Hostname: page-component-cd9895bd7-7cvxr Total loading time: 0 Render date: 2024-12-26T09:43:22.940Z Has data issue: false hasContentIssue false

Security monitor inlining and certification for multithreaded Java

Published online by Cambridge University Press:  17 December 2014

MADS DAM
Affiliation:
Royal Institute of Technology (KTH), Lindstedtsvägen 3, SE-100 44, Stockholm, Sweden
BART JACOBS
Affiliation:
Katholieke Universiteit Leuven, Celestijnenlaan 200A, B-3001 Leuven, Belgium Email: landreas@kth.se
ANDREAS LUNDBLAD
Affiliation:
Royal Institute of Technology (KTH), Lindstedtsvägen 3, SE-100 44, Stockholm, Sweden
FRANK PIESSENS
Affiliation:
Katholieke Universiteit Leuven, Celestijnenlaan 200A, B-3001 Leuven, Belgium Email: landreas@kth.se

Abstract

Security monitor inlining is a technique for security policy enforcement whereby monitor functionality is injected into application code in the style of aspect-oriented programming. The intention is that the injected code enforces compliance with the policy (security), and otherwise interferes with the application as little as possible (conservativity and transparency). Such inliners are said to be correct. For sequential Java-like languages, inlining is well understood, and several provably correct inliners have been proposed. For multithreaded Java one difficulty is the need to maintain a shared monitor state. We show that this problem introduces fundamental limitations in the type of security policies that can be correctly enforced by inlining. A class of race-free policies is identified that precisely characterizes the inlineable policies by showing that inlining of a policy outside this class is either not secure or not transparent, and by exhibiting a concrete inliner for policies inside the class which is secure, conservative and transparent. The inliner is implemented for Java and applied to a number of practical application security policies. Finally, we discuss how certification in the style of proof-carrying code could be supported for inlined programs by using annotations to reduce a potentially complex verification problem for multithreaded Java bytecode to sequential verification of just the inlined code snippets.

Type
Special Issue: Objects and Services
Copyright
Copyright © Cambridge University Press 2014 

