Roles, stacks, histories: A triple for Hoare

Behavioral type and effect systems regulate properties such as adherence to object and communication protocols, dynamic security policies, avoidance of race conditions, and many others. Typically, each system is based on some specific syntax of constraints, and is checked with an ad hoc solver. Instead, we advocate types refined with first-order logic formulas as a basis for behavioral type systems, and general purpose automated theorem provers as an effective means of checking programs. To illustrate this approach, we define a triple of security-related type systems: for role-based access control, for stack inspection, and for history-based access control. The three are all instances of a refined state monad. Our semantics allows a precise comparison of the similarities and differences of these mechanisms. In our examples, the benefit of behavioral type-checking is to rule out the possibility of unexpected security exceptions, a common problem with code-based access control.
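As an added illustration (not the paper's own code, which uses refinement types discharged by a theorem prover), the three mechanisms named above encoded as instances of one state monad in Python: each run-time check raises the `SecurityException` that behavioral typing aims to rule out. The stack-inspection model is simplified (no privileged frames), and the `compare` scenario and its permission names are constructed here.

```python
class SecurityException(Exception):
    """A dynamic check failed: the exception behavioral typing aims to rule out."""

class M:
    """State monad: a computation maps a state to (result, new state)."""
    def __init__(self, run): self.run = run
    def bind(self, f):
        def run(s):
            a, s2 = self.run(s)
            return f(a).run(s2)
        return M(run)

def unit(a): return M(lambda s: (a, s))
def get(): return M(lambda s: (s, s))
def put(s2): return M(lambda _: (None, s2))
def demand(ok, msg):
    """Generic check: continue if predicate ok holds on the current state, else raise."""
    return get().bind(lambda s: unit(None) if ok(s) else _fail(msg))
def _fail(msg): raise SecurityException(msg)

# Role-based access control: state = frozenset of activated roles.
def activate(role): return get().bind(lambda rs: put(rs | {role}))
def demand_role(role): return demand(lambda rs: role in rs, f"role {role} not active")

# Stack inspection (simplified: no privileged frames): state = tuple of frames,
# each the frozenset of permissions granted to that frame's code.
def call_frame(perms, body):
    """Push a frame for code granted perms, run body, pop the frame on return."""
    return get().bind(lambda st: put(st + (frozenset(perms),)).bind(lambda _: body)
                      .bind(lambda a: put(st).bind(lambda _: unit(a))))
def demand_stack(p): return demand(lambda st: all(p in fr for fr in st), f"{p} denied by stack walk")

# History-based access control: state = frozenset of permissions still held; it only shrinks.
def run_code(perms, body):
    """Running code granted perms permanently intersects the held permissions."""
    return get().bind(lambda held: put(held & frozenset(perms)).bind(lambda _: body))
def demand_hist(p): return demand(lambda held: p in held, f"{p} lost from history")

def compare(p="FileWrite"):
    """Trusted code holding p calls untrusted code lacking p, then demands p after it returns."""
    untrusted, held = ("FileRead",), frozenset({p, "FileRead"})
    progs = {"stack": (call_frame(untrusted, unit(None)).bind(lambda _: demand_stack(p)), (held,)),
             "history": (run_code(untrusted, unit(None)).bind(lambda _: demand_hist(p)), held)}
    out = {}
    for name, (prog, init) in progs.items():
        try:
            prog.run(init); out[name] = "granted"
        except SecurityException:
            out[name] = "SecurityException"
    return out
```

The same scenario is granted under stack inspection (the untrusted frame has been popped) but raises under history-based control (the permission was permanently lost), which is the kind of difference a shared semantics makes precise.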