Stack inspection is a security mechanism implemented in runtimes such as the JVM and the CLR to accommodate components with diverse levels of trust. Although stack inspection enables the fine-grained expression of access control policies, it has a rather complex and subtle semantics. We present a formal semantics and an equational theory to explain how stack inspection affects program behaviour and code optimisations. We discuss the security properties enforced by stack inspection, and also consider variants with stronger,
| Citations | Title | Authors | Year |
|---|---|---|---|
| 2762 | Communication and Concurrency | Milner | 1989 |
| 565 | Notions of computation and monads | Moggi | 1991 |
| 251 | Call-by-name, call-by-value and the λ-calculus | Plotkin | 1975 |
| 230 | JFlow: Practical Mostly-Static Information Flow Control | Myers | 1999 |
| 128 | Call-by-name, call-by-value and the λ-calculus | Plotkin | 1975 |
| 126 | Lambda-Calculus Models of Programming Languages | Morris | 1968 |
| 120 | Full abstraction in the lazy lambda calculus | Abramsky, Ong | 1993 |
| 110 | Bisimilarity as a theory of functional programming: Mini-course | Gordon | 1995 |
| 103 | Fully Abstract Models of Typed Lambda-Calculi | Milner | 1977 |
| 93 | Compiling Standard ML to Java bytecodes | Benton, Kennedy, et al. | 1998 |
| 89 | Proving congruence of bisimulation in functional programming languages | Howe | 1996 |
| 86 | IRM enforcement of Java stack inspection | Erlingsson, Schneider | 2000 |
| 74 | The Java TM Virtual Machine Specification | Lindholm, Yellin | 1996 |
| 64 | Representation independence, confinement and access control | Banerjee, Naumann | 2002 |
| 63 | Security properties of typed applets | Leroy, Rouaix | 1998 |
| 50 | Analysis and caching of dependencies | Abadi, Lampson, et al. | 1996 |
| 46 | Static enforcement of security with types | Skalka, Smith | 2000 |
| 45 | Verification of control flow based security properties | Jensen, Métayer, et al. | 1999 |
| 43 | SAFKASI: a security mechanism for language-based systems | Wallach, Appel, et al. | |
| 34 | Syntactic type abstraction | Grossman, Morrisett, et al. | 2000 |
| 30 | Model checking security properties of control flow graphs | Besson, Jensen, et al. | |
| 30 | Trust in the λ-calculus | Palsberg, Ørbæk | 1995 |
| 24 | The Confused Deputy | Hardy | 1988 |
| 20 | Essential .NET, Volume I: The Common Language Runtime | Box | 2002 |
| 15 | Static Analysis for Stack Inspection | Bartoletti, Degano, et al. | 2001 |
| 15 | Inside Java TM 2 Platform Security | Gong | 1999 |
| 13 | Tail call elimination of the Java Virtual Machine | Schinz, Odersky | 2001 |
| 10 | A simple semantics and static analysis for Java security | Banerjee, Naumann | 2001 |
| 10 | The Java TM Virtual Machine Specification | Lindholm, Yellin | 1999 |
| 7 | An operational semantics for Java 2 access control | Karjoth | 2000 |
| 7 | A systematic approach to access control | Pottier, Skalka, et al. | 2001 |
| 6 | Verification of control flow based security properties | Jensen, Métayer, et al. | 1999 |
| 6 | JFlow: practical mostly-static information flow control | Myers | 1999 |
| 2 | Framework Developer's Guide: Security Optimizations | .NET | 2001 |
| 1 | The .NET common language runtime | Microsoft Corporation | 2000 |
| 1 | Operational semantics with stack inspection: (SI Appl) E((λx.e) v) →ʷ_Γ E(e{x:=v}); (SI Fail) E(fail e) →ʷ_Γ E(fail), E(v fail) →ʷ_Γ E(fail); (SI Frame) E(R[o]) →ʷ_Γ E(o); (SI Grant) E(grant R in o) →ʷ_Γ E(o); (SI Test) E(test R then … | Abramsky, Ong | 1993 |
| 1 | Model checking security properties of control flow graphs. Journal of Computer Security | Box | 2001 |