21 citations found.
D. Wallach. A New Approach to Mobile Code Security. PhD thesis, Princeton University, 1999.


This paper is cited in the following contexts:
Secure Calling Contexts for Stack Inspection - Besson, de Latour, Jensen (2002)   (5 citations)  (Correct)

....# P # that describe the set P of permissions necessary for executing a function. In a sequel paper, Pottier, Skalka and Smith [PSS01] recast the type system in more standard terms by translating # sec into a standard lambda calculus by generalising Wallach's security passing programming style [Wal99] to higher order functions. Bartoletti, Degano and Ferrari [BDF01] develop a data flow analysis for control flow graphs that determines the set of permissions that will always or will never be available at a given node in the graph. This information can be used to optimise the stack inspection ....

D. S. Wallach. A new approach to mobile code security. PhD thesis, Dept. of Computer Science, Princeton University, January 1999.


IRM Enforcement of Java Stack Inspection - Erlingsson, Schneider (2000)   (41 citations)  (Correct)

....a trusted rewriter instruments applications with checks that cannot be circumvented and that cause execution to be monitored for violations of a specified security policy. Two IRM implementations of stack inspection are reported one is a reformulation of security passing style proposed in [18, 19]; the other is new and exhibits performance that is competitive with existing commercial JVM resident implementations. For example, certain access control policies can be implemented with stack inspection only by creating multiple copies of the same class in different code bases or by creating ....

....JVM. We proceed as follows. Section 2 briefly summarizes our PoET PSLang toolkit for synthesizing IRMs; PoET PSLang is a successor to our SASI tool [7] Section 3 reviews Java 2's stack inspection policy and the primitives that implement this policy. An IRM version of the security passing style [18, 19] implementation of stack inspection is described in Section 4; an IRM implementation for a new way to support Java 2's stack inspection policy is given in Section 5. Finally, Section 6 concludes with some remarks about the IRM approach and about limitations we discovered in Java's stack inspection ....

[Article contains additional citation context not shown here]

Wallach, D.S. A New Approach to Mobile Code Security, Ph.D. thesis, Princeton University, New Jersey, January 1999.


IRM Enforcement of Java Stack Inspection - Erlingsson, Schneider (2000)   (41 citations)  (Correct)

....a trusted rewriter instruments applications with checks that cannot be circumvented and that cause execution to be monitored for violations of a specified security policy. Two IRM implementations of stack inspection are reported one is a reformulation of security passing style proposed in [19, 20]; the other is new and exhibits performance that is competitive with existing commercial JVM resident implementations. For example, certain access control policies can be implemented with stack inspection only by creating multiple copies of the same class in different code bases or by creating ....

....JVM. We proceed as follows. Section 2 briefly summarizes our PoET PSLang toolkit for synthesizing IRMs; PoET PSLang is a successor to our SASI tool [7] Section 3 reviews Java 2's stack inspection policy and the primitives that implement this policy. An IRM version of the security-passing style [19, 20] implementation of stack inspection is described in Section 4; an IRM implementation for a new way to support Java 2's stack inspection policy is given in Section 5. Finally, Section 6 concludes with some remarks about the IRM approach and about limitations we discovered in Java's stack inspection ....

[Article contains additional citation context not shown here]

Wallach, D.S. A New Approach to Mobile Code Security, Ph.D. thesis, Princeton University, New Jersey, January 1999.


Dynamic Channel Screening in the Higher Order pi-Calculus - Vivas, Yoshida   (Correct)

....By reducing the visibility of a channel these operators block external communication but permit local communication along screened channels, thus contextualising the meaning of channel names. As a result, they may be used to encode the notions of name space (cf. Java's dynamic linking of applets [14]) encapsulation, and dynamic binding of names, common features in distributed and object based systems. In fact, it was very early noted that in the object oriented paradigm the idea of encapsulation can be modeled by restricting the visibility of operators (Abramsky [10] We claim that this is ....

Dan Seth Wallach. A New Approach to Mobile Code Security. PhD thesis, Princeton University, 1999.


An Agent Based Architecture for Supporting.. - Liu, Naldurg, Yi, .. (2000)   (1 citation)  (Correct)

....They also attempt to detect and prevent accidental or intentional misuse. Typically, these mechanisms tend to be static and it is very difficult to change the security policy or the mechanisms, once the system is installed. Researchers have developed a number of new techniques and mechanisms [7, 5, 10, 9, 15] but very few systems provide support to incorporate these changes. In a distributed computing environment, applications and users have varying security requirements. In existing systems, these applications or users have very little choice regarding the type of policy or security mechanism and ....

Dan S. Wallach. A new Approach to Mobile Code Security. PhD thesis, Department of Computer Science, Princeton University, January 1999.


Transparent Migration Of Mobile Agents - Moreau, Tan, Gibbins   (Correct)

....users for their service, or that manage the access to secure information; our system programmers had similar requirements because they want users to be accountable for their agents. Unfortunately, the model of access control supported by Java does not take users into account. Stack inspection [28] is the mechanism that determines whether sensitive operations may be allowed. Permissions are allocated, via the policy manager, to classes codebases and signatures. The stack inspection algorithm grants permissions to perform an operation if it is permitted by the codebase or the signature of ....

