{-# LANGUAGE CPP #-} #if defined(__GLASGOW_HASKELL__) && (__GLASGOW_HASKELL__ >= 702) && (__GLASGOW_HASKELL__ < 704) {-# LANGUAGE SafeImports #-} #endif #if defined(__GLASGOW_HASKELL__) && (__GLASGOW_HASKELL__ >= 704) {-# LANGUAGE Unsafe #-} #endif {-# LANGUAGE TypeSynonymInstances #-} {-# LANGUAGE FlexibleInstances #-} {-# LANGUAGE MultiParamTypeClasses #-} {-| This module implements Disjunction Category Labels. A DCLabel is a pair of 'secrecy' and 'integrity' category sets or components, of type 'Component'. Each component is simply a set of clauses in propositional logic (without negation). A component can either correspond to the term 'MkComponentAll', representing falsehood, or a set of categories (clauses): (of type 'Conj') corresponding to the conjunction of ategories (of type 'Disj'). Each category, in turn, is a disjunction of 'Principal's, where a 'Principal' is just a 'ByteString' whose meaning is up to the application. A category imposes an information flow restriction. In the case of secrecy, a category restricts who can read, receive, or propagate the information, while in the case of integrity it restricts who can modify a piece of data. The principals constructing a category are said to /own/ the category. For information to flow from a source labeled @L_1@ to a sink @L_2@, the restrictions imposed by the categories of @L_2@ must at least as restrictive as all the restrictions imposed by the categories of @L_1@ (hence the conjunction) in the case of secrecy, and at least as permissive in the case of integrity. More specifically, for information to flow from @L_1@ to @L_2@, the labels must satisfy the \"can-flow-to\" relation: @L_1 ⊑ L_2@. The ⊑ label check is implemented by the 'canflowto' function. For labels @L_1=\@, @L_2=\@ the can-flow-to relation is satisfied if the secrecy category set @S_2@ 'implies' @S_1@ and @I_1@ 'implies' @I_2@ (recall that a category set is a conjunction of disjunctions of principals). For example, @\<{[P_1 ⋁ P_2]},{}\> ⊑ \<{[P_1]},{}\>@ because data that can be read by @P_1@ is more restricting than that readable by @P_1@ or @P_2@. Conversely, @\<{{},[P_1]}\> ⊑ \<{},[P_1 ⋁ P_2]},{}\>@ because data vouched for by @P_1@ or @P_2@ is more permissive than just @P_1@ (note the same idea holds when writing to sinks with such labeling). A piece of a code running with a privilege object (of type 'TCBPriv'), i.e., owning a 'Principal' confers the right to modify labels by removing any 'secrecy' categories containing that 'Principal' and adding any 'integrity' categories containing the 'Principal' (hence the name disjunction categories: the category @[P1 ⋁ P2]@ can be /downgraded/ by either 'Principal' @P1@ or @P2@). More specifically, privileges can be used to bypass information flow restrictions by using the more permissive \"can-flow-to given permission\" relation:⊑ᵨ. The label check function implementing this restriction is 'canflowto_p', taking an additional argument (of type 'TCBPriv'). For example, if @L_1=\<{[P_1 ⋁ P_2] ⋀ [P_3]},{}\>@, and @L_2=\<{[P_1]},{}\>@, then @L_1 ⋢ L_2@, but given a privilege object corresponding to @[P_3]@ the @L_1 ⊑ᵨ L_2@ holds. To construct DC labels and privilege objects the constructors exported by this module may be used, but we strongly suggest using "DCLabel.NanoEDSL" as exported by "DCLabel.TCB" and "DCLabel.Safe". The former is to be used by trusted code only, while the latter module should be imported by untrusted code as it prevents the creation of arbitrary privileges. -} module DCLabel.Core ( -- * Components -- $labels Disj(..), Conj(..), Component(..) , emptyComponent, allComponent , Lattice(..) , ToLNF(..) -- ** DC Components , DCLabel(..) -- * Principals , Principal(..), principal -- * Privileges -- $privs , TCBPriv(..), Priv , RelaxedLattice(..) , noPriv, rootPrivTCB , delegatePriv, createPrivTCB , CanDelegate(..), Owns(..) -- * Component/internal operations , and_component, or_component, cleanComponent, implies , DisjToFromList(..) , listToComponent, componentToList ) where #if defined(__GLASGOW_HASKELL__) && (__GLASGOW_HASKELL__ >= 702) import safe Data.List (nub, sort, (\\)) import safe Data.Maybe (fromJust) import safe Data.Monoid import safe Data.Functor ((<$>)) #else import Data.List (nub, sort, (\\)) import Data.Maybe (fromJust) import Data.Monoid import safe Data.Functor ((<$>)) #endif import qualified Data.ByteString as B import qualified Data.ByteString.Char8 as C import Data.Serialize -- -- Categories -- -- | A category, i.e., disjunction, of 'Principal's. -- The empty list '[]' corresponds to the disjunction of all principals. -- Conceptually, @[] = [P_1 ⋁ P_2 ⋁ ...]@ newtype Disj = MkDisj { disj :: [Principal] } deriving (Eq, Ord, Show, Read) -- | A category set, i.e., a conjunction of disjunctions. -- The empty list '[]' corresponds to the single disjunction of all principals. -- In other words, conceptually, @[] = {[P_1 ⋁ P_2 ⋁ ...]}@ -- Logically '[]' = @True@. newtype Conj = MkConj { conj :: [Disj] } deriving (Eq, Ord, Show, Read) -- -- Components -- {- $labels A component is a conjunction of disjunctions of principals. A 'DCLabel' is simply a pair of such components. Hence, we define almost all operations in terms of this construct, from which the 'DCLabel' implementation follows almost trivially. Moreover, we note that secrecy-only and integrity-only labels are implemented in "DCLabel.Secrecy" and "DCLabel.Integrity", respectively. -} -- | Labels form a partial order according to the ⊑ relation. -- Specifically, this means that for any two labels @L_1@ and @L_2@ there is a -- unique label @L_3 = L_1 ⊔ L_2@, known as the /join/, such that -- @L_1 ⊑ L_3@ and @L_2 ⊑ L_3@. Similarly, there is a unique label -- @L_3' = L_1 ⊓ L_2@, known as the /meet/, such that -- @L_3 ⊑ L_1@ and @L_3 ⊑ L_2@. This class defines a /bounded/ -- lattice, which further requires the definition of the /bottom/ ⊥ and -- /top/ ⊤ elements of the lattice, such that @⊥ ⊑ L@ and -- @L ⊑ ⊤@ for any label @L@. class Eq a => Lattice a where bottom :: a -- ^ Bottom of lattice, ⊥ top :: a -- ^ Top of lattice, ⊤ join :: a -> a -> a -- ^ Join of two elements, ⊔ meet :: a -> a -> a -- ^ Meet of two elements, ⊓ canflowto :: a -> a -> Bool -- ^ Partial order relation, ⊑ -- | A components is a conjunction of disjunctions, where @MkComponentAll@ is -- the constructor that is associated with the logical @False@. data Component = MkComponentAll | MkComponent { component :: Conj } deriving (Show, Read) -- | Components have a unique LNF (see 'ToLNF') form, and equality testing is -- perfomed on labels of this form. instance Eq Component where (==) MkComponentAll MkComponentAll = True (==) MkComponentAll _ = False (==) _ MkComponentAll = False (==) l1 l2 = (component . toLNF $ l1) == (component . toLNF $ l2) -- | A component without any disjunctions or conjunctions. This -- component, conceptually corresponds to the label consisting of -- a single category containing all principals. Conceptually (in a -- closed-world system), -- @emptyComponent = \<{[P_1 ⋁ P_2 ⋁ ...]}\>@. -- Logically, of course, this is equivalent to @True@. emptyComponent :: Component emptyComponent = MkComponent (MkConj []) -- | The dual of 'emptyComponent', 'allComponent' consists of the conjunction of -- all possible disjunctions, i.e., it is the label that implies all -- other labels. Conceptually (in a closed-world system), -- @allComponent = \<{[P_1] ⋀ [P_2] ⋀ ...