Skip to main content
SpringerLink
Log in
Book cover

Reflections on the Work of C.A.R. Hoare pp 71–99Cite as

Roles, Stacks, Histories: A Triple for Hoare

  • Chapter
  • First Online:

Abstract

Behavioural type and effect systems regulate properties such as adherence to object and communication protocols, dynamic security policies, avoidance of race conditions, and many others. Typically, each system is based on some specific syntax of constraints, and is checked with an ad hoc solver. Instead, weadvocate types refined with first-order logic formulas as a basis for behavioural type systems, and general purpose automated theorem provers as an effective means of checking programs. To illustrate this approach, we define a triple of security-related type systems: for role-based access control, for stack inspection, and for history-based access control. The three are all instances of a refined state monad. Our semantics allows a precise comparison of the similarities and differences of these mechanisms. In our examples, the benefit of behavioural type-checking is to rule out the possibility of unexpected security exceptions, a common problem with code-based access control.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   129.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   169.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD   169.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

References

  1. Abadi, M.: Access control in a core calculus of dependency. In: International Conference on Functional Programming (ICFP’06), pp. 263–273 (2006).

    Google Scholar 

  2. Abadi, M., Fournet, C.: Access control based on execution history. In: Network and Distributed System Security Symposium (NDSS’03), pp. 107–121. The Internet Society, ISOC, Reston, VA, USA (2003).

    Google Scholar 

  3. Abadi, M., Burrows, M., Lampson, B., Plotkin, G.: A calculus for access control in distributed systems. ACM Trans. Programming Languages Systems 15(4), 706–734 (1993).

    Article  Google Scholar 

  4. Aspinall, D., Compagnoni, A.: Subtyping dependent types. Theoret. Comput Sci. 266(1–2), 273–309 (2001).

    Article  MATH  MathSciNet  Google Scholar 

  5. Atkey, R.: Parameterized notions of computation. J. Funct. Programm. 19, 355–376 (2009).

    MathSciNet  Google Scholar 

  6. Banerjee, A., Naumann, D.: History-based access control and secure information flow. In: Construction and Analysis of Safe, Secure, and Interoperable Smart Devices (CASSIS 2004), vol. 3362 of LNCS, pp. 27–48 Springer, Heidelberg, Germany (2005).

    Google Scholar 

  7. Banerjee, A., Naumann, D.: Stack-based access control and secure information flow. J. Funct. Programm. 15(2), 131–177 (2005)

    Article  MATH  MathSciNet  Google Scholar 

  8. Becker, M.Y., Nanz, S.: A logic for state-modifying authorization policies. In: European Symposium on Research in Computer Security (ESORICS’07), vol. 4734 of LNCS, pp. 203–218. Springer, Heidelberg, Germany (2007).

    Google Scholar 

  9. Becker, M.Y., Sewell, P.: Cassandra: flexible trust management, applied to electronic health records. In: 17th IEEE Computer Security Foundations Workshop (CSFW’04), pp. 139–154 (June 2004).

    Google Scholar 

  10. Bengtson, J., Bhargavan, K., Fournet, C., Gordon, A.D., Maffeis, S.: Refinement types for secure implementations. Technical Report MSR-TR-2008-118, Microsoft Research (2008). Apreliminary, abridged version appears in the proceedings of CSF’08.

    Google Scholar 

  11. Besson, F., Blanc, T., Fournet, C., Gordon, A.D.: From stack inspection to access control: Asecurity analysis for libraries. In: Computer Security Foundations Workshop (CSFW’04), pp.61–77 (2004).

    Google Scholar 

  12. Borgström, J., Gordon, A.D., Pucella, R.: Roles, stacks, histories: A triple for Hoare. Technical Report MSR-TR-2009-97, Microsoft Research (2009).

    Google Scholar 

  13. Cardelli, L.: Typechecking dependent types and subtypes. In: Foundations of Logic and Functional Programming, vol. 306 of LNCS, pp. 45–57. Springer (1986).

    Google Scholar 

  14. Constable, R.L., Allen, S.F., Bromley, H.M., Cleaveland, W.R., Cremer, J.F., Harper, R.W., Howe, D.J., Knoblock, T.B., Mendler, N.P., Panangaden, P., etal.: Implementing Mathematicswith the Nuprl Proof Development System. Prentice-Hall, Hemel Hampstead, England (1986).

    Google Scholar 

  15. deMoura, L., Bjørner, N.: Z3: An efficient SMT solver. In: Tools and Algorithms for the Construction and Analysis of Systems (TACAS’08), vol. 4963 of LNCS, pp. 337–340. Springer (2008).

    Google Scholar 

  16. DeLine, R., Fähndrich, M.: Enforcing high-level protocols in low-level software. In: Programming Language Design and Implementation (PLDI’01), pp. 59–69 (2001).

