ABSTRACT
Sharing and transfer of object references is difficult to control in object-oriented languages. Unconstrained sharing poses serious problems for writing secure components in object-oriented languages. In this paper, we present a set of inexpensive syntactic constraints that strengthen encapsulation in object-oriented programs and facilitate the implementation of secure systems. We introduce two mechanisms: confined types, which impose static scoping on dynamic object references, and, for technical reasons, anonymous methods, which are methods that do not reveal the identity of the current instance (this). Confined types protect objects from use by untrusted code, while anonymous methods allow standard classes to be reused from confined classes. We have implemented a verifier which performs a modular analysis of Java programs and provides a static guarantee that confinement is respected. We present security-related programming examples.
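To make the two mechanisms concrete, here is an added Java illustration that is not code from the paper or its verifier: a package-scoped class whose references should stay inside its package, two ways such a reference escapes (widening to a public type, and an inherited method that publishes `this`), and the confined alternatives. The package and class names are assumptions, and which constructs a confinement checker must reject is my reading of the abstract's definitions, not the paper's own rules.

```java
package vault;                       // assumed package; all names below are illustrative

import java.util.ArrayList;
import java.util.List;

// Library class reused by the confined class. It lives outside the trusted
// package, so whether its methods expose `this` decides if inheriting them is safe.
class Registry {
    static final List<Object> all = new ArrayList<>();
    protected String name = "unnamed";

    // Publishes `this` into a globally reachable list: not anonymous, so a confined
    // subclass inheriting it would leak its own identity.
    void register() { all.add(this); }

    // Uses `this` only to read a field: anonymous in the abstract's sense, safe to inherit.
    String describe() { return "registry:" + name; }
}

// Package-private: references to Secret must never become visible outside package vault.
final class Secret extends Registry {
    private final byte[] key;

    Secret(byte[] key) {
        this.key = key.clone();          // defensive copy so the caller keeps no alias
        this.name = "secret";
    }

    int length() { return key.length; }  // returns a primitive, no reference escapes
}

public class Vault {
    // Constructed sample key for the illustration; real code would load it securely.
    private final Secret secret = new Secret(new byte[] {1, 2, 3, 4});

    // Escape 1: widening Secret to Object hands the confined reference to any caller
    // outside the package, defeating the package-private declaration.
    public Object leakByWidening() { return secret; }

    // Escape 2: register() was inherited from outside the package and stores `this`
    // (the Secret) in Registry.all, so untrusted code can retrieve it from there.
    public void leakThroughInheritedMethod() { secret.register(); }

    // Confined usage: only data derived from the secret crosses the package boundary.
    public int keyLength() { return secret.length(); }
    public String label() { return secret.describe(); }
}
```

A checker enforcing confinement would accept `keyLength` and `label` and reject the two leak methods; the point of anonymous methods is that `describe` can still be inherited from `Registry` without weakening that guarantee.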