article

Stack inspection: theory and variants

Authors:

Cédric Fournet and

Andrew D. GordonAuthors Info & Claims

ACM SIGPLAN Notices, Volume 37, Issue 1

Pages 307 - 318

https://doi.org/10.1145/565816.503301

Published: 01 January 2002 Publication History

Abstract

Stack inspection is a security mechanism implemented in runtimes such as the JVM and the CLR to accommodate components with diverse levels of trust. Although stack inspection enables the fine-grained expression of access control policies, it has rather a complex and subtle semantics. We present a formal semantics and an equational theory to explain how stack inspection affects program behaviour and code optimisations. We discuss the security properties enforced by stack inspection, and also consider variants with stronger, simpler properties.

References

[1]

M. Abadi, B. Lampson, and J.-J. Levy. Analysis and caching of dependencies. In First ACM SIGPLAN International Conference on Functional Programming (ICFP'96), pages 83-91, May 1996.]]

Digital Library

[2]

S. Abramsky and L. Ong. Full abstraction in the lazy lambda calculus. Information and Computation, 105:159-267, 1993.]]

Digital Library

[3]

A. Banerjee and D. Naumann. A simple semantics and static analysis for Java security. CS Report 2001-1, Stevens Institute of Technology, 2001.]]

[4]

A. Banerjee and D. Naumann. Representation independence, confinement, and access control. In 29th ACM Symposium on Principles of Programming Languages (POPL'02), 2002. This volume.]]

Digital Library

[5]

M. Bartoletti, P. Degano, and G. Ferrari. Static analysis for stack inspection. In ConCoord: International Workshop on Concurrency and Coordination, volume 54 of ENTCS. Elsevier, 2001.]]

[6]

N. Benton, A. Kennedy, and G. Russell. Compiling Standard ML to Java bytecodes. In Third ACM SIG- PLAN International Conference on Functional Programming (ICFP'98), pages 129-140, 1998.]]

Digital Library

[7]

F. Besson, T. Jensen, D. L. M~tayer, and T. Thorn. Model checking security properties of control flow graphs. Journal of Computer Security, 9:217-250, 2001.]]

Digital Library

[8]

D. Box. Essential .NET Volume I: The Common Language Runtime. Addison Wesley, 2002. To appear.]]

Digital Library

[9]

U. Erlingsson and F. Schneider. IRM enforcement of Java stack inspection. In Proceedings 2000 IEEE Symposium on Security and Privacy, pages 246-255. IEEE Computer Society Press, 2000.]]

Digital Library

[10]

C. Fournet and A. D. Gordon. Stack inspection: Theory and variants. Technical Report MSR-TR-2001- 103, Microsoft Research, 2001.]]

[11]

L. Gong. Inside Java TM 2 Platform Security. Addison Wesley, 1999.]]

Digital Library

[12]

A. Gordon and A. Pitts, editors. Higher Order Operational Techniques in Semantics, Publications of the Newton Institute. Cambridge University Press, 1998.]]

Digital Library

[13]

D. Grossman, G. Morrisett, and S. Zdancewic. Syntactic type abstraction. ACM Transactions on Programming Languages and Systems, 22(6):1037-1080, 2000.]]

Digital Library

[14]

N. Hardy. The confused deputy. ACM Operating Systems Review, 22(4):36-38, Oct 1988. http://www.cis. upenn.edu/KeyKOS/ConfusedDeputy.html.]]

Digital Library

[15]

D. J. Howe. Proving congruence of bisimulation in functional programming languages. Information and Computation, 124(2):103-112, 1996.]]

Digital Library

[16]

T. Jensen, D. L. Metayer, and T. Thorn. Verification of control flow based security properties. In Proceedings 1999 IEEE Symposium on Security and Privacy, pages 89-103. IEEE Computer Society Press, 1999.]]

[17]

G. Karjoth. An operational semantics for Java 2 access control. In 13th Computer Security Foundations Workshop, pages 224-232. IEEE Computer Society Press, 2000.]]

