Hostname: page-component-cd9895bd7-gxg78 Total loading time: 0 Render date: 2024-12-26T07:00:10.309Z Has data issue: false hasContentIssue false

Roles, stacks, histories: A triple for Hoare

Published online by Cambridge University Press:  22 September 2010

JOHANNES BORGSTRÖM
Affiliation:
Microsoft Research, Cambridge, United Kingdom (e-mail: adg@microsoft.com)
ANDREW D. GORDON
Affiliation:
Microsoft Research, Cambridge, United Kingdom (e-mail: adg@microsoft.com)
RICCARDO PUCELLA
Affiliation:
Northeastern University, College of Computer and Information Science, Boston, Massachusetts, USA
Rights & Permissions [Opens in a new window]

Abstract

Core share and HTML view are not available for this content. However, as you have access to this content, a full PDF is available via the ‘Save PDF’ action button.

Behavioral type and effect systems regulate properties such as adherence to object and communication protocols, dynamic security policies, avoidance of race conditions, and many others. Typically, each system is based on some specific syntax of constraints, and is checked with an ad hoc solver. Instead, we advocate types refined with first-order logic formulas as a basis for behavioral type systems, and general purpose automated theorem provers as an effective means of checking programs. To illustrate this approach, we define a triple of security-related type systems: for role-based access control, for stack inspection, and for history-based access control. The three are all instances of a refined state monad. Our semantics allows a precise comparison of the similarities and differences of these mechanisms. In our examples, the benefit of behavioral type-checking is to rule out the possibility of unexpected security exceptions, a common problem with code-based access control.

