Deriving an information flow checker and certifying compiler for Java

Abstract. We present an information-flow type system for a distributed object-oriented language with active objects, asynchronous method calls and futures. The variables of the program are classified as high and low. We allow while cycles with high guards to be used but only if they are not followed (directly or through synchronization) by an assignment to a low variable. To ensure the security of synchronization, we use a high and a low lock for each concurrent object group (cog). In some cases, we must allow a high lock held by one task to be overtaken by another, if the former is about to make a low side effect but the latter cannot make any low side effects. This is necessary to prevent synchronization depending on high variables from influencing the order of low side effects in different cogs. We prove a non-interference result for our type system.

show abstract

“…In that area, a lot of attention has also been devoted to the analysis of low-level OO-languages, e.g. Java bytecode [4,5].…”

Section: Related Workmentioning

confidence: 99%

Securing the Future — An Information Flow Analysis of a Distributed OO Language

Pettai

Laud

2012

SOFSEM 2012: Theory and Practice of Computer Science

View full text Add to dashboard Cite

show abstract

“…Barthe and Rezk [BR05] consider type-based enforcement of secure information flow in Java bytecode-like languages. Barthe et al [BRN06] extend this work to derive an information-flow certifying compiler for a Java-like language.…”

Section: Related Workmentioning

confidence: 99%

“…Barthe et al [BPR07] extend this approach to multiple types of catchable exceptions. Connecting this with security-type preserving compilation, Barthe et al [BRN06] show how to securely compile a source language with a single type of catchable exceptions to the low-level language of Barthe and Rezk [BR05].…”

Section: Related Workmentioning

confidence: 99%

Securing Class Initialization

Nakata

Sabelfeld

2010

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

Abstract. Language-based information-flow security is concerned with specifying and enforcing security policies for information flow via language constructs. Although much progress has been made on understanding information flow in object-oriented programs, the impact of class initialization on information flow has been so far largely unexplored. This paper turns the spotlight on security implications of class initialization. We discuss the subtleties of information propagation when classes are initialized and propose a formalization that illustrates how to track information flow in presence of class initialization by a type-andeffect system for a simple language. We show how to extend the formalization to a language with exception handling.

show abstract

“…JFlow offers a practical tool for developing secure applications but does not address mobile code security as envisioned in MOBIUS since it applies to source code. In order to show that applications written in (a variant of) JFlow can be deployed in a mobile code architecture that delivers the promises of JFlow in terms of confidentiality, [7] proves that a standard (non-optimizing) Java compiler translates programs that are typable in a type system inspired from [5], but extended to exceptions, into programs that are typable in our system.…”

Section: Bytecode Verification Fo R Secure Information Flowmentioning

confidence: 99%

MOBIUS: Mobility, Ubiquity, Security

Barthe

Beringer

Crégut

et al.

Trustworthy Global Computing

View full text Add to dashboard Cite

Abstract. Through their global, uniform provision of services and their dis tributed nature, global computers have the potential to profoundly enhance our daily life. However, they will not realize their full potential, unless the necessary levels of trust and security can be guaranteed. The goal of the MOBIUS project is to develop a Proof Carrying Code architecture to secure global computers that consist of Java-enabled mobile devices. In this progress report, we detail its objectives and provide a snapshot of the project results during its first year of activity.

show abstract

Deriving an information flow checker and certifying compiler for Java

Cited by 35 publications

References 20 publications

Securing the Future — An Information Flow Analysis of a Distributed OO Language

Securing the Future — An Information Flow Analysis of a Distributed OO Language

Securing Class Initialization

MOBIUS: Mobility, Ubiquity, Security

Contact Info

Product

Resources

About