Abstract
Both proofs and trust relations play a role in security decisions, in particular in determining whether to execute a piece of code. We have developed a language, called BCIC, for policies that combine proofs and trusted assertions about code. In this paper, using BCIC, we suggest an approach to code auditing that bases auditing decisions on logical policies and tools.
© 2007 Springer-Verlag Berlin Heidelberg
Whitehead, N., Johnson, J., Abadi, M. (2007). Policies and Proofs for Code Auditing. In: Namjoshi, K.S., Yoneda, T., Higashino, T., Okamura, Y. (eds) Automated Technology for Verification and Analysis. ATVA 2007. Lecture Notes in Computer Science, vol 4762. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-75596-8_1
DOI: https://doi.org/10.1007/978-3-540-75596-8_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-75595-1
Online ISBN: 978-3-540-75596-8