DOI: 10.1145/320384.320392

Confined types

Published: 01 October 1999

ABSTRACT

Sharing and transfer of object references is difficult to control in object-oriented languages. Unconstrained sharing poses serious problems for writing secure components in object-oriented languages. In this paper, we present a set of inexpensive syntactic constraints that strengthen encapsulation in object-oriented programs and facilitate the implementation of secure systems. We introduce two mechanisms: confined types to impose static scoping on dynamic object references and, for technical reasons, anonymous methods which are methods that do not reveal the identity of the current instance (this). Confined types protect objects from use by untrusted code, while anonymous methods allow standard classes to be reused from confined classes. We have implemented a verifier which performs a modular analysis of Java programs and provides a static guarantee that confinement is respected. We present security related programming examples.
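The abstract names two ways a reference to an object that a package means to keep private can still escape in plain Java: a method of a non-confined class returns the reference, and a method inherited from a reusable library class reveals `this`. The following is an added illustration written for this page, not code from the paper or its verifier; the packages `lib`, `vault` and `attacker` and the classes `Trackable`, `Ledger`, `Account` and `Client` are assumptions chosen for the example. Package-private visibility on `Ledger` stops outside code from naming the type, but it does not stop either leak, which is the gap confined types and anonymous methods are meant to close.

```java
// Added example for this page; assumed package and class names, not the paper's code.

// ---- file: lib/Trackable.java ----  (assumed reusable library class)
package lib;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class Trackable {
    private static final List<Object> REGISTRY = new ArrayList<>();

    // Not an anonymous method in the abstract's sense: it publishes the receiver
    // (`this`) into a list that any caller can read back.
    public void register() { REGISTRY.add(this); }

    public static List<Object> registered() { return Collections.unmodifiableList(REGISTRY); }
}

// ---- file: vault/Ledger.java ----  (the object the package intends to keep to itself)
package vault;

import lib.Trackable;

// Package-private: no code outside `vault` can write the name Ledger.
// That does not by itself keep Ledger references inside the package.
final class Ledger extends Trackable {
    private long balance;
    void credit(long amount) { balance += amount; }
    long balance() { return balance; }
}

// ---- file: vault/Account.java ----  (public facade of the package)
package vault;

public final class Account {
    private final Ledger ledger = new Ledger();

    // Leak 1: a public method of a non-confined class returns the confined reference.
    // Outside code cannot spell the return type, but `Object o = acct.ledgerUnsafe();`
    // compiles and hands out the identity of the internal object.
    public Ledger ledgerUnsafe() { return ledger; }

    // Leak 2: an inherited method that is not anonymous is invoked on the confined
    // instance, so Trackable.register() stores the Ledger where anyone can fetch it.
    public void trackUnsafe() { ledger.register(); }

    // Confinement-respecting API: only primitive values cross the package boundary,
    // and no inherited method that reveals `this` is ever called on the Ledger.
    public void deposit(long amount) { ledger.credit(amount); }
    public long balance() { return ledger.balance(); }
}

// ---- file: attacker/Client.java ----  (code in another package, i.e. untrusted)
package attacker;

import lib.Trackable;
import vault.Account;

public class Client {
    // Returns true when both leak paths yield the same internal object, i.e. the
    // supposedly confined Ledger has escaped its package.
    static boolean ledgerEscaped(Account acct) {
        Object viaReturn = acct.ledgerUnsafe();        // Leak 1
        acct.trackUnsafe();
        Object viaRegistry = Trackable.registered().get(0); // Leak 2
        return viaReturn == viaRegistry;
    }

    public static void main(String[] args) {
        Account acct = new Account();
        acct.deposit(100);
        System.out.println("balance = " + acct.balance());
        System.out.println("ledger escaped = " + ledgerEscaped(acct));
    }
}
```

A modular checker of the kind the abstract describes would reject `ledgerUnsafe` (a confined type appears in the signature of a public method of a non-confined class) and `trackUnsafe` (a method that reveals `this` is invoked on a confined receiver), while accepting `deposit` and `balance`, which pass only values; the precise rule set is the paper's and is not reproduced here.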


Published in: OOPSLA '99: Proceedings of the 14th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications. October 1999, 462 pages. ISBN: 1581132387. DOI: 10.1145/320384

Copyright © 1999 ACM

                    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance Rates: OOPSLA '99 paper acceptance rate 30 of 152 submissions (20%); overall acceptance rate 268 of 1,244 submissions (22%).
