B. Bokowski and J. Vitek. Confined Types. In Object-Oriented Programming Systems, Languages, and Applications, November 1999.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....deals specifically with restricting the aliases of expressions. The syntax is confine e 1 in e2 meaning that aliases of the location e1 refers to are restricted in the scope e2 . Note that our use of the word confine is not related to the term as used in object oriented alias control systems [28]. The expression e1 itself serves as the name for the restricted location. Assuming all program variables have been renamed to be distinct, we define confine syntactically by translation to restrict: confine e 1 in(e2 [e1 x] restrict x =e1 in e2 where x is a fresh variable that is ....

J. Vitek and B. Bokowski. Confined Types. In Proceedings of the fourteenth annual conference on Object-oriented programming systems, languages, and applications, pages 82--96, Oct. 1999.

....(borrowed from [17] Figure 2.3: An example of aliasing 7 Figure 2.4: An alias to the array of identities allows a malicious applet to modify its capabilities 2.2.3 Java Applet Security Breach in JDK 1.1. 1 This example is borrowed from the paper on confined types by Bokowski and Vitek [1]: In Java, each class object (instance of class Class) stores a list of signers, which contains references to objects of type java.security.Identity, representing the principals under whose authority the class acts. This list is used by the security architecture to determine the access rights ....

.... private Identity[ signers; public Identity[ getSigners( Identity[ pub; pub = new Identity[signers.length] for (int i = 0; i signers.length; i ) pub[i] signers[i] return pub; An important point to note about this example, as pointed out by Bokowski and Vitek in [1], is that none of the standard Java protection mechanisms seem to help. Such things as access modifiers and type abstraction are not relevant here, since the attack does not interact with Identity objects, it only needs to acquire references to them and copy those references. The paper goes ....

[Article contains additional citation context not shown here]

Boris Bokowski and Jan Vitek. Confined types. In Proceedings of OOPSLA'99, ACM Press, 1999.

.... Types 10 Ownership type systems are designed to enforce object encapsulation properties [9, 6, 5, 8, 2] In this capacity, they can be used to ensure that objects from one instance of an abstraction are not used to inappropriately communicate with other instances of the same abstraction [4, 2]. For example, one might use ownership types in a multithreaded web server to ensure that the sockets associated with one server thread do not escape to be used by another server thread. Our system focuses on extracting communication patterns. Encapsulation violations in our system therefore show ....

B. Bokowski and J. Vitek. Confined types. In Object-Oriented Programming Systems, Languages and Applications, Denver, CO, Nov. 1999.

....ESC Java s specification system enables program specific reasoning about pivot objects that are similar to our owned objects [DLN98] however, their system could not guarantee that pivot objects are not accessed by unrelated parts of the program. A more recent variation, Confined Types [BV99], allows programmers to restrict object references to within a particular package; the system has been extended to support inference of confined types [GPV01] The ownership annotations in AliasJava are most closely related to Flexible Alias Protection [NVP98] and its successors [CNP01,Cla01] ....

Boris Bokowski and Jan Vitek. Confined Types. In Proceedings 14th Annual ACM SIGPLAN Conference on ObjectOriented Programming Systems, Languages, and Applications, Denver, Colorado, USA, November 1999.

....p p p p p There still are many issues that need deeper exploration. For instance, we do not yet consider JAC a means to improve Java system security, although a version of the JVM that enforces JAC s restrictions could definitely contribute here. e.g. the Java security breach described in [BV99] could have easily been fixed by defining the critical get method to return a readonly reference to the security sensitive array of signers. However, the most interesting direction of research towards better encapsulation seems to be, in our opinion, an integration of the two basic ideas of ....

Boris Bokowski and Jan Vitek. Confined Types. In IWAOOS99 [IWA99].

....management schemes can also address more general problems. For example, representation exposure is a specific case of privileged information (the representation) reaching an unprivileged part of the program, that is, of a security problem. Some alias management schemes, such as Confined Types [3] address these security problems directly, while others address optimisation [9] Finally, some schemes may aim primarily to describe the general invariants about program s data structures [11] 3 The Objects of Aliasing Alias management schemes can deal with any language construct where ....

....this paper we address only object aliasing. 2 3.1 Drawing Abstraction Boundaries Considering object aliasing, then, there are several different kinds of aliases which can be managed. For example, managing aliases within a static program entity (such as a class or package, as in Confined Types [3] or Sandwich Types [9] is generally easier than managing aliases within dynamically allocated objects. Alias management schemes can also differ about scope of an object, that is, where an object s encapsulation boundary should be drawn. Many schemes, including Islands and Balloons, provide full ....

[Article contains additional citation context not shown here]

Boris Bokowski and Jan Vitek. Confined types. in preparation, 1999.

....is duplicated to the destination. This may cause a serious security flaw because a secret data may be duplicated to a remote site implicitly. Our mobile language system does not provide a protection mechanism for that kind of flaws, but our system can be combined with various proposed techniques [2, 11] that prevent security flaws. Though objects on a heap can be transmitted to a remote site, resources such as files, windows and sockets cannot be. These stationary resources, thus, cause a problem on migration if a mobile agent has references to them. We have two options for dealing with these ....

.... Instructions that put a state object as an extra parameter for a method invocation instruction. 5.2 State Class public class STSamplefoo extends javago.StackFrame implements java.io. Serializable public int MEntryPoint; public int[ ArrayI = new int[1] public long[ ArrayL = new long[2]; public float[ ArrayF = new float[3] public double[ ArrayD = new double[4] public Object[ ArrayA = new Object[5] Fig. 1. A state class. Our transformation algorithm defines a state class for each method. An execution state of a method is stored into an instance of the state class. Fig. ....

