Securing Class Initialization

  • Keiko Nakata
  • Andrei Sabelfeld
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 321)

Abstract

Language-based information-flow security is concerned with specifying and enforcing security policies for information flow via language constructs. Although much progress has been made on understanding information flow in object-oriented programs, the impact of class initialization on information flow has so far been largely unexplored. This paper turns the spotlight on the security implications of class initialization. We discuss the subtleties of information propagation when classes are initialized and propose a formalization that illustrates how to track information flow in the presence of class initialization, by means of a type-and-effect system for a simple language. We show how to extend the formalization to a language with exception handling.
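As an added illustration of the subtlety the abstract refers to (this is not code from the paper; the class and field names are assumptions made for the example), the Java program below leaks a secret boolean through the side effect of a static initializer. The JVM runs a class's static initializer lazily, on its first active use, so whether that initializer has run, and hence whether a public field it writes has changed, depends on whether the branch guarded by the secret was taken:

```java
// Added example (not from the paper): an implicit flow through lazy class
// initialization. Names (ClassInitLeak, Trigger, token, initialized) are
// chosen for this illustration only.
public class ClassInitLeak {
    // Low-security, publicly observable flag written by the initializer.
    static boolean initialized = false;

    static class Trigger {
        // Non-constant static field: reading it is an "active use" and
        // forces the JVM to run Trigger's static initializer first.
        static int token;

        static {
            initialized = true;   // observable side effect of initialization
            token = 1;
        }
    }

    // Returns the value of the public flag after a branch on the secret.
    // On the first call the result equals the secret: the initializer runs
    // only if the secret-guarded branch touched Trigger.
    static boolean leak(boolean secret) {
        if (secret) {
            int t = Trigger.token;  // first active use -> runs <clinit>
        }
        return initialized;
    }

    public static void main(String[] args) {
        boolean secret = args.length > 0 && Boolean.parseBoolean(args[0]);
        System.out.println("secret = " + secret + ", observed = " + leak(secret));
    }
}
```

Compile and run with `javac ClassInitLeak.java && java ClassInitLeak true` (or `false`). Two caveats matter for an analysis. First, the JVM initializes a class at most once per class loader, so the channel carries the secret only on the first call; a second call returns `true` regardless. Second, if a static initializer throws, the class is marked erroneous and every later active use throws `NoClassDefFoundError`, which is a second observable effect of the same hidden branch and is why the abstract's extension to exception handling is needed.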


Copyright information

© IFIP 2010

Authors and Affiliations

  • Keiko Nakata, Institute of Cybernetics, Tallinn University of Technology, Tallinn, Estonia
  • Andrei Sabelfeld, Chalmers University of Technology, Gothenburg, Sweden
