Abstract
Nowadays, systems that download updates from the net or let the user download third-party code to extend the application's functions (plug-ins) are widespread. In these dynamic environments the code that is going to be executed is not known at compile time, and often not even at application start-up, either by the application producer or by the user. This turns reliable, well-designed software into dangerous and potentially malicious software for the user and for the system it runs on: i.e., a well-behaved modular application becomes the unwilling host for malicious components. In this scenario, the application producer joins the user in requiring that dynamically loaded third-party components satisfy given security requirements.
In this paper we present a framework that allows the consumer side of untrusted code to state the properties it requires of that code. We exploit the facilities of so-called virtual execution environments to encode a well-structured specification directly into the meta-data of the object code. Once the dynamic component is loaded at run-time by the main application, the framework recovers that specification and checks it against the requirements gathered from the main application, the user and the host operating system, injecting run-time checks into the untrusted code as needed to ensure that the actual behaviour of the component matches the specified one.
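The three steps the abstract describes (recover the specification from the component's meta-data, check it against the consumer's requirements, inject run-time checks) can be sketched with plain JVM facilities. The following is an added illustration, not code from the paper or its authors: it assumes a hypothetical `@Declares` annotation as the meta-data carrier, a hypothetical `Plugin` contract, constructed sample components, and a made-up property vocabulary (`no-network`, `bounded-output`). Only `bounded-output` is enforced here, with a `java.lang.reflect.Proxy` wrapper standing in for the bytecode-level instrumentation a real implementation would perform.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Proxy;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Hypothetical annotation: the producer's specification, kept in class meta-data at run-time.
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
@interface Declares {
    String[] value();
}

// Assumed plug-in contract between the host application and third-party components.
interface Plugin {
    String transform(String input);
}

// Constructed sample: declares two properties and honours them.
@Declares({"no-network", "bounded-output"})
class UpperCasePlugin implements Plugin {
    public String transform(String input) { return input.toUpperCase(); }
}

// Constructed sample: declares bounded-output but violates it at run-time.
@Declares({"no-network", "bounded-output"})
class LyingPlugin implements Plugin {
    public String transform(String input) { return input.repeat(10); }
}

// Constructed sample: carries no specification at all.
class SilentPlugin implements Plugin {
    public String transform(String input) { return input; }
}

public class ConsumerPolicyLoader {
    // Properties required by the consumer side (application, user, OS); assumed set.
    private final Set<String> required;

    ConsumerPolicyLoader(Set<String> required) { this.required = required; }

    Plugin load(Class<? extends Plugin> cls) throws ReflectiveOperationException {
        // 1. Recover the specification from the component's meta-data.
        Declares spec = cls.getAnnotation(Declares.class);
        Set<String> declared = new HashSet<>();
        if (spec != null) declared.addAll(Arrays.asList(spec.value()));

        // 2. Check it against the consumer's requirements; refuse to load on any gap.
        Set<String> missing = new HashSet<>(required);
        missing.removeAll(declared);
        if (!missing.isEmpty()) {
            throw new SecurityException(cls.getSimpleName() + " does not declare " + missing);
        }

        // 3. Inject a run-time check so actual behaviour must match the declared property.
        //    (A proxy is used here; a bytecode rewriter would instrument the class itself.)
        Plugin target = cls.getDeclaredConstructor().newInstance();
        return (Plugin) Proxy.newProxyInstance(
            Plugin.class.getClassLoader(), new Class<?>[] { Plugin.class },
            (proxy, method, args) -> {
                Object result = method.invoke(target, args);
                if (declared.contains("bounded-output") && "transform".equals(method.getName())) {
                    int in = ((String) args[0]).length();
                    int out = ((String) result).length();
                    if (out > 2 * in) {   // assumed meaning of bounded-output: |out| <= 2|in|
                        throw new SecurityException(cls.getSimpleName()
                            + " violated bounded-output: " + out + " > " + (2 * in));
                    }
                }
                return result;
            });
    }

    public static void main(String[] args) throws Exception {
        ConsumerPolicyLoader loader = new ConsumerPolicyLoader(
            new HashSet<>(Arrays.asList("no-network", "bounded-output")));
        // Well-behaved component: loads and runs.
        System.out.println(loader.load(UpperCasePlugin.class).transform("hello"));
        // One component fails at load time (no specification), the other at call time (broken promise).
        List<Class<? extends Plugin>> untrusted = Arrays.asList(SilentPlugin.class, LyingPlugin.class);
        for (Class<? extends Plugin> c : untrusted) {
            try {
                System.out.println(loader.load(c).transform("hello"));
            } catch (SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Run with `javac ConsumerPolicyLoader.java && java ConsumerPolicyLoader`. The two rejection paths are the point: a component whose meta-data does not cover the consumer's requirements is never instantiated, while a component that declares a property it does not honour is stopped by the injected check at the first violating call rather than trusted on the strength of its declaration.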
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Galilei, G.A., Gervasi, V. (2010). Idea: Enforcing Consumer-Specified Security Properties for Modular Software. In: Massacci, F., Wallach, D., Zannone, N. (eds) Engineering Secure Software and Systems. ESSoS 2010. Lecture Notes in Computer Science, vol 5965. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-11747-3_14
DOI: https://doi.org/10.1007/978-3-642-11747-3_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-11746-6
Online ISBN: 978-3-642-11747-3
eBook Packages: Computer Science (R0)