Boris Bokowski and Jan Vitek. Confined Types. In Intercontinental Workshop on Aliasing in Object-Oriented Systems in Association with ECOOP Conference, 1999.

....for kernel interface objects, since a serious error could occur if a user program gained hold of a reference to an internal object. An example of this is the security bug that allowed an applet to gain a reference to its list of code signers in JDK1.1. 1, which the applet could then modify [4]. By adding signer Identity objects to this list, the applet could inherit the privileges associated with that signer. private Vector of Identity object signers; public Vector getSigners( return signers; The JDK actually used an array to represent the signers [4] arrays require ....

....could then modify [4] By adding signer Identity objects to this list, the applet could inherit the privileges associated with that signer. private Vector of Identity object signers; public Vector getSigners( return signers; The JDK actually used an array to represent the signers [4]; arrays require special treatment in the object space model, as will be seen in Section 4. This example also shows that declaring a variable as private is not enough to control access to the object bound to that variable. In the object space model, stronger encapsulation of internal objects ....

[Article contains additional citation context not shown here]

B. Bokowski and J. Vitek. Confined Types. In Proceeings of the 1999 ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages & Applications (OOPSLA `99), volume 34 of ACM Sigplan Notices, pages 82--96, N. Y., Nov. 1--5 1999. ACM Press.

....for programs, i.e. that a certain reference should not be allowed to propagate out of another object. Our own scope analysis answers the related question whether a certain reference can propagate out of a given object. More recent work on these issues includes the concept of confined types [2], and escape analysis [3] 5 Conclusion We have shown that information about static properties of a program, such as object immutability and scoping of object references, is essential for finding good distribution strategies. The analysis algorithms that we developed for the Pangaea system allow ....

Boris Bokowski and Jan Vitek. Confined types. In Proc. OOPSLA '99, pages 82--96, November 1999.

....implementation of digital signatures which allowed untrusted code to acquire extended access rights [30] This was caused by mistakenly returning a reference to the system s key ring which allowed any applet to increase its own access rights by adding signers to the key ring. As we observe in [5] there is no systematic way to ensure that such channels do not exist. Faithfulness: Java version control does not guarantee faithfulness because version numbers are not guaranteed to be unique. Further, subtyping can be used to mount code injection attacks. In this attack, instead of sending an ....

B. Bokowski and J. Vitek. Confined Types. In Proceedings 14th Annual ACM SIGPLAN Conference on Object-Oriented Programming Systems, Languages, and Applications (OOPSLA'99) , Denver, Colorado, USA, November 1999.

....an outside object will acquire a reference to an Account. The issue here is that subtyping allows to get around the security provided by static access modifiers. A similar problem has been the source of a major security breach in a previous implementation of the Java security architecture [8]. Subtyping can also be used to inject code into another class. That is, when a class expects an object of some type as argument to a method, a client may call that method with any subtype of the expected class. The security risk is that a malicious client may hand out an object specifically ....

B. Bokowski and J. Vitek. Confined Types. In Proceedings 14th Annual ACM SIGPLAN Conference on Object-Oriented Programming Systems, Languages, and Applications (OOPSLA'99), Denver, Colorado, USA, November 1999.

....implementation of digital signatures which allowed untrusted code to acquire extended access rights [30] This was caused by mistakenly returning a reference to the system s key ring which allowed any applet to increase its own access rights by adding signers to the key ring. As we observe in [5] there is no systematic way to ensure that such channels do not exist. Faithfulness: Java version control does not guarantee faithfulness because version numbers are not guaranteed to be unique. Further, subtyping can be used to mount code injection attacks. In this attack, instead of sending an ....

B. Bokowski and J. Vitek. Confined Types. In Proceedings 14th Annual ACM SIGPLAN Conference on ObjectOriented Programming Systems, Languages, and Applications (OOPSLA'99), Denver, Colorado, USA, November 1999.

No context found.

B. Bokowski and J. Vitek. Confined Types. In Object-Oriented Programming Systems, Languages, and Applications, November 1999.

No context found.

Boris Bokowski and Jan Vitek. Confined Types. In OOPSLA Proceedings, 1999.

No context found.

Boris Bokowski and Jan Vitek. Confined types. In Proceedings of Conference on Object-Oriented Programming, Languages, and Applications. ACM Press, 1999.

No context found.

Boris Bokowski and Jan Vitek. Confined types. In Proceedings of the 1999.

No context found.

Boris Bokowski and Jan Vitek. Confined Types. In Proceedings 14th Annual ACM SIGPLAN Conference on ObjectOriented Programming Systems, Languages, and Applications, Denver, Colorado, USA, November 1999.

No context found.

J. Vitek and B. Bokowski. Confined types. In Proceedings of the 1999.

No context found.

J. Vitek and B. Bokowski. Confined Types. In Proceedings of the fourteenth annual conference on Object-oriented programming systems, languages, and applications, pages 82--96, Oct. 1999.

No context found.

B. Bokowski and J. Vitek. Confined types. In Proceedings of the 14th Annual ACM SIGPLAN Conference on ObjectOriented Programming Systems, Languages, and Applications (OOPSLA '99), November 1999.

No context found.

Boris Bokowski and Jan Vitek. Confined types. In Proceedings of the 1999 ACM SIGPLAN Conference on Object-Oriented Programming Systems, Languages and Applications (OOPSLA '99), volume 34, number 10 in SIGPLAN Notices, pages 82--96. ACM, October 1999.

No context found.

Boris Bokowski and Jan Vitek. Confined types. In Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA), October 1999.

No context found.

B. Bokowski and J. Vitek. Confined types. In Applications (OOPSLA), October 1999.

No context found.

Boris Bokowski and Jan Vitek. Confined types. In Proceedings of the 1999.

No context found.

Boris Bokowski and Jan Vitek. Confined types. In OOPSLA Proceedings, 1999.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC