Security Properties of Typed Applets

  • Xavier Leroy
  • François Rouaix
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1603)

Abstract

This paper formalizes the folklore result that strongly-typed applets are more secure than untyped ones. We formulate and prove several security properties that all well-typed applets possess, and identify sufficient conditions for the applet execution environment to be safe, such as procedural encapsulation, type abstraction, and systematic type-based placement of run-time checks. These results are a first step towards formal techniques for developing and validating safe execution environments for applets.

Copyright information

© Springer-Verlag Berlin Heidelberg 1999

Authors and Affiliations

  • Xavier Leroy (1)
  • François Rouaix (2)
  1. INRIA Rocquencourt, Le Chesnay, France
  2. Liquid Market Inc, Los Angeles, USA