Tapido: Trust and Authorization Via Provenance and Integrity in Distributed Objects (Extended Abstract)

  • Andrew Cirillo
  • Radha Jagadeesan
  • Corin Pitcher
  • James Riely
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4960)


Existing web services and mashups exemplify the need for flexible construction of distributed applications. How to do so securely remains a topic of current research. We present Tapido, a programming model to address Trust and Authorization concerns via Provenance and Integrity in systems of Distributed Objects. Creation of Tapido objects requires (static) authorization checks and their communication provides fine-grain control of their embedded authorization effects. Tapido programs constrain such delegation of rights by using provenance information. A type-and-effect system with effect polymorphism provides static support for the programmer to reason about security policies. We illustrate the programming model and static analysis with example programs and policies.





Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Andrew Cirillo (1)
  • Radha Jagadeesan (1)
  • Corin Pitcher (1)
  • James Riely (1)

  1. School of CTI, DePaul University
