Skip to main content Accessibility help
×
×
Home

Security monitor inlining and certification for multithreaded Java

  • MADS DAM (a1), BART JACOBS (a2), ANDREAS LUNDBLAD (a1) and FRANK PIESSENS (a2)

Abstract

Security monitor inlining is a technique for security policy enforcement whereby monitor functionality is injected into application code in the style of aspect-oriented programming. The intention is that the injected code enforces compliance with the policy (security), and otherwise interferes with the application as little as possible (conservativity and transparency). Such inliners are said to be correct. For sequential Java-like languages, inlining is well understood, and several provably correct inliners have been proposed. For multithreaded Java one difficulty is the need to maintain a shared monitor state. We show that this problem introduces fundamental limitations in the type of security policies that can be correctly enforced by inlining. A class of race-free policies is identified that precisely characterizes the inlineable policies by showing that inlining of a policy outside this class is either not secure or not transparent, and by exhibiting a concrete inliner for policies inside the class which is secure, conservative and transparent. The inliner is implemented for Java and applied to a number of practical application security policies. Finally, we discuss how certification in the style of proof-carrying code could be supported for inlined programs by using annotations to reduce a potentially complex verification problem for multithreaded Java bytecode to sequential verification of just the inlined code snippets.

Copyright

References

Hide All
Aktug, I., Dam, M. and Gurov, D. (2009) Provably correct runtime monitoring. Journal of Logic and Algebraic Programming 78 (5)304339.
Aktug, I. and Naliuka, K. (2008) Conspec–a formal language for policy specification. Science of Computer Programming 74 (1-2)212. (Special issue on Security and Trust.)
Apache Software Foundation (2002) Servlet api documentation. Available at http://download.oracle.com/docs/cd/E17802_01/products/products/servlet/2.5/docs/servlet-2_5-mr2/index.html.
Bannwart, F. Y. and Müller, P. (2005) A logic for bytecode. In: Bytecode Semantics, Verification, Analysis and Transformation (BYTECODE). Elsevier Electronic Notes in Theoretical Computer Science 141-1 255273.
Bauer, L., Ligatti, J. and Walker, D. (2003) Types and effects for non-interfering program monitors. In: Okada, M., Pierce, B., Scedrov, A., Tokuda, H. and Yonezawa, A. (eds.) Software Security–Theories and Systems. Mext-NSF-JSPS International Symposium. Springer Lecture Notes in Computer Science 2609 154171.
Bauer, L., Ligatti, J. and Walker, D. (2005) Composing security policies with Polymer. In: Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI) 305314.
Bielova, N., Dragoni, N., Massacci, F., Naliuka, K. and Siahaan, I. (2009) Matching in security-by-contract for mobile code. Journal of Logic and Algebraic Programming 78 (5)340358.
Chen, F. (2005) Java-MOP: a monitoring oriented programming environment for Java. In: Proceedings of the Eleventh International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS), Springer 546550.
Chudnov, A. and Naumann, D. A. (2010) Information flow monitor inlining. In: Computer Security Foundations 200214.
Dam, M., Jacobs, B., Lundblad, A. and Piessens, F. (2009) Security monitor inlining for multithreaded Java. In: Proceeding of ECOOP 2009 - Object-Oriented Programming, 23rd European Conference, Genova, Italy, 6–10 July, 2009, Springer-Verlag 546569.
Dam, M., Jacobs, B., Lundblad, A. and Piessens, F. (2010) Provably correct inline monitoring for multithreaded Java-like programs. Journal of Computer Security 18 3759.
DeLine, R. and Fähndrich, M. (2001) Enforcing high-level protocols in low-level software. In: PLDI'01: Proceedings of the ACM SIGPLAN 2001 Conference on Programming Language Design and Implementation, ACM 5969.
Desmet, L., Joosen, W., Massacci, F., Philippaerts, P., Piessens, F., Siahaan, I. and Vanoverberghe, D. (2008) Security-by-contract on the .NET platform. Information Security Technical Report 13 (1)2532.
Deutsch, P. and Grant, C. A. (1971) A flexible measurement tool for software systems. Information Processing 71, Proceeding International Federation for Information Processing Congress 1 320326.
Erlingsson, U. (2004) The Inlined Reference Monitor Approach to Security Policy Enforcement. Ph.D. thesis, Department of Computer Science, Cornell University.
Erlingsson, U. and Schneider, F. B. (2000a) IRM enforcement of Java stack inspection. In: IEEE Symposium on Security and Privacy, IEEE Computer Society 0246.
Erlingsson, U. and Schneider, F. B. (2000b) SASI enforcement of security policies: a retrospective. In: Proceedings of the Workshop on New Security Paradigms (NSPW'99), ACM Press 8795.
