A systematic approach to static access control

The Java Security Architecture includes a dynamic mechanism for enforcing access control checks, the so-called stack inspection process. While the architecture has several appealing features, access control checks are all implemented via dynamic method calls. This is a highly nondeclarative form of specification that is hard to read, and that leads to additional run-time overhead. This article develops type systems that can statically guarantee the success of these checks. Our systems allow security properties of programs to be clearly expressed within the types themselves, which thus serve as static declarations of the security policy. We develop these systems using a systematic methodology: we show that the security-passing style translation, proposed by Wallach et al. [2000] as a dynamic implementation technique, also gives rise to static security-aware type systems, by composition with conventional type systems. To define the latter, we use the general HM(X) framework, and easily construct several constraint- and unification-based type systems.
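As an added illustration, not code from the paper, the following Python model contrasts the two views the abstract describes: a dynamic stack-inspection check that walks call frames, and the security-passing-style translation of Wallach et al., which threads the effective permission set through the program as an explicit value so that a check reduces to set membership (the policy, principals and permission names are constructed for the example).

```python
# Added model (not the paper's code): Java-style dynamic stack inspection beside
# the security-passing-style (SPS) translation, which passes the effective
# permission set explicitly instead of walking the run-time stack.

ALL = frozenset({"file.read", "net.connect"})
# Constructed policy: which permissions each code owner (principal) is granted.
POLICY = {"system": ALL, "applet": frozenset({"net.connect"})}

def stack_inspect(stack, perm):
    """Dynamic check over frames (principal, enabled-permissions), newest first.
    A frame whose owner lacks perm fails; a frame that enabled perm (doPrivileged
    style) succeeds early; reaching the bottom succeeds (JDK-style default)."""
    for principal, enabled in reversed(stack):
        if perm not in POLICY[principal]:
            return False
        if perm in enabled:
            return True
    return True

def sps_context(stack):
    """SPS translation: the permission set a check at the top of `stack` would
    grant, folded from the bottom frame upwards. Each frame restricts to its
    owner's rights, then adds what it enabled (again limited by its rights)."""
    ctx = ALL
    for principal, enabled in stack:
        ctx = (ctx & POLICY[principal]) | (enabled & POLICY[principal])
    return ctx

def sps_check(ctx, perm):
    """With the context threaded as a value, the check is plain membership;
    this is the form a type system can decide statically."""
    return perm in ctx

def all_prefixes_agree(stack):
    """True when both checks agree for every permission at every call depth."""
    return all(stack_inspect(stack[:d], p) == sps_check(sps_context(stack[:d]), p)
               for d in range(len(stack) + 1) for p in ALL)

# Constructed scenario: system code calls an untrusted applet, which calls back
# into system code that enables file.read within its own scope.
SCENARIO = [
    ("system", frozenset()),
    ("applet", frozenset()),
    ("system", frozenset({"file.read"})),
]
```

Enabling a permission the owning principal is not granted (for example an applet "enabling" file.read) is refused by both checks, which is the edge case the fold's intersection with POLICY handles.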

[1] Fred B. Schneider et al., Enforceable security policies, 2000, TSEC.

[2] Martin Sulzmann, A General Type Inference Framework for Hindley/Milner Style Systems, 2001, FLOPS.

[3] Eugenio Moggi et al., Computational lambda-calculus and monads, 1989, Proceedings of the Fourth Annual Symposium on Logic in Computer Science.

[4] David Walker et al., A type system for expressive security policies, 2000, POPL '00.

[5] Drew Dean et al., The security of static typing with dynamic linking, 1997, CCS '97.

[6] Li Gong et al., User authentication and authorization in the Java(TM) platform, 1999, Proceedings of the 15th Annual Computer Security Applications Conference (ACSAC '99).

[7] Dan S. Wallach et al., Extensible security architectures for Java, 1997, SOSP.

[8] Dan S. Wallach et al., Understanding Java stack inspection, 1998, Proceedings of the 1998 IEEE Symposium on Security and Privacy.

[9] Anindya Banerjee et al., A Simple Semantics and Static Analysis for Java Security, 2001.

[10] Scott F. Smith et al., Static enforcement of security with types, 2000, ICFP '00.

[11] Gian Luigi Ferrari et al., Static Analysis for Stack Inspection, 2001, ConCoord.

[12] François Pottier et al., A 3-Part Type Inference Engine, 2000, ESOP.

[13] Scott F. Smith et al., A Systematic Approach to Static Access Control, 2001, ESOP.

[14] P. Hudak et al., A general framework for Hindley/Milner type systems with constraints, 2000.

[15] Gleb Naumovich et al., A conservative algorithm for computing the flow of permissions in Java programs, 2002, ISSTA '02.

[16] Didier Rémy et al., Type inference for records in natural extension of ML, 1994.

[17] Philip Wadler et al., Packrat parsing: simple, powerful, lazy, linear time, functional pearl, 2002, ICFP '02.

[18] Matthias Felleisen et al., A Syntactic Approach to Type Soundness, 1994, Inf. Comput.

[19] Tomoyuki Higuchi et al., A static type system for JVM access control, 2003, TOPL.

[20] François Pessaux et al., Type-based analysis of uncaught exceptions, 2000, TOPL.

[21] John C. Mitchell et al., Theoretical aspects of object-oriented programming: types, semantics, and language design, 1994, Choice Reviews Online.

[22] Sylvain Conchon et al., Information flow inference for free, 2000, ICFP '00.

[23] Peter Thiemann et al., Enforcing Safety Properties Using Type Specialization, 2001, ESOP.

[24] Úlfar Erlingsson et al., SASI enforcement of security policies: a retrospective, 1999, NSPW '99.

[25] Philip Wadler et al., The marriage of effects and monads, 1998, ICFP '98.

[26] Andrzej Filinski et al., Representing layered monads, 1999, POPL '99.

[27] Matthias Felleisen et al., A Tail-Recursive Semantics for Stack Inspections, 2003, ESOP.

[28] Robert Cartwright et al., A practical soft type system for Scheme, 1997, TOPL.

[29] Luo Hong, JAVA Security Architecture, 2000.

[30] Dan S. Wallach et al., A new approach to mobile code security, 1999.

[31] Alexander Aiken et al., Soft typing with conditional types, 1994, POPL '94.

[32] Cédric Fournet et al., Stack inspection: Theory and variants, 2003, TOPL.

[33] Úlfar Erlingsson et al., IRM enforcement of Java stack inspection, 2000, Proceedings of the 2000 IEEE Symposium on Security and Privacy (S&P 2000).

[34] Juan Carlos Guzman et al., An extended type system for exceptions, 1994.

[35] Didier Rémy et al., Projective ML, 1992, LFP '92.

[36] Daniel Le Métayer et al., Model Checking Security Properties of Control Flow Graphs, 2001, J. Comput. Secur.

[37] Scott F. Smith et al., Types for programming language-based security, 2003.

[38] Alexander Aiken et al., Entailment with Conditional Equality Constraints, 2001, ESOP.

[39] F. Pottier, A constraint-based presentation and generalization of rows, 2003, Proceedings of the 18th Annual IEEE Symposium on Logic in Computer Science.

[40] Thomas P. Jensen et al., Secure calling contexts for stack inspection, 2002, PPDP '02.

[41] François Pottier et al., A Versatile Constraint-Based Type Inference System, 2000, Nord. J. Comput.

[42] Marco Pistoia et al., Access rights analysis for Java, 2002, OOPSLA '02.

[43] Simon L. Peyton Jones et al., Imperative functional programming, 1993, POPL '93.

[44] Li Gong, Java Security Architecture (JDK 1.2), 1997.

[45] Li Gong et al., Implementing Protection Domains in the Java(TM) Development Kit 1.2, 1998, NDSS.

[46] Andrew D. Gordon et al., Stack inspection: theory and variants, 2002, POPL '02.

[47] Martin Sulzmann et al., Hindley/Milner style type systems in constraint form, 1999.

[48] J. Michael Spivey et al., A Functional Theory of Exceptions, 1990, Sci. Comput. Program.

[49] Vincent Simonet et al., Type Inference with Structural Subtyping: A Faithful Formalization of an Efficient Constraint Solver, 2003, APLAS.

[50] Andrew W. Appel et al., SAFKASI: a security mechanism for language-based systems, 2000, TSEM.

[51] Alexander Aiken et al., Program Analysis Using Mixed Term and Set Constraints, 1997, SAS.

[52] Martin Odersky et al., Type Inference with Constrained Types, 1999, Theory Pract. Object Syst.

[53] Christian Skalka et al., Syntactic Type Soundness for HM(X), 2002, Electron. Notes Theor. Comput. Sci.