Roles, stacks, histories: A triple for Hoare

  • Johannes Borgström, Andrew D. Gordon and Riccardo Pucella
Abstract

Behavioral type and effect systems regulate properties such as adherence to object and communication protocols, dynamic security policies, avoidance of race conditions, and many others. Typically, each system is based on some specific syntax of constraints, and is checked with an ad hoc solver. Instead, we advocate types refined with first-order logic formulas as a basis for behavioral type systems, and general purpose automated theorem provers as an effective means of checking programs. To illustrate this approach, we define a triple of security-related type systems: for role-based access control, for stack inspection, and for history-based access control. The three are all instances of a refined state monad. Our semantics allows a precise comparison of the similarities and differences of these mechanisms. In our examples, the benefit of behavioral type-checking is to rule out the possibility of unexpected security exceptions, a common problem with code-based access control.
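An added example, not code from the paper: a small Python model of stack inspection and history-based access control as two instances of one state monad, the comparison the abstract describes. The code units `app` and `plugin`, their permission sets and all function names are constructed assumptions.

```python
# Stack inspection vs. history-based access control as two instances of one
# state monad: a computation maps the protection state to (result, new state).
STATIC = {"app": frozenset({"read", "write"}), "plugin": frozenset({"read"})}  # constructed

class SecurityException(Exception):
    """Raised when a demanded permission is not granted by the protection state."""

def ret(a):                                   # monadic unit: state unchanged
    return lambda s: (a, s)

def bind(m, f):                               # run m, feed result and state to f
    def run(s):
        a, s1 = m(s)
        return f(a)(s1)
    return run

# Stack inspection: state = the code units currently on the call stack.
def stack_call(unit, body):
    def run(stack):
        a, _ = body(stack + [unit])           # frame popped on return:
        return a, stack                       # caller's state is restored
    return run

def stack_demand(perm):
    def run(stack):
        if not all(perm in STATIC[u] for u in stack):
            raise SecurityException(f"{perm} denied by stack {stack}")
        return None, stack
    return run

# History-based: state = permissions held by every unit that has run so far.
def history_call(unit, body):
    return lambda held: body(held & STATIC[unit])  # the reduction outlives the call

def history_demand(perm):
    def run(held):
        if perm not in held:
            raise SecurityException(f"{perm} denied; history holds {sorted(held)}")
        return None, held
    return run

def after_plugin(call, demand, initial):
    """app calls the plugin, then demands 'write' from its own code."""
    prog = bind(call("plugin", ret(None)), lambda _: demand("write"))
    try:
        call("app", prog)(initial)
        return "allowed"
    except SecurityException:
        return "denied"

STACK_RESULT = after_plugin(stack_call, stack_demand, [])                   # "allowed"
HISTORY_RESULT = after_plugin(history_call, history_demand, STATIC["app"])  # "denied"
```

The model exhibits only the dynamic checks that raise the exception; the static refinement-type check that the abstract says rules such exceptions out is not attempted here.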

Journal of Functional Programming
  • ISSN: 0956-7968
  • EISSN: 1469-7653