Type
Articles
Copyright
Copyright © Cambridge University Press 2010

References

Abadi, M. (2006) Access control in a core calculus of dependency. In International Conference on Functional Programming (ICFP'06), pp. 263–273.CrossRefGoogle Scholar
Abadi, M., Burrows, M., Lampson, B. & Plotkin, G. (1993) A calculus for access control in distributed systems, ACM Trans. Program. Lang. Syst., 15 (4): 706734.CrossRefGoogle Scholar
Abadi, M. & Fournet, C. (2003) Access control based on execution history. In Network and Distributed System Security Symposium (NDSS'03), Reiter, M. & Gligor, V. (eds). Reston, VA: The Internet Society, pp. 107121.Google Scholar
Aspinall, D. & Compagnoni, A. (2001) Subtyping dependent types, Theor. Comput. Sci., 266 (1–2): 273309.CrossRefGoogle Scholar
Atkey, R. (2009) Parameterized notions of computation, J. Funct. Program., 19: 355376.CrossRefGoogle Scholar
Banerjee, A. & Naumann, D. (2005a) History-based access control and secure information flow. In Construction and Analysis of Safe, Secure and Interoperable Smart Devices (CASSIS 2004), Barthe, G., Burdy, L., Huisman, M., Lanet, J.-L. & Muntean, T. (eds), Lecture Notes in Computer Science, vol. 3362. Berlin Heidelberg, Germany: Springer, pp. 2748.Google Scholar
Banerjee, A. & Naumann, D. (2005b) Stack-based access control and secure information flow, J. Funct. Program., 15 (2): 131177.CrossRefGoogle Scholar
Becker, M. Y. & Nanz, S. (2007) A logic for state-modifying authorization policies. In European Symposium on Research in Computer Security (ESORICS'07), Biskup, J. & López, J. (eds), Lecture Notes in Computer Science, vol. 4734. Berlin Heidelberg, Germany: Springer, pp. 203218.Google Scholar
Becker, M. Y. & Sewell, P. (2004) Cassandra: Flexible trust management, applied to electronic health records. In IEEE Computer Security Foundations Workshop (CSFW'04), pp. 139–154.CrossRefGoogle Scholar
Bengtson, J., Bhargavan, K., Fournet, C., Gordon, A. D. & Maffeis, S. 2008 Refinement Types for Secure Implementations. Technical Report MSR–TR–2008–118, Microsoft Research (a preliminary, abridged version appears in the proceedings of Computer Security Foundations Symposium 2008).CrossRefGoogle Scholar
Besson, F., Blanc, T, Fournet, C. & Gordon, A. D. (2004) From stack inspection to access control: A security analysis for libraries. In IEEE Computer Security Foundations Workshop (CSFW'04), pp. 61–77.CrossRefGoogle Scholar
Borgström, J., Gordon, A. D. & Pucella, R. (2009) Roles, Stacks, Histories: A Triple for Hoare. Technical Report MSR–TR–2009–97, Microsoft Research.Google Scholar
Cardelli, L. (1986) Typechecking dependent types and subtypes. In Foundations of Logic and Functional Programming, Boscarol, M., Aiello, L. C. & Levi, G. (eds), Lecture Notes in Computer Science, vol. 306. Berlin Heidelberg, Germany: Springer, pp. 4557.Google Scholar
Constable, R. L., Allen, S. F., Bromley, H. M., Cleaveland, W. R., Cremer, J. F., Harper, R. W., Howe, D. J., Knoblock, T. B., Mendler, N. P., Panangaden, P., Sasaki, J. T. & Smith, S. F. (1986) Implementing Mathematics with the Nuprl Proof Development system. Hemel Hampstead, England: Prentice-Hall.Google Scholar
DeLine, R. & Fähndrich, M. (2001) Enforcing high-level protocols in low-level software. In Programming Language Design and Implementation (PLDI'01), pp. 59–69.CrossRefGoogle Scholar
de Moura, L. & Bjørner, N. (2008) Z3: An efficient SMT solver. In Tools and Algorithms for the Construction and Analysis of Systems (TACAS'08), Ramakrishnan, C. R. & Rehof, J. (eds), Lecture Notes in Computer Science, vol. 4963. Berlin Heidelberg, Germany: Springer, pp. 337340.Google Scholar
Detlefs, D., Nelson, G. & Saxe, J. B. (2005) Simplify: A theorem prover for program checking, J. ACM, 52 (3): 365473.CrossRefGoogle Scholar
Dutertre, B. & de Moura, L. (2006) The YICES SMT solver [online]. Accessed August 13, 2010. Available at: http://yices.csl.sri.com/tool-paper.pdfGoogle Scholar
Ferraiolo, D. F. & Kuhn, D. R. (1992) Role based access control. In National Computer Security Conference, pp. 554–563.Google Scholar
Filliâtre, J. & C.Marché, C. (2004) Multi-prover verification of C Programs. In International Conference on Formal Engineering Methods (ICFEM 2004), Davies, J., Schulte, W. & Barnett, M. (eds), Lecture Notes in Computer Science, vol. 3308. Berlin Heidelberg, Germany: Springer, pp. 1529.Google Scholar
Filliâtre, J.-C. (1999) Proof of imperative programs in type theory. In Selected papers from the International Workshop on Types for Proofs and Programs (TYPES '98), vol. 1657. Berlin Heidelberg, Germany: Springer, pp. 7892.Google Scholar
Flanagan, C. (2006) Hybrid type checking. In ACM Symposium on Principles of Programming Languages (POPL'06), pp. 245–256.CrossRefGoogle Scholar
Flanagan, C. & Abadi, M. (1999) Types for safe locking. In European Symposium on Programming (ESOP'99), Swierstra, S. Doaitse (ed), Lecture Notes in Computer Science, vol. 1576. Berlin Heidelberg, Germany: Springer, pp. 91108.Google Scholar
Fournet, C. & Gordon, A. D. (2003) Stack inspection: Theory and variants, ACM Trans. Program. Lang. Syst., 25 (3): 360399.CrossRefGoogle Scholar
Fournet, C., Gordon, A. D. & Maffeis, S. (2005) A type discipline for authorization policies. In European Symposium on Programming (ESOP'05), Sagiv, M. (ed), Lecture Notes in Computer Science, vol. 3444. Berlin Heidelberg, Germany: Springer, pp. 141156.Google Scholar
