Secure the Clones

Static Enforcement of Policies for Secure Object Copying
  • Thomas Jensen
  • Florent Kirchner
  • David Pichardie
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6602)


Exchanging mutable data objects with untrusted code is a delicate matter because of the risk of creating a data space that is accessible by an attacker. Consequently, secure programming guidelines for Java stress the importance of using defensive copying before accepting or handing out references to an internal mutable object. However, implementation of a copy method (like clone()) is entirely left to the programmer. It may not provide a sufficiently deep copy of an object and is subject to overriding by a malicious sub-class. Currently no language-based mechanism supports secure object cloning. This paper proposes a type-based annotation system for defining modular copy policies for class-based object-oriented programs. A copy policy specifies the maximally allowed sharing between an object and its clone. We present a static enforcement mechanism that will guarantee that all classes fulfill their copy policy, even in the presence of overriding of copy methods, and establish the semantic correctness of the overall approach in Coq. The mechanism has been implemented and experimentally evaluated on clone methods from several Java libraries.


Policy Language Shape Graph Static Enforcement Default Policy Method Declaration 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Aiken, A., Foster, J.S., Kodumal, J., Terauchi, T.: Checking and inferring local non-aliasing. In: Proc. of PLDI 2003, pp. 129–140. ACM Press, New York (2003)Google Scholar
  2. 2.
    Anderson, Z., Gay, D., Naik, M.: Lightweight annotations for controlling sharing in concurrent data structures. In: Proc. of PLDI 2009, pp. 98–109. ACM Press, New York (2009)Google Scholar
  3. 3.
    Blanchet, B.: Escape analysis for object-oriented languages: Application to Java. In: Proc. of OOPSLA, pp. 20–34. ACM Press, New York (1999)Google Scholar
  4. 4.
    Bloch, J.: JSR 175: A metadata facility for the Java programming language, September 30 (2004),
  5. 5.
    CERT. The CERT Sun Microsystems Secure Coding Standard for Java (2010),
  6. 6.
    Choi, J.D., Gupta, M., Serrano, M.J., Sreedhar, V.C., Midkiff, S.P.: Escape analysis for java. In: Proc. of OOPSLA, pp. 1–19. ACM Press, New York (1999)Google Scholar
  7. 7.
    Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Proc. of POPL 1977, pp. 238–252. ACM Press, New York (1977)Google Scholar
  8. 8.
    Fähndrich, M., Leino, K.R.M.: Declaring and checking non-null types in an object-oriented language. In: Proc. of OOPSLA 2003, pp. 302–312. ACM Press, New York (2003)Google Scholar
  9. 9.
    Hubert, L., Jensen, T., Pichardie, D.: Semantic foundations and inference of non-null annotations. In: Barthe, G., de Boer, F.S. (eds.) FMOODS 2008. LNCS, vol. 5051, pp. 132–149. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  10. 10.
    Jensen, T., Kirchner, F., Pichardie, D.: Secure the clones, Extended version (2010),
  11. 11.
    O’Hearn, P.W., Yang, H., Reynolds, J.C.: Separation and information hiding. In: Proc. of POPL 2004, pp. 268–280. ACM Press, New York (2004)Google Scholar
  12. 12.
    Sagiv, S., Reps, T.W., Wilhelm, R.: Parametric shape analysis via 3-valued logic. ACM Trans. Program. Lang. Syst. 24(3), 217–298 (2002)CrossRefGoogle Scholar
  13. 13.
    Sun Develper Network. Secure Coding Guidelines for the Java Programming Language, version 3.0 (2010),
  14. 14.
    Tofte, M., Talpin, J.-P.: Region-based memory management. Information and Computation 132(2), 109–176 (1997)MathSciNetCrossRefzbMATHGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Thomas Jensen
    • 1
  • Florent Kirchner
    • 1
  • David Pichardie
    • 1
  1. 1.INRIA RennesBretagne AtlantiqueFrance

Personalised recommendations