Evans, D. and Twyman, A. (1999) Flexible policy-directed code safety. In: IEEE Symposium on Security and Privacy 3245.
Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A. and Stewart, L. (1999) HTTP authentication: Basic and digest access authentication. Request for Comments 2617 (Draft Standard).
Gosling, J., Joy, B., Steele, G. and Bracha, G. (2005) Java(TM) Language Specification, The (3rd Edition) (Java (Addison-Wesley)). Addison-Wesley Professional.
Hamlen, K. W. and Jones, M. (2008) Aspect-oriented in-lined reference monitors. In: PLAS'08: Proceedings of the 3rd ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, ACM 1120.
Hamlen, K. W., Morrisett, G. and Schneider, F. B. (2006a) Certified in-lined reference monitoring on .NET. In: Proceedings of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS'06) 716.
Hamlen, K. W., Morrisett, G. and Schneider, F. B. (2006b) Computability classes for enforcement mechanisms. ACM Transactions on Programming Languages and Systems 28 (1)175205.
HATS (2010) Evaluation of the core framework, deliverable 5.2 of project fp7-231620 (hats). Available at http://www.cse.chalmers.se/research/hats/sites/default/files/Deliverable52.pdf.
Jones, M. and Hamlen, K. W. (2010) Disambiguating aspect-oriented security policies. In: Aspect-Oriented Software Development 193204.
Kim, M., Kannan, S., Lee, I., Sokolsky, O. and Viswanathan, M. (2001) Java-MaC: A run-time assurance tool for Java programs. Electronic Notes in Theoretical Computer Science 55 (2)218235. (RV'2001, Runtime Verification (in connection with CAV '01)).
Leroy, X. (2003) Java bytecode verification: Algorithms and formalizations. Journal of Automated Reasoning 30 (3–4)235269.
Ligatti, J., Bauer, L. and Walker, D. (2005) Edit automata: Enforcement mechanisms for run-time security policies. International Journal of Information Security 4 (1–2)216.
Ligatti, J. A. (2006) Policy Enforcement via Program Monitoring, Ph.D. thesis, Princeton University.
Lindholm, T. and Yellin, F. (1999) Java Virtual Machine Specification, volume 2, Addison-Wesley Longman Publishing Co., Inc.
Lipton, R. J. (1975) Reduction: A method of proving properties of parallel programs. Communications of the ACM 18 717721.
Lundblad, A. (2010) Inlined reference monitors for multithreaded java: Case-studies. Available at http://www.csc.kth.se/~landreas/mt_inlining/.
Dragoni, N., Massacci, F., Naliuka, K. and Siahaan, I. (2007) Security-by-contract: Toward a semantics for digital signatures on mobile code. In: Proceedings of the 4th European PKI Workshop. Springer Lecture Notes in Computer Science 4582 297312.
Necula, G. C. (1997) Proof-carrying code. In: POPL'97: Proceedings of the 24th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, ACM Press 106119.
OWASP (2010) Owasp top 10 - 2010. Available at http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf.
Reynal, S. (2010) Jpicedt website. Available at http://jpicedt.sourceforge.net/.
S3MS (2008) Project web page. Available at http://www.s3ms.org.
Schneider, F. B. (2000) Enforceable security policies. ACM Transactions Information and Systems Security 3 (1)3050.
Skalka, C. and Smith, S. (2004) History effects and verification. In: Asian Programming Languages Symposium 107128.
Sridhar, M. and Hamlen, K. W. (2010a) Actionscript in-lined reference monitoring in prolog. In: Practical Aspects of Declarative Languages 149151.
Sridhar, M. and Hamlen, K. W. (2010b) Model checking in-lined reference monitors. In: Verification, Model Checking, and Abstract Interpretation 312327.
Sridhar, M. and Hamlen, K. W. (2011) Flexible in-lined reference monitor certification: Challenges and future directions. In: Proceedings of the 5th ACM Workshop on Programming Languages Meets Program Verification, PLPV'11, New York, NY, USA. ACM 5560.
Vanoverberghe, D. and Piessens, F. (2009) Security enforcement aware software development. Information and Software Technology 51 (7)11721185.
Viswanathan, M. (2000) Foundations for the Run-Time Analysis of Software Systems, Ph.D. thesis, University of Pennsylvania.
Walker, D. (2000) A type system for expressive security policies. In: POPL'00: Proceedings of the 27th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, ACM 254267.
Recommend this journal

Email your librarian or administrator to recommend adding this journal to your organisation's collection.

Mathematical Structures in Computer Science
  • ISSN: 0960-1295
  • EISSN: 1469-8072
  • URL: /core/journals/mathematical-structures-in-computer-science
Please enter your name
Please enter a valid email address
Who would you like to send this to? *
×

Metrics

Full text views

Total number of HTML views: 0
Total number of PDF views: 0 *
Loading metrics...

Abstract views

Total abstract views: 0 *
Loading metrics...

* Views captured on Cambridge Core between <date>. This data will be updated every 24 hours.

Usage data cannot currently be displayed