Declarative Policies for Capability Control

Dimoulas, Christos; Moore, Scott M.; Askarov, Aslan; Chong, Stephen

doi:10.1109/csf.2014.9

Cited by 26 publications

(12 citation statements)

References 41 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…They prove a property related to one of the properties in Section 5, which also ignores the behaviour of processes/objects. Dimoulas et al formalise capability safety in terms of a notion of component boundaries and the ownership of code by security principals [24], in a simple language without mutable state. The formalisation of capability-safety does not seem intended for reasoning about code.…”

Section: Related Workmentioning

confidence: 99%

Reasoning about Object Capabilities with Logical Relations and Effect Parametricity

Devriese

Birkedal

Piessens

2016

2016 IEEE European Symposium on Security and Privacy (EuroS&P)

View full text Add to dashboard Cite

Object capabilities are a technique for fine-grained privilege separation in programming languages and systems, with important applications in security. However, current formal characterisations do not fully capture capability-safety of a programming language and are not sufficient for verifying typical applications. Using state-of-the-art techniques from programming languages research, we define a logical relation for a core calculus of JavaScript that better characterises capability-safety. The relation is powerful enough to reason about typical capability patterns and supports evolvable invariants on shared data structures, capabilities with restricted authority over them and isolated components with restricted communication channels. We use a novel notion of effect parametricity for deriving properties about effects. Our results imply memory access bounds that have previously been used to characterise capability-safety.

show abstract

Section: Related Workmentioning

confidence: 99%

Reasoning about Object Capabilities with Logical Relations and Effect Parametricity

Devriese

Birkedal

Piessens

2016

2016 IEEE European Symposium on Security and Privacy (EuroS&P)

View full text Add to dashboard Cite

show abstract

“…Lerner et al extend this system to ensure browser extensions observe "private mode" browsing conventions, such as that "no private browsing history retained" [22]. Dimoulas et al [11] generalise the language and type checker based approach to enforce explicit policies, that describe which components may access, or may influence the use of, particular capabilities. Alternatively, Taly et al [39] model JavaScript APIs in Datalog, and then carry out a Datalog search for an "attacker" from the set of all valid API calls.…”

Section: Related Workmentioning

confidence: 98%

“…The specification consists of two policies: Pol_deal_1 promises that if the purses come from the same mints, and have sufficient funds (lines 6-7), then the result will be true (line 9), the transfer of the monies and the goods will take place (lines [10][11], and all other purses will remain unaffected (line 12). Pol_deal_2 promises that if the purses do not come from the same mints, or have insufficient funds, then the result will be false and all purses will be unaffected.…”

Section: Specifying Swapsiesmentioning

confidence: 99%

Swapsies on the Internet

Drossopoulou

Noble

Miller

2015

Proceedings of the 10th ACM Workshop on Programming Languages and Analysis for Security

View full text Add to dashboard Cite

Contemporary open systems use components developed by many different parties, linked together dynamically in unforeseen constellations. Code needs to live up to strict security specifications: it has to ensure the correct functioning of its objects when they collaborate with external objects which may be malicious.In this paper we propose specifications that model risk and trust in such open systems. We specify Miller, Van Cutsem, and Tulloh's escrow exchange example, and discuss the meaning of such a specification. We argue informally that the code satisfies its specification.

show abstract

“…Moore et al [29] use contracts to constrain the use of capabilities in a secure shell scripting language. Dimoulas et al [10] use contracts to control the flow of capabilities between components in objectcapability languages. Heidegger et al [19] use contracts to specify which fields of an object may be accessed by a component.…”

Section: Inlined Reference Monitorsmentioning

confidence: 99%

Extensible access control with authorization contracts

Moore

Dimoulas

Findler³

et al. 2016

Proceedings of the 2016 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applicatio

Self Cite

View full text Add to dashboard Cite

Existing programming language access control frameworks do not meet the needs of all software components. We propose an expressive framework for implementing access control monitors for components. The basis of the framework is a novel concept: the authority environment. An authority environment associates rights with an execution context. The building blocks of access control monitors in our framework are authorization contracts: software contracts that manage authority environments. We demonstrate the expressiveness of our framework by implementing a diverse set of existing access control mechanisms and writing custom access control monitors for three realistic case studies.

show abstract

Declarative Policies for Capability Control

Cited by 26 publications

References 41 publications

Reasoning about Object Capabilities with Logical Relations and Effect Parametricity

Reasoning about Object Capabilities with Logical Relations and Effect Parametricity

Swapsies on the Internet

Extensible access control with authorization contracts

Contact Info

Product

Resources

About