Secure calling contexts for stack inspection

Stack inspection is a mechanism for programming secure applications by which a method can obtain information from the call stack about the code that (directly or indirectly) invoked it. This mechanism plays a fundamental role in the security architecture of Java and the .NET Common Language Runtime. A central problem with stack inspection is to determine to what extent the <i>local</i> checks inserted into the code are sufficient to guarantee that a <i>global</i> security property is enforced. In this paper, we present a technique for inferring a <i>secure calling context</i> for a method. By a secure calling context we mean a pre-condition on the call stack sufficient for guaranteeing that execution of the method will not violate a given global property. This is particularly useful for annotating library code in order to avoid having to re-analyse libraries for every new application. The technique is a constraint based static program analysis implemented via fixed point iteration over an abstract domain of linear temporal logic properties.

[1]  David Grove,et al.  Call graph construction in object-oriented languages , 1997, OOPSLA '97.

[2]  Patrick Cousot,et al.  Automatic synthesis of optimal invariant assertions: Mathematical foundations , 1977, Artificial Intelligence and Programming Languages.

[3]  Fred B. Schneider,et al.  Enforceable security policies , 2000, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[4]  Hemma Prafullchandra,et al.  Going Beyond the Sandbox: An Overview of the New Security Architecture in the Java Development Kit 1.2 , 1997, USENIX Symposium on Internet Technologies and Systems.

[5]  Flemming Nielson,et al.  Principles of Program Analysis , 1999, Springer Berlin Heidelberg.

[6]  Gian Luigi Ferrari,et al.  Static Analysis for Stack Inspection , 2001, ConCoord.

[7]  Jens Palsberg,et al.  Object-oriented type systems , 1994, Wiley professional computing.

[8]  Scott F. Smith,et al.  Static enforcement of security with types , 2000, ICFP '00.

[9]  Daniel Le Métayer,et al.  Model Checking Security Properties of Control Flow Graphs , 2001, J. Comput. Secur..

[10]  Moshe Y. Vardi An Automata-Theoretic Approach to Linear Temporal Logic , 1996, Banff Higher Order Workshop.

[11]  Gilles Barthe,et al.  Compositional Verification of Secure Applet Interactions , 2002, FASE.

[12]  Dan S. Wallach,et al.  A new approach to mobile code security , 1999 .

[13]  Cédric Fournet,et al.  Stack inspection: Theory and variants , 2003, TOPL.

[14]  Daniel Le Métayer,et al.  Verification of control flow based security properties , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[15]  Dan S. Wallach,et al.  Understanding Java stack inspection , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[16]  David F. Bacon,et al.  Fast static analysis of C++ virtual function calls , 1996, OOPSLA '96.

[17]  Patrick Cousot,et al.  Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[18]  E. Allen Emerson,et al.  Temporal and Modal Logic , 1991, Handbook of Theoretical Computer Science, Volume B: Formal Models and Sematics.

[19]  Úlfar Erlingsson,et al.  SASI enforcement of security policies: a retrospective , 1999, NSPW '99.

[20]  Patrick Cousot,et al.  Formal language, grammar and set-constraint-based program analysis by abstract interpretation , 1995, FPCA '95.

[21]  Thomas Colcombet,et al.  Enforcing trace properties by program transformation , 2000, POPL '00.

[22]  Barbara G. Ryder,et al.  Data-Flow-Based Virtual Function Resolution , 1996, SAS.