Stack inspection: theory and variants

Stack inspection is a security mechanism implemented in runtimes such as the JVM and the CLR to accommodate components with diverse levels of trust. Although stack inspection enables the fine-grained expression of access control policies, it has rather a complex and subtle semantics. We present a formal semantics and an equational theory to explain how stack inspection affects program behaviour and code optimisations. We discuss the security properties enforced by stack inspection, and also consider variants with stronger, simpler properties.
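The following is an added illustration, not the paper's calculus or any runtime's real implementation: a toy Python model of the stack-inspection check described above. Frames carry a principal (the code's origin), an optional set of permissions the frame enables (the analogue of Java's doPrivileged or the CLR's Assert), and the policy maps principals to the permissions they are statically granted. The principal names and the policy table are constructed for the example. The scenarios also show the point the abstract makes about code optimisations: a naive tail-call elimination that discards a frame changes the verdict the check returns.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    """One activation record as seen by the stack walker (constructed model)."""
    principal: str                        # e.g. "system" or "applet" (constructed names)
    enables: frozenset = frozenset()      # permissions this frame explicitly enables

# Constructed policy: which permissions each principal is statically granted.
POLICY = {
    "system": frozenset({"FileRead", "FileWrite", "Net"}),
    "applet": frozenset({"Net"}),
}

def check_permission(stack, perm):
    """Stack-inspection check for `perm`.

    `stack[-1]` is the most recent frame (the one asking for the permission).
    Walk downwards: deny as soon as a frame whose principal lacks `perm` is
    found; grant when a frame that enables `perm` is reached (frames below it
    are not consulted) or when the bottom of the stack is reached.
    """
    for frame in reversed(stack):
        if perm not in POLICY.get(frame.principal, frozenset()):
            return False                  # untrusted principal on the stack
        if perm in frame.enables:
            return True                   # privilege enabled here; stop walking
    return True                           # every frame on the stack is trusted

def scenarios():
    """Return the verdicts for a few constructed call stacks."""
    system = Frame("system")
    applet = Frame("applet")
    system_enabling_fileread = Frame("system", frozenset({"FileRead"}))
    return {
        # Trusted code calling trusted code: granted.
        "direct": check_permission([system, system], "FileRead"),
        # Applet calls a system routine that reads a file without enabling:
        # the applet frame is still on the stack, so the read is denied.
        "confused_deputy_blocked": check_permission([system, applet, system], "FileRead"),
        # Same call chain, but the system routine enables FileRead first.
        "enabled_by_callee": check_permission([system, applet, system_enabling_fileread], "FileRead"),
        # Enabling protects callers below the enabling frame, not code it
        # calls afterwards: an applet frame above it is still checked.
        "enable_does_not_cover_callees": check_permission([system, system_enabling_fileread, applet], "FileRead"),
        # The applet is granted Net, so a Net check through it succeeds.
        "applet_net": check_permission([system, applet, system], "Net"),
    }

def tail_call_changes_verdict():
    """Effect of naive tail-call elimination on the check.

    Unoptimised: the applet frame tail-calls into system code, so the stack
    is [system, applet, system] when FileRead is checked. If the compiler
    drops the applet frame for the tail call, the stack becomes
    [system, system] and the same check is granted instead of denied.
    """
    before = check_permission([Frame("system"), Frame("applet"), Frame("system")], "FileRead")
    after = check_permission([Frame("system"), Frame("system")], "FileRead")
    return before, after

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {'granted' if verdict else 'denied'}")
    print("tail call elimination (before, after):", tail_call_changes_verdict())
```

The `tail_call_changes_verdict` case is why frame-discarding optimisations need either to be restricted or to be paired with a stack-inspection semantics that does not depend on the physical frames, which is the kind of question the equational theory in the paper is meant to settle.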
