DOI: 10.1145/325694.325728

A type system for expressive security policies

Published: 05 January 2000

ABSTRACT

Certified code is a general mechanism for enforcing security properties. In this paradigm, untrusted mobile code carries annotations that allow a host to verify its trustworthiness. Before running the agent, the host checks the annotations and proves that they imply the host's security policy. Despite the flexibility of this scheme, compilers that generate certified code have so far focused on simple type-safety properties rather than more general security properties.

Security automata can specify an expressive collection of security policies including access control and resource bounds. In this paper, we describe how to instrument well-typed programs with security checks and typing annotations. The resulting programs obey the policies specified by security automata and can be mechanically checked for safety. This work provides a foundation for the process of automatically generating certified code for expressive security policies.
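As an added illustration (not code from the paper), here is a security automaton in the sense of Schneider's enforceable security policies, covering the two policy kinds the abstract names (an access-control policy and a resource bound), enforced by instrumenting each security-relevant operation with a transition check; the policies, state names and program traces are constructed for the example.

```python
from dataclasses import dataclass, field

class PolicyViolation(Exception):
    """Raised when the untrusted program attempts a forbidden transition."""

@dataclass
class SecurityAutomaton:
    """Current state plus a partial transition function; a (state, event)
    pair with no entry means the event is forbidden in that state."""
    state: object
    transitions: dict
    trace: list = field(default_factory=list)

    def step(self, event):
        nxt = self.transitions.get((self.state, event))
        if nxt is None:
            raise PolicyViolation(f"{event!r} not permitted in state {self.state!r}")
        self.state = nxt
        self.trace.append(event)

def no_send_after_read():
    # Access-control policy (constructed, after Schneider's classic example):
    # reads and sends are allowed, but once a file has been read the program
    # may never send on the network again.
    return SecurityAutomaton(state="clean", transitions={
        ("clean", "send"): "clean",
        ("clean", "read"): "tainted",
        ("tainted", "read"): "tainted",
    })

def open_file_bound(max_open):
    # Resource-bound policy (constructed): at most max_open files open at
    # once. The automaton state is the number of currently open files.
    t = {(n, "open"): n + 1 for n in range(max_open)}
    t.update({(n + 1, "close"): n for n in range(max_open)})
    return SecurityAutomaton(state=0, transitions=t)

def run_instrumented(automaton, program):
    # Instrumentation: each security-relevant operation of the (constructed)
    # untrusted program, given as a list of operation names, is preceded by
    # an automaton check; a rejected transition halts the program on the spot.
    executed = []
    for op in program:
        try:
            automaton.step(op)
        except PolicyViolation:
            break
        executed.append(op)
    return executed
```

The returned list shows exactly which operations ran before the policy stopped the program; the paper's contribution is to make such inserted checks statically verifiable via typing annotations rather than trusted at run time.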


Published in

POPL '00: Proceedings of the 27th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, January 2000, 402 pages. ISBN 1581131259. DOI 10.1145/325694.

                  Copyright © 2000 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance rates

POPL '00 paper acceptance rate: 30 of 151 submissions (20%). Overall POPL acceptance rate: 824 of 4,130 submissions (20%).
