Pluggable Verification Modules: An Extensible Protection Mechanism for the JVM
- In Proceedings of the 19th Annual ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA'04), 2003
Capabilities as alias control: Secure cooperation in dynamically extensible systems
- Department of Computer Science, University of Regina, 2004
Cited by 5 (3 self)
Abstract
Secure cooperation is the problem of protecting mutually suspicious code units within the same execution environment from their potentially malicious peers. A statically enforceable capability type system is proposed for the JVM bytecode language to provide fine-grained access control of shared resources among peer code units. The design of the type system is inspired by recent advances in alias control type systems for object-oriented programming languages. The exercise of access rights and the propagation of capabilities are given a uniform interpretation as alias creation events. Each capability type assigns to a reference a dataflow trajectory, prescribing the set of aliases that is allowed to be created from the reference. An orthogonal and complementary type system for controlling object creation and downcasting is also designed to avoid a class of capability spoofing attacks. The combined type system successfully addresses a number of classical protection problems recast in a programming language context. This work therefore demonstrates the need for and the feasibility of a language-based approach to enforce application-level security among peer code units.
Discretionary object confinement: A minimalist approach to capabilities for the JVM
- Department of Computer Science, University of Regina, 2004
Cited by 1 (0 self)
Abstract
Secure cooperation is the problem of protecting mutually suspicious code units from one another. The notion of capabilities is an effective means for facilitating secure cooperation in dynamically extensible software systems, in which both trusted and untrusted code may run alongside each other. This paper proposes a lightweight, statically enforceable type system, Discretionary Object Confinement (DOC), for modeling capabilities with abstract interface types. The type system can be seen as a discretionary variant of confined types. Formulated at the bytecode level, the type system is enforceable at link time, by the code consumer. Type checking does not involve any iterative flow analysis, and is therefore highly efficient. A link-time type checker has been implemented for the Java platform under the framework of Pluggable Verification Modules. The simplicity of the type system imposes only a modest increase in size to the trusted computing base. Although DOC enjoys an efficient type checking procedure, the inference of DOC annotations from a legacy code base is NP-complete. The practical implication of this negative result is discussed.

1 Introduction
Secure cooperation [27, 24] is the problem of protecting mutually suspicious code units within the same execution environment from one another. Peer code units collaborate by sharing object references. The challenge is to allow the owner of an object reference to impose access constraints over those object references that are shared with an untrusted peer. Secure cooperation is thus an enabling infrastructure for dynamically extensible software systems such as mobile code language environments, scriptable applications, and software systems with plug-in architectures, in which both trusted and untrusted code units may run alongside each other.