}\>@ -- Logically, of course, this is equivalent to @False@. allComponent :: Component allComponent = MkComponentAll -- | Predicate function that returns @True@ if the label corresponds to -- the 'emptyComponent'. isEmptyComponent :: Component -> Bool isEmptyComponent MkComponentAll = False isEmptyComponent l = and [ null (disj d) | d <- conj (component l) ] -- | Predicate function that retuns @True@ if the label corresponds to -- the 'allComponent'. isAllComponent :: Component -> Bool isAllComponent MkComponentAll = True isAllComponent _ = False -- -- Helper functions -- -- | Given two components, take the union of the disjunctions, i.e., simply -- perform an \"and\". Note the new component is not necessarily in LNF. and_component :: Component -> Component -> Component and_component l1 l2 | isAllComponent l1 || isAllComponent l2 = allComponent | otherwise = MkComponent {component = MkConj $ conj (component l1) ++ conj (component l2)} -- | Given two components, perform an \"or\". -- Note that the new component is not necessarily in LNF. or_component :: Component -> Component -> Component or_component l1 l2 | isEmptyComponent l1 || isEmptyComponent l2 = emptyComponent | isAllComponent l2 = l1 | isAllComponent l1 = l2 | otherwise = MkComponent . MkConj $ [ MkDisj (disj d1 ++ disj d2) | d1 <- (conj (component l1)) , d2 <- (conj (component l2)) , not . null . disj $ d1 , not . null . disj $ d2] -- | Determines if a conjunction of disjunctions, i.e., a component, implies -- (in the logical sense) a disjunction. In other words, it checks if -- d_1 ⋀ ... ⋀ d_n => d_1. -- -- Properties: -- -- * ∀ X, 'allComponent' \``impliesDisj`\` X = True -- -- * ∀ X, X \``impliesDisj`\` 'emptyComponent' = True -- -- * ∀ X≠'emptyComponent', 'emptyComponent' \``impliesDisj`\` X = False -- -- Note that the first two guards are only included -- for safety; the function is always called with a non-ALL component and -- non-null disjunction. impliesDisj :: Component -> Disj -> Bool impliesDisj l d | isAllComponent l = True -- Asserts 1 | null (disj d) = True -- Asserts 2 | otherwise = or [ and [ e `elem` (disj d) | e <- disj d1 ] | d1 <- conj (component l) , not (isEmptyComponent l) ] -- Asserts 3 -- | Determines if a component logically implies another component. -- In other words, d_1 ⋀ ... ⋀ d_n => d_1' ⋀ ... ⋀ d_n'. -- -- Properties: -- -- * ∀ X, 'allComponent' \``implies`\` X := True -- -- * ∀ X≠'allComponent', X \``implies`\` 'allComponent' := False -- -- * ∀ X, X \``implies`\` 'emptyComponent' := True -- -- * ∀ X≠'emptyComponent', 'emptyComponent' \``implies`\` X := False implies :: Component -> Component -> Bool implies l1 l2 | isAllComponent l1 = True -- Asserts 1 | isAllComponent l2 = False -- Asserts 2 | otherwise = and [ impliesDisj (toLNF l1) d | d <- conj . component . toLNF $ l2 ] -- | Removes any duplicate principals from categories, and any duplicate -- categories from the component. To return a clean component, it sorts the -- component and removes empty disjunctions. cleanComponent :: Component -> Component cleanComponent MkComponentAll = MkComponentAll cleanComponent l = MkComponent . MkConj . sort . nub $ [ MkDisj ( (sort . nub) (disj d) ) | d <- conj (component l) , not . null $ disj d ] -- | Class used to reduce labels and components to unique label normal form -- (LNF), which corresponds to conjunctive normal form of principals. We use -- this class to overload the reduce function used by the 'Component', -- 'DCLabel', etc. class ToLNF a where toLNF :: a -> a -- | Reduce a 'Component' to LNF. -- First it applies @cleanComponent@ to remove duplicate principals -- and categories. Following, it removes extraneous/redundant -- categories. A category is said to be extraneous if there is another -- category in the component that implies it. instance ToLNF Component where toLNF MkComponentAll = MkComponentAll toLNF l = MkComponent . MkConj $ l' \\ extraneous where l' = conj . component $ cleanComponent l extraneous = [ d2 | d1 <- l', d2 <- l', d1 /= d2 , impliesDisj ((MkComponent . MkConj) [d1]) d2 ] -- -- DC Labels -- -- -- DC Labels : (Secrecy, Integrity) -- -- | A @DCLabel@ is a pair of secrecy and integrity category sets, i.e., -- a pair of 'Component's. data DCLabel = MkDCLabel { secrecy :: Component -- ^ Integrity category set. , integrity :: Component -- ^ Secrecy category set. } deriving (Eq, Show, Read) -- | Each 