History effects and verification
In APLAS'04: The Second ASIAN Symposium on Programming Languages and Systems, 2004
Cited by 32 (5 self)
This paper shows how type effect systems can be combined with model-checking techniques to produce powerful, automatically verifiable program logics for higher-order programs. The properties verified are based on the ordered sequence of events that occur during program execution, an event history. Our type and effect systems automatically infer conservative approximations of the event histories arising at run-time, and model-checking techniques are used to verify logical properties of these histories. Our language model is based on the λ-calculus. Technical results include a powerful type inference algorithm for a polymorphic type effect system, and a method for applying known model-checking techniques to the history effects inferred by the type inference algorithm, allowing static enforcement of history- and stack-based security mechanisms.
Policy enforcement via program monitoring
2006
Cited by 9 (2 self)
One way to guarantee that software behaves securely is to monitor programs at run time and check that they dynamically adhere to constraints specified by a security policy. Whenever a program monitor detects that untrusted software is attempting to execute a dangerous action, it takes remedial steps to ensure that only safe code actually gets executed. This thesis considers the space of policies enforceable by monitoring the run-time behaviors of programs and develops a practical language for specifying monitors' policies. In order to delineate the space of policies that monitors can enforce, we first have to define exactly what it means for a monitor to enforce a policy. We therefore begin by building a formal framework for analyzing policy enforcement; we precisely define policies, monitors, and enforcement. Having this framework allows us to consider the enforcement powers of program monitors and prove that they enforce an interesting set of policies that we define and call the infinite renewal properties. We show how, when given any reasonable infinite renewal property, to construct a
Types and trace effects of higher order programs
Journal of Functional Programming, 2007
Cited by 6 (2 self)
This paper shows how type effect systems can be combined with model-checking techniques to produce powerful, automatically verifiable program logics for higher order programs. The properties verified are based on the ordered sequence of events that occur during program execution, so called event traces. Our type and effect systems infer conservative approximations of the event traces arising at run-time, and model-checking techniques are used to verify logical properties of these histories. Our language model is based on the λ-calculus. Technical results include a type inference algorithm for a polymorphic type effect system, and a method for applying known model-checking techniques to the trace effects inferred by the type inference algorithm, allowing static enforcement of history- and stack-based security mechanisms. A type safety result is proven for both unification and subtyping constraint versions of the type system, ensuring that statically well-typed programs do not contain trace event checks that can fail at run-time.
Capabilities as alias control: Secure cooperation in dynamically extensible systems
Department of Computer Science, University of Regina, 2004
Cited by 5 (3 self)
Secure cooperation is the problem of protecting mutually suspicious code units within the same execution environment from their potentially malicious peers. A statically enforceable capability type system is proposed for the JVM bytecode language to provide fine-grained access control of shared resources among peer code units. The design of the type system is inspired by recent advances in alias control type systems for object-oriented programming languages. The exercise of access rights and the propagation of capabilities are given a uniform interpretation as alias creation events. Each capability type assigns to a reference a dataflow trajectory, prescribing the set of aliases that is allowed to be created from the reference. An orthogonal and complementary type system for controlling object creation and downcasting is also designed to avoid a class of capability spoofing attacks. The combined type system successfully addresses a number of classical protection problems recast in a programming language context. This work therefore demonstrates the need and the feasibility of a language-based approach to enforce application-level security among peer code units.
Symposium on Network and Distributed System
remote playground. In 1998 IEEE Symposium on Security and Privacy, pages 40--51, Oakland, CA, USA, May 1998. IEEE, IEEE Comput. Soc. [26] P. Ørbaek and J. Palsberg. Trust in the λ-calculus. J. Functional Programming, 1(1):1--35, January 1993. Cambridge University Press. [27] John K. Ousterhout, Jacob Y. Levy, and Brent B. Welch. The Safe-Tcl security model. Technical Report TR-97-60, Sun Microsystems Laboratories, 1997. Available at http://research.sun.com/technicalreports/1997/abstract-60.html. [28] Holger Peine and Torsten Stolpmann. The architecture of the Ara platform for mobile agents. In Kurt Rothermel and Radu Popescu-Zeletin, editors, Mobile Agents. First International Workshop, MA '97, number 1219 in Lecture Notes in Computer Science, pages 50--61, Berlin, Germany, April 1997. Springer-Verlag. [29] Aviel D. Rubin and Daniel E. Geer. Mobile code security. 1998. [30] Fred B. Schneider. Towards fault-tolerant and secure age