    Google Scholar 

  17. Detlefs, D., Nelson, G., Saxe, J.B.: Simplify: a theorem prover for program checking. J.ACM 52(3): 365–473 (2005).

    Article  MathSciNet  Google Scholar 

  18. Dutertre, B., de Moura, L.: The YICES SMT solver. Available at http://yices.csl.sri.com/tool-paper.pdf, 2006.

  19. Ferraiolo, D.F., Kuhn, D.R.: Role based access control. In: Proc.National Computer Security Conference, pp. 554–563 (1992).

    Google Scholar 

  20. Filliâtre, J., Marché, C.: Multi-prover Verification of C Programs. In: International Conference on Formal Engineering Methods (ICFEM 2004), vol. 3308 of LNCS, pp. 15–29. Springer (2004).

    Google Scholar 

  21. Filliâtre, J.-C.: Proof of imperative programs in type theory. In: Selected Papers from the International Workshop on Types for Proofs and Programs (TYPES ’98), 1657, pp. 78–92. Springer (1999).

    Google Scholar 

  22. Flanagan, C.: Hybrid type checking. In: ACM Symposium on Principles of Programming Languages (POPL’06), pp. 245–256 (2006).

    Google Scholar 

  23. Flanagan, C., Abadi, M.: Types for safe locking. In: European Symposium on Programming (ESOP’99), vol. 1576 of LNCS, pp. 91–108, Springer (1999).

    Google Scholar 

  24. Fournet, C., Gordon, A.D.: Stack inspection: Theory and variants. ACM Trans. Programm. Languages Systems 25(3): 360–399 (2003).

    Article  Google Scholar 

  25. Fournet, C., Gordon, A.D., Maffeis, S.: A type discipline for authorization policies. In: 14th European Symposium on Programming (ESOP’05), vol. 3444 of LNCS, pp. 141–156. Springer, Heidelberg, Germany(2005).

    Google Scholar 

  26. Fournet, C., Gordon, A.D., Maffeis, S.: A type discipline for authorization policies in distributed systems. In: 20th IEEE Computer Security Foundation Symposium (CSF’07), pp. 31–45 (2007).

    Google Scholar 

  27. Freeman, T., Pfenning, F.: Refinement types for ML. In: Programming Language Design and Implementation (PLDI’91), pp. 268–277. ACM, New York, NY, USA (1991).

    Google Scholar 

  28. Gifford, D., Lucassen, J.: Integrating functional and imperative programming. In: ACM Conference on Lisp and Functional Programming, pp. 28–38, (1986).

    Google Scholar 

  29. Gong, L.: Inside Java 2 Platform Security: Architecture, API Design, and Implementation. Addison-Wesley (1999).

    Google Scholar 

  30. Gordon, A.D., Jeffrey, A.S.A.: Authenticity by typing for security protocols. J. Comput. Security 11(4): 451–521 (2003).

    Google Scholar 

  31. Gronski, J., Knowles, K., Tomb, A., Freund, S.N., Flanagan, C.: Sage: hybrid checking for flexible specifications. In: R.Findler, (ed.) Scheme and Functional Programming Workshop, pp. 93–104, (2006).

    Google Scholar 

  32. Gunter, C.: Semantics of Programming Languages. MIT, Kluwer, Dordrecht, the Netherlands (1992).

    Google Scholar 

  33. Hardy, N.: The confused deputy (or why capabilities might have been invented). ACM SIGOPS Operat. Systems Rev., 22, 36–38 (1988).

    Article  Google Scholar 

  34. Jia, L., Vaughan, J.A., Mazurak, K., Zhao, J., Zarko, L., Schorr, J., Zdancewic, S.: AURA: Preliminary technical results. Technical Report MS-CIS-08-10, University of Pennsylvania (2008).

    Google Scholar 

  35. Knowles, K.W., Flanagan, C.: Type reconstruction for general refinement types. In: ESOP, vol. 4421 of LNCS, pp. 505–519. Springer (2007).

    Google Scholar 

  36. Li, N., Mitchell, J.C., Winsborough, W.H.: Design of a role-based trust management framework. In: IEEE Security and Privacy, pp 114–130, (2002).

    Google Scholar 

  37. Maffeis, S., Abadi, M., Fournet, C., Gordon, A.D.: Code-carrying authorization. In: European Symposium On Research In Computer Security (ESORICS’08), pp. 563–579 (2008).

    Google Scholar 

  38. Moggi, E.: Notions of computations and monads. Inform. Comput., 93, 55–92 (1991).

    Article  MATH  MathSciNet  Google Scholar 

  39. Nanevski, A., Morrisett, G., Birkedal, L.: Polymorphism and separation in Hoare Type Theory. In: International Conference on Functional Programming (ICFP’06), pp. 62–73 (2006).

    Google Scholar 

  40. Nanevski, A., Morrisett, G., Shinnar, A., Govereau, P., Birkedal, L.: Ynot: dependent types for imperative programs. In: International Conference on Functional Programming (ICFP’08), pp.229–240 (2008).

