
Discretionary capability confinement

Special Issue Paper, published in the International Journal of Information Security

Abstract

Motivated by the need for application-level access control in dynamically extensible systems, this work proposes a static annotation system for modeling capabilities in a Java-like programming language. Addressing a common critique of capability systems, the proposed annotation system can provably enforce capability confinement. This confinement guarantee is then leveraged to model a strong form of separation of duty known as hereditary mutual suspicion. The annotation system has been fully implemented in a standard Java Virtual Machine.



Author information


Correspondence to Philip W. L. Fong.


Cite this article

Fong, P.W.L. Discretionary capability confinement. Int. J. Inf. Secur. 7, 137–154 (2008). https://doi.org/10.1007/s10207-007-0047-5