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

Aktug, I., Dam, M. and Gurov, D. (2009) Provably correct runtime monitoring. Journal of Logic and Algebraic Programming 78 (5)304339.Google Scholar
Aktug, I. and Naliuka, K. (2008) Conspec–a formal language for policy specification. Science of Computer Programming 74 (1-2)212. (Special issue on Security and Trust.)Google Scholar
Bannwart, F. Y. and Müller, P. (2005) A logic for bytecode. In: Bytecode Semantics, Verification, Analysis and Transformation (BYTECODE). Elsevier Electronic Notes in Theoretical Computer Science 141-1 255273.Google Scholar
Bauer, L., Ligatti, J. and Walker, D. (2003) Types and effects for non-interfering program monitors. In: Okada, M., Pierce, B., Scedrov, A., Tokuda, H. and Yonezawa, A. (eds.) Software Security–Theories and Systems. Mext-NSF-JSPS International Symposium. Springer Lecture Notes in Computer Science 2609 154171.Google Scholar
Bauer, L., Ligatti, J. and Walker, D. (2005) Composing security policies with Polymer. In: Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI) 305314.Google Scholar
Bielova, N., Dragoni, N., Massacci, F., Naliuka, K. and Siahaan, I. (2009) Matching in security-by-contract for mobile code. Journal of Logic and Algebraic Programming 78 (5)340358.Google Scholar
Chen, F. (2005) Java-MOP: a monitoring oriented programming environment for Java. In: Proceedings of the Eleventh International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS), Springer 546550.Google Scholar
Chudnov, A. and Naumann, D. A. (2010) Information flow monitor inlining. In: Computer Security Foundations 200214.Google Scholar
Dam, M., Jacobs, B., Lundblad, A. and Piessens, F. (2009) Security monitor inlining for multithreaded Java. In: Proceeding of ECOOP 2009 - Object-Oriented Programming, 23rd European Conference, Genova, Italy, 6–10 July, 2009, Springer-Verlag 546569.Google Scholar
Dam, M., Jacobs, B., Lundblad, A. and Piessens, F. (2010) Provably correct inline monitoring for multithreaded Java-like programs. Journal of Computer Security 18 3759.Google Scholar
DeLine, R. and Fähndrich, M. (2001) Enforcing high-level protocols in low-level software. In: PLDI'01: Proceedings of the ACM SIGPLAN 2001 Conference on Programming Language Design and Implementation, ACM 5969.Google Scholar
Desmet, L., Joosen, W., Massacci, F., Philippaerts, P., Piessens, F., Siahaan, I. and Vanoverberghe, D. (2008) Security-by-contract on the .NET platform. Information Security Technical Report 13 (1)2532.Google Scholar
Deutsch, P. and Grant, C. A. (1971) A flexible measurement tool for software systems. Information Processing 71, Proceeding International Federation for Information Processing Congress 1 320326.Google Scholar
Erlingsson, U. (2004) The Inlined Reference Monitor Approach to Security Policy Enforcement. Ph.D. thesis, Department of Computer Science, Cornell University.Google Scholar
Erlingsson, U. and Schneider, F. B. (2000a) IRM enforcement of Java stack inspection. In: IEEE Symposium on Security and Privacy, IEEE Computer Society 0246.Google Scholar
Erlingsson, U. and Schneider, F. B. (2000b) SASI enforcement of security policies: a retrospective. In: Proceedings of the Workshop on New Security Paradigms (NSPW'99), ACM Press 8795.Google Scholar
Evans, D. and Twyman, A. (1999) Flexible policy-directed code safety. In: IEEE Symposium on Security and Privacy 3245.Google Scholar
Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A. and Stewart, L. (1999) HTTP authentication: Basic and digest access authentication. Request for Comments 2617 (Draft Standard).Google Scholar
Gosling, J., Joy, B., Steele, G. and Bracha, G. (2005) Java(TM) Language Specification, The (3rd Edition) (Java (Addison-Wesley)). Addison-Wesley Professional.Google Scholar
Hamlen, K. W. and Jones, M. (2008) Aspect-oriented in-lined reference monitors. In: PLAS'08: Proceedings of the 3rd ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, ACM 1120.Google Scholar
Hamlen, K. W., Morrisett, G. and Schneider, F. B. (2006a) Certified in-lined reference monitoring on .NET. In: Proceedings of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS'06) 716.Google Scholar
Hamlen, K. W., Morrisett, G. and Schneider, F. B. (2006b) Computability classes for enforcement mechanisms. ACM Transactions on Programming Languages and Systems 28 (1)175205.Google Scholar
HATS (2010) Evaluation of the core framework, deliverable 5.2 of project fp7-231620 (hats). Available at http://www.cse.chalmers.se/research/hats/sites/default/files/Deliverable52.pdf.Google Scholar
Jones, M. and Hamlen, K. W. (2010) Disambiguating aspect-oriented security policies. In: Aspect-Oriented Software Development 193204.Google Scholar
Kim, M., Kannan, S., Lee, I., Sokolsky, O. and Viswanathan, M. (2001) Java-MaC: A run-time assurance tool for Java programs. Electronic Notes in Theoretical Computer Science 55 (2)218235. (RV'2001, Runtime Verification (in connection with CAV '01)).Google Scholar
Leroy, X. (2003) Java bytecode verification: Algorithms and formalizations. Journal of Automated Reasoning 30 (3–4)235269.Google Scholar
Ligatti, J., Bauer, L. and Walker, D. (2005) Edit automata: Enforcement mechanisms for run-time security policies. International Journal of Information Security 4 (1–2)216.Google Scholar
Ligatti, J. A. (2006) Policy Enforcement via Program Monitoring, Ph.D. thesis, Princeton University.Google Scholar
Lindholm, T. and Yellin, F. (1999) Java Virtual Machine Specification, volume 2, Addison-Wesley Longman Publishing Co., Inc.Google Scholar
Lipton, R. J. (1975) Reduction: A method of proving properties of parallel programs. Communications of the ACM 18 717721.Google Scholar
Lundblad, A. (2010) Inlined reference monitors for multithreaded java: Case-studies. Available at http://www.csc.kth.se/~landreas/mt_inlining/.Google Scholar
Dragoni, N., Massacci, F., Naliuka, K. and Siahaan, I. (2007) Security-by-contract: Toward a semantics for digital signatures on mobile code. In: Proceedings of the 4th European PKI Workshop. Springer Lecture Notes in Computer Science 4582 297312.Google Scholar
Necula, G. C. (1997) Proof-carrying code. In: POPL'97: Proceedings of the 24th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, ACM Press 106119.Google Scholar
Reynal, S. (2010) Jpicedt website. Available at http://jpicedt.sourceforge.net/.Google Scholar
S3MS (2008) Project web page. Available at http://www.s3ms.org.Google Scholar
Schneider, F. B. (2000) Enforceable security policies. ACM Transactions Information and Systems Security 3 (1)3050.Google Scholar
Skalka, C. and Smith, S. (2004) History effects and verification. In: Asian Programming Languages Symposium 107128.Google Scholar
Sridhar, M. and Hamlen, K. W. (2010a) Actionscript in-lined reference monitoring in prolog. In: Practical Aspects of Declarative Languages 149151.Google Scholar
Sridhar, M. and Hamlen, K. W. (2010b) Model checking in-lined reference monitors. In: Verification, Model Checking, and Abstract Interpretation 312327.Google Scholar
Sridhar, M. and Hamlen, K. W. (2011) Flexible in-lined reference monitor certification: Challenges and future directions. In: Proceedings of the 5th ACM Workshop on Programming Languages Meets Program Verification, PLPV'11, New York, NY, USA. ACM 5560.Google Scholar
Vanoverberghe, D. and Piessens, F. (2009) Security enforcement aware software development. Information and Software Technology 51 (7)11721185.Google Scholar
Viswanathan, M. (2000) Foundations for the Run-Time Analysis of Software Systems, Ph.D. thesis, University of Pennsylvania.Google Scholar
Walker, D. (2000) A type system for expressive security policies. In: POPL'00: Proceedings of the 27th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, ACM 254267.Google Scholar