'DCLabel' can be reduced a unique label representation in LNF, using -- the 'toLNF' function. instance ToLNF DCLabel where toLNF l = MkDCLabel { secrecy = toLNF (secrecy l) , integrity = toLNF (integrity l)} -- | Elements of 'DCLabel' form a bounded lattice, where: -- -- * @⊥ = \<'emptyComponent', 'allComponent'\>@ -- -- * @⊤ = \<'allComponent', 'emptyComponent'\>@ -- -- * @ \ ⊔ \ = \@ -- -- * @ \ ⊓ \ = \@ -- -- * @ \ ⊑ \ = S_2 => S_1 ⋀ I_1 => I_2@ instance Lattice DCLabel where bottom = MkDCLabel { secrecy = emptyComponent , integrity = allComponent } top = MkDCLabel { secrecy = allComponent , integrity = emptyComponent } join l1 l2 = let s3 = (secrecy l1) `and_component` (secrecy l2) i3 = (integrity l1) `or_component` (integrity l2) in toLNF $ MkDCLabel { secrecy = s3 , integrity = i3 } meet l1 l2 = let s3 = (secrecy l1) `or_component` (secrecy l2) i3 = (integrity l1) `and_component` (integrity l2) in toLNF $ MkDCLabel { secrecy = s3 , integrity = i3 } canflowto l1 l2 = let l1' = toLNF l1 l2' = toLNF l2 in ((secrecy l2') `implies` (secrecy l1')) && ((integrity l1') `implies` (integrity l2')) -- -- Principals -- -- | Principal is a simple string representing a source of authority. Any piece -- of code can create principals, regarless of how untrusted it is. However, -- for principals to be used in integrity components or be ignoerd a -- corresponding privilege ('TCBPriv') must be created (by trusted code) or -- delegated. newtype Principal = MkPrincipal { name :: B.ByteString } deriving (Eq, Ord, Show, Read) -- | Generates a principal from an string. principal :: B.ByteString -> Principal principal = MkPrincipal -- -- Privileges -- {- $privs As previously mentioned privileges allow a piece of code to bypass certain information flow restrictions. Like principals, privileges of type 'Priv' may be created by any piece of code. A privilege is simply a conjunction of disjunctions, i.e., a 'Component' where a category consisting of a single principal corresponds to the notion of /owning/ that principal. We, however, allow for the more general notion of ownership of a category as to create a privilege-hierarchy. Specifically, a piece of code exercising a privilege @P@ can always exercise privilege @P'@ (instead), if @P' => P@. This is similar to the DLM notion of \"can act for\", and, as such, we provide a function which tests if one privilege may be use in pace of another: 'canDelegate'. Note that the privileges form a partial order over @=>@, such that @'rootPrivTCB' => P@ and @P => 'noPriv'@ for any privilege @P@. As such we have a privilege hierarchy which can be concretely built through delegation, with 'rootPrivTCB' corresponding to the /root/, or all, privileges from which all others may be created. More specifically, given a minted privilege @P'@ of type 'TCBPriv', and an un-minted privilege @P@ of type 'Priv', any piece of code can use 'delegatePriv' to mint @P@, assuming @P' => P@. Finally, given a set of privileges a piece of code can check if it owns a category using the 'owns' function. -} -- | Privilege object is just a conjunction of disjunctions, i.e., 'Component'. -- A trusted privileged object must be introduced by trusted code, after which -- trusted privileged objects can be created by delegation. data TCBPriv = MkTCBPriv { priv :: Component } deriving (Eq, Show) -- | Untrusted privileged object, which can be converted to a 'TCBPriv' with -- 'delegatePriv'. type Priv = Component -- | Class extending 'Lattice', by allowing for the more relaxed label -- comparison @canflowto_p@. class (Lattice a) => RelaxedLattice a where -- | Relaxed partial-order relation canflowto_p :: TCBPriv -> a -> a -> Bool instance RelaxedLattice DCLabel where canflowto_p p l1 l2 = let l1' = MkDCLabel { secrecy = (secrecy l1) , integrity = (and_component (priv p) (integrity l1)) } l2' = MkDCLabel { secrecy = (and_component (priv p) (secrecy l2)) , integrity = (integrity l2) } in