A Tail-Recursive Semantics for Stack Inspections
Security folklore holds that a security mechanism based on stack inspection is incompatible with a global tail call optimization policy. An implementation of such a language may have to allocate memory for a source-code tail call, and a program that uses only tail calls (and no other memory-allocating construct) may nevertheless exhaust the available memory. In this paper, we prove this widely held belief wrong. We exhibit an abstract machine for a language with security stack inspection whose space consumption function is equivalent to that of the canonical tail call optimizing abstract machine. Our machine is surprisingly simple and suggests that tail calls are as easy to implement in a security setting as they are in a conventional one.
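As an added illustration (not the paper's machine or code): a small Python model of the tension the abstract describes. One machine pushes a frame on every tail call and so grows with the loop; the other merges the tail-called frame's security information into its caller's frame, keeping the stack flat while answering every stack-inspection query identically. The `Frame` fields, the merge rule and the sample frames are constructed for this example.

```python
"""Constructed model: stack inspection on a frame-pushing machine versus a
tail-call machine that merges security data instead of allocating frames."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    held: frozenset     # permissions the frame's code owner is trusted with
    enabled: frozenset  # subset of `held` the frame explicitly enables
                        # (invariant assumed here: enabled <= held)


def check(stack, perm):
    """Classic stack inspection, walking from the newest frame downward:
    a frame lacking `perm` denies; a frame that enabled it grants and stops
    the walk; any other frame passes.  Reaching the bottom grants."""
    for frame in reversed(stack):
        if perm not in frame.held:
            return False
        if perm in frame.enabled:
            return True
    return True


def push_tail(stack, frame):
    """Naive machine: every tail call allocates a new frame."""
    return stack + [frame]


def merge_tail(stack, frame):
    """Tail-call machine: replace the caller's frame by one that answers
    check() exactly as [.., caller, frame] would.  Per permission the
    callee's verdict (deny/grant) wins; where it merely passes, the
    caller's verdict is kept."""
    if not stack:
        return [frame]
    caller = stack[-1]
    passes = frame.held - frame.enabled
    held = frame.held & (frame.enabled | caller.held)
    enabled = frame.enabled | (passes & caller.enabled)
    return stack[:-1] + [Frame(held, enabled)]


def run(tail_call, frames, perms):
    """Perform the tail calls in order; report (stack depth, check results)."""
    stack = []
    for frame in frames:
        stack = tail_call(stack, frame)
    return len(stack), tuple(check(stack, p) for p in perms)


if __name__ == "__main__":
    loop_body = Frame(frozenset({"read"}), frozenset())  # constructed
    print(run(push_tail, [loop_body] * 1000, ["read"]))   # depth 1000
    print(run(merge_tail, [loop_body] * 1000, ["read"]))  # depth 1
```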
Keywords: Garbage Collection, Reduction Rule, Source Language, Abstract Machine, Runtime System