Abstract
In authorization, there is often a wish to shift the burden of proof to those making requests, since they may have more resources and more specific knowledge to construct the required proofs. We introduce an extreme instance of this approach, which we call Code-Carrying Authorization (CCA). With CCA, access-control decisions can partly be delegated to untrusted code obtained at run-time. The dynamic verification of this code ensures the safety of authorization decisions. We define and study this approach in the setting of a higher-order spi calculus. The type system of this calculus provides the needed support for static and dynamic verification.
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Maffeis, S., Abadi, M., Fournet, C., Gordon, A.D. (2008). Code-Carrying Authorization. In: Jajodia, S., Lopez, J. (eds) Computer Security - ESORICS 2008. Lecture Notes in Computer Science, vol 5283. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-88313-5_36
DOI: https://doi.org/10.1007/978-3-540-88313-5_36
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-88312-8
Online ISBN: 978-3-540-88313-5