Protection in programming languages

Morris, James H.

doi:10.1145/361932.361937

Cited by 157 publications

(69 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As a warm-up, we begin with a simple micro-policy for dynamic sealing [62], [80], a linguistic mechanism analogous to perfect symmetric encryption. Informally, we extend the basic machine with three new primitives (presented as monitor services): mkkey creates a fresh sealing key; seal takes a data value (a machine word) and a key and returns an opaque "sealed value" that can be stored in memory and registers but not used in any other way until it is passed (together with the same key that was used to seal it) through the unseal service, which unwraps it and returns the original raw word.…”

Section: Sealing Micro-policymentioning

confidence: 99%

“…Each symbolic micro-policy consists of (i) sets of metadata tags that are used to label every piece of data in the machine's memory and registers (including the program counter); (ii) a transfer function that uses both the current opcode and the tags on the pc, on the current instruction, and on the instruction operands to determine whether the operation is permitted and, if it is, to specify how the pc and the instruction's result should be tagged in the next machine state; and (iii) a set of monitor services that can be invoked by user code. For example, in a micro-policy for dynamic sealing (a languagebased protection mechanism in the style of perfect symmetric encryption [62], described below in §4) the set of tags used for registers and memory might be {Data, Key k, Sealed k}, where Data is used to tag ordinary data values, Sealed k is used to tag values sealed with the key k, and Key k denotes a key that can be used for sealing and unsealing values. The transfer function for this micro-policy would allow, for example, arithmetic operations on values tagged Data but deny them on data tagged Sealed or Key.…”

Section: Introductionmentioning

confidence: 99%

“…Monitor services are provided to allow user programs to create new keys and to seal and unseal data values with given keys. We instantiate this symbolic machine with a diverse set of security micro-policies: 1) dynamic sealing [62], [80]; 2) compartmentalization, which sandboxes untrusted code and allows it to be run alongside trusted code [84]; 3) control-flow integrity (CFI), which prevents code-reuse attacks such as return-oriented programming [6]; and 4) memory safety, which prevents temporal and spatial violations for heap-allocated data [39]. The intended behavior of each micro-policy is specified by an abstract machine (top layer in Figure 1), which gives a clear characterization of the micro-policy's behavior as seen by a user-level programmer.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Micro-Policies: Formally Verified, Tag-Based Security Monitors

Amorim¹,

Dénès

Giannarakis

et al. 2015

2015 IEEE Symposium on Security and Privacy

View full text Add to dashboard Cite

Abstract-Recent advances in hardware design have demonstrated mechanisms allowing a wide range of low-level security policies (or micro-policies) to be expressed using rules on metadata tags. We propose a methodology for defining and reasoning about such tag-based reference monitors in terms of a high-level "symbolic machine," and we use this methodology to define and formally verify micro-policies for dynamic sealing, compartmentalization, control-flow integrity, and memory safety; in addition, we show how to use the tagging mechanism to protect its own integrity. For each micro-policy, we prove by refinement that the symbolic machine instantiated with the policy's rules embodies a high-level specification characterizing a useful security property. Last, we show how the symbolic machine itself can be implemented in terms of a hardware rule cache and a software controller.

show abstract

Section: Sealing Micro-policymentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Micro-Policies: Formally Verified, Tag-Based Security Monitors

Amorim¹,

Dénès

Giannarakis

et al. 2015

2015 IEEE Symposium on Security and Privacy

View full text Add to dashboard Cite

show abstract

“…The object-capability paradigm, in the air by 1967 [Wilkes79,Fabry74], and well established by 1973 [Redell74,Hewitt73,Morris73,Wulf74,Wulf81], adds the observation that the abstraction mechanisms provided by the base model are not just for procedural, data, and control abstractions, but also for access abstractions, such as Redell's Caretaker. (These are "communications abstractions" in [Tribble95].…”

Section: Access Abstractionmentioning

confidence: 99%

Paradigm Regained: Abstraction Mechanisms for Access Control

Miller

Shapiro

2003

Advances in Computing Science – ASIAN 2003. Progamming Languages and Distributed Computation Programming Languages and Distribu

View full text Add to dashboard Cite

Abstract. Access control systems must be evaluated in part on how well they enable one to distribute the access rights needed for cooperation, while simultaneously limiting the propagation of rights which would create vulnerabilities. Analysis to date implicitly assumes access is controlled only by manipulating a system's protection state-the arrangement of the access graph. Because of the limitations of this analysis, capability systems have been "proven" unable to enforce some basic policies: revocation, confinement, and the *-properties (explained in the text).In actual practice, programmers build access abstractions-programs that help control access, extending the kinds of access control that can be expressed. Working in Dennis and van Horn's original capability model, we show how abstractions were used in actual capability systems to enforce the above policies. These simple, often tractable programs limited the rights of arbitrarily complex, untrusted programs. When analysis includes the possibility of access abstractions, as it must, the original capability model is shown to be stronger than is commonly supposed.

show abstract

“…(The notion of incorporating protection in languages appears in [2], [26].) In the foregoing discussion we stressed the restrictions imposed on actual parameters by the appearance of the "<>" notation in a formal parameter list.…”

Section: Ieee Transactions On Software Engineering December 1976mentioning

confidence: 99%

An Introduction to the Construction and Verification of Alphard Programs

Wulf

London

Shaw

1976

IIEEE Trans. Software Eng.

258

View full text Add to dashboard Cite

Abstract-The programming language Alphard is designed to provide support for both the methodologies of "well-structured" programming and the techniques of formal program verification. Language constructs allow a programmer to isolate an abstraction, specifying its behavior publicly while localizing.knowledge about its implementation. The verification of such an abstraction consists of showing that its implementation behaves in accordance with its public specifications; the abstraction can then be used with confidence in constructing other programs, and the verification of that use employs only the public specifications. This paper introduces Alphard by developing and verifying a data structure definition and a program that uses it. It shows how each language construct contributes to the development of the abstraction and discusses the way the language design and the verification methodology wete tailored to each other. It serves not only as an introduction to Alphard, but also as an example of the symbiosis between verification and methodology in language design. The strategy of program structuring, illustrated for Alphard, is also applicable to most of the "data abstraction" mechanisms now appearing.

show abstract

Protection in programming languages

Abstract: Linguistic mechanisms which can be used to protect one subprogram from another's malfunctioning are described. Function-producing functions and various type-tagging schemes are considered. An attempt is made to distinguish between access limitation and authentication.

Cited by 157 publications

References 6 publications

Micro-Policies: Formally Verified, Tag-Based Security Monitors

Micro-Policies: Formally Verified, Tag-Based Security Monitors

Paradigm Regained: Abstraction Mechanisms for Access Control

An Introduction to the Construction and Verification of Alphard Programs

Contact Info

Product

Resources

About