Open access

Stack inspection: Theory and variants

Published: 01 May 2003

Abstract

    Stack inspection is a security mechanism implemented in runtimes such as the JVM and the CLR to accommodate components with diverse levels of trust. Although stack inspection enables the fine-grained expression of access control policies, it has rather a complex and subtle semantics. We present a formal semantics and an equational theory to explain how stack inspection affects program behavior and code optimisations. We discuss the security properties enforced by stack inspection, and also consider variants with stronger, simpler properties.




    Reviews

    Maulik A Dave

For software written with components that have different levels of trust, safe runs are a major concern. Stack inspection is one technique used to ensure these safe runs. When untrusted and trusted components call each others' functions, stack inspection can play a major role in deciding whether or not to allow access to a particular resource, depending on the permissions set. This paper describes the stack inspection technique, and discusses related issues using the lambda calculus style of formalism. The major contribution of the paper is its presentation of the semantics with stack inspection incorporated. The paper also notes some limitations of the technique with respect to the general concept of safety. Section 1 briefly introduces the motivation for the work, and presents an outline of stack inspection. Section 2 describes the calculus of stack inspection, including its operational semantics. Section 3 explains the theory described in section 2, using five examples. Section 4 addresses the issue of stack inspection in the presence of program transformations. This is done by presenting a list of equational properties. The proofs of some of the representative equations are provided. In section 5, program transformations like function inlining and tail call elimination are discussed. Section 6 includes critical discussion of stack inspection, and presents some of the limitations of the technique. Section 7 presents conclusions, and related work. Two appendices are provided to support the discussions in the paper. The paper is 40 pages, including a two-page list of references. The URL for the technical report version of the paper is also provided.

    Online Computing Reviews Service
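The stack walk that the abstract and the review above describe, as an added example that is not part of the paper or of this page: a Python model of stack inspection as implemented by the JVM and the CLR. The principals (`system`, `applet`), the policy, the `Runtime` class with its `call` and `demand` methods, and the file paths are all assumptions made for the illustration; the `enable` argument stands in for Java's `doPrivileged` and .NET's `Assert`. Three scenarios show the ordinary behaviour (an untrusted caller is denied, an enabling trusted frame stops the walk, a callback supplied by untrusted code is still checked); the fourth shows a known limitation of stack-based checks, the confused-deputy pattern described by Hardy: once untrusted code has returned, the value it produced is consumed with no untrusted frame on the stack. This is the gap that the history-based access control of Abadi and Fournet, which the paper cites, is designed to close.

```python
# Model of the stack walk performed by stack inspection in the JVM and the CLR.
# Constructed illustration: principals, policy and paths are made up, and
# Runtime is a model of the check, not a real virtual machine.
from dataclasses import dataclass
from typing import Callable, Optional

# Static policy: each principal (code origin) and the permissions it is granted.
POLICY = {
    "system": {"FileRead", "FileWrite"},
    "applet": set(),  # untrusted code is granted nothing
}


class SecurityException(Exception):
    """Raised when a demand fails."""


@dataclass
class Frame:
    principal: str
    enabled: Optional[str] = None  # permission this frame explicitly enabled


class Runtime:
    """Keeps the call stack and walks it on every demand."""

    def __init__(self) -> None:
        self.stack = []

    def call(self, principal: str, fn: Callable, *args, enable: Optional[str] = None):
        """Run fn in a frame owned by principal; `enable` plays the role of
        Java's doPrivileged / .NET's Assert for a single permission."""
        self.stack.append(Frame(principal, enable))
        try:
            return fn(*args)
        finally:
            self.stack.pop()

    def demand(self, perm: str) -> None:
        """Walk from the newest frame towards the bottom of the stack."""
        for frame in reversed(self.stack):
            if perm not in POLICY.get(frame.principal, set()):
                raise SecurityException(f"frame of {frame.principal} lacks {perm}")
            if frame.enabled == perm:
                return  # enabling frame stops the walk; frames below are not checked
        # Bottom reached: every frame on the stack holds the permission.


def read_file(rt: Runtime, path: str) -> str:
    """Trusted library entry point: demand first, then touch the resource."""
    rt.demand("FileRead")
    return f"<contents of {path}>"  # stand-in for the real read


def outcome(rt: Runtime, principal: str, fn: Callable, *args) -> str:
    try:
        rt.call(principal, fn, *args)
        return "allowed"
    except SecurityException:
        return "denied"


def scenario_direct_call() -> str:
    """applet -> system.read_file: the applet frame is on the stack, so denied."""
    rt = Runtime()
    return outcome(rt, "applet", lambda: rt.call("system", read_file, rt, "/etc/passwd"))


def scenario_privileged() -> str:
    """applet -> system frame enabling FileRead for a fixed, harmless path -> read_file:
    allowed, because the enabling frame stops the walk before the applet frame."""
    rt = Runtime()

    def load_font():
        return rt.call("system", read_file, rt, "/usr/share/fonts/default.ttf")

    return outcome(rt, "applet", lambda: rt.call("system", load_font, enable="FileRead"))


def scenario_callback() -> str:
    """applet -> enabling system frame -> applet callback -> read_file: denied,
    because frames above the enabling frame are still checked."""
    rt = Runtime()

    def applet_callback():
        return rt.call("system", read_file, rt, "/etc/passwd")

    def process_with_callback():
        return rt.call("applet", applet_callback)

    return outcome(rt, "applet", lambda: rt.call("system", process_with_callback, enable="FileRead"))


def scenario_untrusted_data() -> str:
    """Limitation: the applet chooses the path and returns; system code reads it
    later with only a system frame on the stack, so the walk allows it."""
    rt = Runtime()
    chosen = rt.call("applet", lambda: "/etc/passwd")  # applet frame has already returned
    return outcome(rt, "system", read_file, rt, chosen)


if __name__ == "__main__":
    for s in (scenario_direct_call, scenario_privileged, scenario_callback, scenario_untrusted_data):
        print(f"{s.__name__:26s} {s()}")
```

Running the block prints `denied`, `allowed`, `denied`, `allowed` for the four scenarios. Note that the enabling frame is itself checked against the policy before it terminates the walk, so a frame can only enable a permission its own principal holds; that is what keeps `scenario_callback` safe while `scenario_untrusted_data` slips through, since the latter involves no frame the walk could object to.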


    Published In

    ACM Transactions on Programming Languages and Systems  Volume 25, Issue 3
    May 2003
    109 pages
    ISSN:0164-0925
    EISSN:1558-4593
    DOI:10.1145/641909

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. Access control
    2. contextual equivalence
    3. equational reasoning
    4. operational semantics
    5. stack inspection

    Qualifiers

    • Article


    Cited By

    • (2017) Hardening Java's Access Control by Abolishing Implicit Privilege Elevation. 2017 IEEE Symposium on Security and Privacy (SP), 1027-1040. DOI 10.1109/SP.2017.16. Published May 2017.
    • (2017) Checking global usage of resources handled with local policies. Science of Computer Programming 133, 20-50. DOI 10.1016/j.scico.2016.06.005. Published Jan 2017.
    • (2014) Model checking usage policies. Mathematical Structures in Computer Science 25(3), 710-763. DOI 10.1017/S096012951200093X. Published 10 Nov 2014.
    • (2013) A Simple Semantics and Static Analysis for Stack Inspection. Electronic Proceedings in Theoretical Computer Science 129, 284-308. DOI 10.4204/EPTCS.129.17. Published 19 Sep 2013.
    • (2013) Secure and modular access control with aspects. Proceedings of the 12th annual international conference on Aspect-oriented software development, 157-170. DOI 10.1145/2451436.2451456. Published 24 Mar 2013.
    • (2013) The functionality-based application confinement model. International Journal of Information Security 12(5), 393-422. DOI 10.1007/s10207-013-0199-4. Published 1 Oct 2013.
    • (2012) TreeDroid. Proceedings of the 2012 ACM conference on Computer and communications security, 894-905. DOI 10.1145/2382196.2382290. Published 16 Oct 2012.
    • (2011) Exploiting modular access control for advanced policies. Proceedings of the tenth international conference on Aspect-oriented software development companion, 87-88. DOI 10.1145/1960314.1960348. Published 21 Mar 2011.
    • (2011) Access Control in JavaScript. IEEE Software 28(5), 76-84. DOI 10.1109/MS.2010.154. Published 1 Sep 2011.
    • (2010) Role-based access control (RBAC) in Java via proxy objects using annotations. Proceedings of the 15th ACM symposium on Access control models and technologies, 79-88. DOI 10.1145/1809842.1809858. Published 9 Jun 2010.
