| D. Walker. A type system for expressive security policies. In Proc. POPL, pages 254--267, January 2000. |
....static means we discuss in this paper can provide them at no additional cost. Stronger safety policies are also possible, including guarantees of the integrity of data stored on the stack [2], limits on resource consumption [3,4], and policies specified by allowable traces of program operations [5]. However, for policies such as these, the evidence of compliance (which we discuss in the next section) can be more complicated, thereby requiring greater expense both to produce and to verify that evidence, and possibly reducing confidence in the system's correctness. Thus the choice of safety ....
D. Walker, A type system for expressive security policies, in: Twenty-Seventh ACM Symposium on Principles of Programming Languages, Boston, Massachusetts, 2000, pp. 254--267.
....properties of interest include access control and information flow. Currently, the Java security manager performs all access control checks dynamically, using stack inspection [18]. Various static analyses and program transformations have been proposed to perform some of these checks statically [25, 57, 42]. In the Java Card world, inter-applet communication via shared objects raises delicate security issues; [7] applies model checking technology to this problem. As for information flow (an applet does not leak confidential information that it can access), this property is essentially impossible ....
Walker, D.: 2000, `A type system for expressive security policies'. In: 27th symposium Principles of Programming Languages. pp. 254--267.
....implementation of Ponder policies. We consider our work to be midway between the higher level domain specific languages like Ponder, and general purpose languages such as C or Java. Some research efforts have explored techniques for checking and controlling the behaviour of programs statically [4, 14]. Naturally, due to the limited information available at compile time, these approaches are restricted in their ability to constrain access control or resource consumption. Static techniques for applying policies to program construction, such as Generative Programming [5], mean that the policy is ....
David Walker. A type system for expressive security policies. In Proceedings of POPL-00, pages 254--267. ACM Press, January 2000.
....produce object code along with a certificate, i.e. machine checkable evidence that the object code respects certain security policies. This technique has been used, e.g., for generating Proof Carrying Code [Nec97,NL98] and enforcing standard security policies (like type and memory safety). In [Wal00], it is shown that this technique can be used to enforce any security policy that can be specified by a security automaton (given a security automaton specifying the policy to be enforced, it is shown how to insert run time security checks during program compilation and how to verify that the ....
D. Walker. A Type System for Expressive Security Policies. In Proceedings of POPL '00 [ACM00].
....determines its safety property by a type system for a generic assembly language; the enforcement mechanism type checks the agent to determine whether it satisfies the safety property. Such an implementation of TAL requires modifications to the type checker to modify the safety property; Walker [Wal99] developed an extension of TAL that derives the type system from a security automaton [Sch99]. A safe interpreter, such as the Java virtual machine (JVM) [LY99], typically uses an ad hoc security policy that is based on the implementation of an enforcement mechanism determining precisely what ....
....a characteristic of the agent) requires a corresponding set of distinct implementations, each of which must be verified separately. Additional enforcement mechanisms increase the size of the trusted computing base, and make the system as a whole harder to trust. Systems based on security automata [Wal99, UES99b] promise to improve this situation, because security automata decouple the implementation of the enforcement mechanism from the specification of the security policy. Although security automata are good theoretical models of security property recognizers, we seek to develop a notation that ....
[Article contains additional citation context not shown here]
David Walker. A type system for expressive security policies. In FLOC '99 Workshop on Run-time Result Verification, Trento, Italy, July 1999.
....run in constant space. Other properties of interest include access control and information flow. Currently, the Java security manager performs all access control checks dynamically. Various static analyses and program transformations have been proposed to perform some of these checks statically [35, 23]. As for information flow (an applet does not leak confidential information that it can access), this property is essentially impossible to check dynamically; several type systems have been proposed to enforce it statically [34, 33, 11, 1]. Finally, the security of the sandbox model relies not ....
D. Walker. A type system for expressive security policies. In 27th symp. Principles of Progr. Lang, pages 254-267. ACM Press, 2000.
