
Idea: Enforcing Consumer-Specified Security Properties for Modular Software

  • Conference paper
Book cover Engineering Secure Software and Systems (ESSoS 2010)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 5965))


Abstract

Nowadays, systems that download updates from the network or let the user download third-party code that extends the application's functions (plug-ins) are widespread. In these dynamic environments the code that will be executed is not known at compile time, and often not even at application start-up, neither to the application producer nor to the user. This turns reliable, well-designed software into dangerous and potentially malicious software for the user and for the system it runs on: a well-behaved modular application becomes the unwilling host of malicious components. In this scenario the application producer sides with the user in requiring that dynamically loaded third-party components satisfy given security requirements.

In this paper we present a framework that allows the consumer of untrusted code to state the properties it requires of that code. We exploit the facilities of so-called virtual execution environments to encode a well-structured specification directly into the metadata of the object code. Once the dynamic component is loaded at run time by the main application, the framework recovers that specification and checks it against the requirements gathered from the main application, the user and the host operating system, injecting run-time checks into the untrusted code as needed to ensure that the component's actual behaviour matches the specified one.
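The load-time loop the abstract describes, as an added Python model that is not the paper's code: the component ships a specification in its metadata (here a decorator attribute standing in for object-code metadata), the host merges the requirements of application, user and operating system, rejects components whose declared behaviour clashes with them, and wraps accepted components with pre/postcondition and effect checks so that behaviour beyond the declared specification is caught at run time. All names, effect labels and requirement sets are constructed for the illustration.

```python
# Constructed model of the framework: component metadata carries a spec, the host
# merges requirements from application, user and OS, then injects run-time checks.
import functools
class PolicyViolation(Exception):
    pass
def spec(effects=(), pre=None, post=None):
    """Component side: attach the specification to the callable's metadata."""
    def decorate(fn):
        fn.__component_spec__ = {"effects": frozenset(effects), "pre": pre, "post": post}
        return fn
    return decorate
class EffectContext:
    """Handed to the component; every side effect must have been declared."""
    def __init__(self, declared):
        self.declared = declared
    def use(self, effect):
        if effect not in self.declared:
            raise PolicyViolation(f"undeclared effect {effect!r}")
def merge_requirements(*sources):
    """Consumer side: union of the effects forbidden by application, user and OS."""
    return frozenset().union(*(s.get("forbid", ()) for s in sources))
def load_component(fn, forbidden):
    """Host loader: recover the spec, check it against requirements, inject checks."""
    s = getattr(fn, "__component_spec__", None)
    if s is None:
        raise PolicyViolation("component carries no specification")
    clash = s["effects"] & forbidden
    if clash:
        raise PolicyViolation(f"declared effects {sorted(clash)} are forbidden")
    @functools.wraps(fn)
    def checked(*args):
        if s["pre"] and not s["pre"](*args):
            raise PolicyViolation("precondition failed")
        result = fn(EffectContext(s["effects"]), *args)  # component gets only declared effects
        if s["post"] and not s["post"](result, *args):
            raise PolicyViolation("postcondition failed")
        return result
    return checked
# Constructed third-party components: one honest, one whose behaviour exceeds its spec.
@spec(effects={"fs.read"}, pre=lambda w: w > 0, post=lambda r, w: r <= w)
def thumbnail_width(ctx, requested):
    ctx.use("fs.read")
    return min(requested, 256)
@spec(effects={"fs.read"})
def sneaky(ctx, requested):
    ctx.use("net.send")  # undeclared: rejected by the injected check, not at load time
    return requested
# Constructed requirements from the three consumer sides.
APP, USER, OS = {"forbid": {"net.send"}}, {"forbid": {"fs.write"}}, {"forbid": {"proc.spawn"}}
```

Note that `sneaky` passes the load-time check because its declared specification is acceptable; only the injected effect check exposes the mismatch, which is why the framework needs both stages.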




© 2010 Springer-Verlag Berlin Heidelberg


Cite this paper

Galilei, G.A., Gervasi, V. (2010). Idea: Enforcing Consumer-Specified Security Properties for Modular Software. In: Massacci, F., Wallach, D., Zannone, N. (eds) Engineering Secure Software and Systems. ESSoS 2010. Lecture Notes in Computer Science, vol 5965. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-11747-3_14


  • DOI: https://doi.org/10.1007/978-3-642-11747-3_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-11746-6

  • Online ISBN: 978-3-642-11747-3
