Beyond Stack Inspection: A Unified Access-Control and Information-Flow Security Model

Modern component-based systems, such as Java and Microsoft .NET common language runtime (CLR), have adopted stack-based access control (SBAC). Its purpose is to use stack inspection to verify that all the code responsible for a security-sensitive action is sufficiently authorized to perform that action. Previous literature has shown that the security model enforced by SBAC is flawed in that stack inspection may allow unauthorized code no longer on the stack to influence the execution of security-sensitive code. A different approach, history-based access control (HBAC), is safe but may prevent authorized code from executing a security-sensitive operation if less trusted code was previously executed. In this paper, we formally introduce information-based access control (IBAC), a novel security model that verifies that all and only the code responsible for a security-sensitive operation is sufficiently authorized. Given an access-control policy a, we present a mechanism to extract from it an implicit integrity policy i, and we prove that IBAC enforces i. Furthermore, we discuss large-scale application code scenarios to which IBAC can be successfully applied.
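To make the three models concrete, here is an added toy simulation (written for this page, not the paper's formal calculus) of how SBAC, HBAC and a simplified IBAC decide the same request. It assumes a small made-up world: two code units (`TRUSTED` and `UNTRUSTED`) with permission sets, a `Monitor` that records the call stack and the running intersection of permissions of everything executed so far, and values tagged with an integrity label (the permissions of every code unit that influenced them). The file paths are constructed placeholders.

```python
"""Toy comparison of stack-based, history-based and information-based access control.

Simplified model written for this page; it is not the paper's formal calculus.
Code units are Principals with permission sets. Every value carries an integrity
label: the permissions held by all code that influenced it (a hypothetical
approximation of IBAC's notion of "the code responsible" for a value).
"""
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Principal:
    name: str
    perms: FrozenSet[str]


@dataclass(frozen=True)
class Labeled:
    value: Any
    perms: FrozenSet[str]  # permissions of every code unit that influenced value


# Constructed principals for the example.
TRUSTED = Principal("trusted-app", frozenset({"FileRead", "NetConnect"}))
UNTRUSTED = Principal("untrusted-plugin", frozenset())


class Monitor:
    """Tracks the call stack (SBAC), the intersection of the permissions of all
    code executed so far (HBAC) and, via Labeled values, data provenance (IBAC)."""

    def __init__(self) -> None:
        self.stack: List[Principal] = []
        self.history: Optional[FrozenSet[str]] = None

    def enter(self, p: Principal) -> None:
        self.stack.append(p)
        self.history = p.perms if self.history is None else self.history & p.perms

    def leave(self) -> None:
        self.stack.pop()

    def current(self) -> Principal:
        return self.stack[-1]

    def sbac(self, perm: str) -> bool:
        # Stack inspection: every frame currently on the stack must hold perm.
        return all(perm in p.perms for p in self.stack)

    def hbac(self, perm: str) -> bool:
        # History: every code unit that has run so far must hold perm.
        return self.history is not None and perm in self.history

    def ibac(self, perm: str, *inputs: Labeled) -> bool:
        # Information-based: the stack AND all data feeding the operation must be authorized.
        return self.sbac(perm) and all(perm in x.perms for x in inputs)

    def check_all(self, perm: str, *inputs: Labeled) -> Dict[str, bool]:
        return {"SBAC": self.sbac(perm), "HBAC": self.hbac(perm), "IBAC": self.ibac(perm, *inputs)}


def label(mon: Monitor, value: Any, *inputs: Labeled) -> Labeled:
    """A value is influenced by the code unit that produces it and by its inputs."""
    perms = mon.current().perms
    for x in inputs:
        perms &= x.perms
    return Labeled(value, perms)


def scenario_untrusted_chooses_path() -> Dict[str, bool]:
    """The SBAC flaw: trusted code asks the plugin for a path, the plugin returns
    and leaves the stack, then trusted code opens whatever path it was given."""
    mon = Monitor()
    mon.enter(TRUSTED)
    mon.enter(UNTRUSTED)
    path = label(mon, "/constructed/sensitive.txt")  # chosen by untrusted code
    mon.leave()
    return mon.check_all("FileRead", path)


def scenario_untrusted_ran_but_did_not_influence() -> Dict[str, bool]:
    """The HBAC over-restriction: the plugin ran earlier for unrelated work, but the
    path being opened was chosen entirely by trusted code."""
    mon = Monitor()
    mon.enter(TRUSTED)
    cfg_path = label(mon, "/constructed/app.conf")  # chosen by trusted code
    mon.enter(UNTRUSTED)
    _banner = label(mon, "hello")  # plugin output, never used for the file operation
    mon.leave()
    return mon.check_all("FileRead", cfg_path)


def scenario_untrusted_on_stack() -> Dict[str, bool]:
    """Untrusted code is still on the stack when the check runs: all models deny."""
    mon = Monitor()
    mon.enter(TRUSTED)
    mon.enter(UNTRUSTED)
    path = label(mon, "/constructed/anything")
    return mon.check_all("FileRead", path)


if __name__ == "__main__":
    print("untrusted chose path:      ", scenario_untrusted_chooses_path())
    print("untrusted ran, no influence:", scenario_untrusted_ran_but_did_not_influence())
    print("untrusted on stack:        ", scenario_untrusted_on_stack())
```

The first scenario is the case the abstract calls unsafe: SBAC grants the read because only trusted frames remain on the stack, even though the plugin picked the path. HBAC denies it, but HBAC also denies the second scenario, where the plugin never touched the data, which is the over-restriction the abstract attributes to history-based checking. The label-tracking check grants exactly the second case and denies the other two, which is the "all and only the code responsible" behaviour the abstract describes, modulo the simplifications noted above.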