....and an ability to declare some constraints between capabilities. Those facilities can easily be encoded in LTT by an appropriate choice of propositions (represented equivalences and constraints) and proof terms. Beyond this, we conjecture that the security automata type system of Walker [19] and the alias tracking type system of Smith et al. [16] can easily be encoded in LTT as well. The casting of all these type systems into one uniform framework by itself promotes one sort of reuse, that of the typechecking software. In order to be able to re use safety proofs as well (which can be ....
David Walker. A type system for expressive security policies. In Twenty-Seventh ACM Symposium on Principles of Programming Languages, Boston, January 2000.
....foreign principal, guided by a safety policy. The transformed code propagates a run time encoding of a security state which is checked at run time to avoid illegal actions. They present an elaborate framework built around a new kind of automaton to optimize the management of these states. Walker [37] presents a sophisticated type system that can encode the passing of the security state on the type level. The type system enables powerful optimizations. However, a separate transformation system must be implemented and lemmas about the security policy must be proved separately and fed into the ....
....policy. Safety policies are particular trace policies which place certain restrictions on the set of traces. Schneider [30] has shown that all safety policies can be modeled by a state automaton with a distinguished sink state bad. A security automaton is a tuple S = Op; Value; 0 ; bad) [37] where is a countable set of states; Op is a finite set of operation symbols; 4 Syntax: Exp ∋ e ::= v | (if e e e) | O(e) | e e | (e, e); Value ∋ v ::= x | a | fix f(x, x) e | (v, v); evaluation contexts C ::= (if [ ] e e) | O([ ]) | [ ] e | v [ ] | (v, ....
D. Walker. A type system for expressive security policies. In Reps [29], pages 254-267.
....a foreign principal, guided by a safety policy. The transformed code propagates a run time encoding of a security state which is checked at run time to avoid illegal actions. They present an elaborate framework built around a new kind of automaton to optimize the management of these states. Walker [40] presents a sophisticated type system that can encode the passing of the security state on the type level. The type system enables powerful optimizations. However, a separate transformation system must be implemented and lemmas about the security policy must be proved separately and fed into the ....
....extension of type specialization by intersection types. This extension avoids unnecessary code duplication in the heterogeneous approach. Section 6 contains the formal background on the extension. Our prototype implementation automatically performs all example optimizations from Walker's paper [40]. Finally, we present a homogeneous translation that can be processed by traditional partial evaluation (§ 4.4). It compiles each construct of the source program exactly once. The compiled programs have more run time checks than with the heterogeneous translation. The results are similar to the ....
[Article contains additional citation context not shown here]
David Walker. A type system for expressive security policies. In Reps [31], pages 254-267.
....approach to work. In Section 4, we introduce a novel extension of type specialization by intersection types and subtyping. It avoids unnecessary code duplication, thus making our approach practical. Our prototype implementation automatically performs all example optimizations from Walker's paper [37]. The main technical results are the correctness proofs of the translation and the non standard compilation performed by type specialization. They guarantee the safety of the translated code and of the compiled code. In addition, we have proved correct our extension of type specialization, which ....
[Article contains additional citation context not shown here]
D. Walker. A type system for expressive security policies. In Reps [29], pages 254-267.
....viewed as a systematic construction of an effect type system adapted to our particular effectful programming language. Several researchers have proposed ways of defining efficient, provably correct compilation schemes for languages whose security policy is expressed by a security automaton. Walker [13] defines a source language, equipped with such a security policy, then shows how to compile it into a dependently typed target language, whose type system, by encoding assertions about security states, guarantees that no run time violations ....
David Walker. A type system for expressive security policies. In Conference Record of POPL'00: The 27th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 254--267, Boston, Massachusetts, January 2000. URL: http://www.cs.cornell.edu/home/walker/papers/sa-popl00_ps.gz.
....can then be mechanically checked at the server to verify that the property holds of the code. Type systems in this certified code framework can be viewed as compressed proofs: from the types it is possible to construct a typing proof, and program properties are implied by the proof. Walker in [14] has developed another sort of secure certified code, by describing security automata which can specify and enforce highly expressive security policies. However, certified code is in fact more general than our type based approach: note that we focus on properties that can be inferred, whereas ....
