论文信息 - Secure the Clones - Static Enforcement of Policies for Secure Object Copying

Secure the Clones - Static Enforcement of Policies for Secure Object Copying

Exchanging mutable data objects with untrusted code is a delicate matter because of the risk of creating a data space that is accessible by an attacker. Consequently, secure programming guidelines for Java stress the importance of using defensive copying before accepting or handing out references to an internal mutable object. However, implementation of a copy method (like clone()) is entirely left to the programmer. It may not provide a sufficiently deep copy of an object and is subject to overriding by a malicious sub-class. Currently no language-based mechanism supports secure object cloning. This paper proposes a type-based annotation system for defining modular copy policies for class-based object-oriented programs. A copy policy specifies the maximally allowed sharing between an object and its clone. We present a static enforcement mechanism that will guarantee that all classes fulfill their copy policy, even in the presence of overriding of copy methods, and establish the semantic correctness of the overall approach in Coq. The mechanism has been implemented and experimentally evaluated on clone methods from several Java libraries.

David Pichardie | Thomas P. Jensen | Florent Kirchner

[1] K. Rustan M. Leino,et al. Declaring and checking non-null types in an object-oriented language , 2003, OOPSLA 2003.

[2] Patrick Cousot,et al. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[3] David Pichardie,et al. Secure the Clones , 2012, Log. Methods Comput. Sci..

[4] K. Rustan M. Leino,et al. Declaring and checking non-null types in an object-oriented language , 2003, OOPSLA.

[5] David Pichardie,et al. Semantic Foundations and Inference of Non-null Annotations , 2008, FMOODS.

[6] Bruno Blanchet,et al. Escape analysis for object-oriented languages: application to Java , 1999, OOPSLA '99.

[7] James Noble,et al. Ownership types for flexible alias protection , 1998, OOPSLA '98.

[8] Reinhard Wilhelm,et al. Parametric shape analysis via 3-valued logic , 1999, POPL '99.

[9] David Gay,et al. Lightweight annotations for controlling sharing in concurrent data structures , 2009, PLDI '09.

[10] Mads Tofte,et al. Region-based Memory Management , 1997, Inf. Comput..

[11] Jan Vitek,et al. Flexible Alias Protection , 1998, ECOOP.

[12] Jong-Deok Choi,et al. Escape analysis for Java , 1999, OOPSLA '99.

[13] Peter W. O'Hearn,et al. Separation and information hiding , 2004, POPL.

[14] Alexander Aiken,et al. Checking and inferring local non-aliasing , 2003, PLDI '03.