Dan Seth Wallach. A new Approach to Mobile Code Security. PhD thesis, Princeton University, 1999.


Safe Termination of Java Classes - Jiangchun Frank Luo   (Correct)

....Bytecodes are the Java instructions which are executed by the Java virtual machine. By rewriting the classes bytecodes, we avoid having to change the system libraries or the virtual machine itself. It also essentially allows our system to be implemented on any Java platform with minimal reworking [Wal99]. The basic structure of our modifications to the class files is as follows. First, we add a static variable which acts as a flag. It is initially set to false. If set to true, it indicates that the class should terminate. We then need to check this flag periodically in the code itself; if it is ever ....

Dan Wallach. A New Approach to Mobile Code Security. 1999.


Safe Termination of Java Classes - Jiangchun Frank Luo   (Correct)

....Bytecodes are the Java instructions which are executed by the Java virtual machine. By rewriting the classes bytecodes, we avoid having to change the system libraries or the virtual machine itself. It also essentially allows our system to be implemented on any Java platform with minimal reworking [Wal99]. The basic structure of our modifications to the class files is as follows. First, we add a static variable which acts as a flag. It is initially set to false. If set to true, it indicates that the class should terminate. We then need to check this flag periodically in the code itself; if it is ever ....

Dan Wallach. A New Approach to Mobile Code Security. PhD thesis, Princeton University, January 1999.


Systematic Construction of Security Types - Pottier, Skalka, Smith (2001)   (Correct)

....in the compiler, by extensions to the type system. There are several reasons to prefer a static approach: the access controls expressed in the types constitute a concise specification of the security policy; the dynamic nature of Java security checks interferes with compiler optimizations [14]; and, any errors in policy or access control will be caught at compile or link time rather than run time. A Brief Review of the JDK Security Architecture For lack of space, we cover the JDK security architecture in a cursory manner here; see [2, 8, 14] for more detailed background. To use the ....

....checks interferes with compiler optimizations [14] and, any errors in policy or access control will be caught at compile or link time rather than run time. A Brief Review of the JDK Security Architecture For lack of space, we cover the JDK security architecture in a cursory manner here; see [2, 8, 14] for more detailed background. To use the access control system, the programmer adds doPrivileged and checkPrivilege commands to the code. At run time, a doPrivileged command adds a flag to the current stack frame, enabling a particular privileged operation. The flag is implicitly eliminated when ....

[Article contains additional citation context not shown here]

Dan S. Wallach. A New Approach to Mobile Code Security. PhD thesis, Princeton University, January 1999. URL: http://www.cs.princeton.edu/sip/pub/dwallach-dissertation.html.


Breve Introducción a Criptografía y Seguridad - Rajsbaum (1999)   (Correct)

....to strict security restrictions (such as not being able to access the local file system or open connections to sites other than the one it was downloaded from) that limit its usefulness, and these limitations are the same for any applet, regardless of its origin. Wallach's proposal [22] allows conditional permissions to be granted to programs written in Java. A security manager examines the program's requests for access to resources and decides whether or not to grant them, depending on the security policies defined by the user, and using signature technology ....

Dan S. Wallach, "A New Approach to Mobile Code Security", PhD Thesis, Princeton University, January 1999.


Static Enforcement of Security with Types - Skalka, Smith (2000)   (18 citations)  (Correct)

....library. However, since access controls are enforced via ordinary method calls in the program itself, it is difficult to determine which access controls are actually in place by inspection of the code. Furthermore, the dynamic nature of security checks interferes with compiler optimizations (see [15]) Our goal is to develop a static, integrated and declarative security architecture for general purpose programming languages. In this paper, we develop a novel static type system for enforcing safety with respect to certain access control properties at run time. In this system, security ....

....algorithm is presented below (section 2) The Java security architecture is a solid proposal which is being applied in practice, but it has significant flaws. There is a performance penalty to pay due to the need for run time stack inspection though a technique called security passing style [15] has been proposed to lessen the need to literally inspect every stack frame. However, even this solution does not address the ad hoc nature of the architecture; all security properties are enforced by method calls, a highly non declarative form of specification. This makes the access control ....

D. S. Wallach. A new Approach to Mobile Code Security. PhD thesis, Princeton University, 1999.


Verification of Control Flow Based Security Properties - Jensen, Métayer, Thorn   (16 citations)  (Correct)

....over a finite data domain. The data independence of the program guarantees that validity of the reduced property implies validity of the original property. Jonsson and Parrow [15] show that bisimulation between infinite state CCS 5 A step towards this is taken in chapter 7 of Wallach's thesis [29]. terms is decidable if these terms are data-independent and have finite state control components. Dam [6] proves that model checking a modal mu calculus property over an infinite-state pi calculus agent only needs to explore a finite (property dependent) part of the state space, provided that the ....

D. S. Wallach. A new approach to mobile code security. PhD thesis, Dept. of Computer Science, Princeton University, January 1999.


