Results 1 - 7 of 7
Confined Types, 1999
Cited by 96 (2 self)
Sharing and transfer of references is difficult to control in object-oriented languages. As information security is increasingly becoming software dependent, this difficulty poses serious problems for writing secure components. In this paper, we present a set of inexpensive syntactic constraints that strengthen encapsulation in object-oriented programs and facilitate the implementation of secure systems. We introduce two mechanisms: confined types to impose static scoping on dynamic object references and anonymous methods which do not reveal the identity of the current instance (this). Confined types protect objects from use by untrusted code, while anonymous methods allow standard classes to be reused from confined classes. We have implemented a verifier which performs a modular analysis of Java programs and provides a static guarantee that confinement is respected. We present security related programming examples.
Encapsulating Objects with Confined Types
In OOPSLA, 2001
Cited by 87 (6 self)
Object-oriented languages provide little support for encapsulating objects. Reference semantics allows objects to escape their defining scope. The pervasive aliasing that ensues remains a major source of software defects. This paper introduces Kacheck/J, a tool for inferring object encapsulation properties in large Java programs. Our goal is to develop practical tools to assist software engineers, thus we focus on simple and scalable techniques. Kacheck/J is able to infer confinement for Java classes. A class and its subclasses are confined if all of their instances are encapsulated in their defining package. This simple property can be used to identify accidental leaks of sensitive objects. The analysis is scalable and efficient; Kacheck/J is able to infer confinement on a corpus of 46,000 classes (115 MB) in 6 minutes.
Simple Ownership Types for Object Containment, 2001
Cited by 83 (1 self)
Containment of objects is a natural concept that has been poorly supported in object-oriented programming languages. For a predefined set of ownership contexts, this paper presents a type system that enforces certain containment relationships for run-time objects. A fixed ordering relationship is presumed between the owners. The formalisation of ownership types has developed from our work with flexible alias protection together with an investigation of structural properties of object graphs based on dominator trees. Our general ownership type system permits fresh ownership contexts to be created at run-time. Here we present a simplified system in which the ownership contexts are predefined. This is powerful enough to express and enforce constraints about a system's high-level structure. Our formal system is presented in an imperative variant of the object calculus. We present type preservation and soundness results. Furthermore we highlight how these type theoretic results establish a containment invariant for objects, in which access to contained objects is only permitted via their owners. In effect, the predefined ownership ordering restricts the permissible inter-object reference structure.
Lightweight Confinement for Featherweight Java
In Proceedings of the 18th annual ACM SIGPLAN conference on Object-oriented Programming, Systems, Languages, and Applications (OOPSLA'03), 2003
Cited by 30 (1 self)
Confinement properties impose a structure on object graphs which can be used to enforce encapsulation -- which is essential to certain program optimizations, to modular reasoning, and in many cases to software assurance. This paper formalizes the notion of confined type in the context of Featherweight Java. A static type system that mirrors the informal rules of [16] is proposed and proven sound. The definition of confined types is extended to confined instantiation of generic classes.
Confined types in Java
Software: Practice and Experience, 2001
Cited by 25 (0 self)
The sharing and transfer of references in object-oriented languages is difficult to control. Without any constraint, practical experience has shown that even carefully engineered object-oriented code can be brittle, and subtle security deficiencies can go unnoticed. In this paper, we present inexpensive syntactic constraints that strengthen encapsulation by imposing static restrictions on the spread of references. In particular, we introduce confined types to impose a static scoping discipline on dynamic references and anonymous methods to loosen confinement somewhat to allow code reuse. We have implemented a verifier which performs a modular analysis of Java programs and provides a static guarantee that confinement is respected. Copyright © 2000 John Wiley & Sons, Ltd.
Key words: sharing, aliasing, Java, object-orientation, security
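The reference leaks that the first, second and fifth entries above describe are easiest to see in code. The following Java listing is an added illustration written for this page; it is not code from any of the papers or from the Kacheck/J tool. The package names `vault` and `client`, the classes `Secret`, `Vault` and `Outsider`, and the checksum placeholder in `tag` are assumptions made for the example. Three files are shown in one block, separated by `// ===== file` markers; split at those markers to compile.

```java
// ===== file: vault/Secret.java =====
package vault;

// Package-private on purpose: a type meant to be confined must not be
// public. The intent is that no reference to a Secret ever leaves the
// package vault. (Example class, assumed for this illustration.)
final class Secret {
    private final byte[] key;

    Secret(byte[] key) {
        this.key = key.clone();
    }

    byte[] key() {
        return key.clone();
    }
}

// ===== file: vault/Vault.java =====
package vault;

import java.util.ArrayList;
import java.util.List;

public final class Vault {
    private final Secret secret = new Secret(new byte[] {1, 2, 3, 4});
    private final List<Object> audit = new ArrayList<>();

    // Leak 1: a public method whose return type is the confined class.
    // javac accepts this even though callers in other packages cannot name
    // the type Secret; they can still hold the reference as Object.
    public Secret leakByReturn() {
        return secret;
    }

    // Leak 2: widening the confined reference to Object lets it flow into a
    // non-confined container and out through any accessor of that container.
    public void leakByWidening() {
        audit.add(secret);
    }

    public List<Object> auditTrail() {
        return audit;
    }

    // Confined alternative: the Secret never crosses the package boundary.
    // Only a derived int leaves. The arithmetic is a checksum placeholder
    // for this example, not a real MAC; the point is the return type.
    public int tag(byte[] message) {
        int t = 0;
        for (byte b : secret.key()) {
            t = 31 * t + b;
        }
        for (byte b : message) {
            t = 31 * t + b;
        }
        return t;
    }

    // Calling an inherited method on a confined instance is safe only when
    // that method is anonymous, i.e. it neither stores nor passes on `this`.
    // Object.hashCode returns an identity value and retains nothing, so the
    // reference stays inside the package.
    public int secretIdentity() {
        return secret.hashCode();
    }
}

// ===== file: client/Outsider.java =====
package client;

import vault.Vault;

public final class Outsider {
    public static void main(String[] args) {
        Vault v = new Vault();

        // `vault.Secret s = v.leakByReturn();` would not compile here, since
        // the type is package-private, but the reference itself escapes:
        Object escaped = v.leakByReturn();

        v.leakByWidening();
        Object escapedAgain = v.auditTrail().get(0);

        // Both handles refer to the same confined object, now held outside
        // its package; reflection with setAccessible(true) can call key().
        System.out.println(escaped.getClass().getName());
        System.out.println(escaped == escapedAgain);

        // The confined paths hand out only derived data, never the object.
        System.out.println(v.tag(new byte[] {9, 9, 9}));
        System.out.println(v.secretIdentity());
    }
}
```

Java's access control restricts which names a client may spell, not which references it may hold, which is why `leakByReturn` and `leakByWidening` compile. A confinement verifier in the style of these papers rejects both methods, one because a confined type appears in a public signature and one because a confined reference is widened to `Object`, and accepts `tag` and `secretIdentity`, since only non-confined values leave the package and `hashCode` can be treated as anonymous because it does not retain `this`.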
Improving Data Layout through Coloring-Directed Array Merging, 1999
Cited by 3 (1 self)
Scientific computing and image processing applications access large amounts of data in regular patterns. In order to relieve the memory bottleneck, caching tries to keep recently referenced data available in fast storage.
Who's Afraid of Ownership Types?, 1999
Cited by 2 (0 self)
Ownership Types prevent representation exposure - unauthorised access to the encapsulated implementation of an object. Unfortunately, existing ownership type systems are too strict, do not support subtyping, and exclude many important object-oriented idioms, such as iterators, objects with multiple interfaces, and initialisation with pre-existing objects. We develop a more flexible model of containment by abstractly modeling the two sides of object access, that is, which objects an object can access and which objects can access it. Using a variant of Abadi and Cardelli's object calculus as a vehicle, we provide an account of object ownership which supports subtyping and allows more flexible object graph structure.

