Stack inspection: Theory and variants

Stack inspection is a security mechanism implemented in runtimes such as the JVM and the CLR to accommodate components with diverse levels of trust. Although stack inspection enables the fine-grained expression of access control policies, it has a rather complex and subtle semantics. We present a formal semantics and an equational theory to explain how stack inspection affects program behaviour and code optimisations. We discuss the security properties enforced by stack inspection, and also consider variants with stronger, simpler properties.
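To make the mechanism concrete, the following added example (not code from the paper or from any runtime) models the standard Java 2 / CLR stack-walk semantics in Python: a permission check inspects frames from the most recent downwards, every frame's principal must be statically granted the permission, and a frame that explicitly enabled it (the doPrivileged / Assert idiom) stops the walk. Alongside it is an eager formulation that threads the effective permission set through the call chain; the model asserts that both agree on every constructed scenario, which is the kind of equivalence an equational theory is meant to justify. The policy, the principals `system` and `applet`, and the call chains are all constructed for illustration. The last scenario shows why stack inspection interacts with code optimisations: a tail call that drops the untrusted caller's frame changes the outcome of a later check.

```python
"""Minimal model of stack inspection: lazy stack walk and an eager variant.

Constructed example; POLICY, the principals and the call chains are sample
data, not taken from any real runtime or from the paper.
"""
from dataclasses import dataclass

# Constructed sample policy: permissions statically granted to each principal.
POLICY = {
    "system": frozenset({"FileRead", "FileWrite", "Net"}),
    "applet": frozenset({"Net"}),
}


@dataclass(frozen=True)
class Frame:
    principal: str
    enabled: frozenset = frozenset()  # permissions this frame explicitly enabled


def check_lazy(stack, perm):
    """Lazy semantics: walk the stack at check time, innermost frame first.
    Returns True if the check succeeds, False if it would raise."""
    for frame in reversed(stack):
        if perm not in POLICY[frame.principal]:
            return False              # a frame whose principal lacks the right
        if perm in frame.enabled:
            return True               # trusted frame took responsibility; stop
    return True                       # every frame down to the root holds it


def current_permissions(stack):
    """Eager semantics: compute the effective permission set as frames are
    pushed. Entering a frame intersects with the principal's static rights;
    enabling a right adds it back only if that principal statically holds it."""
    current = frozenset(p for perms in POLICY.values() for p in perms)
    for frame in stack:
        current &= POLICY[frame.principal]
        current |= frame.enabled & POLICY[frame.principal]
    return current


def check_eager(stack, perm):
    return perm in current_permissions(stack)


SYSTEM = Frame("system")
APPLET = Frame("applet")


def scenarios():
    """Constructed call chains (oldest frame first) and the permission checked."""
    return {
        # Applet asks system code to read a file: applet frame is on the stack.
        "confused_deputy_blocked": ([SYSTEM, APPLET, SYSTEM], "FileRead"),
        # System code enables FileRead (doPrivileged) while serving the applet.
        "privileged_section": (
            [SYSTEM, APPLET, Frame("system", frozenset({"FileRead"}))], "FileRead"),
        # An applet enabling a right it does not hold has no effect.
        "applet_cannot_self_grant": (
            [SYSTEM, Frame("applet", frozenset({"FileRead"})), SYSTEM], "FileRead"),
        # A right the applet does hold passes through its frame.
        "applet_holds_right": ([SYSTEM, APPLET, SYSTEM], "Net"),
        # Same call as the first scenario, but the applet frame was removed by a
        # tail call: the check now succeeds, so the optimisation is unsound here.
        "tail_call_dropped_frame": ([SYSTEM, SYSTEM], "FileRead"),
    }


def run_all():
    """Evaluate every scenario under both semantics and return the verdicts."""
    results = {}
    for name, (stack, perm) in scenarios().items():
        lazy, eager = check_lazy(stack, perm), check_eager(stack, perm)
        assert lazy == eager, f"semantics disagree on {name}"
        results[name] = lazy
    return results


if __name__ == "__main__":
    for name, granted in run_all().items():
        print(f"{name:26s} {'granted' if granted else 'denied'}")
```

The confused-deputy scenario is the property stack inspection exists to provide: system code invoked by less trusted code cannot exercise rights its caller lacks unless it deliberately enables them in a privileged section. The tail-call scenario is the flip side: any transformation that removes or reorders frames must preserve the outcome of every reachable check, which is why the semantics matters to compiler writers as much as to security reviewers.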