Enforcing Trace Properties by Program Transformation - Colcombet, Fradet (2000)   (15 citations)  (Correct)

....extra argument can be seen as a way of storing the current state of the instrumentation in the current frame. A method (function, procedure) call, corresponds to an edge in the call graph. Just before calling the method or when entering the method (a choice referred as caller says vs. callee says [22]) the new automaton state is computed as the image of the previous one by the transition corresponding to this edge. When the execution returns from a method, the frame is popped, and the previous frame (and thus state) is fetched. The store contains one automaton state per frame. As before, our ....

....if they focus on a specific property, the work of Wallach and Felten [23] has several common points with ours. They express the security model of Java by a pushdown automaton that is implemented by program transformation. The resulting code is then optimized using a kind of dead code elimination [22]. This is another evidence that, beyond correctness and portability benefits, a programming language approach also permits to specialize optimize the enforcement with respect to programs. 7 Conclusion The initial inspiration of our work came from the study of aspect oriented programming (AOP) ....

D. S. Wallach. A New Approach to Mobile Code Security. PhD thesis, Faculty of Princeton University, January 1999.


Enforcing Trace Properties by Program Transformation - Colcombet, Fradet (2000)   (15 citations)  (Correct)

....extra argument can be seen as a way of storing the current state of the instrumentation in the current frame. A method (function, procedure) call, corresponds to an edge in the call graph. Just before calling the method or when entering the method (a choice referred as caller says vs. callee says [22]) the new automaton state is computed as the image of the previous one by the transition corresponding to this edge. When the execution returns from a method, the frame is popped, and the previous frame (and thus state) is fetched. The store contains one automaton state per frame. As before, our ....

....if they focus on a specific property, the work of Wallach and Felten [23] has several common points with ours. They express the security model of Java by a pushdown automaton that is implemented by program transformation. The resulting code is then optimized using a kind of dead code elimination [22]. This is another evidence that, beyond correctness and portability benefits, a programming language approach also permits to specialize optimize the enforcement with respect to programs. 7 Conclusion The initial inspiration of our work came from the study of aspect oriented programming (AOP) ....

D. S. Wallach. A New Approach to Mobile Code Security. PhD thesis, Faculty of Princeton University, January 1999.


Principals in Programming Languages: A Syntactic Proof.. - Zdancewic, Grossman.. (1999)   (14 citations)  (Correct)

....agents at run time. Rule (9) essentially keeps track dynamically of which principals are executing in which stack frame. By adding primitives to the language to examine the lists of agents on embeddings, we gain a form of stack inspection, which has been studied in the context of Java security [22, 23]. We intend to investigate the kinds of security properties that can be expressed in such a language. 5 Related Work Perhaps the closest work to ours is Leroy and Rouaix's investigation into the safety properties of typed applets [9] They use a calculus augmented with state in order to prove ....

Dan Seth Wallach. A New Approach to Mobile Code Security. PhD thesis, Princeton University, 1999.


Verification of Control Flow Based Security Properties - Jensen, Métayer, Thorn   (16 citations)  (Correct)

....states (formalised as a Galois connection) can be used to obtain an abstract transition system with the property that every formula in the 2 fragment of the modal mu calculus can be checked on the abstracted system. Cleaveland, Iyer 5 A step towards this is taken in chapter 7 of Wallach's thesis [29]. and Yankelevich [5] introduce democratic Kripke structures that can be obtained from ordinary Kripke structures by replacing the transition relation by two transition relations: a liberal (overestimating the possible transitions) and a conservative ....

D. S. Wallach. A new approach to mobile code security. PhD thesis, Dept. of Computer Science, Princeton University, January 1999.


Flexible Policy-Directed Code Safety - Evans (1999)   (72 citations)  (Correct)

....system properties to find the font. This would be dangerous, however, since attackers may be able to exploit the wrapped method to manipulate resources unexpectedly. In fact, versions of the JDK were vulnerable to an attack in which programs exploited font loading to access restricted information [24]. In general, the platform interface should not define wrappers for any procedure unless we are absolutely certain how it manipulates resources. Figure 4 shows an excerpt from the Java API platform interface that defines wrappers for the java.io.FileOutputStream class. The RFile and RFileSystem ....

Dan S. Wallach. A New Approach to Mobile Code Security. PhD Thesis, Princeton University. January 1999.


Games for Controls - Chatterjee, Jagadeesan, Pitcher (2006)   (Correct)

No context found.

D. Wallach. A New Approach to Mobile Code Security. PhD thesis, Princeton University, 1999.


Stack Inspection and Secure Program Transformations - Bartoletti, Degano, Ferrari   (Correct)

No context found.

D. S. Wallach. A New Approach to Mobile Code Security. PhD thesis, Princeton University, Jan. 1999.


Project Description - We Propose To   (Correct)

No context found.

Dan Wallach. A New Approach to Mobile Code Security. PhD thesis, Department of Computer Science, Princeton University, Princeton, New Jersey, January 1999.


Towards Secure Privacy Preserving Data Mining Over.. - Ahmad, Khokhar (2003)   (Correct)

No context found.

Dan Seth Wallach, "A new approach to mobile code security", PhD thesis, CS department, Princeton University, January 1999.