D. Walker. A type system for expressive security policies. In Twenty-seventh Symposium on Principles of Programming Languages, pages 254--267, Boston, MA, January 2000. ACM SIGPLAN.
....static means we discuss in this paper can provide them at no additional cost. Stronger safety policies are also possible, including guarantees of the integrity of data stored on the stack [9], limits on resource consumption [14, 4], and policies specified by allowable traces of program operations [26]. However, for policies such as these, the evidence of compliance (which we discuss in the next section) can be more complicated, thereby requiring greater expense both to produce and to verify that evidence, and possibly reducing confidence in the system's correctness. Thus the choice of safety ....
D. Walker. A type system for expressive security policies. In Twenty-Seventh ACM Symposium on Principles of Programming Languages, Boston, Jan. 2000. To appear.
....runtime penalty (using static analyses). Our approach belongs to that class. The recent work by Erlingsson and Schneider [5] considers also the problem of specializing a security automaton to a program. Walker uses their technique and generates secure, certified code in a type theoretic framework [21]. Compared to our approach, they consider possibly infinite state automata but simpler, local, optimizations. By using global analyses and transformations, we are able to suppress more unnecessary checks and transitions. Also, by working on program abstractions, our framework is more general than ....
D. Walker. A type system for expressive security policies. In Conference record of the 27th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, Boston, 2000. ACM Press.
....to load-time overhead. Moreover, even the most sophisticated analysis techniques are necessarily incomplete, because safety properties are undecidable in general. There is recent evidence that code instrumentation can be used in conjunction with language based methods to improve performance [6, 33]. 4 Language Based Security: Schneider defines language based security very broadly as a set of techniques based on programming language theory and implementation, including semantics, types, optimization, and verification, brought to bear on the security question. By that definition, SFI and ....
David Walker. A type system for expressive security policies. In Proc. FLOC'99 Workshop on Run-time Result Verification, July 1999. To appear.
No context found.
Walker, D. 2000. A type system for expressive security policies. In Twenty-Seventh ACM Symposium on Principles of Programming Languages. ACM Press, Boston, 254-267.
No context found.
David Walker. A type system for expressive security policies. In Twenty-Seventh ACM Symposium on Principles of Programming Languages, January 2000. To appear.
No context found.
David Walker. A type system for expressive security policies. In Twenty-Seventh ACM Symposium on Principles of Programming Languages, Boston, January 2000. To appear.
No context found.
David Walker. A type system for expressive security policies. Technical Report TR99-1740, Cornell University, April 1999.
No context found.
David Walker. A type system for expressive security policies. In Twenty-Seventh ACM Symposium on Principles of Programming Languages, pages 254--267, Boston, January 2000.
....aspect oriented programming languages [KHH 01] which have been designed to facilitate the enforcement of security properties. Other researchers have investigated optimization techniques for run time monitors [CF00,Thi01] and certification of programs instrumented with security checks [Wal00]. Kim et al. [KKL 02] analyze the performance cost of run time monitors and show that the language one uses to define monitors has a significant impact on performance. They also define optimizations to decrease the overhead of run time monitoring. Run time monitoring and checking can also be ....
David Walker. A type system for expressive security policies. In Twenty-Seventh ACM Symposium on Principles of Programming Languages, pages 254--267, Boston, January 2000.
David Walker. A type system for expressive security policies. In Twenty-Seventh ACM Symposium on Principles of Programming Languages, pages 254--267, Boston, January 2000.
....here; these mechanisms, however, have no formal semantics, and there has been no analysis of the classes of policies that they enforce. Other researchers have investigated optimization techniques for security automata [CF00, Thi01], certification of programs instrumented with security checks [Wal00], and the use of run time monitoring and checking in distributed [SS98] and real time systems 99]. Overview: The remainder of the paper begins with a review of Alpern and Schneider's framework for understanding the behavior of software systems [AS87, Sch00] (Section 2) and an explanation of the ....
David Walker. A type system for expressive security policies. In Twenty-Seventh ACM Symposium on Principles of Programming Languages, pages 254--267, Boston, January 2000.