Digital Library

[18]

X. Leroy and F. Rouaix. Security properties of typed applets. In J. Vitek and C. Jensen, editors, Secure Internet Programming - Security issues for Mobile and Distributed Objects, volume 1603 of LNCS, pages 147- 182. Springer-Verlag, 1999.]]

Digital Library

[19]

T. Lindholm and F. Yellin. The Java TM Virtual Machine Specification. Addison Wesley, 1997.]]

Digital Library

[20]

Microsoft Corporation. .NET Framework Developer's Guide: Security Optimizations, 2001. http://msdn.microsoft.com/library/en-us/ cpguidnf/html/cpconsecurityoptimizations.asp.]]

[21]

R. Milner. Fully abstract models of typed lambdacalculi. Theoretical Computer Science, 4:1-23, 1977.]]

[22]

E. Moggi. Notions of computations and monads. Theoretical Computer Science, 93:55-92, 1989.]]

Digital Library

[23]

J. H. Morris. Lambda-Calculus Models of Programming Languages. PhD thesis, MIT, Dec. 1968.]]

[24]

A. C. Myers. JFlow: Practical, mostly-static information flow control. In 26th ACM Symposium on Principles of Programming Languages (POPL'99), pages 228- 241, 1999.]]

Digital Library

[25]

P. Orbaek and J. Palsberg. Trust in the calculus. Journal of Functional Programming, 3(2):75-85, 1997.]]

Digital Library

[26]

G. D. Plotkin. Call-by-name, call-by-value and the calculus. Theoretical Computer Science, 1:125-159, 1975.]]

[27]

F. Pottier, C. Skalka, and S. Smith. A systematic approach to access control. In Programming Languages and Systems (ESOP 2001), volume 2028 of LNCS, pages 30-45. Springer, 2001.]]

Digital Library

[28]

M. Schinz and M. Odersky. Tail call elimination on the Java Virtual Machine. In SIGPLAN Workshop on Multi-Language Infrastructure and Interoperability (BABEL'01), volume 59(1) of ENTCS, pages 155-168. Elsevier, 2001.]]

[29]

C. Skalka and S. Smith. Static enforcement of security with types. In Fifth ACM SIGPLAN International Conference on Functional Programming (ICFP'00), pages 34-45, 2000.]]

Digital Library

[30]

D. S. Wallach, A. W. Appel, and E. W. Felten. Safkasi: A security mechanism for language-based systems. ACM Transactions on Software Engineering and Methodology, 9(4):341-378, 2000.]]

Digital Library

Cited By

Skalka CSmith S(2018)Static use-based object confinementInternational Journal of Information Security10.1007/s10207-004-0049-54:1-2(87-104)Online publication date: 24-Dec-2018
https://dl.acm.org/doi/10.1007/s10207-004-0049-5
Soni PBudianto ESaxena PRay ILi NKruegel C(2015)The SICILIAN DefenseProceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security10.1145/2810103.2813710(1542-1557)Online publication date: 12-Oct-2015
https://dl.acm.org/doi/10.1145/2810103.2813710
Kolundžija M(2009)Security Types for Sessions and PipelinesWeb Services and Formal Methods10.1007/978-3-642-01364-5_11(175-190)Online publication date: 30-Apr-2009
https://dl.acm.org/doi/10.1007/978-3-642-01364-5_11
Show More Cited By

Index Terms

Stack inspection: theory and variants
1. Theory of computation
  1. Semantics and reasoning
    1. Program semantics

Index terms have been assigned to the content through auto-classification.

Recommendations

Stack inspection: Theory and variants

Stack inspection is a security mechanism implemented in runtimes such as the JVM and the CLR to accommodate components with diverse levels of trust. Although stack inspection enables the fine-grained expression of access control policies, it has rather ...
Read More
Stack inspection: theory and variants
POPL '02: Proceedings of the 29th ACM SIGPLAN-SIGACT symposium on Principles of programming languages

Stack inspection is a security mechanism implemented in runtimes such as the JVM and the CLR to accommodate components with diverse levels of trust. Although stack inspection enables the fine-grained expression of access control policies, it has rather ...
Read More
Beyond Stack Inspection: A Unified Access-Control and Information-Flow Security Model
SP '07: Proceedings of the 2007 IEEE Symposium on Security and Privacy

Modern component-based systems, such as Java and Microsoft .NET Common Language Runtime (CLR), have adopted Stack-Based Access Control (SBAC). Its purpose is to use stack inspection to verify that all the code responsible for a security-sensitive action ...
Read More

Comments

Information & Contributors

Information

Published In

cover image ACM SIGPLAN Notices

ACM SIGPLAN Notices Volume 37, Issue 1

Jan. 2002

342 pages

ISSN:0362-1340

EISSN:1558-1160

DOI:10.1145/565816

Issue’s Table of Contents

POPL '02: Proceedings of the 29th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
January 2002
351 pages
ISBN:1581134509
DOI:10.1145/503272
Conference Chair:
John Launchbury
OGI and Galois Connections
,
Program Chair:
John C. Mitchell
Stanford University

Copyright © 2002 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 January 2002

Published in SIGPLAN Volume 37, Issue 1

Check for updates

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

47
Total Citations
View Citations
561
Total Downloads

Downloads (Last 12 months)15
Downloads (Last 6 weeks)3

Other Metrics

View Author Metrics

Citations

Cited By

Skalka CSmith S(2018)Static use-based object confinementInternational Journal of Information Security10.1007/s10207-004-0049-54:1-2(87-104)Online publication date: 24-Dec-2018
https://dl.acm.org/doi/10.1007/s10207-004-0049-5
Soni PBudianto ESaxena PRay ILi NKruegel C(2015)The SICILIAN DefenseProceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security10.1145/2810103.2813710(1542-1557)Online publication date: 12-Oct-2015
https://dl.acm.org/doi/10.1145/2810103.2813710
Kolundžija M(2009)Security Types for Sessions and PipelinesWeb Services and Formal Methods10.1007/978-3-642-01364-5_11(175-190)Online publication date: 30-Apr-2009
https://dl.acm.org/doi/10.1007/978-3-642-01364-5_11
Talhi CTawbi NDebbabi M(2008)Execution monitoring enforcement under memory-limitation constraintsInformation and Computation10.1016/j.ic.2007.07.009206:2-4(158-184)Online publication date: 1-Feb-2008
https://dl.acm.org/doi/10.1016/j.ic.2007.07.009
Liu D(2007)CSchemaJournal of Computer Science and Technology10.1007/s11390-007-9012-z22:1(44-53)Online publication date: 1-Jan-2007
https://dl.acm.org/doi/10.1007/s11390-007-9012-z
Yoshida N(2004)Channel dependent types for higher-order mobile processesACM SIGPLAN Notices10.1145/982962.96401439:1(147-160)Online publication date: 1-Jan-2004
https://dl.acm.org/doi/10.1145/982962.964014
Yoshida NJones NLeroy X(2004)Channel dependent types for higher-order mobile processesProceedings of the 31st ACM SIGPLAN-SIGACT symposium on Principles of programming languages10.1145/964001.964014(147-160)Online publication date: 14-Jan-2004
https://dl.acm.org/doi/10.1145/964001.964014
Lutze MMadsen MSchuster PBrachthäuser J(2023)With or Without You: Programming with Effect ExclusionProceedings of the ACM on Programming Languages10.1145/36078467:ICFP(448-475)Online publication date: 31-Aug-2023
https://dl.acm.org/doi/10.1145/3607846
Satake YUnno H(2018)Propositional Dynamic Logic for Higher-Order Functional ProgramsComputer Aided Verification10.1007/978-3-319-96145-3_6(105-123)Online publication date: 18-Jul-2018
https://doi.org/10.1007/978-3-319-96145-3_6
Lu YBae SKrishnan PRaghavendra K(2017)Inference of Security-Sensitive Entities in Libraries2017 IEEE Security and Privacy Workshops (SPW)10.1109/SPW.2017.26(102-109)Online publication date: May-2017
https://doi.org/10.1109/SPW.2017.26
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Issue’s Table of Contents