Security is a major, frequent concern in extensible software systems such as Java Virtual Machines and the Common Language Runtime. These systems aim to enable simple, classic applets and also, for example, distributed applications, Web services, and programmable networks, with appropriate security expectations. Accordingly, they feature elaborate constructs and mechanisms for associating rights with code, including a technique for determining the run-time rights of a piece of code as a function of the state of the execution stack. These mechanisms prevent many security holes, but they are inherently partial and they have proved difficult to use reliably.

Stack inspection is a security mechanism implemented in runtimes such as the JVM and the CLR to accommodate components with diverse levels of trust. Although stack inspection enables the finegrained expression of access control policies, it has rather a complex and subtle semantics. We present a formal semantics and an equational theory to explain how stack inspection a#ects program behaviour and code optimisations. We discuss the security properties enforced by stack inspection, and also consider variants with stronger, simpler properties.

We present the design and implementation of a typechecker for verifying security properties of the source code of cryptographic protocols and access control mechanisms. The underlying type theory is a λ-calculus equipped with refinement types for expressing pre- and post-conditions within first-order logic. We derive formal cryptographic primitives and represent active adversaries within the type theory. Well-typed programs enjoy assertion-based security properties, with respect to a realistic threat model including key compromise. The implementation amounts to an enhanced typechecker for the general purpose functional language F#; typechecking generates verification conditions that are passed to an SMT solver. We describe a series of checked examples. This is the first tool to verify authentication properties of cryptographic protocols by typechecking their source code. 1

Nobuko Yoshida Imperial College London ABSTRACT We introduce a new expressive theory of types for the higher-order p-calculus and demonstrate its applicability via non-trivial security analyses of a simple class-based language with distributed code mobility. The new theory significantly improves our previous one presented in [52] by the use of channel dependent/existential types. New dependent types control dynamic change of process accessibility via channel passing, while existential types guarantee safe scope-extrusion in higher-order process passing. This solves an open issue in [52], leading to significant enlargement of original typability. Two basic security concerns for mobile computation, secrecy for data confidentiality and access controls for authorised resources are analysed in a uniform type-based static framework, culminating in the noninterference theorem and authority-error freedom in the presence of higher-order code mobility. The generality and expressiveness of the new type discipline are tested with a sound embedding of multi-threaded class-based language with dynamic code/class distribution, enforcing secrecy and accessibility.

We present a new static analysis for reviewing the security of libraries for systems, such as JVMs or the CLR, that rely on stack inspection for access control. We describe its implementation for the CLR. Our tool inputs a set of libraries plus a description of the permissions granted to unknown, potentially hostile code. It constructs a permissionsensitive call graph, which can be queried to identify potential security defects. It has been applied to large pre-existing libraries. We also develop a new formal model of the essentials of access control in the CLR (types, classes and inheritance, access modifiers, permissions, and stack inspection). In this model, we state and prove the correctness of the analysis. 1. Motivation

This course takes a programming language approach to solving problems in the analysis of cryptographic protocols. Our method is based on specifying a protocol as a program coded up in the spi calculus of Abadi and Gordon. Spi is a small concurrent language with primitives for cryptography. Protocol

Abstract not found