Fournet, C., Gordon, A. D. & Maffeis, S. (2007) A type discipline for authorization policies in distributed systems. In IEEE Computer Security Foundation Symposium (CSF'07), pp. 31–45.CrossRefGoogle Scholar
Freeman, T. & Pfenning, F. (1991) Refinement types for ML. In Programming Language Design and Implementation (PLDI'91). ACM Press, pp. 268277.Google Scholar
Gifford, D. & Lucassen, J. (1986) Integrating functional and imperative programming. In ACM Conference on Lisp and Functional Programming, pp. 28–38.CrossRefGoogle Scholar
Gong, L. (1999) Inside Java 2 Platform Security: Architecture, API Design, and Implementation. Addison-Wesley.Google Scholar
Gordon, A. D. & Fournet, C. (2009) Principles and Applications of Refinement Types. Technical Report MSR–TR–2009–147, Microsoft Research.Google Scholar
Gordon, A. D. & Jeffrey, A. S. A. (2003) Authenticity by typing for security protocols, J. Comput. Secur., 11 (4): 451521.CrossRefGoogle Scholar
Gronski, J., Knowles, K., Tomb, A., Freund, S. N. & Flanagan, C. (2006) Sage: Hybrid checking for flexible specifications. In Scheme and Functional Programming Workshop, Findler, R. (ed), pp. 93–104.Google Scholar
Gunter, C. (1992) Semantics of Programming Languages. MIT Press.Google Scholar
Hardy, N. (1988) The confused deputy (or why capabilities might have been invented), ACM SIGOPS Oper. Syst. Rev., 22: 3638.CrossRefGoogle Scholar
Jia, L., Vaughan, J. A., Mazurak, K., Zhao, J., Zarko, L., Schorr, J. & Zdancewic, S. (2008) AURA: Preliminary Technical Results. Technical Report MS-CIS-08-10, University of Pennsylvania.CrossRefGoogle Scholar
Knowles, K. W. & Flanagan, C. (2007) Type reconstruction for general refinement types. In European Symposium on Programming (ESOP'07), De Nicola, R. (ed), Lecture Notes in Computer Science, vol. 4421. Berlin Heidelberg, Germany: Springer, pp. 505519.Google Scholar
Li, N., Mitchell, J. C. & Winsborough, W. H. (2002) Design of a role-based trust management framework. In IEEE Security and Privacy, pp. 114–130.Google Scholar
Maffeis, S., Abadi, M., Fournet, C. & Gordon, A. D. (2008) Code-carrying authorization. In European Symposium On Research In Computer Security (ESORICS'08), pp. 563–579.CrossRefGoogle Scholar
Moggi, E. (1991) Notions of computations and monads, Inf. Comput., 93: 5592.CrossRefGoogle Scholar
Nanevski, A., Morrisett, G. & Birkedal, L. (2006) Polymorphism and separation in Hoare Type Theory. In International Conference on Functional Programming (ICFP'06), pp. 62–73.CrossRefGoogle Scholar
Nanevski, A., Morrisett, G., Shinnar, A., Govereau, P. & Birkedal, L. (2008) Ynot: Dependent types for imperative programs. In International Conference on Functional Programming (ICFP'08), pp. 229–240.CrossRefGoogle Scholar
Nordström, B., Petersson, K. & Smith, J. (1990) Programming in Martin-Löf's type Theory. Clarendon Press, Oxford.Google Scholar
Pierce, B. & Sangiorgi, D. (1996) Typing and subtyping for mobile processes, Math. Struct. Comput. Sci., 6 (5): 409454.CrossRefGoogle Scholar
Pistoia, M., Banerjee, A. & Naumann, D. (2007a) Beyond stack inspection: A unified access-control and information-flow security model. In IEEE Security and Privacy, pp. 149–163.CrossRefGoogle Scholar
Pistoia, M., Chandra, S., Fink, S. J. & Yahav, E. (2007b) A survey of static analysis methods for identifying security vulnerabilities in software systems, IBM Syst. J., 46 (2): 265288.CrossRefGoogle Scholar
Plotkin, G. D. (1985) Denotational Semantics with Partial Functions. Unpublished lecture notes, CSLI, Stanford University.Google Scholar
Pottier, F., Skalka, C. & Smith, S. (2005) A systematic approach to static access control, ACM Trans. Program. Lang. Syst., 27 (2): 344382.CrossRefGoogle Scholar
Ranise, S. & Tinelli, C. (2006) The SMT-LIB Standard: Version 1.2. [online]. Accessed August 13, 2010. Available at: http://goedel.cs.uiowa.edu/smtlib/papers.htmlGoogle Scholar
Régis-Gianas, Y. & Pottier, F. (2008) A Hoare logic for call-by-value functional programs. In Mathematics of Program Construction (MPC'08), Adebaud, P. & Paulin-Mohring, C. (eds), Lecture Notes in Computer Science, vol. 5133. Berlin Heidelberg, Germany: Springer, pp. 305335.CrossRefGoogle Scholar
Rondon, P., Kawaguchi, M. & Jhala, R. (2008) Liquid types. In Programming Language Design and Implementation (PLDI'08). ACM, pp. 159169.Google Scholar
Rushby, J., Owre, S. & Shankar, N. (1998) Subtypes for specifications: Predicate subtyping in PVS, IEEE Trans. Softw. Eng., 24 (9): 709720.CrossRefGoogle Scholar
Sabry, A. & Felleisen, M. (1993) Reasoning about programs in continuation-passing style, LISP Symb. Comput., 6 (3–4): 289360.Google Scholar
Sandhu, R., Coyne, E. J., Feinstein, H. L. & Youman, C. E. (1996) Role-based access control models, IEEE Comput., 29 (2): 3847.CrossRefGoogle Scholar
Strom, R. E. & Yemini, S. (1986) Typestate: A programming language concept for enhancing software reliability, IEEE Trans. Softw. Eng., 12: 157171.CrossRefGoogle Scholar
Wadler, P. (1992) Comprehending monads, Math. Struct. Comput. Sci., 2: 461493.CrossRefGoogle Scholar
Wallach, D. S., Appel, A. W. & Felten, E. W. (2000) SAFKASI: A security mechanism for language-based systems, ACM Trans. Softw. Eng. Methodol., 9 (4): 341378.CrossRefGoogle Scholar
Xi, H. & Pfenning, F. (1999) Dependent types in practical programming. In Principles of Programming Languages (POPL'99), pp. 214–227.CrossRefGoogle Scholar
Submit a response

Discussions

No Discussions have been published for this article.