    Google Scholar 

  41. Nordström, B., Petersson, K., Smith, J.: Programming in Martin-Löf’s Type Theory. Clarendon Press Oxford (1990).

    Google Scholar 

  42. Pierce, B., Sangiorgi, D.: Typing and subtyping for mobile processes. Math. Structures Comput. Sci., 6(5) 409–454 (1996).

    MATH  MathSciNet  Google Scholar 

  43. Pistoia, M., Banerjee, A., Naumann, D.: Beyond stack inspection: A unified access-control and information-flow security model. In: IEEE Security and Privacy, pp. 149–163 (2007).

    Google Scholar 

  44. Pistoia, M., Chandra, S., Fink, S.J., Yahav, E.: A survey of static analysis methods for identifying security vulnerabilities in software systems. IBM Syst. J. 46(2), 265–288 (2007).

    Article  Google Scholar 

  45. Plotkin, G.D.: Denotational semantics with partial functions. Unpublished lecture notes, CSLI, Stanford University (July 1985).

    Google Scholar 

  46. Pottier, F., Skalka, C., Smith, S.: A systematic approach to static access control. ACM Trans. on Programm. Languages Systems 27(2), 344–382 (2005).

    Article  Google Scholar 

  47. Ranise S., Tinelli, C.: The SMT-LIB Standard: Version 1.2 (2006).

    Google Scholar 

  48. Régis-Gianas, Y., Pottier, F.: A Hoare logic for call-by-value functional programs. In: Mathematics of Program Construction (MPC’08), vol. 5133 of LNCS, pp. 305–335. Springer, Heidelberg, Germany (2008).

    Google Scholar 

  49. Rondon, P., Kawaguchi, M., Jhala, R.: Liquid types. In: Programming Language Design and Implementation (PLDI’08), pp. 159–169. ACM, New York, NY, USA (2008).

    Google Scholar 

  50. Rushby, J., Owre, S., Shankar, N.: Subtypes for specifications: Predicate subtyping in PVS. IEEE Trans. Software Eng., 24(9), 709–720 (1998).

    Article  Google Scholar 

  51. Sabry A., Felleisen, M.: Reasoning about programs in continuation-passing style. LISP and Symbolic Comput., 6(3–4), 289–360 (1993).

    Article  Google Scholar 

  52. Sandhu, R., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. IEEE Comput. 29(2), 38–47 (1996).

    Google Scholar 

  53. Strom, R.E., Yemini, S.: Typestate: A programming language concept for enhancing software reliability. IEEE Trans. Software Eng. 12, 157–171 (1986).

    Article  MATH  Google Scholar 

  54. Wadler, P.: Comprehending monads. Math. Struct. Comput. Sci. 2, 461–493 (1992).

    Article  MATH  MathSciNet  Google Scholar 

  55. Wallach, D.S., Appel, A.W., Felten, E.W.: SAFKASI: A security mechanism for language-based systems. ACM Trans. Software Eng. Methodo., 9(4), pp. 341–378 (2000).

    Article  Google Scholar 

  56. Xi, H., Pfenning, F., Dependent types in practical programming. In: Principles of Programming Languages (POPL’99), pp. 214–227 (1999).

    Google Scholar 

Download references

Acknowledgements

We are grateful to Martín Abadi, Robert Atkey, Anindya Banerjee, Moritz Becker, Cliff Jones, David Naumann, Nikhil Swamy, and Wouter Swierstra for comments and discussions.

Author information

Authors and Affiliations

  1. Microsoft Research, Cambridge, UK

    Johannes Borgström & Andrew D. Gordon

  2. Department of Computer Science, Northeastern University, Boston, USA

    Riccardo Pucella

Authors
  1. Johannes Borgström
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Andrew D. Gordon
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Riccardo Pucella
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Andrew D. Gordon .

Editor information

Editors and Affiliations

  1. Oxford University Computing Laboratory, Parks Road, Oxford, OX13QD, United Kingdom

    A.W. Roscoe

  2. Dept. Computing Science, University of Newcastle upon Tyne, Newcastle upon Tyne, NE17RU, United Kingdom

    Cliff B. Jones

  3. Microsoft Research Ltd., J. J. Thomson Avenue 7, Cambridge, CB30FB, United Kingdom

    Kenneth R. Wood

Rights and permissions

Reprints and permissions

Copyright information

© 2010 Springer London

About this chapter

Cite this chapter

Borgström, J., Gordon, A.D., Pucella, R. (2010). Roles, Stacks, Histories: A Triple for Hoare. In: Roscoe, A., Jones, C., Wood, K. (eds) Reflections on the Work of C.A.R. Hoare. Springer, London. https://doi.org/10.1007/978-1-84882-912-1_4

Download citation

  • DOI: https://doi.org/10.1007/978-1-84882-912-1_4

  • Published:

  • Publisher Name: Springer, London

  • Print ISBN: 978-1-84882-911-4

  • Online ISBN: 978-1-84882-912-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation