission?
That
was
the
javascript
known
as
ecmascript
3,
and
it
had
some
really
really
horrible
misfeatures
that
really
made
the
the
overall
task
seem
hopeless
in
particular,
had
non-static
scoping.
B
B
However,
strict
mode
does
not
enable
us
to
deal
with
things
like
the
event
stream
incident
does
not
allow
us
to
to
does
not
help
with
those
supply
chain
attacks,
because
it's
still
the
case
that
all
the
primordials
are
mutable,
so
you
can
engage
in
that
prototype
poisoning
attack.
It's
still
the
case
that
there's
one
global
object
on
which
all
of
the
host
objects
are
accessible.
There
are
no
compartments
and
therefore
we
have
all.
We
still
have
many
of
the
problems
of
excess
authority.
B
So
we
use
the
enablers
that
we
got
into
the
javascript
standard
to
create
a
further
enforced
subset
of
es,
strict,
which
we
call
hardened
javascript,
in
which
all
of
the
primordials
are
pure.
They
they
have
no
ability,
they
provide
no
ability
to
cause
effects
and
we
introduce
this
compartment
abstraction
to
intervene
in
the
global
scope.
B
But
hardened
javascript
having
changed
so
little
of
javascript
still
includes
many
confusing
parts
of
javascript.
These
can
these
remaining
confusing
parts
obey
now
the
formal
properties
of
the
capabilities.
It
still
prevents
one
confined
piece
of
code
from
attacking
another,
but
it
doesn't
prevent
the
all
the
programmer,
the
author
from
writing
code,
that,
where
they're
confused
what
the
code
means,
the
javascript
is
still
a
confusing
language.
If
you
use
the
entire
language,
so
we
define
an
advisory
subset
of
hardened
javascript
called
jesse.
B
B
So
the
hierarchy
of
subsets
here
is:
we
started
with
the
full
standard
javascript
we
introduced
into
the
standard
ecmascript
strict.
We
introduced
enablers
that
enable
us
to
build
hardened
javascript
out
of
javascript
and
the
compartments
that
we're
providing
as
we're
about
to
see
are
really
featherweight.
They
cost
almost
nothing
just
a
few
objects.
You
can
afford
many
of
them
inside
that
we
define
this
very
small,
clean,
sub-language
called
jessie,
and
it's
small
enough
that
it's
easy
to
build
a
jesse
interpreter
in
any
conventional
imperative.
B
So
what
does
lockdown
do?
How
does
it
transmute
a
javascript
system
into
a
hardened
javascript
system,
while
object
capabilities
again,
are
all
about
the
pointing
relationships.
These
protected
pointers
are
the
permissions,
and
this
is
a
representative
representative
sample
of
what
the
primordial
heap
looks
like
what
the
pointing
relationships
are
among
the
primordial
objects.
B
B
And
the
elements
of
that
initial
heap
that
are
like
the
eval
function
and
the
function
constructor
are
a
special
category.
They
were
category,
we
call
the
evaluators,
they
have
a
special
relationship
to
the
global
object
in
that
they
evaluate
code
code,
evaluates
in
a
scope
and
that
scope
is
rooted
in
the
global
object.
B
B
So
document
is
dangerous
as
an
ability
to
cause
effects
that
is
provided
by
the
host
date
is
part
of
standard
javascript,
so
we
still
have
to
provide
a
binding
for
date,
but
the
but
the
original
date
object
itself
is
dangerous,
because
these
objects
are
dangerous
and
can
be
can
be
obtained
from
the
global
object.
The
global
object
is
dangerous
because
the
global
object
is
dangerous
and
these
evaluators
evaluate
code
in
the
global
object.
B
The
evaluators
are
dangerous.
So
what
lockdown
does?
Is
it
quarantines
these
dangerous
objects
into
the
start,
compartment
into
the
initial
code
that
code,
the
initial
context
that
code
runs
in
that
still
has
a
global
object
with
these
dangerous
authorities
and
it
points
into
the
frozen
shared
primordials.
This
primordial
heap,
that's
now
locked
down
and
frozen,
and
the
key
thing
is
that
all
of
the
pointing
relationships
between
these
two
worlds
are
from
left
to
right.
The
frozen
primordials
are
completely
self-contained
with
access
only
to
them.
B
You
can't
get
to
anything
else
and
as
a
result,
when
you
create
a
new
compartment
that
new
compartment
is
much
like
the
start
compartment.
It
has
a
new
global
object
that
mostly
just
points
into
the
shared
primordials,
except
that
it
has
to
have
its
own
evaluators,
that
evaluate
code
in
its
own
global
object,
and
it
has
to
have
the
virtual
host
objects.
The
powerful
objects
provided
by
the
creator
of
the
compartment
that
the
code
in
the
compartment
might
think
of
as
global
objects.
B
B
B
B
But
now
you
can
economize
on
your
security
review
effort.
You
can
more
deeply
examine
the
packages
that
are
given
more
authority
and
therefore
have
a
greater
potential
for
abuse,
and
you
can
inspect
them
to
see
what
authorities
they
are
that
they're
dependent
on
as
well
as
what
their
connection
is
to
other
packages.
B
B
An
ultimate
form
of
such
intermediation
is
the
membrane
where
we
create
these
attenuating
intermediaries.
The
half
circles
here
using
javascript
proxies
and
they
grow
on
demand
to
maintain
the
connectivity
separation
between
the
blue
objects
and
the
red
objects.
So
they
have
no
direct
access
to
each
other,
and
then
we
can
we
can,
starting
from
here
we
can
introduce
many
kinds
of
attenuation.
B
A
great
example
is
revocation
revocation
is
temporal
attenuation.
It's
it's
attenuation
in
time
where
the
boundary
seems
to
not
exist
is
trying
to
be
transparent
until
the
revoking
action.
So
we
can
abstract
this
to
say
that
it's
as
if
the
boundary
doesn't
exist
until
somebody
hits
the
plunge
on
the
revoker
object,
it's
the
plunger
on
the
revoker
object,
but
once
they
do
all
of
the
connectivity
provided
at
that
membrane,
boundary
is
severed
and
the
garbage
collector
is
thereby
able
to
collect
everything
within
the
boundary,
because
nothing
can
any
longer
point
at
it.
B
This
is
the
core
logic
of
the
money
that
we're
creating
of
the
the
of
the
one
kind
of
the
digital
assets
that
we're
building
on
top
of
hardened
javascript,
the
actual
one
that
we're
running
is
substantially
more
complicated
than
the
code
shown
here,
but
the
code
shown
here
is
real
code.
It
really
works,
it
really
does
have
the
security
properties
desired
of
a
cryptocurrency
and
it's
built
using
only
the
elements.
I've
already
explained.
B
Those
security
reviews
do
find
flaws.
We
fix
them
as
we
go,
but
so
far
the
security
reviews
have
very
much
been
confirming
for
us
that
we
got
the
premises
right,
that
the
object
capability,
foundations
and
the
philosophy
that
they
bring
is
a
good
starting
point
for
building
such
systems
and,
in
fact
the
object
capability
philosophy
generalized,
is
also
how
we
approach
security
at
the
financial
level,
which
is
itself
the
subject
of
of
what
could
be
a
whole
other
talk.
A
B
B
The
demand
for
authority,
according
to
the
current
analysis,
that's
beyond
the
authority
that
the
previous
analysis
provided
and
that
and
the
previous
analysis
is
what
you
reviewed.
And
then,
when
you
see
that,
oh,
why
does
this
linear
algebra
package
need
network
access
for
me
to
access
my
final
system?
A
Great
thank
you.
So
another
question
had
to
do
with
essentially
contrasting
this.
I
guess
to
to
the
traditional
approach
or
or
perhaps
melding
it
with
a
traditional
approach.
How
should
we
think
about
the
efficacy
of
the
hardening
approach
versus
signing
scripts
or
binaries
to
prevent
non-approved
versions
from
executing
at
all
I
mean.
Is
there
any
role
for
for
combining
those,
for
example,.
B
We
don't
want
to
depend
on
npm
telling
us
that
the
code
we're
installing
is
the
same
as
the
code
that
we
approved.
We
want
to
there's
something
called
sub
sub
sub
something
integrity.
I'm
sorry,
I'm
I'm
not
remembering
the
term,
but
basically
we
want
to
accumulate
hashes
transitive,
hashes
across
dependency
graphs
and
ensure
that
the
code
that
we
believe
is
you
know
that
we
believe
corresponds
to
code.
That
we
examine
is
code
that
has
the
same
hash.
So
we
are
in
fact
assuming
those
protections
as
well.
B
A
You
thanks
to
to
jordan,
who
pointed
that
out.
Another
more
more
basic
question
which,
which
is
very
was
on
the
technical
side,
was
your
example
of
essentially
encapsulating
things,
so
you
couldn't
get
it
couldn't
figure
out
the
duration
and
so
forth,
and
the
literal
question
was:
wouldn't
you
be
able
to
tell
time
by
sending
message
back
to
the
client
on
an
interval,
and
you
should
be
able
to
explain
that
way.
B
Set
interval
and
set
timeout
are
not
part
of
the
standard
javascript
language
they
are
defined
as
part
of
the
host
now
they're
provided
across
many
hosts,
and
therefore
there
will
be
much
code
will
depend
on
the
existence
of
something
like
that.
But
now
it's
like
the
ho
the
controlling
code,
providing
a
virtual
bulb,
providing
virtual
host
objects
that
operate
according
to
the
controlling
codes
decisions.
B
So
you
can
provide
a
you,
can
provide
or
deny
or
virtualize,
set
timeout
and
set
interval.
As
you
wish,
a
bigger
issue
is
sources
of
non-determinacy,
so
we
actually
introduced
a
proposal
to
javascript
that
is
now
part
of
modern
javascript
that
provides
another
source
of
nondeterminacy
as
part
of
the
language
and
thereby
provides
a
really
quite
a
bad
side
channel,
which
is
weak
references,
weak
references
and
finalization
enable
enable
code
to
sense
garbage
collection.
B
It's
not
a
duration
side
channel,
but
it
is
a
non-determinism
that
can
be
used
to
leak
secrets
and
we
treat
the
hardened
javascript
treats
weak
references
very
much.
The
way
it
treats
date
that
only
the
starting
environment
has
the
powerful
weak
reference,
constructor
and
finalization
registry
constructor
and
compartments
by
default
do
not
now
the
other
thing.
That's
important
in
answering
that
question
is
that
many
applications,
I
would
say
most
applications.
B
Any
application
that
needs
access
to
the
network
or
access
to
the
user
has
inherent
sources
of
duration
measure.
It
doesn't
have
to
be
a
clock,
it
can
be.
You
know,
network
round,
trips
or
interaction
through
the
dom.
Those
also
enable
the
measurement
of
duration
that
subverts
the
confinement
shown
here.
So
the
important
point
is
not
that
we
can
deny
applications
the
ability
to
read
duration,
but
we
can
divide.
B
We
can
deny
it
to
a
substantial
number
of
packages,
many
packages,
many
algebra
libraries,
parser
generators
on
and
on
and
on
there's
a
tremendous
number
of
packages
that
are
just
transformational
that
don't
need
anything
non-deterministic
in
order
to
do
their
proper
job.
Some
of
them
will
and
those
can
still
reach,
read
slide
checks.
B
So
solidity
is
also
that
the
premise
is
again:
identity
based
access
control,
the
the
the
primitive
in
solidity
where
the
identity
check
is
hiding
is
something
called
message.sending
in
solidity.
Anyone
can
send
a
message
into
any
contract.
Therefore,
the
contract
can
get
a
message
from
anywhere
and
therefore
the
contract.
B
It's
this
message
on
the
sender
which
reveals
the
identity
of
the
sender,
the
immediate
sender,
so
it's
sort
of
the
the
top
of
the
stack,
the
immediate
caller
on
the
stack
there's
another
one
called
transaction.owner
or
transaction.org,
which
is
the
bottom
of
the
stack.
The
external
user
that
it
came
from.
Message.Sender
has
tremendous
failures
to
compose
it's.
A
tremendous
cost
on
expressivity
transaction.origin
has
tremendous
failures
of
excess
authority
and
we've
seen
both
in
the
failure
modes
of
solidity
contracts.
B
A
All
right
we're
perfectly
on
time.
We
just
have,
though
we
do
have
more
questions,
but
we'll
we'll
have
to
leave
them
for
another
time,
and
this
is
the
perfect
opportunity
to
thank
mark
for
spending
the
time
with
us
for
a
very
illuminating
and
interesting
talk,
and
I
hope
everyone
enjoyed
it
and
thank
you
and
maybe
we'll
be
able
to
twist
your
arm
and
come
to
talk
to
us
again.
Sometime.