Abstract
Several authors have proposed using code modification as a technique for enforcing security policies such as resource limits, access controls, and network information flows. However, these approaches are typically ad hoc and are implemented without a high-level abstract framework for code modification. We propose using reflection as a mechanism for implementing code modifications within an abstract framework based on the semantics of the underlying programming language. We have developed a reflective version of Java called Kava that uses byte-code rewriting techniques to insert pre-defined hooks into Java class files at load time. This makes it possible to specify and implement security policies for mobile code in a more abstract and flexible way. Our mechanism could be used as a more principled way of enforcing some of the existing security policies described in the literature. The advantages of our approach over related work (SASI, JRes, etc.) are that we can guarantee that our security mechanisms cannot be bypassed, a property we call strong non-bypassability, and that our approach provides the high-level abstractions needed to build useful security policies.
References
Cohen, G.A., Chase, J.S.: Automatic Program Transformation with JOIE. In: Proceedings of USENIX Annual Technical Symposium (1998)
Czajkowski, G., von Eicken, T.: JRes: A Resource Accounting Interface for Java. In: ACM OOPSLA Conference (October 1998)
Dahm, M.: Bytecode Engineering. Java Informations Tage (1999)
Erlingsson, U., Schneider, F.: SASI Enforcement of Security Policies: A Retrospective. In: Proceedings New Security Paradigms Workshop (1999)
Evans, D., Twyman, A.: Flexible Policy-Directed Code Safety. In: IEEE Security and Privacy, Oakland, CA, May 9-12 (1999)
Florio, M.F., Gorrieri, R., Marchetti, G.: Coping with Denial of Service due to Malicious Java Applets. Computer Communications Journal (August 2000)
Fraser, T., Badger, L., Feldman, M.: Hardening COTS Software with Generic Software Wrappers. In: IEEE Security and Privacy, Oakland, CA, May 9-12 (1999)
Gong, L.: Inside Java(TM) 2 Platform Security. Addison-Wesley, Reading (1999)
Gosling, J., Yellin, F., The Java Team: Java API Documentation Version 1.0.2. Sun Microsystems, Inc. (1996)
Gosling, J., Joy, B., Steele, G.L.: The Java Language Specification. The Java Series. Addison-Wesley, Reading (1996)
Kiczales, G., des Rivieres, J.: The Art of the Metaobject Protocol. MIT Press, Cambridge (1991)
Maes, P.: Concepts and experiments in computational reflection. In: OOPSLA (1987)
Pandey, R., Hashii, B.: Providing Fine-Grained Access Control for mobile programs through binary editing. Technical Report TR98-08, University of California, Davis (August 1998)
Java Team: JDK 1.1.8 Documentation. Sun Microsystems, Inc. (1996-1999)
Java Team: Java 2 SDK Documentation. Sun Microsystems, Inc. (1996-1999)
Java Security Team, Java Authentication and Authorization Service, Sun Microsystems, Inc. (1999), http://java.sun.com/security/jaas/index.html
Welch, I.: Reflective Enforcement of the Clark-Wilson Integrity Model. In: 2nd Workshop on Distributed Object Security, OOPSLA (1999)
Welch, I., Stroud, R.J.: Supporting Real World Security Models in Java. In: Proceedings of 7th IEEE International Workshop on Future Trends of Distributed Computing Systems, Cape Town, South Africa, December 20-22 (1999)
Welch, I., Stroud, R.J.: Kava: A Reflective Java based on Bytecode Rewriting. In: Cazzola, W., Stroud, R.J., Tisato, F. (eds.) Reflection and Software Engineering. LNCS, vol. 1826, p. 155. Springer, Heidelberg (2000)
© 2000 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Welch, I., Stroud, R.J. (2000). Using Reflection as a Mechanism for Enforcing Security Policies in Mobile Code. In: Cuppens, F., Deswarte, Y., Gollmann, D., Waidner, M. (eds) Computer Security - ESORICS 2000. ESORICS 2000. Lecture Notes in Computer Science, vol 1895. Springer, Berlin, Heidelberg. https://doi.org/10.1007/10722599_19
DOI: https://doi.org/10.1007/10722599_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-41031-7
Online ISBN: 978-3-540-45299-7
eBook Packages: Springer Book Archive