Capabilities as Alias Control: Secure Cooperation in Dynamically Extensible Systems

Secure cooperation is the problem of protecting mutually suspicious code units within the same execution environment from their potentially malicious peers. A statically enforceable capability type system is proposed for the JVM bytecode language to provide fine-grained access control of shared resources among peer code units. The design of the type system is inspired by recent advances in alias control type systems for object-oriented programming languages. The exercise of access rights and the propagation of capabilities are given a uniform interpretation as alias creation events. Each capability type assigns to a reference a dataflow trajectory, prescribing the set of aliases that is allowed to be created from the reference. An orthogonal and complementary type system for controlling object creation and downcasting is also designed to avoid a class of capability spoofing attacks. The combined type system successfully addresses a number of classical protection problems recast in a programming language context. This work therefore demonstrates the need and the feasibility of a languagebased approach to enforce application-level security among peer code units.

[1]  Giovanni Vigna,et al.  Designing Distributed Applications with Mobile Code Paradigms , 1997, Proceedings of the (19th) International Conference on Software Engineering.

[2]  Scott F. Smith,et al.  Static enforcement of security with types , 2000, ICFP '00.

[3]  Robert D. Cameron,et al.  Proof linking: modular verification of mobile programs in the presence of lazy, dynamic linking , 2000, TSEM.

[4]  Michael D. Schroeder,et al.  Cooperation of mutually suspicious subsystems in a computer utility , 1972 .

[5]  Craig Chambers,et al.  Alias annotations for program understanding , 2002, OOPSLA '02.

[6]  George C. Necula,et al.  Proof-carrying code , 1997, POPL '97.

[7]  John Hogg,et al.  Islands: aliasing protection in object-oriented languages , 1991, OOPSLA '91.

[8]  David C. Luckham,et al.  An Event-Based Architecture Definition Language , 1995, IEEE Trans. Software Eng..

[9]  George C. Necula,et al.  Safe kernel extensions without run-time checking , 1996, OSDI '96.

[10]  Norman Hardy,et al.  The Confused Deputy: (or why capabilities might have been invented) , 1988, OPSR.

[11]  Philip Wadler,et al.  Featherweight Java: a minimal core calculus for Java and GJ , 2001, TOPL.

[12]  Jan Vitek,et al.  Flexible Alias Protection , 1998, ECOOP.

[13]  Wan Fokkink,et al.  Introduction to Process Algebra , 1999, Texts in Theoretical Computer Science. An EATCS Series.

[14]  Brian N. Bershad,et al.  Extensibility safety and performance in the SPIN operating system , 1995, SOSP.

[15]  Lujo Bauer,et al.  Edit automata: enforcement mechanisms for run-time security policies , 2005, International Journal of Information Security.

[16]  Cédric Fournet,et al.  Stack inspection: Theory and variants , 2003, TOPL.

[17]  Vipin Chaudhary,et al.  History-based access control for mobile code , 1998, CCS '98.

[18]  James Noble,et al.  Ownership types for flexible alias protection , 1998, OOPSLA '98.

[19]  Jan Vitek,et al.  Confined types in Java , 2001, Softw. Pract. Exp..

[20]  Andrew W. Appel,et al.  SAFKASI: a security mechanism for language-based systems , 2000, TSEM.

[21]  Jack B. Dennis,et al.  Programming semantics for multiprogrammed computations , 1966, CACM.

[22]  Daniel C. DuVarney,et al.  Model-carrying code: a practical approach for safe execution of untrusted applications , 2003, SOSP '03.

[23]  Fred B. Schneider,et al.  Enforceable security policies , 2000, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[24]  Úlfar Erlingsson,et al.  SASI enforcement of security policies: a retrospective , 1999, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.

[25]  Deyu Hu,et al.  Implementing Multiple Protection Domains in Java , 1998, USENIX Annual Technical Conference.

[26]  Kevin W. Hamlen,et al.  Computability classes for enforcement mechanisms , 2006, TOPL.

[27]  Tomoyuki Higuchi,et al.  A static type system for JVM access control , 2003, TOPL.

[28]  Jonathan Rees,et al.  A security kernel based on the lambda-calculus , 1995 .

[29]  Úlfar Erlingsson,et al.  IRM enforcement of Java stack inspection , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[30]  Paulo Sérgio Almeida Balloon Types: Controlling Sharing of State in Data Types , 1997, ECOOP.

[31]  David Jefferson,et al.  Protection in the Hydra Operating System , 1975, SOSP.

[32]  John Tang Boyland,et al.  Capabilities for Sharing: A Generalisation of Uniqueness and Read-Only , 2001, ECOOP.

[33]  Philip W. L. Fong Access control by tracking shallow execution history , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[34]  Dawson R. Engler,et al.  Exokernel: an operating system architecture for application-level resource management , 1995, SOSP.

[35]  Naftaly H. Minsky Towards Alias-Free Pointers , 1996, ECOOP.

[36]  Philip W. L. Fong Proof linking: a modular verification architecture for mobile code systems , 2004 .

[37]  Frank Yellin,et al.  The Java Virtual Machine Specification , 1996 .

[38]  Allen L. Ambler,et al.  A study of protection in programming languages , 1977 .

[39]  Philip W. L. Fong Pluggable verification modules: an extensible protection mechanism for the JVM , 2004, OOPSLA.

[40]  Dirk Theisen,et al.  JAC—Access right based encapsulation for Java , 2001, Softw. Pract. Exp..

[41]  Martín Abadi,et al.  Access Control Based on Execution History , 2003, NDSS.

[42]  Tommy Thorne,et al.  Programming languages for mobile code , 1997, CSUR.

[43]  Tomoyuki Higuchi,et al.  A static type system for JVM access control , 2007, ACM Trans. Program. Lang. Syst..