David Walker. A type system for expressive security policies. In Twenty-Seventh ACM Symposium on Principles of Programming Languages, pages 254--267, Boston, January 2000.
....The signature I assigns kinds to the indices. Kinds for variables are determined by the predicate context #. The kind of a function symbol must agree with the kinds of the predicates to which it is applied. Due to space considerations, the formal rules have been omitted (see the technical report [29] for details). Figure 6 gives the rules for proving predicates. The judgement # # P indicates that the boolean valued predicate P is true, and the judgement # # P in state indicates that the automaton is in state P.¹ In order to simplify the presentation, we only consider policies that ....
....of the type. Function types of the form #[#] P , #1 , #n) # 0 also require that P has kind State and that the predicates occurring in # have kind B. These rules are straightforward, and due to space considerations, we have omitted them. They may be found in the technical report [29]. Because predicates are uninterpreted, we can use standard syntactic equality of types up to # conversion of bound variables. Values and Expressions: The typing rules for values have the form # # v : # and state that the value v has type # in the given context. The judgement # # e states that ....
[Article contains additional citation context not shown here]
David Walker. A type system for expressive security policies. Technical Report TR99-1740, Cornell University, April 1999.
....already contained many of the required constructors. In particular, singleton types were already used to enable array bounds check elimination in the style of Xi and Pfenning [28] and run time type analysis [5], and may soon be used to facilitate static checking of expressive security policies [25]. Moreover, TAL, like other F based type directed compilers such as TIL(T) [20] and FLINT [18], already had a rich kind structure, so adding location and store polymorphism just involved adding two base kinds. In some ways, our new mechanisms simplify previous work. Previous versions of TAL ....
David Walker. A type system for expressive security policies. In Twenty-Seventh ACM Symposium on Principles of Programming Languages, Boston, January 2000. To appear.
....already contained many of the required constructors. In particular, singleton types were already used to enable array bounds check elimination in the style of Xi and Pfenning [29] and run time type analysis [5], and may soon be used to facilitate static checking of expressive security policies [26]. Moreover, TAL, like other F based type directed compilers such as TIL(T) [21] and FLINT [18], already had a rich kind structure, so adding location and store polymorphism just involved adding two base kinds. In some ways, our new mechanisms simplify previous work. Previous versions of TAL ....
David Walker. A type system for expressive security policies. In Twenty-Seventh ACM Symposium on Principles of Programming Languages, Boston, January 2000. To appear.
No context found.
D. Walker. A type system for expressive security policies. In Proc. POPL, pages 254--267, January 2000.
No context found.
D. Walker. A type system for expressive security policies. In Languages, Boston, Jan. 2000. To appear.
No context found.
D. Walker. A Type System for Expressive Security Policies. In Proceedings of POPL'00, pages 254--267. ACM Press, 2000.
No context found.
D. Walker. A type system for expressive security policies. In Conference record of the 27th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. ACM Press, 2000.
No context found.
David Walker. A type system for expressive security policies. In 27th symposium Principles of Programming Languages, pages 254--267. ACM Press, 2000.
No context found.
D. Walker. A Type System for Expressive Security Policies. In Proceedings of POPL'00, pages 254--267. ACM Press, 2000.
No context found.
D. Walker. A type system for expressive security policies. In Conference record of the 27th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 254-267. ACM Press, 2000.
No context found.
David Walker. A type system for expressive security policies. In FLOC '99 Workshop on Run-time Result Verification, Trento, Italy, July 1999.
No context found.
D. Walker. A type system for expressive security policies. In Proc. 27th ACM Symp. on Principles of Prog. Lang., pages 254--267, 2000.
No context found.
D. Walker. A Type System for Expressive Security Policies. In Proceedings of POPL'00, pages 254--267. ACM Press, 2000.
No context found.
D. Walker. A type system for expressive security policies. In Proceedings of POPL-00, pages 254--267. ACM Press, Jan. 2000.
No context found.
D. Walker. A type system for expressive security policies. Technical Report TR99-1740, Cornell University, Apr. 1999.