canflowto l1' l2' -- | Given trusted privilege and a \"desired\" untrusted privilege, -- return a trusted version of the untrusted privilege, if the -- provided (trusted) privilege implies it. delegatePriv :: TCBPriv -> Priv -> Maybe TCBPriv delegatePriv tPriv rPriv = let rPriv' = toLNF rPriv in case (priv tPriv) `implies` rPriv' of True -> Just (MkTCBPriv rPriv') False -> Nothing -- | Privilege object corresponding to no privileges. noPriv :: TCBPriv noPriv = MkTCBPriv { priv = emptyComponent } -- | Privilege object corresponding to the \"root\", or all privileges. -- Any other privilege may be delegated using this privilege object and it must -- therefore not be exported to untrusted code. rootPrivTCB :: TCBPriv rootPrivTCB = MkTCBPriv { priv = allComponent } -- | This function creates any privilege object given an untrusted -- privilege 'Priv'. Note that this function should not be exported -- to untrusted code. createPrivTCB :: Priv -> TCBPriv createPrivTCB = fromJust . (delegatePriv rootPrivTCB) -- | @TCBPriv@ is an instance of 'Monoid'. instance Monoid TCBPriv where mempty = noPriv mappend p1 p2 = createPrivTCB $ toLNF ((priv p1) `and_component` (priv p2)) -- | Class used for checking if a computation can use a privilege in place of -- the other. This notion is similar to the DLM \"can-act-for\". class CanDelegate a b where -- | Can use first privilege in place of second. canDelegate :: a -> b -> Bool instance CanDelegate Priv Priv where canDelegate p1 p2 = p1 `implies` p2 instance CanDelegate Priv TCBPriv where canDelegate p1 p2 = p1 `implies` (priv p2) instance CanDelegate TCBPriv Priv where canDelegate p1 p2 = (priv p1) `implies` p2 instance CanDelegate TCBPriv TCBPriv where canDelegate p1 p2 = (priv p1) `implies` (priv p2) -- | We say a 'TCBPriv' privilege object owns a category when the privileges -- allow code to bypass restrictions implied by the category. This is the -- case if and only if the 'TCBPriv' object contains one of the 'Principal's -- in the 'Disj'. This class is used to check ownership class Owns a where -- | Checks if category restriction can be bypassed given the privilege. owns :: TCBPriv -> a -> Bool instance Owns Disj where owns p d = priv p `impliesDisj` d instance Owns Component where owns p l = priv p `implies` l -- | Class used to convert list of principals to a disjunction category and -- vice versa. class DisjToFromList a where listToDisj :: [a] -> Disj -- ^ Given list return category. disjToList :: Disj -> [a] -- ^ Given category return list. -- | To/from 'Principal's and 'Disj'unction categories. instance DisjToFromList Principal where listToDisj ps = MkDisj ps disjToList d = disj d -- | To/from 'String's and 'Disj'unction categories. instance DisjToFromList String where listToDisj ps = MkDisj $ map (principal . C.pack) ps disjToList d = map (C.unpack . name) $ disj d -- | To/from 'ByteString's and 'Disj'unction categories. instance DisjToFromList B.ByteString where listToDisj ps = MkDisj $ map principal ps disjToList d = map name $ disj d -- | Given a list of categories, return a component. listToComponent :: [Disj] -> Component -- ^ Given list return category. listToComponent = MkComponent . MkConj -- | Given a component return a list of categories. componentToList :: Component -> [Disj] -- ^ Given category return list. componentToList = conj . component -- -- Serialize instances -- instance Serialize Principal where put = put . name get = MkPrincipal <$> get instance Serialize Disj where put = put . disj get = MkDisj <$> get instance Serialize Conj where put = put . conj get = MkConj <$> get instance Serialize Component where put c | c == MkComponentAll = put (Nothing :: Maybe Conj) | otherwise = put (Just $ component c) get = do mc <- get case mc of Nothing -> return MkComponentAll Just c -> return $ MkComponent c instance Serialize DCLabel where put (MkDCLabel s i) = put s >> put i get = do s <- get i <- get return $ MkDCLabel s i